by Bricata
Black Hat is one of those “can’t miss” events for the security industry. The six-day conference has doubled in size since 2014, according to the Las Vegas Review-Journal. The publication reported this year’s show attracted some 17,000 cybersecurity professionals, including 300 exhibitors, who collectively offered 80 sessions and 120 briefings.
All of these people and sessions produced an incredible volume of information. For example, if you peruse these three hashtags: #BHUSA, #BlackHat2018, or #BHUSA18 – the number of views, images and links is staggering. There were other hashtags in use as well.
As such, it occurred to us that attendees and observers might like to go back over notes from the show after the fact. To that end, this post is an effort to organize and curate much of the news and ideas we observed at the show into a useful resource.
While we call out a few points we think are of interest, the layout is not intended to convey importance or merit. We grouped links and articles logically along themes to summarize the 2018 Black Hat USA conference.
Day zero at @BlackHatEvents almost ready to begin pic.twitter.com/eD6ydywQHJ
— -Yiannis- (@Sec_GroundZero) August 7, 2018
Roundups, Overviews and Observations
1) Cyber Security Hub: ‘Black Hatter’ Lists Top 5 Show Takeaways: AI, IoT & More
“At the end of the day, though, shows can be all about optics, or all about substantive information. Black Hat touched the latter, with an agenda pleasantly occupied by sessions with attention-grabbing headlines and speakers.”
2) Cyber Security Hub: Black Hat Day 2 Coverage Centers Around Mobile Sec, AI & ML
3) Cyber Security Hub: From Endpoint Protection To Threat Intel: Black Hat Day 1 In Review
4) The Parallax: Black Hat attendees are surprisingly lax about encryption
5) MSSP Alert: 10 Managed Security Developments at Black Hat USA 2018
“The Cloud Security Alliance (CSA) has released the Top Threats to Cloud Computing: Deep Dive, a case-study analysis that provides more technical details dealing with architecture, compliance, risk and mitigations for each of the cloud computing threats and vulnerabilities identified in the Treacherous 12: Top Threats to Cloud Computing (2016), the organization says.”
6) The Daily Swig: ‘We are now being tested. Are we as good as we say we are?’
7) The Daily Swig: ‘Stay humble, keep learning, and have fun’
8) LinkedIn Pulse: Black Hat USA Takes it to the Next Level
Special thanks to all the students (and dog) in our first #BHUSA Adversary Tactics: Detection course. We had a blast and hope you did too! pic.twitter.com/AQ1NphOYVZ
— SpecterOps (@SpecterOps) August 6, 2018
Studies and Surveys from Black Hat
9) Dark Reading: Black Hat Survey: Enterprise Tech, USG Unprepared for Cyberattacks
10) SearchSecurity: Black Hat 2018 survey: Cybersecurity staffing, budgets still lacking
11) Malwarebytes: …the emergence of the gray hat: the true costs of cybercrime
Note: Malwarebytes published a US and global version of this report.
“…our research found that an organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs (that’s nearly $760 per employee).”
12) Help Net Security: There’s a global divide in how organizations assess cyber risk
“…study that examined the 285 Black Hat USA 2018 exhibitors to objectively compare the magnitude of darknet exposure among them. The extent of the presence of a company’s data on the darknet is a significant measure of that company’s cybersecurity risk. For the first time, the report also contains a preliminary analysis of whether changes in a firm’s darknet footprint were a good proxy for its stock price performance.”
14) Dark Reading: No, The Mafia Doesn’t Own Cybercrime: Study
Thanks to #BHUSA 2018 Keynote, Parisa Tabriz (@laparisa) — If you missed the talk or want to re-live it, you can watch the livestream recording on YouTube: https://t.co/zuJ5xMS0gg https://t.co/GFgRi52aO5
— Black Hat (@BlackHatEvents) August 10, 2018
Keynote by Project Zero
15) Threat Post: Google Bug Hunter Urges Apple to Change its iOS Security Culture
16) The Register: Google Project Zero boss: Blockchain won’t solve your security woes
17) CNET: Google doesn’t want you to have to think about cybersecurity
18) SC Magazine: Google’s Tabriz calls for more collaboration in Black Hat keynote
“Coalition building, both within a company and with external partners, is also needed to keep cybersecurity projects alive and on track.”
