HYBRID HACKER SUMMER CAMP 2021 GUIDE — Part Four: Black Hat USA

DCG 201
98 min read · Aug 1, 2021


Welcome to the DEFCON 201 guide to Hybrid Hacker Summer Camp! This is part of a series where we are going to cover all the various hacker conventions and shenanigans in August. As more blog posts are uploaded, you will be able to jump through the guide via these links:

HYBRID HACKER SUMMER CAMP — Part One: Surviving Physical + Virtual Vegas

HYBRID HACKER SUMMER CAMP — Part Two: BSides Las Vegas

HYBRID HACKER SUMMER CAMP — Part Three: Ring Zer0

HYBRID HACKER SUMMER CAMP — Part Four: Black Hat USA

HYBRID HACKER SUMMER CAMP — Part Five: FuzzCON

HYBRID HACKER SUMMER CAMP — Part Six: DEFCON 29

HYBRID HACKER SUMMER CAMP — Part Seven: USENIX

HYBRID HACKER SUMMER CAMP — Part Eight: SIGS, EVENTS AND PARTIES

BLACK HAT USA 2021

Date: Saturday, July 30th (12:00 PM EST) — Thursday, August 5th (6:30 PM EST)

Website: https://www.blackhat.com/us-21/

Location: Mandalay Bay Convention Center (3950 Las Vegas Blvd. South Las Vegas, Nevada 89119)

Black Hat USA Android App: https://play.google.com/store/apps/details?id=com.coreapps.android.followme.blackhat

Platform(s): Black Hat USA CISO Summit as well as the Main Conference including Briefings, Arsenal, the Business Hall, and more, will take place on the Swapcard Virtual Event Platform. Black Hat USA Trainings will be taught online on the GoToTraining virtual classroom platform.

Schedule: https://www.blackhat.com/us-21/schedule.html

Live Streams:

Youtube (KEYNOTES): https://www.youtube.com/user/BlackHatOfficialYT

Twitter: https://twitter.com/hashtag/DRNewsDesk

NOC: https://www.twitch.tv/blackhatnoc

Chat: TBA

Accessibility: Only registered attendees will be able to view the Briefings (Talks). Workshops not only have a price tag but are filled on a case-by-case basis. The Virtual Business Pass is free and gets you access to the rest of the convention including the Business Hall, Arsenal, Contests, Sponsored Talks and more. See deals for In Person Vegas later in this guide.

Tickets: https://www.blackhat.com/us-21/registration.html

Code Of Conduct: https://www.blackhat.com/code-of-conduct.html

From its inception in 1997, Black Hat has grown from a single annual conference in Las Vegas to the most respected information security event series internationally. For more than 20 years, Black Hat Briefings have provided attendees with the very latest in information security research, development, and trends in a strictly vendor-neutral environment. These high-profile global events and Trainings are driven by the needs of the security community, striving to bring together the best minds in the industry.

Now in its 25th year, Black Hat USA is the world’s leading information security event, providing attendees with the very latest security research, development and trends. Black Hat USA 2021 will be entirely virtual this year, held over the same dates, July 30th–August 6th in Pacific Daylight Time (UTC−07:00).

Due to the rise of the Delta variant of COVID-19, the Black Hat hybrid event experience in 2021 offers the cybersecurity community a choice in how they wish to participate. They will host both an in-person experience in Las Vegas and a virtual experience online. When you purchase a Briefings Pass, you can select whether to attend in-person or online.

If you choose the Virtual Only Briefings Pass, you will have access to all the online and recorded Briefings Sessions, Sponsored Sessions, Arsenal Demos and the Business Hall. You will also have access to the recorded sessions for 30 days after the event.

If you choose the In-Person Briefings Pass you will have access to BOTH the in-person Briefings, Sponsored Sessions, Arsenal Demos and the Business Hall activities in Las Vegas, AND access to all the online sessions, including online access to the recordings for 30 days after the event.

This is the BIG corporate convention of the Information Security world. Very suit and tie, bring your resume, talking about numbers and projections type of convention. Get used to hearing the words “cyber”, “mitigation”, “deployment”, “corporate”, “blockchain” and “pipeline” being thrown around like candy on Halloween without an eye roll. Attendees will also introduce themselves with their job title and workplace as if they are their last names.

This year, because of virtualization due to the COVID-19 Pandemic, we feel this has been the most diverse and easily accessible Black Hat USA ever created. From the Business Pass being completely free to reduced (but still expensive by blue-collar standards) prices and various ways to interact, these inclusive elements have put the convention back on our radar. If you want to network and rub shoulders with the InfoSec big leagues (or to land a job), this is the convention that will be on your priority list!

PHYSICAL LOCATION RECON

Registration Hours (On-Site for Live Event):
Bayside Ballroom — Level One: Mandalay Bay Convention Center
Mandalay Bay Convention Center
3950 S Las Vegas Blvd
Las Vegas, NV 89119

Tuesday, August 3: 2:00 PM — 6:00 PM
Wednesday, August 4: 8:00 AM — 5:00 PM
Thursday, August 5: 8:00 AM — 4:00 PM

Training Course Hours (VIRTUAL ONLY):
Saturday, July 31: 9:00 AM — 6:00 PM
Sunday, August 1: 9:00 AM — 6:00 PM
Monday, August 2: 9:00 AM — 6:00 PM
Tuesday, August 3: 9:00 AM — 6:00 PM

Conference Hours (Briefings):
Wednesday, August 4: 9:00 AM — 5:00 PM
Thursday, August 5: 9:00 AM — 5:00 PM

Business Hall Hours: (Virtual)
Wednesday, August 4: 8:30 AM — 5:00 PM
Thursday, August 5: 8:30 AM — 4:00 PM

Business Hall Hours: (In-Person)
Wednesday, August 4: 10:00 AM — 6:00 PM
Thursday, August 5: 10:00 AM — 4:00 PM

ATTEND BLACK HAT CHEAP-AS-FREE!

This year, thanks to the hybridization, there are some amazing discounted and FREE options available for those of us hackers who want to rub shoulders (6 feet apart of course) with the dapper folks without breaking our already sparse checking accounts.

In-Person Business Passes are only $250 this year (cheaper than DEF CON 29) and the Online Business Pass is FREE. With a Business Pass, access the Keynote, the Business Hall and a number of Features, including Arsenal, Sponsored Sessions, Passport to Prizes, and more.

EFF Members can get a $200 discount on an In-Person Briefings pass with promo code: AP21eff.

And speaking of DEFCON 29, here is a very cool deal from them:

Here’s the full URL for registering: https://blackhat.informatech.com/2021/index/registrations/DEFCON

EARLY DEFCON 29 BADGE REGISTRATION

Upon purchase of Black Hat Briefings and/or Trainings passes, each registrant will also have the option to purchase a single (1) advance ticket to DEF CON 2018, at a rate of $280 per ticket, one ticket purchase per person, up until the close of “Late” registration on August 3, 2018 at 11:59 PT.

DEF CON tickets will not be sold on-site at Black Hat USA. After August 3, 2018, DEF CON tickets are only available for purchase at DEF CON during their ticket sales window.

Please note, you must first register and pay for your Black Hat Training/Briefings registration in order to purchase a DEF CON ticket. The option to purchase a DEF CON ticket is not available to individuals who purchase a Black Hat Business Pass only.

DEF CON tickets are non-refundable, once purchased. When you check in to Black Hat, you will receive a DEF CON badge voucher, and after DEF CON staff provide badges to Black Hat, you may then redeem your voucher for a DEF CON badge, generally on the Thursday of the event.

VIRTUAL PLATFORM RESOURCES

This year’s event will be fully virtual. We have provided information and resources below to make your experience at Black Hat a successful one. Please contact Black Hat Registration with any questions or for more information.

When the platform goes live, you will receive an email with a link directing to a login page where you can create a password for accessing the virtual event.

Please note that your event login information will come in an email from Sender: “Black Hat USA <hello@swapcard.com>”

You should add hello@swapcard.com to your allowed email list to ensure receipt of your login details.

CREDENTIALS

You can access the Swapcard platform directly at login.swapcard.com.

There you can log in by entering the email you used to register for Black Hat USA and creating a password. If you’ve forgotten your password, click on “Send me a magic link” to receive an email to reset your password.

SETTING YOUR PROFILE VISIBILITY

Your profile will be automatically created in Swapcard using the information you supplied when you registered for the event.

You have the option to connect with other attendees and sponsors, just as you would at a live event.

Once you’ve logged into the platform, click on the “Attendee” tab. On the left side of the page, look for the “Visibility” setting to turn your Profile visibility on or off. You may change this setting at any time.

SESSIONS

Learn how to access sessions and content

NETWORKING

Learn how to network with other attendees

INTERACTING

Learn how to find virtual exhibit booths

STAY CONNECTED

In addition to all of the chat and networking opportunities within GoToTraining and Swapcard, you can stay up-to-date and join the conversations on social media by following and tweeting @BlackHatEvents, using the hashtags #BHUSA and #BHTrainings.

TRAININGS

Sat, July 31 — Tues, August 3
Provides hands-on offensive and defensive skill-building opportunities. These courses are taught by some of the most sought-after international industry & subject matter experts, with the goal of defining and defending tomorrow’s InfoSec landscape.

View Trainings: https://www.blackhat.com/us-21/training/schedule/index.html

BUSINESS HALL

Wed, August 4 — Thurs, August 5
Network with InfoSec professionals and evaluate a broad range of security products, open-source tool solutions and more. The virtual Business Hall offers unique opportunities for community engagement between vendors and attendees.

CONTESTS

LogWars at Blackhat

August 4th, 2021

Compete for prizes and bragging rights

1:00 PM PT / 4:00 PM ET

Join us for an epic virtual jeopardy-style capture the flag event. In this two-hour event, you’ll be led through a brief platform training by a LogRhythm expert. Then we’ll kick off the competition where you compete against your peers to find answers to questions using the LogRhythm Web UI, alarms, and investigations. The competitor with the most points claims the top prize — and bragging rights!

Prizes: 1st place: $500 | 2nd place: $250 | 3rd place: $100

1:00 PM — 3:00 PM Pacific

Save your spot and get ready to battle. Don’t forget to start taunting your competition with the hashtag #LogWars. A special thank you to our sponsor, Code42®!

LogRhythm customer or partner? This event is for LogRhythm n00bs only, but you can still join us for an expert-level LogWars event. Email events@logrhythm.com and we’ll share the info to get you signed up for the perfect LogWars challenge for you.

Think you have what it takes to be a vulnerability researcher?

Join us for the Virtual Exploit Elimination Challenge and prove it! Put your skills to the test at this Black Hat session, where you’ll learn hands-on from a world-class vulnerability research team and access exclusive intel and toolkits. Compete alongside your peers to win.

This is your time to show that you have what it takes to:

Analyze code differences from patching

Identify different attack vectors to reach the vulnerability

Develop protection to disrupt the exploits

The challenge opens on Wednesday, August 4 at 11 a.m. PDT. Typical completion time is 2–3 hours. No Black Hat registration required.

There is no cost to attend. No sales pitches. Bring your “A” game.

Security Leaders Concert with Social Animals

Tue, August 3, 2021

8:00 PM — 11:00 PM PDT

House of Blues Las Vegas (3950 South Las Vegas Boulevard Las Vegas, NV 89119)

Don’t miss the hottest security conference party in Las Vegas this year!

Kick off your conference week with fellow security leaders and industry peers at the biggest security party in Las Vegas, inside the iconic House of Blues at Mandalay Bay.

Featuring a full hosted bar, mingle with industry colleagues and rock out with American Alternative band, Social Animals. Enjoy some of their hits, including: Best Years, Bad Things, Something to Keep Me Awake, and more!

Sponsored by the 14 hottest companies in security, this is THE can’t-miss event for this year’s conference attendees.

Brought to you by vArmour, HUMAN, SafeGuard Cyber, Chronicle Security, RiskIQ, Tanium, Synack, Area 1 Security, Cyber Mentor Fund, OKERA, HYAS, SecurityAdvisor, Synsaber, and Kognos.

Free Event. Hosted Bar. 21+ only. RSVP Required

BLACK HAT CISO SUMMIT

Tuesday, August 3, 2021

The Black Hat CISO Summit is an approval-only event during Black Hat USA which brings together top security executives from global corporations and government agencies for a full day of unique discussions. Offered the day before the main Black Hat USA Briefings sessions, the CISO Summit is intended to give CISOs and other InfoSec executives leading-edge insight into the latest security trends, technologies, and enterprise best practices.

AGENDA (PST)

9:00–9:15 AM

Welcome and Introductions

  • Jeff Moss, Founder, Black Hat + DEF CON
  • Steve Wylie, General Manager, Black Hat

9:15–9:45 AM

How Can New and Existing CISOs Stand Out From the Crowd and Separate Themselves From Others as They Compete for Desired Roles?

For new and existing CISOs the job market has never been riper with opportunity. The CISO has become the critical hire for many organizations regardless of industry, company size, or location. Whether a company is hiring a CISO to secure their products, achieve compliance, build customer trust, or demonstrate executive leadership, the job opportunities are plentiful. How do you know if you are a match?

  • What will prevent a company from taking a closer look at your background?
  • Understanding your superpower, personal brand, and points of separation from the crowd when attempting to stand out to an organization?
  • What should you consider and investigate when evaluating the many CISO and Head of Security opportunities?
  • To what information are you entitled and what defines a good match versus a bad match?
  • When considering an opportunity, understanding what’s “in it for me” as a candidate and “what’s in it” for the client?

We intend to explore these and other areas to help CISOs better comprehend the new world job market.

  • Michael Piacente
  • Lee Kushner

9:45–10:15 AM

Live Breakout Sessions:

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security

The SolarWinds attack brought additional scrutiny to software supply chain security, but concerns about organizations’ software supply chains have been discussed for a number of years. Development organizations’ shift to DevOps or DevSecOps has pushed teams to adopt new technologies in the build pipeline — often hosted by 3rd parties. This has resulted in build pipelines that expose a complicated and often uncharted attack surface. In addition, modern products also incorporate code from a variety of contributors — ranging from in-house developers and 3rd party development contractors to an array of open source contributors.

This talk looks at the challenge of developing secure build pipelines. This is done via the construction of a threat model for an example software build pipeline that walks through how the various systems and communications along the way can potentially be misused by malicious actors. Coverage of the major components of a build pipeline — source control, open source component management, software builds, automated testing, and packaging for distribution — is used to enumerate likely attack surface exposed via the build process and to highlight potential controls that can be put in place to harden the pipeline against attacks. After introducing the threat model, the presentation is intended to be an interactive discussion that will help attendees both evaluate internal build processes as well as ask vendors questions to better understand the maturity of their practices.

  • Dan Cornell

Anatomy of a Breach with CyberArk Labs: Supply Chain & Privilege

Examining revelations from the SolarWinds and Codecov attacks, it’s clear that the compromise of identity and manipulation of privileged access were instrumental in their success. In this session, CyberArk Labs deconstructs these breaches to shed light on supply chain risk and the lure of identity compromise by breaking down the key phases of the attack — from initial infection and customer targeting, through privilege escalation to high value assets.

  • Andy Thompson

Executive (dis)Orders: Cognitive and Systemic Risk in the Boardroom

Organizations have to address various forms and manifestations of risk: cyber risk, financial risk, supply chain risk and many others. Lately it seems that a large portion of innovation and disruptive thinking is coming from the bottom of the org chart and not so much from the top.

This session will dive into some strategic questions about risk that plague every business both large and small. Building secure systems and technology platforms that are resilient and profitable is not impossible, but increasingly difficult unless we strive to understand two oft-overlooked sources of trouble: cognitive risk and systemic risk.

  • Mike Wilkes

10:15–10:30 AM

CISO PANEL: Why Data Science Powered Behavioral Analytics is Critical to Modern Cyber Defenses

Staying ahead of cybercriminals and insider threats is more critical than ever. It’s also important to automate as much of your security operations as possible. Data science driven controls enable you to focus on what’s important — to connect the dots, weed out false positives, and get high efficacy results. Hear from peers with extensive experience implementing successful Machine Learning based cybersecurity controls. We’ll discuss the nuances of what to look for when evaluating data science cyber defenses. We’ll explore the business value of ML behavioral analytics and provide insights into how this technology has radically improved their organization’s security posture.

  • Saryu Nayyar
  • Kurt Lieber
  • Jim Routh

10:30–11:00 AM

Widespread & Worsening Cyber Events: A Cyber Insurer’s Perspective

“Think earthquake modeling and building codes but for cyber security. Yes, this exists.”

A leading cyber insurer’s view of the state of cybersecurity, and cyber insurance, in 2021 and beyond. As ransomware continues to dominate the headlines, Matt will provide details on the state of the cyber insurance industry and various efforts underway to become an even more engrained part of the holistic solution. With the escalating market failures that exist in the cyber security and technology industries; cyber insurance also needs to change and the data that cyber insurers have is valuable. Matt will discuss how and why insurance data and establishing a common lexicon for ‘cyber catastrophes’ in insurance contracts will inform society and continue to break down the walls between technology, cybersecurity, legal, insurance, & governments.

  • Matt Prevost

11:00–11:30 AM

Live Group Discussion

Be a part of the discussion. Join Advisory Board members Jeremiah Grossman, Wendy Nather, and Saša Zdjelar for a moderated discussion on the following topics:

  • What is this year’s snake oil?
  • What key policy areas can the federal government best help in cyber security?
  • Should ransomware payments be made illegal?
  • What Zero Trust concepts have you been able to successfully implement? What was the motivation and how were you able to overcome any challenges in doing so?

Attendees should come ready to ask questions and actively participate.

11:30–11:45 AM

Why Security Transparency Makes for Good Corporate Governance

Transparency in hiring, sustainability and privacy is in demand from consumers, investors, and regulators. Boards of directors are paying attention and changing their practices as a result. Is cybersecurity transparency next?

This session will cover the fast-developing realm of responsible disclosure practices, the rise in outside-in security testing, and the pressure for disclosure within supply chains. This mindset shift — from secrecy to transparency — is already happening. Topics include:

— Vulnerability disclosure policies — current and future

— Why over 40% of the Fortune 100 employ ethical hackers

— Supply chain disclosure for the U.S. government

— Communicating the benefits of security transparency to your Board

  • Marten Mickos

11:45 AM — 12:00 PM

Break

12:00–12:30 PM

Great Expectations (for Cyber Incident Response)

As the prevalence of cybersecurity incidents increases, more organizations have been obligated to keep Incident Response firms on retainer, or hire them at full price in the midst of an intrusion. Many of the most high-profile and lauded firms have reached their maximum capacity and have waitlists for new customers. As a result, many new incident response service providers have moved to fill the gap. Some firms provide exceptional service and boast top talent. Others are unfortunately not prepared to provide quality incident response services and are essentially ambulance-chasing. This presentation will discuss reasonable expectations which a customer should have of their incident response provider, as well as an overview of the proper incident response onboarding process and technical lifecycle. Attendees will learn to recognize key indicators of good quality and warning signs of poor quality incident response service.

  • Lesley Carhart

12:30–12:45 PM

A Seat at the Table: CISO Priorities are Business Priorities

During the past tumultuous year, CISOs have juggled many issues, including those brought on by the pandemic and a massive increase in the scale and scope of hacking, ransomware, and cybercrime. This session will dive into these challenges and look at how they have transformed the role of the CISO into that of a business enabler. Ben will share his expert advice on how CISOs can capitalize on this opportunity and keep the seat they’ve gained at the table.

  • Sumedh Thakar
  • Ben Carr

12:45–1:15 PM

How to Put Breaches on Your Resume and Live to Tell the Tale

We live in a time when the probability of a breach is high. As security leaders, we build our security programs informed by that fact. We think about things like incident prevention, detection, and response across our data, systems, and networks. But we also should reserve time to think about what happens to our organizations, security teams, and our own careers ahead of the breach.

Bob Lord has had a front row seat at organizations that have experienced much publicized breaches. In this talk, he’ll reflect on how companies and executives think about security, how that affects their actions, and how to build a more weatherproof career.

  • Bob Lord

1:15–1:45 PM

Live Breakout Sessions:

Defending the Build Pipeline

Software runs the world and that’s never been truer than it is today. From healthcare and transportation to finance and entertainment, software enhances our experience with hardware and each other. The development and deployment of software creates a “bottle-neck” risk which can impact many aspects of our lives. We will have an open discussion on the strategic implications of poorly protected build processes and how companies should be strategizing to better protect their software deployment journey.

  • Kurt John

Today’s CISO — Leading a Resilient Enterprise

Cybersecurity in any organization is measured by two instances in time — “before pandemic” or BP and “after pandemic” or AP. The BP CISO was largely viewed as the leader of a technical team, a cost center, and the department of “no”. The AP CISO is viewed as critical to the success of business outcomes, a trusted advisor to C-suite colleagues and the board, and the leader of cross-functional team work.

Join the AT&T Cybersecurity team to learn how the role of the CISO is evolving in an AP world and how the decisions made by CISOs today matter for the future of your company. With a steady hand to guide a company, the modern CISO will lead the journey to resilience, adaptability, and new ways of conducting business in an era defined by edge computing.

  • Theresa Lanowitz
  • Bindu Sundaresan

The Emerging Cyber Threat Landscape

The recent Rise of Ransomware can be traced to WannaCry and (Not)Petya that fused large scale compromise techniques with an encryption payload that demanded a ransom payment in exchange for the decryption key. This fusion inspired this new generation of human operated ransomware, vastly expanding the ransomware business model into an enterprise scale operation blending targeted attack techniques and the extortion business model, threatening disclosure of data and/or encryption in exchange for payment. Learn how this rise in ransomware is influencing cyber strategies that help strengthen your security posture.

  • Ann Johnson

1:45–2:15 PM

Locknote

At the close of the CISO Summit, join Black Hat Advisory Board members Jeremiah Grossman, Allison Miller, Justine Bone, and Alex Stamos for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways from the CISO Summit and how these trends will impact future InfoSec strategies.

2:15–3:15 PM

Closing Reception, sponsored by Cybereason

Black Hat — Omdia Analyst Summit

Virtual-only Event — Monday, August 2, 2021

2020 brought about a sea-change in how organizations operate and engage with their customers. Journeys to the cloud were turbo-charged. Digitization plans that might have taken years to come to fruition were delivered in weeks. We found ways of doing things that we didn’t know we could.

Yet this was only the beginning; organizations are continuing to evolve both front-office and back-office capabilities in today’s “reset normality”. Join the inaugural Omdia Analyst Summit at Black Hat for exclusive analyst insights into the security impacts of this change and what security functions and the wider business must consider to maintain and enhance security posture faced with this continuing organizational evolution.

AGENDA (PST)

9:00–9:30 AM

Welcome and Keynote

Security Has Gone Haywire: Surviving and Thriving Amid Organizational Evolution

Developments in the use of technology have been turbo-charged in the past 18 months. Organizational engagement with customers and citizens has been reimagined. Running an enterprise, irrespective of size, has evolved dramatically. The pace of change shows little sign of slowing, and organizations are battling to keep up with and get ahead of demand and what their competition is capable of.

The security function has had to turn on a sixpence (or a dime) and security has gone “haywire” in attempts to match the pace of organizational change. What are the biggest concerns of security professionals and CISOs as they navigate the changes they must make as their organizations look to survive and thrive in the new world? What is keeping them awake at night? And what can they do to get ahead of the game?

  • Maxine Holt, Senior Director, Research

9:35–10:05 AM

Data Security:

Ransomware: The New Terrorism

While encryption serves as a fundamental element of data security, when it is used by an adversary to deny organizations access to their own data, the consequences can be devastating. Recent security incidents directed at critical infrastructure have resulted in the United States DOJ and FBI elevating the severity of ransomware to be considered on par with terrorism. Ransomware gangs, with ties to criminal organizations worldwide, have been tied to some of the most destructive attacks in recent years. Omdia will outline some of the challenges that organizations face in their ability to prepare for and respond to ransomware attacks and highlight best data security practices to help mitigate the hurdles of this evolving threat.

  • Tanner Johnson, Principal Analyst

10:10–10:20 AM

Fast Chat:
Tanner Johnson talks to Israel Barack of Cybereason

10:25–10:45 AM

Identity, Authentication, Access:

Is Continuous Authentication All It’s Cracked Up to Be?

Even before the 2020 coronavirus pandemic forced millions of knowledge workers worldwide to work from home, it had long been a truism that identity had become “The Perimeter”. Continuous authentication is a method of identity confirmation on an ongoing basis. In this session we will look at the various types of CA and also explore the pros, the cons, and the challenges of utilizing these technologies over the next few years.

  • Don Tait, Senior Analyst

10:45–11:05 AM

Break

11:05–11:35 AM

Infrastructure Security:

The Decaying Corpse of the Hardware Security Market Gives Life to Cloud-Native and Cloud-Delivered Infrastructure Security

Proprietary hardware-based security solutions deployed behind the safe walls of enterprise-owned HQs, data centers, and campuses are flagging, they just don’t know it yet…a bit like the famous “I’m not dead” scene in Monty Python and the Holy Grail. And while the vendors who deliver those solutions are coming off record-breaking 2020 sales numbers yelling “I feel happy”, the cloud providers and their enterprise customers who are rapidly moving data, applications, and infrastructure into the cloud are standing right behind them with a cudgel. Fear not though, because many of those same vendors, and a slew of new ones, have been migrating existing technology and developing new solutions that are cloud-native, cloud-delivered, or both. In this session we’ll look at how infrastructure security solutions like firewall, DDoS mitigation, web/application security and more will manage the move to the cloud.

  • Jeff Wilson, Chief Analyst

11:40–11:50 AM

Fast Chat:
Curt Franklin talks to Anand Oswal of Palo Alto Networks

11:55 AM — 12:05 PM

Snapshot Session: Emerging Security Technologies

Beyond CWPP and CSPM: Cloud Permissions Management brings a Zero Touch approach by curtailing entitlements

Cloud workload protection platforms provide runtime security for cloud-based code and data, while cloud security posture management checks for compliance or security drift in apps in the cloud. Both can be considered reactive technologies, but now CPM arises to reduce attack surfaces before any attack happens.

  • Rik Turner, Principal Analyst

12:10–12:20 PM

Fast Chat:
Rik Turner talks to Kevin Keh of ISACA

12:25–12:55 PM

Security Operations:

Rebuilding the SOC Stack: SecOps Priorities & Technologies for 2021 and Beyond

Enterprise cybersecurity operations (SecOps) technology architectures have remained surprisingly static over the past decade. Today, a confluence of long-awaited technology advancements and unexpected global events are ushering in a new generation of SOC capabilities, and with them dramatic ramifications. This presentation will not only examine how industry changes are affecting SecOps business and technical priorities, but also how solutions are evolving to realign and even remake the SOC technology stack.

Specific areas of focus will include:

  • Omdia’s view of enterprise SOC technology priorities, based on exclusive survey results
  • Detailing how Next-Generation SIEM solutions will drive enterprise threat detection & response evolution
  • Understanding the emerging XDR technology landscape, and the implications for traditional SIEM-based SOC architectures

  • Eric Parizo, Principal Analyst

12:55–1:35 PM

Lunch

1:35–2:00 PM

Enterprise Security Management:

Turning Users into Cybersecurity Allies: Pushing, Pleading, or Punishing?

Users are never neutral. They are either vulnerabilities to be managed or part of your cybersecurity defenses. What does it take to turn them into allies? Traditional approaches have relied on a triumvirate of threats, rewards, and responsibility to move employees into the “ally” column. But do new technologies mean that the makeup of that trio needs to change? What can technology do for increasing cybersecurity awareness and helping employees move from awareness to ally? Are there technologies that make the employees’ role less important? And what are the implications to cybersecurity and your organization’s culture of choosing one strategy over another? This session will pack a lot into a few minutes, but you’ll come away with a better understanding of what technologies and strategies can (and cannot) do together, or one at a time.

  • Curt Franklin, Senior Analyst

2:05–2:15 PM

Fast Chat:
Maxine Holt talks to Adam Bromwich of Broadcom

2:20–2:30 PM

Snapshot Session: IoT Cybersecurity

Now a Matter of Life and Death: The Expanding IoT Threat Landscape in Healthcare

The IoT in healthcare is an attack vector and attackers have a choice. Option 1: Use the IoT to access PII and/or compromise the systems that run the healthcare organization. Option 2: Render IoT devices inoperable to disrupt healthcare provision. Neither of these options is acceptable to the healthcare organization, but they are a risk that must be assessed and addressed. Join this Omdia snapshot session to hear about the significant rise in IoT devices in healthcare and what organizations must consider to protect the health and well-being of their patients.

  • Hollie Hennessy, Senior Analyst

2:35–2:45 PM

Snapshot Session: Emerging Security Technologies

Zero Trust Access: The VPN replacement technology becoming the tail that wags the SASE dog

When the SASE paradigm, in which networking and security technologies are bundled and delivered from the cloud, was announced in 2019, it looked like Zero Trust Access had been added as an afterthought after the network, SD-WAN, firewalls, secure Web gateways, and CASBs. Eighteen months and one pandemic later, ZTA has become the key component that no SASE worth its salt can do without.

  • Rik Turner, Principal Analyst

2:45–3:05 PM

Break

3:05–3:30 PM

IT Security Services:

Building an Interlaced Security Armour Through the Fabric of Security Services

End-to-end cybersecurity for large enterprises and government is complex, and a rapidly evolving advanced threat landscape raises the stakes. But not all CISOs and CIOs are well prepared for the tough challenges ahead. Now, more than ever, organizations need help to build critical internal security capabilities, augment these with a third-party security provider, and consider partnering for longer-term success.

Attend this session to hear about the key organizational cybersecurity challenges facing every CISO and what to expect from a global leader in cybersecurity services.

  • Adam Etherington

3:35–3:45 PM

Fast Chat:
Adam Etherington talks to Theresa Lanowitz of AT&T

3:50–4:30 PM

Live Q&A with Omdia Analysts

Join this live Q&A session with some of today’s analysts to ask any questions that you might have from today’s presentations or indeed anything else #cybersecurity that you might want to ask!

ARSENAL

Arsenal brings independent researchers to showcase their open-source tools with the Black Hat community. Tools cover a variety of tracks, from mobile hacking to network defense. Learn about the latest resources and developments for tool creators and developers.

Arsenal Reception

Date: Thursday, August 5 | 2:50pm-4:00pm ( Business Hall, Arsenal )

Track:

Session Type: Arsenal

Join us on Thursday, August 5 from 2:50 PM — 4:00 PM for drinks and networking as we thank our Arsenal presenters for their contributions to the open-source community.

ARSENAL HIGHLIGHTS:

Capture the Signal: Running Wireless IoT CTFs, Remotely!

Federico Maggi
Marco Balduzzi
Jonathan Andersson

Date: Wednesday, August 4 | 11:00am-12:00pm ( Virtual )

Track:

Session Type: Arsenal

The famous DEFCON CTF is one of the thousands of Capture the Flag (CTF) contests that, for many years, have been the “lifeblood” of the cybersecurity community. CTF players reverse-engineer vulnerable services in traditional IT applications (like web and binary) to score points.

Given the increased adoption of wireless-connected devices and pervasive, interconnected networks of so-called “IoT systems,” since 2018 our teams of researchers have been promoting an RF-specific version of traditional CTFs, in which contestants are asked to reverse engineer radio-based protocols as opposed to traditional network communications. We called our contest the Capture the Signal (CTS) (https://www.trendmicro.com/cts/). This activity is also known as “blind signal analysis,” as the signals’ specifications are unknown to the attacker. Each radio signal corresponds to a challenge. The challenges are organized by difficulty levels, and each solved challenge unlocks the next one. In other words, the flag concealed in each signal represents the clue to the next radio signal (e.g., the tuning frequency or any other radio parameters). The more points are scored, the closer the contestant is to winning.

In normal circumstances, we’ve hosted the game on site at conferences world-wide, where radio signals are distributed “over the air,” and participants are asked to use software-defined radio equipment to interact with the challenges. However, due to the diverse local regulations in terms of wireless transmissions, we designed and implemented a containerized solution that eliminates the complexity of deploying physical radio transmitters, using an RF-over-IP broadcasting technique instead. With this framework, we can easily deploy CTS contests in countries with strict wireless regulation and remotely, backed by any cloud provider that offers container services.

Cloudtopolis: Zero Infrastructure Password Cracking

Joel Gámez

Date: Wednesday, August 4 | 11:00am-12:00pm ( Virtual )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Cloudtopolis is a tool that facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platform, quickly and completely unattended (and also, free!). Together with Google Colaboratory, it allows us to break hashes without the need for dedicated hardware, from any browser (even from your smartphone).

Thanks to its implementation through Docker, it can be run almost anywhere in a fast and easy way. In addition, it can be used collaboratively with different accounts, which is very useful for CTF teams or Red Team exercises.

As a novelty in this talk, automated clients for Windows and Linux (not disclosed yet) will be presented, which can additionally use the user’s local resources together with the graphics cards provided by Colab.

Report Writing Is Half the Battle: Finish Your Report in Less Time and Get Back to Hacking.

Tabatha DiDomenico

Dates: Wednesday, August 4 | 11:00am-12:00pm ( Virtual )
Wednesday, August 4 | 4:40pm-5:50pm ( Business Hall, Arsenal Station 5 )
Thursday, August 5 | 1:00pm-1:50pm ( Business Hall, Arsenal Station 5 )

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

A single place to hold assessment findings, notes, methodologies, tasks, and feedback from your team makes working together simpler and saves time delivering reports. Dradis combines the output of 20+ popular security tools — including Nessus, Qualys, Burp, and Nmap, along with your manual notes to keep all of your findings centralized for one click report generation.

If you’re reviewing scan results manually or putting together reports by hand, digging through emails and chat logs for details from teammates, or copying and pasting findings from old reports instead of having a findings database, do yourself a favor and download Dradis CE so you can get back to hacking.

Started in 2007 to solve the frustrations associated with creating reports, Dradis Framework has an established track record and a full time, international team working every day so you can ditch the overhead of a traditional security assessment workflow.

Blue Pigeon: Bluetooth-Based Data Exfiltration and Proxy Tool for Red Teamers

Chia Hui Mah
Jing Loon Goh
Kang Hao Leng

Dates: Wednesday, August 4 | 11:20am-12:30pm ( Business Hall, Arsenal Station 4 )
Thursday, August 5 | 2:00pm-2:50pm ( Business Hall, Arsenal Station 1 )
Thursday, August 5 | 3:00pm-4:00pm ( Virtual )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Blue Pigeon is a Bluetooth-based data exfiltration and proxy tool to enable communication between a remote Command and Control (C2) server and a compromised host. It is developed as an Android application for the Red Teamer to deploy within the vicinity of the compromised host. Expanding on the “Exfiltration over Alternative Protocol” technique (ID: T1048) under the Exfiltration tactic of the MITRE ATT&CK framework, Blue Pigeon provides a novel way of establishing Command and Control and performing data exfiltration as an Action on Objective of the Cyber Kill Chain by utilizing Bluetooth File Sharing as the communication protocol.

Establishing Command and Control and performing data exfiltration are key phases in the Cyber Kill Chain, but they often come with their complications and severe implications if done wrongly. In a Red Team operation, a misfired attempt could leave permanent traces in the network activity logs and raise alarms in the detection mechanisms. In situations where communication over traditional channels (such as through web, e-mail or DNS) is to be avoided or not available, it could be challenging to establish communication back to the attacker.

With few solutions available to address this operational need, we explored various exfiltration ideas based on wireless/radio-comms vectors. As a result, Blue Pigeon was created to expand our Red Team toolset.

Phishmonger: Welcome to the Phish Market

Forrest Kasler

Dates: Wednesday, August 4 | 11:20am-12:30pm ( Business Hall, Arsenal Station 5 )
Wednesday, August 4 | 1:00pm-2:00pm ( Virtual )
Thursday, August 5 | 1:00pm-1:50pm ( Business Hall, Arsenal Station 3 )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Phishmonger is an email phishing tool that allows penetration testers to quickly template, test, and deploy phishing campaigns.

Phishmonger has several key features for operators that we have not seen in other open-source phishing tools. These features include:

  • The ability to build templates by capturing “real” emails. Operators craft their phishing emails in a mail client, like Outlook, and send them to the Phishmonger server where they are parsed and automatically turned into templates.
  • The ability to DKIM sign messages to help with spam scores.
  • The ability to view SMTP logs in real time, from the web UI, for testing and troubleshooting.
  • The ability to view, search, and modify phishing results in real time without reloading the results page.
  • The ability to integrate with MitM tools to capture session cookies and bypass multi-factor authentication on many target applications.

The tool also allows operators to send test emails while templating, view previews of templates in the UI, “ignore” false positive results from within the UI, run multiple campaigns at a time, and export campaign results CSVs and graphs to a zip file.

Hacking the Digital Drone License Plate

Bobby Sakaki

Dates: Wednesday, August 4 | 12:00pm-1:30pm ( Business Hall, Arsenal Lab )
Thursday, August 5 | 12:00pm-1:30pm ( Business Hall, Arsenal Lab )

Track: Arsenal Lab

Session Type: Arsenal

Description:
This game is designed to explore a variety of proposed drone identification protocols, so-called UAS Remote ID systems. Your goal will be to find a weakness in a variety of Remote ID protocols and exploit it by (generally) forging a message that a receiver will accept as valid. There are eight levels (0–7), where each represents some simulacrum of an existing protocol, a proposed protocol, or an amalgamation of both. Point being: pretty much everything out there is, has been, or can be broken.

Requirements:
Players will need some sort of device on which they can write and run some basic code and have a connection to the internet. That’s basically it. There are no restrictions on the toolset, though you will find languages that support HTTP POST requests, JSON parsing, and cryptographic operations to be very helpful.

WARCannon: Grep the Entire Internet for WebApp Vulnerabilities

Brad Woodward

Dates: Wednesday, August 4 | 4:40pm-5:50pm ( Business Hall, Arsenal Station 1 )
Wednesday, August 4 | 12:00pm-1:00pm ( Virtual )
Thursday, August 5 | 10:00am-10:50am ( Business Hall, Arsenal Station 4 )

Track: Web AppSec

Session Type: Arsenal

Have you ever found a novel vulnerability in a website, framework, JavaScript library, or third-party integration, and wondered how many other people in the world are vulnerable, too? Have you ever wished that you could non-invasively grep the internet for a vulnerability indicator?

WARCannon was built for exactly this purpose, and is fed by Common Crawl via the AWS Open Data program to allow for petabyte-scale analysis of previously-spidered websites. Security researchers and bug bounty hunters can leverage WARCannon to scale their research horizontally across the entire internet in a fast, cost-effective, and entirely non-invasive/invisible way.

Scanning DNA to Detect Malicious Packages in Your Code

Carlos Avila
Franco Piergallini
Diego Espitia

Dates: Thursday, August 5 | 2:00pm-3:00pm ( Virtual )
Wednesday, August 4 | 12:40pm-1:50pm ( Business Hall, Arsenal Station 5 )
Thursday, August 5 | 3:00pm-3:50pm ( Business Hall, Arsenal Station 3 )

Track: Code Assessment

Session Type: Arsenal

PackageDNA is an open-source, free and modular tool developed in Python3 that offers developers and researchers the ability to analyze code packages from different programming languages, searching for vulnerabilities in the code, possible manipulations or spoofing of the package (‘typosquatting’), suspicious files, and strings in the code, among other data for analysis.

PackageDNA enables threat intelligence analysis or code audits that allow detecting attacks on the software supply chain. The vast majority of companies integrate third-party code into their developments, hence the need for a suite such as PackageDNA that analyzes all this external code and delivers the results of the analysis in a standardized way.

Introducing subCrawl: A Framework for the Analysis and Clustering of Hacking Tools Found Using Open Directories

Josh Stroschein
Patrick Schläpfer

Date: Wednesday, August 4 | 1:00pm-2:00pm ( Virtual )

Track: Malware Offense

Session Type: Arsenal

From phishing kits to command-and-control panels, web shells and multiple samples of malware, open directories can provide a wealth of information into threat actor operations. But how can we discover open directories? And once we discover them, what are the next steps for identifying interesting content?

To answer these questions, we created the open-source framework subCrawl. subCrawl is written in Python3 and provides a modular framework for discovering open directories, identifying unique content through signatures, and organizing the data with optional output modules, such as MISP.

Open directories are simply folders that are viewable on a public web server that provides direct links to all its content. While open directories can be used to legitimately share files, they are often overlooked by threat actors. Therefore, they can provide insight into the structure, tools and malware being used by many threat actors. This oversight can provide direct access to the tools they’ve placed on a server, such as web shells, C2 panels or proxy scripts.

To organize the data, we use our framework subCrawl to aggregate the data with fuzzy hashes, web server information, used scripting languages and more. This approach allows for the creation of signatures that can be used to track tool usage across multiple hosts and cluster threat actor activities. To help manage the hosts explored and the data collected, we create consolidated MISP events, which enables us to cluster the found artifacts and draw interesting conclusions about the use of tools.

We will present the open-source framework subCrawl, which reflects our approach for hunting open directories. We will also explore our methodology to detect and cluster malicious content using publicly available threat feeds with the support of the well-known tool MISP, which helps us to store the data in a structured form and cluster it.

Tsurugi Linux Project: The Right DFIR Tool in the Wrong Time

Giovanni Rattaro
Marco Giorgi

Date: Wednesday, August 4 | 1:00pm-2:00pm ( Virtual )

Track: Data Forensics/Incident Response

Session Type: Arsenal

Any DFIR analyst knows that every day, in many companies regardless of size, it is not easy to perform forensic investigations, often due to a lack of internal information (such as mastery of the whole IT architecture, or having the logs, or the right ones…) and of ready-to-use DFIR tools.

As DFIR professionals we have faced these problems many times, and so we decided last year to create something that can help whoever needs the right tool in the “wrong time” (during a security incident).

And the answer is the Tsurugi Linux project, which, of course, can also be used for educational purposes.
After more than a year since the last release, a Tsurugi Linux special BLACK HAT EDITION of this major release will be shared with the participants before the public release.

Mushikago: IT and OT Automation Penetration Tool Using Game AI

Yuta Ikegami
Masato Hamamura

Date: Wednesday, August 4 | 2:00pm-3:00pm ( Virtual )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Penetration testing is an effective means of discovering vulnerabilities and inadequate settings in the overall system, and of investigating whether there are any operational security risks. However, in manual penetration testing, there are many cases where it is unclear whether the test content is really appropriate, because the diagnosis varies depending on the tester’s strengths and weaknesses, interests, physical condition, and mental state on that day. Also, excellent testers are already booked with a large amount of work, and it is not always possible to engage them. In addition, cyber attacks on ICS (Industrial Control Systems) have been increasing recently, especially in 2020, when there were many cases of ransomware infections that caused damage to ICS. Furthermore, the number of reports of ICS vulnerabilities is increasing every year. In response to this situation, penetration testing for ICS has been attracting much attention.

In this work, we developed Mushikago, an automatic penetration testing tool using game AI, which, among penetration tools, focuses on post-exploitation verification. A post-exploit is an attack that an attacker carries out after entering the target environment. By focusing on post-exploit verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. Mushikago uses GOAP (Goal Oriented Action Planning), a game AI technique commonly used for NPCs (Non-Player Characters). By using Mushikago, we can flexibly change the content of the attack according to the environment and mimic the attacks conducted by actual APT attackers and testers. It is also possible to identify terminal information, account information, and network information without manual intervention, and to visualize and report them based on MITRE ATT&CK. In addition, Mushikago supports ICS, and can be used for penetration testing across IT and OT (Operational Technology).

Bringing the X86 Complete RE Experience to Smart Contract

ZiQiao Kong
ChenXu Wu
KaiJern Lau

Date: Wednesday, August 4 | 3:00pm-4:00pm ( Virtual )

Track: Reverse Engineering

Session Type: Arsenal

Currently there is more than 2 Trillion USD of market cap in the cryptocurrency market; DeFi alone is more than 100 Billion. With the popularity of the DeFi market, smart contracts have again become the playground of hackers and security researchers. Token “robbery” has become the most problematic issue for both investors and cryptocurrency exchanges.

The Ethereum Virtual Machine (EVM) is still the most widely used architecture supporting the core of smart contracts, such as Polkadot, EVM and soon the Cardano blockchain. Emulators built around the EVM are merely good for development purposes. Most of the EVM analysis engines are just debugging tools based on symbolic execution. Unfortunately, these engines are just simple tools that do not encourage and support us to develop tools on top of them.

During Black Hat Asia Arsenal 2021, we presented “Qiling: Smart Analysis for Smart Contract” [1] and explained the foundation of Qiling’s EVM engine. At Black Hat USA Arsenal 2021, we would like to take this opportunity to demonstrate the full capabilities and tools that we built on top of Qiling’s EVM engine. That brings the complete traditional X86 reverse engineering experience to the smart contract space.

- Real time EVM debugger, with step into, step over and memory stack modification capabilities
- Full emulation of multi cross contract instrumentation
- Ultra fast emulation with pre-set environment variable
- Fully automated reapplication and verification of the latest smart contract attacks against all existing contracts on an exchange or chain
- Make symbolic execution to work with Qiling EVM engine to provide a more in depth emulation
- Added a fully functional LLVM Intermediate Representation (IR). It allows users to build an ultra-fast fuzzer on top of the Qiling Framework.

To demonstrate the power of our framework and tools, we prepared case studies and demos on how we can rebuild the entire blockchain and verify the currently existing smart contracts against the latest attacks discovered in the wild, in a matter of a few lines of code.

Once the talk ends, we will release the code and tools into the Qiling GitHub repo, as usual.

Play with Fire: Uncovering Fairplay DRM and Obfuscation for Fun and Profit

Junzhi Lu
Xindi Wang
Ju Zhu

Date: Wednesday, August 4 | 3:00pm-4:00pm ( Virtual )

Track: Reverse Engineering

Session Type: Arsenal

Apple has used Fairplay DRM in App Store apps since 2013. For a long time, a jailbroken iOS device was necessary for decrypting DRM-protected apps, which brought many problems for security researchers and malware analysts. Moreover, Apple’s proprietary DRM implementation and other components are highly protected with LLVM-based obfuscation, and the lack of review and research may also leave vulnerabilities lasting. With the release of the highly iOS-similar Apple Silicon devices, we are able to explore more secrets of hardware and software on Apple platforms. My work covers three parts: firstly, how Fairplay DRM works and how to make a DRM decryption system on an M1 Mac without breaking the system; secondly, the possible attack surface of FairplayIOKit; and lastly, what methods Apple uses to obfuscate their proprietary software and how to attack their weaknesses.

Cyber Weapon Range

Brian Sypher
Dan Wolfford, MSc, USAF (R)

Dates: Wednesday, August 4 | 3:20pm-4:30pm ( Business Hall, Arsenal Station 5 )
Thursday, August 5 | 12:00pm-12:50pm ( Business Hall, Arsenal Station 5 )

Track: Malware Offense

Session Type: Arsenal

We built a gun range for cyber weapons and made it available to Black Hat as a contest. Contestants get to shoot cyber weapons at targets and observe the results. Range officers will be online to advise and assist as necessary. Top shooters are awarded marksmanship badges.

LUDA: Large URLs Dataset Analyzer for Security

Jordan Garzon
Asaf Nadler

Date: Wednesday, August 4 | 10:00am-11:00am ( Virtual )

Track: Network Defense

Session Type: Arsenal

What interesting stuff can we find by looking only at URLs without the actual HTTP traffic?

Well, quite a lot. Hackers often do not reinvent the wheel. They buy existing malware or phishing kits that use the same scheme for HTTP communication. Techniques to randomize URLs, like DGAs, often apply only to the domain part. But what about the rest?

In this talk, we present LUDA — Large URLs Dataset Analyzer for security. It works in two modes: Malware or Phishing.
The first will detect similarities between C2 communications and cluster them by families. The second will apply the same clustering with an additional layer of “brand” detection.
Both of them can automatically extract regexes using a genetic algorithm, and can be deployed for inline detections.
This powerful tool already supports integration with various public malicious repositories like PhishTank, URLhaus and VirusTotal, as well as dozens more.
As opposed to similar projects, this tool is focused only on security. It includes specific options like automatic false positive cleaning.
We will demo how we can run LUDA on public datasets with the two modes and show how it succeeds in getting quality insights from large datasets. Finally, we will show which threat families are currently found on real traffic data taken from the Akamai Secure Web Gateway.

REW-sploit: Dissecting Metasploit Attacks

Cesare Pizzi

Date: Wednesday, August 4 | 10:00am-11:00am ( Virtual )

Track: Data Forensics/Incident Response

Session Type: Arsenal

Metasploit and Cobalt Strike are widely used tools for red teams, pen-testers and sometimes malicious actors. They deliver a lot of ready-to-use exploits, facilitating the work of the attacker. But who thinks about the poor blue-team members? They are left alone. It looks like automation is for attackers only!
But now, there is hope: REW-sploit is a new tool with the aim of helping defenders analyze Metasploit (and in some form Cobalt Strike) based attacks. Leveraging some well-known frameworks, it can emulate payloads, extract crypto keys and correlate PCAP dumps to get extra info about what is going on. Automation is now for defenders too!

Scrapesy: Open Source Credential Leak and Validation Tool

Michael Giordano
Julie Smith

Dates: Wednesday, August 4 | 10:00am-11:10am ( Business Hall, Arsenal Station 2 )
Thursday, August 5 | 3:00pm-3:50pm ( Business Hall, Arsenal Station 5 )

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

“Scrapesy™ (pending) is a credential scraping and validation tool developed internally by the Standard Industries Red Team. It gathers, ingests, and parses combolists and credential dumps from known dark web and other sources. It will check them against a list of explicit domains or email addresses owned by or associated with the organization for potential compromised accounts. Scrapesy attempts to identify and mitigate organizational-related account compromises before they can be actively leveraged.”

Lazyrecon v2.0

Kirill Zhdanov

Date: Thursday, August 5 | 10:00am-11:00am ( Virtual )

Track: Exploitation and Ethical Hacking

Session Type: Arsenal

Lazyrecon v2.0 is a subdomain discovery tool that discovers and resolves valid subdomains, then performs SSRF/LFI/SQLi fuzzing and port scanning. It has a simple modular architecture and is optimized for speed while working with GitHub and the Wayback Machine.

USBsamurai: One Cable To Pwn’em All

Luca Bongiorni

Date: Thursday, August 5 | 10:00am-11:00am ( Virtual )

Track: Hardware/Embedded

Session Type: Arsenal

In recent years, hardware implants have become a popular attack vector in air-gapped environments such as industrial networks: Stuxnet (2010), Operation Copperfield (2017), and the recent ransomware attack that led to a shutdown in a US natural gas facility are only some notable cases. In parallel, in an effort to raise the bar of red-teaming operations, security researchers have been designing and releasing powerful open-source devices with the intent to make Red-Teaming operations even more interesting and disruptive, smoothing the path to new TTPs and improving old ones. As a result, hardware implants should always be included in the threat modeling of an industrial facility.

During this talk, after a bit of history of hardware implants, a new hacking device will be presented: USBsamurai. A remotely-controlled USB HID injecting cable that costs less than 15 USD to produce from off-the-shelf components (a cable and a USB radio transceiver) that can be used to compromise targets remotely (i.e. over a 2.4GHz undetectable protocol) in the stealthiest way ever seen & also bypass Air-Gapped Environments like a boss!

This presentation will be quite technical, tailored for an ICS security audience. Come to this talk to start preparing for the next wave of attacks that can pass undetected by most of the existing security solutions available on the market.

Finally, I’ll conclude the talk with practical, actionable countermeasures to prevent and detect HID attacks, and conclude by explaining how to approach a forensics analysis in presence of USB implants.

Tracee: Linux Runtime Security and Forensics Using eBPF

Yaniv Agman
Roi Kol

Date: Thursday, August 5 | 11:00am-12:00pm ( Virtual )

Track: Reverse Engineering

Session Type: Arsenal

Tracee is a runtime security and forensics tool for Linux. It is composed of tracee-ebpf, which collects OS events, and tracee-rules, which is the runtime security detection engine.

Tracee-ebpf is capable of tracing all processes in the system or a group of processes according to some given filters. The set of events to trace can be selected by the user and include the following:

1. System calls

2. LSM hooks (security_file_open, security_bprm_check, cap_capable, …)

3. Internal kernel functions (vfs_write, commit_creds, …)

4. Special events and alerts (magic_write, mem_prot_alert, …)

Other than tracing, Tracee-ebpf is also capable of capturing files written to disk or memory (e.g. “fileless” malwares), and extracting binaries that are dynamically loaded to an application’s memory (e.g. when a malware uses a packer). Using these capabilities, it is possible to automatically collect forensic artifacts for later investigation.

Tracee-Rules is a rule engine that helps you detect suspicious behavioral patterns in streams of events. It is primarily made to leverage events collected with Tracee-eBPF into a Runtime Security solution.

Tracee supports authoring rules in Golang or in Rego.

New Face, Who Dis? Protecting Privacy in a World of Surveillance

Mike Kiser

Date: Thursday, August 5 | 12:00pm-1:00pm ( Virtual )

Track: OSINT — Open Source Intelligence

Session Type: Arsenal

While it has its potential benefits, facial recognition is eroding privacy and other human rights. Over the past year, several organizations have acknowledged that they have “scraped” social media and similar sites for photos to build their biometric databases, and photos intended for personal use only have now been potentially weaponized.

Industry and government have ethical responsibilities to prevent this, but what if there were a way to enhance privacy for individuals without waiting for the cavalry? Adversarial technology can provide a way to protect this biometric, but it must be as easy to use as picking up their mobile device and taking a photo.

Introducing “Ruse,” a mobile app that seeks to use adversarial strategies to make personal photos less useful for commercial facial recognition systems while retaining a (relatively) low impact on human usefulness.

Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System

Sebastian Garcia
Kamila Babayeva

Date: Thursday, August 5 | 1:00pm-2:00pm ( Virtual )

Track: Network Defense

Session Type: Arsenal

Slips is a behavioral-based intrusion prevention system, and the first free software to use machine learning to detect attacks in the network. It is a modular system that profiles the behavior of IP addresses and performs detections in time windows. Slips’ modules detect a range of attacks both to and from the protected device. Slips connects to other Slips using P2P, and exports alerts to other systems.

Slips works in several directionality modes. The concept of home network is not used to choose which detection to apply, but to choose which profile to analyze. The user can choose to detect attacks coming *to* or going *from* these profiles. This makes it easy to protect your network but also to focus on infected computers inside your network.

Among its modules, Slips includes the downloading/managing of external Threat Intelligence feeds (including our laboratory’s own TI feed), whois/asn/geocountry enrichment, an LSTM neural net for malicious behavior detection, port scanning detection (vertical and horizontal) on flows, long connection detection, etc. The decisions to block profiles or not are based on ensembling algorithms. The P2P module connects to other Slips to share detection alerts.

Slips can read packets from the network, pcap, Suricata, Zeek, Argus and Nfdump, and can output alert files and summaries. Using Zeek as a base tool, Slips can correctly build a sorted timeline of flows combining all Zeek logs. Slips can send alerts using the STIX/TAXII protocol.

More importantly, the Kalipso Node.js interface allows the analysts to see the profiles’ behaviors and detections performed by Slips modules directly in the console. Kalipso displays the flows of each profile and time window and compares those connections in charts/bars. It also summarizes the whois/asn/geocountry information for each IP that communicates with a protected device.
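The per-profile, per-time-window port-scan detection and the directionality modes described above, as an added illustration that is not Slips’ own code; the home network, thresholds, window length and the Zeek-style sample flows are constructed assumptions.

```python
"""Per-profile, per-time-window port-scan detection over Zeek-style flows.

Added illustration of the detection the Slips abstract describes; this is not
Slips' own code. The home network, direction modes, thresholds, window length
and the sample flows below are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

WINDOW_SECONDS = 3600        # assumption: one-hour time windows
VERTICAL_THRESHOLD = 6       # assumption: distinct ports on a single host
HORIZONTAL_THRESHOLD = 6     # assumption: distinct hosts on a single port

# Constructed Zeek conn.log-like lines (tab separated), columns:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  conn_state
SAMPLE_CONN_LOG = "\n".join(
    # inside host 10.0.0.5 probes eight ports on 10.0.0.20 (vertical scan)
    [f"1627840{i:03d}.0\tC{i}\t10.0.0.5\t5{i:04d}\t10.0.0.20\t{20 + i}\ttcp\tS0"
     for i in range(8)]
    # outside host 192.168.1.7 probes port 22 on eight inside hosts (horizontal)
    + [f"1627841{i:03d}.0\tD{i}\t192.168.1.7\t4{i:04d}\t10.0.0.{100 + i}\t22\ttcp\tS0"
       for i in range(8)]
    # one ordinary completed connection, below every threshold
    + ["1627842000.0\tE0\t10.0.0.9\t40000\t10.0.0.1\t443\ttcp\tSF"]
)


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


def parse_conn_log(text: str) -> List[Flow]:
    """Parse only the conn.log columns the detector needs; skip '#' header lines."""
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        flows.append(Flow(float(cols[0]), cols[2], cols[4], int(cols[5])))
    return flows


def detect_port_scans(flows: List[Flow], home_net: str, direction: str) -> List[Tuple]:
    """Profile the source IP of each flow and count, per time window, how many
    distinct ports it touched on one host (vertical) and how many distinct
    hosts it touched on one port (horizontal).

    direction="from": only flows leaving a home host are analysed, so the
    profiles are home hosts that may be infected and scanning outward.
    direction="to":   only flows arriving at a home host are analysed, so the
    profiles are whoever is scanning the home network.
    Returns sorted (profile_ip, window_start, kind, detail) tuples.
    """
    if direction not in ("from", "to"):
        raise ValueError("direction must be 'from' or 'to'")
    net = ip_network(home_net)
    ports_per_host: Dict[Tuple[str, int, str], Set[int]] = defaultdict(set)
    hosts_per_port: Dict[Tuple[str, int, int], Set[str]] = defaultdict(set)
    for fl in flows:
        scoped_ip = fl.src if direction == "from" else fl.dst
        if ip_address(scoped_ip) not in net:
            continue
        window = int(fl.ts // WINDOW_SECONDS) * WINDOW_SECONDS
        ports_per_host[(fl.src, window, fl.dst)].add(fl.dport)
        hosts_per_port[(fl.src, window, fl.dport)].add(fl.dst)

    alerts = []
    for (src, window, dst), ports in ports_per_host.items():
        if len(ports) >= VERTICAL_THRESHOLD:
            alerts.append((src, window, "vertical", f"{len(ports)} ports on {dst}"))
    for (src, window, dport), hosts in hosts_per_port.items():
        if len(hosts) >= HORIZONTAL_THRESHOLD:
            alerts.append((src, window, "horizontal", f"{len(hosts)} hosts on port {dport}"))
    return sorted(alerts)


if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for mode in ("from", "to"):
        print(f"direction={mode}")
        for alert in detect_port_scans(flows, "10.0.0.0/24", mode):
            print("  ", alert)
```

With home network 10.0.0.0/24, the "from" mode reports only the inside host scanning vertically, while the "to" mode additionally reports the outside host sweeping port 22 across the network.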

Solitude: A Privacy Analysis Tool

Dan Hastings

Date: Thursday, August 5 | 2:00pm-3:00pm ( Virtual )

Track: Android, iOS and Mobile Hacking

Session Type: Arsenal

Solitude is an open-source privacy analysis tool that aims to help people inspect where their private data goes once it leaves their favorite mobile or web applications. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating an app’s privacy accessible for everyone.

Unfortunately, privacy policies are often difficult to understand when trying to identify how your private data is being shared and whom it’s being shared with. As we have seen through research, privacy policies don’t always tell the complete truth about an app’s actual data collection practices. Solitude was built to give users more transparency into where their private data goes. Solitude makes the process of proxying HTTP traffic and searching through it more straightforward. Solitude can be configured to look for any type of data that you input into a mobile or web application and reveal where that data is going. The application inspects all outbound HTTP traffic, looks for various hashes of your data, and recursively decodes common encoding schemes (base64, URL).
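The search described above (raw value, common hashes of it, and recursive base64/URL decoding of outbound requests), as an added illustration that is not Solitude’s own code; the secret value, the sample request, the hash set and the decoding depth limit are constructed assumptions.

```python
"""Trace where a private value goes in outbound HTTP traffic, the way the
Solitude abstract describes: look for the raw value and common hashes of it
after recursively peeling URL and base64 encodings.

Added illustration, not Solitude's own code. The secret, the sample request,
the hash set and the decoding depth are constructed assumptions.
"""
import base64
import hashlib
import re
from typing import Dict, List, Tuple
from urllib.parse import quote, unquote_plus

MAX_DEPTH = 4  # assumption: nested encodings to peel before giving up
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{16,}")  # candidate base64 runs


def fingerprints(secret: str) -> Dict[str, str]:
    """Forms in which an app might send the value: raw or hashed."""
    raw = secret.encode()
    return {
        "plain": secret,
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def decode_layers(text: str, depth: int = 0) -> List[Tuple[Tuple[str, ...], str]]:
    """Return (path, text) pairs for `text` and everything reachable from it by
    URL-decoding the whole string or base64-decoding embedded tokens."""
    layers = [((), text)]
    if depth >= MAX_DEPTH:
        return layers
    url_decoded = unquote_plus(text)
    if url_decoded != text:
        layers += [(("url",) + p, t) for p, t in decode_layers(url_decoded, depth + 1)]
    for token in _B64_TOKEN.findall(text):
        # accept both standard and URL-safe alphabets; restore missing padding
        std = token.replace("-", "+").replace("_", "/") + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(std, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            continue
        if decoded.isprintable():
            layers += [(("base64",) + p, t) for p, t in decode_layers(decoded, depth + 1)]
    return layers


def find_leaks(secret: str, http_request: str) -> List[Tuple[str, str]]:
    """Return distinct (form, path) pairs: which representation of the secret
    appeared and which decoding chain exposed it ("raw" = visible as sent)."""
    hits: List[Tuple[str, str]] = []
    forms = fingerprints(secret)
    for path, layer in decode_layers(http_request):
        haystack = layer.lower()  # hex digests and most identifiers are case-insensitive
        for form, value in forms.items():
            if value.lower() in haystack:
                hit = (form, ">".join(path) or "raw")
                if hit not in hits:
                    hits.append(hit)
    return hits


# Constructed sample: the value typed into the app and a request it might emit.
SECRET = "alice@example.com"
_fp = fingerprints(SECRET)
SAMPLE_REQUEST = (
    "POST /v1/events HTTP/1.1\r\n"
    "Host: telemetry.example.invalid\r\n"
    "X-Client: " + base64.b64encode(("e=" + quote(SECRET)).encode()).decode() + "\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    f"email={quote(SECRET)}&uid={_fp['sha256']}&payload="
    + base64.urlsafe_b64encode(('{"h":"' + _fp["md5"] + '"}').encode()).decode()
)

if __name__ == "__main__":
    for form, path in find_leaks(SECRET, SAMPLE_REQUEST):
        print(f"{form:7s} found via {path}")
```

The sample request leaks the address URL-encoded in the body, as a SHA-256 digest in the clear, as an MD5 digest inside a base64 JSON blob, and URL-encoded inside a base64 header value, and each is reported with the decoding chain that exposed it.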

HOOKA: Deep Dive Into ART(Android Runtime) For Dynamic Binary Analysis

Seong Hyun Song

Date: Thursday, August 5 | 3:00pm-4:00pm ( Virtual )

Track: Android, iOS and Mobile Hacking

Session Type: Arsenal

Google has changed Android runtime drastically each time a new version of Android is released to optimize the performance, storage usage, and system updates of apps. The profiling data has started to be generated in the recent version of Android 10, based on the user’s behavior in ART (Android Runtime). Based on the profiling data, the byte code is optimized (Profile-Guided optimization and Cloud Profile optimization) by the compiler (AOT/JIT). ART also interprets and executes different types of code (byte code, oat code, and jit code) generated by the compiler. Such complexity in the structure and the operation method makes ART difficult to understand correctly. However, since all the code of the app is interpreted and executed through ART, if the attacker understands how ART works, it is possible to steal all the information necessary to analyze the app. Therefore, in this paper, we analyze the flow and structure of how the app code is interpreted and executed by objects existing in Android 10 ART. Then, by modifying the ART based on the analysis results, we develop a framework that can steal the information in real-time, such as smali code, interface, parameters, return value, fields, and stack trace of a method that is executed dynamically. In addition, we present an easy technique to effectively analyze the app without accessing the execution code by using tools such as decompiler or disassembler.

In existing debugger or hooking frameworks that dynamically analyze the apps in the Android environment, it is forcibly attached to the target analysis process, and the code is injected to read or analyze the code in the memory area while the execution code is loaded in memory. Since these methods are blocked by RASP (Runtime Application Self Protection), it takes a lot of time for attackers or analysts to bypass it and analyze the app.

The method proposed in this paper, on the other hand, analyzes the app by modifying the ART (Android Runtime) itself which is responsible for loading and executing the app’s execution code in memory in Android. Even if any Anti-Hooking and Anti-Debugging techniques are applied to the app, all the codes are eventually executed through ART. This allows us to dump the dynamically executed code as smali code without being detected by RASP. In addition, all runtime information (such as stack trace, args, return value, etc.) of running functions can be captured and used for the analysis.

This technique essentially redevelops ART in Android. Most similar methods that change system modules in Android build the Android OS in debug mode, which makes such system-modifying approaches more easily detectable by RASP.

SPONSORED SESSIONS & WORKSHOPS HIGHLIGHTS (PST)

Chinese Intelligence Services: Methods and Purpose

Devin Thorne | Threat Intelligence Analyst, Recorded Future

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Government & Nonprofit

This presentation shines a spotlight on trends in Chinese intelligence operations, arguing that the Chinese Communist Party is becoming a more sophisticated adversary. Based on our research report of the same title, we will discuss ongoing reforms to China’s domestic environment for intelligence work and the methods employed by the Ministry of State Security and other Chinese intelligence services for human intelligence (HUMINT) operations. In cyberspace, we will highlight priorities for Chinese cyber espionage and explain China’s military doctrine toward cyber warfare. Ultimately, we argue that Chinese intelligence operations are increasingly high-skill, targeted, and data-driven.

Cortex XDR vs SolarWinds and HAFNIUM

Yoni Allon | Director, Research, Palo Alto Networks
Peter Havens | Director, Product Marketing, Palo Alto Networks

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Endpoint Security, Security Operations & Incident Response

Recent high impact attacks are raising concerns of whether advanced threat actors have the upper hand over enterprise security. SolarStorm showed how effective an adversary can be by subverting the trust we have in our technology vendors and HAFNIUM is teaching us just how vulnerable we are against a weaponized exploit on an exposed service even when a patch is available. This session will analyze what makes these attacks so effective, the methods used and what it takes to prevail with Cortex XDR.

Demo: New-School Security Awareness Training and Simulated Phishing

Greg Kras | Chief Product Officer, KnowBe4

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Endpoint Security, Risk, Compliance and Security Management

Your email filters have an average 7–10% failure rate; you need a strong human firewall as your last line of defense.

Watch this demonstration of KnowBe4’s innovative new-school security awareness training and simulated phishing platform. Get a look at the latest features during Black Hat!

  • NEW! AI-Driven phishing and training recommendations based on your users’ phishing and training history.
  • Train your users from the world’s largest library of 1000+ pieces of training content with brandable content options.
  • Find out where your users are in security knowledge and culture with Assessments.
  • Advanced Reporting on 60+ key awareness training indicators.

K8s ATT&CK and D3f3nd: Addressing Workload Security in Kubernetes

Jeremy Bonghwan Choi | Principal Product Security Engineer, Red Hat
Neil Carpenter | Senior Principal Solutions Architect, Red Hat

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Application Security, Cloud Security

As mission-critical applications move to Kubernetes, it’s important to understand how to defend against new threats. In this session, we will discuss the recently published MITRE ATT&CK matrix for containers and how defenders can anticipate and defend against attackers, laying out practical protections for modern containerized applications.

Keep Your Enemies Close: Playing Offense on the Dark Web

Adam Durrah | Director, Operative Intelligence Services, ZeroFox

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

Cybercriminals leverage the dark web for data leakage, credential theft, credit card fraud, and phishing threats to name a few, leaving security teams unprepared and playing catch up. According to our recent report on the dark web, security risks are rapidly evolving within the underground economy of forums, marketplaces, data leak sites, encrypted chat platforms and discussion boards. Security leaders that understand today’s threats on the dark web are better equipped to minimize their organization’s vulnerability to an attack and increase their advantage over the adversary.

Know Your Enemy: The Darkweb Battle

Richard Sands | General Manager — North America, Cyble
Nitesh Pandey | Darkweb Researcher, Cyble

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

An effective cybersecurity strategy includes the real-time monitoring of darkweb threats targeting your organization. Join us as we discuss the truth about the darkweb data trade, how it impacts your organization, and how we use our expansive darkweb data repository to unmask threat actors and determine their physical location.

The State of Ransomware 2021

Brandon Carden | Senior Solutions Engineer, Sophos

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Track: Security Operations & Incident Response

Join Brandon Carden from Sophos for an overview into the state of ransomware in 2021.

Based on an independent survey of 5,400 IT managers in mid-sized organizations around the globe, this session will explore:
• The key findings from the survey
• How often attackers successfully encrypt their victims’ data
• The financial cost of ransomware, including the actual ransoms paid
• Why organizations expect to be hit by ransomware

Plus, you’ll discover the strategies that enable IT managers to feel confident they won’t fall victim to ransomware in the future.

Threats from Contactless (NFC) Payments

Adam Laurie | Associate Partner and Hardware Hacking Lead, X-Force Red, IBM Security

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

Remember the days of touching PIN pads to plug in payment card information? They still exist but are increasingly fading. COVID-19 brought a surge in the use of contactless payment technology. After all, a contactless environment fosters social distancing and no shared PIN pads, two cornerstones of pandemic living. The technology, however, can also come with cybersecurity implications. In this presentation, X-Force Red hardware hacking lead Adam Laurie will show how an attacker could sniff a contactless transaction and convert it into a magnetic stripe card that could be used by anyone in the world.

Watch Hackers Breach WI-FI Networks & Unleash Ransomware From Miles Away

Kody Kinzie | Security Researcher, Varonis
Stefan Kremser | Security Researcher & Founder, Spacehuhn Technologies

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Data & Collaboration Security, Endpoint Security

Wi-Fi hacking remains an easy way for attackers to breach vulnerable networks using less than $80 in hardware. In this session, we remotely breach a company Wi-Fi network, phish employees, and deploy ransomware from over a mile away.

Enemy Inside the Gates: 2020 Threat Landscape Key Findings

Chad Skipper | Global Security Technologist, VMware
Giovanni Vigna | Sr. Director Threat Intelligence, VMware

Date: Wednesday, August 4 | 10:50am-11:10am ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Data & Collaboration Security, Security Operations & Incident Response

The global pandemic created an expanding remote workforce almost overnight. However, cyber criminals are now increasingly focused on the delivery of ransomware, especially targeting high-profile victims. In addition, there has been a resurgence of data exploits, likely targeting poorly maintained computers. These highly evasive, sophisticated, and targeted attacks are actively trying to spread and deliver malicious payloads to exfiltrate data. This session will dive into insights derived from data collected from VMware sensors deployed behind firewalls and in the data center — giving you a unique look into attacks that have already breached perimeter defenses.

The Mind’s Lie: How Our Thoughts and Actions Can Be Hacked and Hijacked

Perry Carpenter | Chief Evangelist & Strategy Officer, KnowBe4

Date: Wednesday, August 4 | 10:50am-11:10am ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Risk, Compliance and Security Management, Security Operations & Incident Response

Discover the art and science behind deception… and why you may still fall for dirty tricks even after you understand how they work. From the sleight-of-hand used by magicians, to the sleight-of-tongue used for social engineering, we are all wired to deceive and to be deceived. See how threat actors use these techniques against your users and how security awareness training can help them spot deceptions before it’s too late.

AI Red Team and Attack Path Modeling

Max Heinemeyer | Director of Threat Hunting, Darktrace
Toby Lewis | Head of Threat Analysis, Darktrace

Date: Wednesday, August 4 | 11:20am-11:40am ( Virtual )

Format: 20-Minute Sponsored Session

Track: Data & Collaboration Security

Offensive AI is already laying the groundwork for a new security challenge — deepfake technologies will outsmart and outpace human teams and traditional defenses with attacks that appear totally legitimate.

Organizations need self-learning AI technology to proactively identify emerging vulnerabilities and weak points, and deliver a holistic understanding of an organization’s evolving, dynamic risk profile.

Autonomous, AI Red-Teaming will transform defensive systems, augmenting human teams and offering a ‘Self-Learning AI loop’ cycle, improving with each phase and producing a fully autonomous approach to security — helping to mitigate and thwart real-world attacks before they even have a chance to strike.

The Future of Retail Cyber Security

Tim Woods | VP, Technology Alliances, FireMon

Date: Wednesday, August 4 | 12:20pm-1:00pm ( Virtual )

Format: 40-Minute Virtual Lunch & Learn

Track:

Join Nathan Venno, Cyber Security Engineer at Academy Sports + Outdoors, a leading Omni-Channel sporting goods retailer, and Tim Woods, VP, Technology Alliances from FireMon, the industry’s only agile network security policy management platform, as they discuss retail security amid rapid digital transformation.

With an increasing number of retail and consumer focused businesses taking steps toward digital transformation and transitioning more of their operations to the cloud, security is just as crucial to business survival as the need to transform. Mega breaches make headlines and damage reputations, and in an era when trust and brand loyalty are critical factors of success, a single breach can strip away any benefits of transformation a retailer has managed to secure for its brand.

43 percent of Global 2000 companies are speeding up their digital transformation efforts to the cloud, according to a recent study conducted by Pulse media. This acceleration leads to a more complex digital environment which in turn facilitates greater risk. As retailers begin updating their infrastructures they’re also expanding their potential attack surfaces and behind every transaction is a plethora of data moving around on the network.

Listen in and discuss as we review why security leaders believe that combining automation with a Zero Trust approach, the implementation of SASE architectures, and systems to more effectively manage an increasingly heterogeneous hybrid environment will empower their organizations to respond more quickly and embrace digital transformation initiatives.

Passwordless Biometric Authentication in a Zero Trust World

Karen Larson | Director of Integration Programs, Yubico
Sue Bohn | Partner Director of Program Management, Microsoft Corporation

Date: Wednesday, August 4 | 2:10pm-2:30pm ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Cloud Security, Identity and Access Management (IAM)

Authentication is a critical component in a Zero Trust environment. And with the continued improvement and adoption of biometrics for authentication, enterprises can ensure strong authentication — including passwordless login — to provide users secure access to applications and services. Learn how Yubico and Microsoft can support Zero Trust initiatives through identity tools and policies while creating a seamless experience for users and protecting enterprise data.

Understanding XDR

Eric Parizo | Principal Analyst, Security Operations, Omdia Research
Brian Murphy | CEO, ReliaQuest
Roselle Safran | CEO & Founder, KeyCaliber

Date: Wednesday, August 4 | 3:00pm-3:50pm ( Business Hall Theater C )

Format: 50-Minute Sponsored Session

Track: Security Operations & Incident Response

Security operations teams are taking a hard look at eXtended detection and response tools — XDR — as a means of collecting and analyzing threat data and identifying cyber attacks faster and more efficiently. But exactly how does XDR technology work? What tools does it require, and what skills do you need to have to use it in your enterprise? In this panel discussion, top experts will discuss the benefits of XDR, the challenges in implementing it, and how it can help your SOC speed the detection of new exploits.

Incredible Email Hacks You’d Never Expect

Roger Grimes | Data-Driven Defense Evangelist, KnowBe4

Date: Thursday, August 5 | 11:20am-11:40am ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Cloud Security, Risk, Compliance and Security Management

Email is still a top attack vector for cybercriminals. A majority of cyberattacks start with a phishing email, but email hacking is much more than phishing and launching malware! Join us as we explore how hackers use social engineering to trick your users into revealing sensitive data or enabling malicious code.

You will learn:

• How silent malware launches, remote password hash capture, and how rogue rules work

• Why rogue documents, establishing fake relationships, and getting you to compromise your ethics are so effective

• Details behind clickjacking and web beacons

• Actionable steps on how to defend against them all

How to Operate a Successful Ransomware Campaign

Ken Westin | Director of Security Strategy, ReliaQuest
Marcus Carey | Enterprise Architect, ReliaQuest

Date: Thursday, August 5 | 11:30am-12:20pm ( Business Hall Theater C )

Format: 50-Minute Sponsored Session

Tracks: Endpoint Security, Security Operations & Incident Response

Ransomware has become a big business. The more money being made from this digital extortion only makes the problem worse as ransomware gangs become more aggressive and brazen, targeting not just businesses but also critical infrastructure. In this session we will be looking at ransomware from an adversary’s perspective and as a business model. We will cover how targets are picked, the buy versus build dilemma and the role of ransomware-as-a-service. We’ll also look at how attackers establish persistence and exfiltrate data for additional leverage, as well as the role Public Relations plays in both shaming the victims who don’t pay and potentially affecting stock prices to generate more income.

Turning Users Into Cybersecurity Allies: Pushing, Pleading, Or Punishing?

Curt Franklin | Senior Analyst, Omdia

Date: Thursday, August 5 | 11:30am-12:20pm ( Business Hall Theater A )

Format: 50-Minute Sponsored Workshop

Track: Risk, Compliance and Security Management

Users are never neutral. They are either vulnerabilities to be managed or part of your cybersecurity defenses. What does it take to turn them into allies? Traditional approaches have relied on a triumvirate of threats, rewards, and responsibility to move employees into the “ally” column. But do new technologies mean that the makeup of that trio needs to change? What can technology do for increasing cybersecurity awareness and helping employees move from awareness to ally? Are there technologies that make the employees’ role less important? And what are the implications to cybersecurity and your organization’s culture of choosing one strategy over another? This session will pack a lot into a few minutes, but you’ll come away with a better understanding of what technologies and strategies can (and cannot) do together, or one at a time.

APTs: Average Preventable Threats

Morey Haber | CTO & CISO, BeyondTrust

Date: Thursday, August 5 | 11:35am-11:55am ( Innovation Theater )

Format: 20-Minute Innovation Session

Track: Endpoint Security

In this session we want to cut through the hype of cybersecurity and focus on practical preventative techniques that make attackers’ lives harder and break attack chains. We’ll show how Privilege Management and Application Control are not only essential but achievable.

Biohacking: The Invisible Threat

Len Noe | Global Solutions Engineer/White Hat Hacker, CyberArk

Date: Thursday, August 5 | 11:50am-12:10pm ( Virtual )

Format: 20-Minute Sponsored Session

Track: Identity and Access Management (IAM)

How and How Not to Reconstruct an Exploit; ExifTool CVE-2021-22204

Michael Zandi | Software Engineer, BlackBerry Applied Research Group

Date: Thursday, August 5 | 1:40pm-2:00pm ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Application Security, Cloud Security

Explore steps and missteps of reconstruction as we build a proof of concept exploit for CVE-2021-22204 from just the advisory and project source code. We’ll experiment with fuzzing and other techniques as we determine the root cause of the vulnerability and build a functioning reverse shell proof-of-concept exploit. We’ll then review public research on further developing and weaponizing the exploit and see how other researchers approached the same problem.

The Real Cost Of Doing Nothing

Lee Kirkpatrick | Advisory Incident Response Consultant, NetWitness

Date: Thursday, August 5 | 1:40pm-2:00pm ( Virtual )

Format: 20-Minute Sponsored Session

Tracks: Infrastructure Protection, Security Operations & Incident Response

Security is a known bane for organizations that is often ignored due to complexity, costs, and negligence. While these security best practices can cost businesses time and money to implement, it is far less costly than losing data, the inability to recover data due to ransomware, or engaging incident response to remove an attacker; without accounting for invisible costs, such as brand image, public disclosure of data, etc.

In this presentation, we will share with you several cases that we worked as incident responders where overlooked security practices led to costly and disruptive breaches.

Inside the Boldest and Most Impactful Nation-State Attack in History

Elia Florio | Principal Research Lead, Microsoft
Ramin Nafisi | Senior Malware Reverse Engineer, Microsoft
Dana Baril | Senior Security Research Lead, Microsoft
Michael Grenetz | Senior Product Manager, Microsoft

Date: Thursday, August 5 | 2:10pm-2:30pm ( Virtual )

Format: 20-Minute Sponsored Session

Track: Security Operations & Incident Response

Microsoft publicly disclosed the Nobelium incident in December of 2020. This campaign has been one of the most far-reaching and impactful nation-state and supply chain attacks the industry has ever seen. Get an inside look into one of the most sophisticated attacks in history from the frontline responders that helped track and defend against it. We’ll discuss the adversary’s tradecraft, novel techniques and expert recommendations that can help organizations protect themselves from the next wave of advanced threats.

SMS Phishing (Smishing) is Increasing: Can You Stop It?

Daniel Smallwood | Sr. Threat Research Engineer, IronNet Cybersecurity Inc.

Date: Thursday, August 5 | 2:40pm-2:50pm ( Virtual )

Format: 10-Minute Sponsored Session

Track: Security Operations & Incident Response

SMS Phishing (Smishing) has been increasing rapidly over the past 12 months. Smishing attacks have the potential to become the path of least resistance for attackers wanting to leverage the human factor in an automated way. This talk will explore the current state of this attack vector, and show you ways you can use your existing security investment to stay a step ahead.

A Lazy Hacker’s Approach to Ransomware

Gil Azrielant | Co-founder and CTO, Axis Security

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Application Security, Cloud Security

Think Ransomware isn’t for you? In this enlightening talk, Gil Azrielant, co-founder of Axis Security, will quickly discuss the business opportunities, the technologies, the industry and the mechanics attracting hackers the world over to ransomware. In the process Gil will reveal how some enterprises can use new technologies to defend themselves against attack.

BEC Attacks Leverage Abused Sites to Avoid Detection

Dave Baggett | CEO & Founder, Inky Technology

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Data & Collaboration Security, Risk, Compliance and Security Management

This talk explores phishing attackers cleverly using legitimate collaboration cloud services to evade detection. New BEC variants we’ve observed eschew attachments and links that might appear in threat intelligence feeds, instead generically linking to reputable cloud services. The linked service then either directly hosts malicious content or redirects to a phishing site that itself may appear in threat feeds, effectively cloaking the phishing site or malware payload. Often these emails originate from compromised accounts so their headers, too, generally fail to reveal anything suspicious. The talk will detail these new tactics and discuss the techniques we use to counter them.

Biometric Authentication Reimagined

Ludwig Ward | Product Manager, Yubico

Date: Wednesday, August 4 | 8:00am-8:15am ( Virtual )

Format: 15-Minute On-Demand Zone Sponsored Session

Tracks: Identity and Access Management (IAM), Risk, Compliance and Security Management

The market for biometric solutions is expected to reach nearly $60 billion by 2025. And as biometrics are trusted for identification, this is no surprise. The convenience of using a fingerprint or facial recognition to replace the burden of remembering, entering, and changing passwords to access applications and services is becoming a reality. Mobile phones and laptops now include support for biometric authentication, but without the proper approach, they may come at the cost of security. View this session to learn how biometric authentication has been reimagined to deliver strong security along with a seamless passwordless user experience.

THE PWNIE AWARDS

The Pwnie Awards is an annual awards ceremony celebrating the achievements and failures of security researchers and the security community.

The awards are given out once a year. The 2021 ceremony will take place during the Black Hat USA 2021 conference.

In 2021, there will be 10 award categories:

Best Client-Side Bug

CVE-2020-8695

CVE-2021-1864

Collecting Garbage for Profit

RCE through CS:GO

MOZILLA (CVE-2021-29955), INTEL (CVE-2021-0086), AMD (CVE-2021-26314)

Exploiting Samsung Secure Chip (CVE-2020-28341)

Best Cryptographic Attack

Minerva

NSA/CVE-2020-0601

Kaspersky Password Manager: All your passwords are belong to us

Best Privilege Escalation Bug

The Windows Print Spooler

Floating Point Value Injection

Mangkhut exploit chain

Heap-based buffer overflow in Sudo!

CVE-2020-27194

Even more Windows print spooler

Sequoia: A deep root in Linux’s filesystem layer

New old bugs in Linux kernel

CVE-2021-1648

Mistune

Best Server-Side Bug

Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065, and others TBD)

UAF in HTTP.sys (CVE-2021-31166)

ESXI RCE (CVE-2021-21974)

PrintNightmare (CVE-2021-34527)

(Another) Print Spooler Vulnerability (CVE-2021-1675)

21Nails (too many to list)

RCE in Qmail (CVE-2005-1513)

Best Song

Chase Login

The Ransomware Song

Ransomwave

Miss Configuration

The Zoom Song

Obieseance

Epic Achievement

Prank Calls for Truth

Floating Point Value Injection (FPVI)

Ilfak Guilfanov

Typhoon Mangkhut: One-click Remote Universal Root Formed with Two Vulnerabilities

Jiashui Wang (aka Quhe)

Lighthouse

DEFCON Voting Village

Lamest Vendor Response

Giggle App Account and Public Information Disclosure Vulnerability

Failure to Pay $1M Bounty

Cellebrite Response to Moxie

Apple Response to Password Reset Vulnerabilities

Peloton Patches and Requires Subscription

Most Epic Fail

Canadian Shield iOS application is itself vulnerable

PrintNightmare

Netgear router roundup

CREST / NCC Group — The Saga Continues

Samsung’s “secure” chip has a memcpy() buffer overflow

Unpatching the Patch

Voatz just generally having a bad one (year)

Most Innovative Research

APICraft: Fuzz Driver Generation for Closed-source SDK Libraries

Lord of the Ring(s): Side Channel Attacks on the CPU On-Chip Ring Interconnect Are Practical

An Analysis of Speculative Type Confusion Vulnerabilities in the Wild

Rage Against the Machine Clear: A Systematic Analysis of Machine Clears and Their Implications for Transient Execution Attacks

Speculative Probing: Hacking Blind in the Spectre Era

Most Under-Hyped Research

SMASH: Synchronized Many-sided Rowhammer Attacks from JavaScript

21 Nails

Windows 7 blind TCP/IP Hijacking

Supply Chain Attack on Composer

DCG 201 TALK HIGHLIGHTS FOR BLACK HAT USA 2021 (PST)

This is the section where we have combed through the entire list of talks on both days and list our highlights for the talks that stand out to us. Note that this does not invalidate any talks we didn’t list; in fact, we highly recommend you take a look at the full convention schedule beforehand and make up your own talk highlight lists. These are just the talks that for us had something stand out, either by being informative, unique or bizarre. (Sometimes, all three!)

Keynote: Hacking the Cybersecurity Puzzle

Jen Easterly | Director of the Cybersecurity and Infrastructure Security Agency (CISA)

Date: Thursday, August 5 | 9:00am-10:00am ( Oceanside CD / Virtual )

Format: 60-Minute Briefings

Track: Keynote

Jen Easterly, the new Director for the Cybersecurity and Infrastructure Security Agency (CISA), lays out her vision for how hackers, the government, and private sector can work together to confront cyber threats and solve tomorrow’s cyber puzzles before they become threats. She’ll provide insight into the scope and scale of threats to the nation’s cyber infrastructure and what it means for the unified effort to secure the nation from these threats. Key themes include urgent threats and those on the horizon, transparency and information sharing, partners and collaboration, and ensuring the workforce of today and tomorrow is equipped with the right skillset and knowledge to protect against future threats.

Keynote: Secretary Alejandro Mayorkas

Alejandro Mayorkas | Secretary, Department of Homeland Security

Date: Thursday, August 5 | 4:20pm-5:00pm ( Oceanside CD / Virtual )

Format: 40-Minute Briefings

Track: Keynote

Alejandro Mayorkas was sworn in as Secretary of the Department of Homeland Security by President Biden on February 2, 2021.

Mayorkas is the first Latino and immigrant confirmed to serve as Secretary of Homeland Security. He has led a distinguished 30-year career as a law enforcement official and a nationally-recognized lawyer in the private sector. Mayorkas served as the Deputy Secretary of the U.S. Department of Homeland Security from 2013 to 2016, and as the Director of U.S. Citizenship and Immigration Services from 2009 to 2013. During his tenure at DHS, he led the development and implementation of DACA, negotiated cybersecurity and homeland security agreements with foreign governments, led the Department’s response to Ebola and Zika, helped build and administer the Blue Campaign to combat human trafficking, and developed an emergency relief program for orphaned youth following the tragic January 2010 earthquake in Haiti. Mayorkas also created the Fraud Detection and National Security Directorate to better ensure the integrity of the legal immigration system.

Mayorkas began his government service in the Department of Justice, where he served as an Assistant United States Attorney in the Central District of California, specializing in the prosecution of white collar crime. After nearly nine years as a federal prosecutor, he became the youngest United States Attorney in the nation, overseeing prosecutions of national significance, including the investigation and prosecution of financial fraud, violations of the Foreign Corrupt Practices Act, public corruption, violent crime, cybercrime, environmental crime, international money laundering, and securities fraud.

Mayorkas received his bachelor’s degree with distinction from the University of California at Berkeley and a law degree from Loyola Law School.

Back in Black Hat: The 7th Annual Black Hat USA NOC Report

Neil R. Wyler | Principal Threat Hunter, RSA
Bart Stump | Senior Security Consultant, Optiv

Date: Thursday, August 5 | 3:20pm-4:00pm ( Oceanside CD / Virtual )

Format: 40-Minute Briefings

Tracks: Network Security, Applied Security

After a short intermission, the Black Hat NOC team is back with what’s sure to be a year like no other. With the world going virtual, and Black Hat being no exception, come find out how we’ve spent the last two years changing, adapting, and preparing for an event that’s both in person, and broadcast to the world. We’ll share what we’re using to stabilize and secure one of the most notorious networks in the world, what worked, what didn’t, and all the shenanigans in between. As with all things in Vegas, the stakes are high, the outcomes are unknown, and we’re going to learn a lesson one way or another.

Safeguarding UEFI Ecosystem: Firmware Supply Chain is Hard(coded)

Alexander Tereshkin | Principal Offensive Security Researcher, Nvidia
Alexander Matrosov | Chief Offensive Security Researcher, Nvidia
Adam Zabrocki | Principal Offensive Security Researcher, Nvidia

Dates: Thursday, August 5 | 1:30pm-2:10pm ( Virtual )
Wednesday, August 4 | 11:20am-12:00pm ( Lagoon HI )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Cloud & Platform Security

The UEFI ecosystem is very complicated in terms of supply chain security where we have multiple parties involved in the firmware code development like Intel/AMD with its reference code, or AMI, Phoenix and Insyde with its core frameworks for system firmware development. The hardware platform vendor contributes less than 10% to the UEFI system firmware code base from all the code shipped to the customers. The reality is vulnerabilities can be discovered not just in the platform vendor codebase, but inside the reference code. This impact can be worse reflecting on the whole ecosystem. The patch cycles are different across vendors and these vulnerabilities can stay unpatched to endpoints for 6–9 months. Moreover, they can be patched differently between vendors making fix verification difficult and expensive.

This research resulted from an internal security review of some of the NVIDIA hardware and a few edge computing platforms provided by partners. We found several issues. Some issues were related to Intel EDKII (reported to Intel in September 2020). Additional issues affected legacy protocols like SmiFlash, which is sometimes still available even on relatively new hardware. These are subject to attacker influence through NVRAM or SPI flash, allowing attackers to gain persistence. One issue was particularly exciting to us due to its sustainable path of exploitation and impact of arbitrary code execution in the PEI phase. Our researchers developed a PoC where arbitrary code execution in the PEI phase transfers a payload to SMM and survives the DXE phase. This powerful exploit path can be used to install a persistent implant in the system firmware, compromising all Secure Boots.

Zerologon: From Zero to Domain Admin by Exploiting a Crypto Bug

Tom Tervoort | Principal Security Specialist, Secura

Date: Wednesday, August 4 | 11:20am-12:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Cryptography, CorpSec

In a Windows Active Directory environment, domain-joined computers need to regularly communicate with domain controllers to facilitate NTLM network authentication and a number of other tasks. This communication takes place via the Netlogon Remote Protocol. What is interesting about this protocol is that it does not use Kerberos or NTLM for mutual authentication. Instead, a non-standard cryptographic protocol is used by both parties to prove knowledge of a computer password.

This protocol had a number of flaws: one is a downgrade vulnerability that allows a MitM attacker to achieve privileged remote code execution on the Netlogon client. A second, far more severe issue, allowed the impersonation of arbitrary computer accounts. By using a series of chosen-ciphertext attacks against an obscure block cipher mode of operation (that boil down to simply filling a number of fields to zeroes) an attacker could reset the computer password of the domain controller to an empty string, extract the account database with the DRS protocol, and gain domain admin access.

An attacker does not need any privileges to carry out an attack. All that’s needed is some initial foothold on the network from which TCP connections to an unpatched DC can be established. Since its disclosure in September 2019, this “Zerologon” vulnerability has been exploited on a large scale and resulted in an emergency directive from the DHS to install patches.

In this talk, I will outline my research on Netlogon cryptography and show how I accidentally discovered a theoretical issue that turned out to be one of the most critical AD vulnerabilities of the year. I will explain the different exploit steps of the Zerologon attack, and clarify how exactly Microsoft’s patch mitigates it.

Another Road Leads to the Host: From a Message to VM Escape on Nvidia vGPU

Wenxiang Qian | Senior Security Researcher, Tencent Blade Team

Date: Wednesday, August 4 | 1:30pm-2:10pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Exploit Development, Network Security

NVIDIA has a huge market share in the area of vGPU. Starting from supporting artificial intelligence, deep learning, data science to cloud gaming, the vGPU is getting more and more perceived to the general public. The vGPU can bring a new attack surface to the cloud infrastructures.

Compared to well-analyzed hypervisors, there is still not much research on the security of vGPU and its components. The problem that researchers will face is not only the lack of information but also that all the components of NVIDIA vGPU are closed-source, with no symbols and obfuscated function names.

Regardless of the hypervisor, vGPU has a component called nvidia-vgpu-mgr, running independently on the host. Through a detailed study of it, we have figured out how the guest machine is communicating with the vGPU manager. The guest kernel driver in the guest virtual machine communicates with the host through a mechanism called “vRPC message”. This message is first processed by nvidia-vgpu-mgr, reorganized, and then sent via ioctl to the host kernel driver, for further processing.

We’ve developed several fuzz methods to test if its handler is secure. The security of its kernel drivers is also tested through fuzzing.

So far, we have found multiple vulnerabilities in its vRPC handler. Three of them are OOB write, one of them is OOB read/write, and the last one is an information leak. We have also found a vulnerability in the kernel that can be triggered directly from the guest machine, resulting in arbitrary kernel address writing.

By using these vulnerabilities, regardless of the hypervisor, an attacker could exploit the nvidia-vgpu-mgr from the guest machine and get root access on the host machine.

Disinformation At Scale: Using GPT-3 Maliciously for Information Operations

Andrew Lohn | Senior Research Fellow, Center for Security and Emerging Technology
Micah Musser | Research Analyst, Center for Security and Emerging Technology

Dates: Wednesday, August 4 | 1:30pm-2:10pm ( Virtual )
Thursday, August 5 | 10:20am-11:00am ( South Seas AB )

Format: 40-Minute Briefings

Tracks: AI, ML, & Data Science, Policy

Last year, OpenAI developed GPT-3 — currently the largest and most powerful natural language model in the world. The select groups that were granted first access quickly demonstrated that it can write realistic text from almost any genre — including articles that humans couldn’t distinguish from real news stories. In the wrong hands, this tool can tear at the fabric of society and bring disinformation operations to an entirely new scale.

Based on six months of privileged access to GPT-3, our research tries to answer just how useful GPT-3 can be for information operators looking to spread lies and deceit. Can GPT-3 be used to amplify disinformation narratives? Can it come up with explosive news stories on its own? Can it create text that might fuel the next QAnon? Can it really change people’s stances on world affairs? We will show how we got GPT-3 to do all this and discuss ways to prepare for the next wave of automated disinformation.

Bypassing Windows Hello for Business and Pleasure

Omer Tsarfati | Security Researcher, CyberArk

Dates: Thursday, August 5 | 11:20am-12:00pm ( Virtual )
Wednesday, August 4 | 1:30pm-2:10pm ( Lagoon FL )

Format: 40-Minute Briefings

Tracks: Cloud & Platform Security, Hardware / Embedded

Windows Hello is the most popular password-less solution that includes authentication by either PIN code or biometric authentication. As a password-less technology, Windows Hello provides people with a more convenient authentication experience compared with the traditional password technique. In addition, it promises better security — but is it the truth? Would it make the lives of attackers harder or easier?

In this talk, we’ll introduce our research on attacking the face recognition mechanism of Windows Hello and show how an attacker can bypass Windows Hello using an external crafted USB device.

Every biometric authentication process includes biometrics collection, preprocessing, liveness detection, and