19) Search Security: Parisa Tabriz’s Black Hat 2018 keynote challenges infosec’s status quo
20) Threat Post: Bridging the Gap Between Complex Security Landscapes
21) Security Boulevard: Project Zero director exhorts Black Hat audience to do security better
22) The Parallax: Google’s ‘Security Princess’ calls for stronger collaboration
Flaws and Vulnerabilities
23) Threat Post: With Healthcare Security Flaws, Safety’s Increasingly at Stake
“’Whether [healthcare professionals] like it or not, code, networks and devices are now caring for patients every single day and it is so important to remember that securing them, we think, will save lives,’ said Christian Dameff, M.D. at the University of California at San Diego School of Medicine and security researcher.”
24) Threat Post: Mixed Signal Microcontrollers Open to Side-Channel Attacks
25) Threat Post: Update Mechanisms Allow Remote Attacks on UEFI Firmware
26) Threat Post: Stealthy Kernel Attack Flies Under Windows Mitigation Radar
27) Dark Reading: Cracking Cortana: The Dangers of Flawed Voice Assistants
“Security vs. convenience is a delicate balance to strike with new technology designed to make our lives easier.”
28) Threat Post: Patrick Wardle on Breaking and Bypassing MacOS Firewalls
29) Dark Reading: Understanding Firewalls: Build Them Up, Tear Them Down
“…even good firewalls are at a disadvantage to attackers because, in the Internet era, certain communications simply must be allowed.”
30) Search Security: Meltdown and Spectre disclosure suffered “extraordinary…
“[Project Zero] notified Intel and the other CPU vendors of these speculative execution vulnerabilities and they said a third of the way through the email that ‘We found these, here are the proof of concepts, and by the way, we haven’t told anyone else about this including Google, and it’s now your responsibility to tell anyone you need to tell,’ and somewhere along the line they missed that piece of the email.”
31) SC Media: Google, Microsoft and Red Hat dish on the Meltdown/Spectre backstory
32) Dark Reading: Cloud Intelligence Throwdown: Amazon vs. Google vs. Microsoft
33) PC Magazine: Black Hat Researcher Shows Why Air Gaps Won’t Protect Your Data
34) The Register: Microsoft to hackers: Finding Hyper-V bugs is hard. Change my mind.
35) Wired: Hacking a Brand New Mac Remotely, Right Out of the Box
36) eWeek: F5 Details Cellular Gateway IoT Flaws at Black Hat
Energy and ICS
37) Dark Reading: Even ‘Regular Cybercriminals’ Are After ICS Networks
38) Fifth Domain: Hackers targeted a fake power grid. Is the real one next?
39) Fifth Domain: Why small cyberattacks on power systems more likely than a blackout
New TRITON research paper, released with preso at #BHUSA, available now. Find out what it took to create the malware, new RE findings and two new tools to help the #ICS community secure SIS https://t.co/KqJvnv8bZn pic.twitter.com/eavwl4bWi3
— Heather E MacKenzie (@hemackenzie) August 8, 2018
Government
40) Fifth Domain: DHS wants more secure call encryption for feds
“We know that it is a risk area and we know that it is a challenge. Whether it is financially feasible to do it, even if the technology exists today and we are all going to agree multilaterally on one system, that is a little hard.”
41) Fifth Domain: How long is too long for a cyber operation? NSA has an idea
42) Fifth Domain: How algorithms can harm cybersecurity
44) Fifth Domain: How hackers can defeat cyber deception methods
45) Government Executive: Flaw in Some Satellite Communication…Expose U.S. Troops…
46) CRN: 10 Execs On The Top Cybersecurity Threat America Faces Around…Elections
“Voting machines can be manipulated in a manner similar to ATMs if a bad actor has direct access, Holmes said, and securing the infrastructure or network these machines connect with can be challenging.”
Mandalay Bay elevator “crashes” and reboots while I’m riding it…not cool. Surely totally unrelated to #BlackHat2018 pic.twitter.com/j9mFxAhtXY
— ░J░a░s░o░n░ ░K░i░c░h░e░n░ (@jckichen) August 9, 2018
Mobile and IoT
47) Fifth Domain: New bugs leave millions of phones vulnerable to hackers
48) PC Magazine: It Takes Just $200 to Tie Cell Networks in Knots
49) Ars Technica: In-vehicle wireless devices are endangering emergency first responders
50) Threat Post: Widespread Critical Flaws Found in Smart-City Gear
“In the Meshlium wireless sensor networks by Libelium, researchers found a critical pre-authentication shell injection flaw, present in four distinct instances.”
51) Politico: Research: Smart cities are dumb on defense
52) Help Net Security: Smart cities are exposed to old-school threats
53) SC Magazine: IBM X-Force finds 17 zero-day vulnerabilities in four smart city systems
54) eWeek: Researchers Reveal Smart City System Flaws at Black Hat
55) eWeek: IOActive to Detail Stock Trading App Vulnerabilities at Black Hat
56) Fortune: Dozens of applications used for online trading…have…vulnerabilities
57) Wired: Online Stock Trading Has Serious Security Holes
“Well over half of the desktop applications Hernández examined, for instance, transmitted at least some data—things like balances, portfolios, and personal information—unencrypted.”
58) Dark Reading: IoT Malware Trying to Attack Satellite Systems of Airplanes, Ships
59) Tech Crunch: Hack the planet: vulnerabilities unearthed in satellite systems…
60) eWeek: Black Hat Talk Reveals How Embedded Systems Expose Airlines to Risk
61) CRN: Research Revealed at Black Hat shows Airplane’s SATCOM’s are Hackable
62) Fox 5 Vegas: Airplane hacking explained at Black Hat 2018
63) Wired: A New Pacemaker Hack Puts Malware Directly on the Device
64) eWeek: Car Hackers Discuss What It Takes to Secure Autonomous Vehicles
65) Las Vegas Review-Journal: Black Hat experts in Las Vegas address hacking cars, medical devices
66) The Register: Say what you will about self-driving cars – the security is looking ‘OK’
67) Help Net Security: Vulnerabilities in mPOS devices could lead to fraud and theft
.@CNET covers Symantec’s #BHUSA simulation of an egg being cooked on top of a cryptojacked router. Read more: https://t.co/88jHHhpPKq pic.twitter.com/sb4AanUqnf
— Gerry Grealish (@GerryG_ND) August 10, 2018
Artificial Intelligence
68) Security Intelligence: DeepLocker: How AI Can Power a Stealthy New Breed of Malware
“The security community needs to prepare to face a new level of AI-powered attacks. We can’t, as an industry, simply wait until the attacks are found in the wild to start preparing our defenses. To borrow an analogy from the medical field, we need to examine the virus to create the ‘vaccine.’”
69) The Register: Should I infect this PC, wonders malware. Let me ask my neural net…
70) eWeek: IBM Demonstrates DeepLocker AI Malware at Black Hat
71) MSSP Alert: IBM Demos AI-powered Malware Called DeepLocker: The Implications
72) V3: IBM’s proof-of-concept malware uses AI for spear phishing
73) Reuters: New genre of AI programs take computer hacking to another level
Wow! @xoreaxeaxeax‘s talk @BlackHatEvents was amazing! Found mind blowing behaviors in x86! His work is available at https://t.co/J13TGX5eQH ! pic.twitter.com/7yv9Os0E9Q
— Saar Amar (@AmarSaar) August 9, 2018
Tools and Utilities Promoted Around Black Hat
74) Reddit: Coverage of Blackhat Presentation about Curl-P presentation
75) Dark Reading: Researchers Release Free TRITON/TRISIS Malware Detection Tools
76) Linux Security Expert: Linux security tools (top 100)
Note: This piece calls out two of our favorites, Suricata (#9) and Bro (#20), and says of them respectively:
“Suricata can be used as part of a Network Security Monitoring (NSM) ecosystem. You could use it to log HTTP requests, log and store TLS certificates, extract files from flows and store them to disk.”
“Bro helps to perform security monitoring by looking into the network’s activity. It can find suspicious data streams. Based on the data, it can alert, react, and integrate with other tools.”
77) eSecurity Planet: Demisto Demonstrates Tool to Validate IOC Detection at Black Hat
78) Medium: Black Hat Arsenal USA 2018 — The w0w lineup
79) CRN: 20 Hot Cybersecurity Products Announced At Black Hat 2018
80) eSecurity Planet: 10 Vendors Making News at Black Hat USA 2018
81) Help Net Security: Researchers open source tools to identify Twitter bots at scale
82) Help Net Security: Bugcrowd University to provide hands-on training for security…
And here you can see the wild #infosec bod in its natural habitat, scavenging for its primary resource: electricity. #BlackHat2018 pic.twitter.com/chM3sDblfQ
— Vic Harkness (@VicHarkness) August 5, 2018
Talent, People and Human Interest
83) Channel Partners: How to Hire, Retain More Women Cybersecurity Engineers
“Holtz said much of the research is flawed regarding why women aren’t being hired in technology and are leaving their careers in technology. A common misconception is that women aren’t interested in computers, she said. Also, unequal pay has been overly cited as a reason. ‘If unequal pay is the only problem you have in your organization, you’re very, very lucky,’ she said. ‘Changing a number is a lot easier than changing a culture.’”
84) SC Media: Retaining and promoting women cybersecurity staffers
85) Info Security: Focus on Hiring and Retaining Female Security Employees
86) Info Security: The Value of Skills, Education and Experience in Information Security Hiring
87) Info Security: Companies Encouraged to Adopt Sexual Harassment Policies
88) MSRC: Microsoft’s Top 100 Security Researchers – Black Hat 2018 Edition
89) Dark Reading: White Hat to Black Hat: What Motivates the Switch to Cybercrime
“The average starting salary for an entry-level security pro in the US is $65,578, slightly above the global average of $60,662. Top security professionals in the US make an average of $133,422, the second highest salary among nations surveyed.”
90) Dark Reading: 6 Drivers of Mental and Emotional Stress in Infosec
91) Axios: Mental health is new focus at premier cybersecurity conference
92) Medium: What type of vendors are showing themselves off in the Business Hall?
“…46% of vendors in the hall are indeed VC-backed companies at varying stages of maturity. Privately held companies are a non-trivial segment at 17%, and there are 30 Private Equity-owned companies making up 12% of the hall.”
3 Storylines to Watch During Black Hat 2018 #BHUSA https://t.co/NcYIIsAcrs New Threats Human Factors Cyber Policy pic.twitter.com/KXnqLjQndQ
— Jo Peterson (@digitalcloudgal) August 6, 2018
Around and About
93) Help Net Security: Photo gallery: Black Hat USA 2018
94) Las Vegas Review-Journal: Black Hat, with big names and crowds, infiltrates Las Vegas
95) eSecurity Planet: Top 10 Talks to See at Black Hat USA 2018
96) Fifth Domain: 3 storylines to watch during Black Hat 2018
Me to Vegas & #BHUSA pic.twitter.com/xLQrrxYaOf
— Kaylin Trychon (@KaylinTrychon) August 10, 2018
* * *
We are certain we didn’t capture everything, so if there is an article or blog post you would like to see added, send us a note at media -at- bricata -dot-com and we will consider it.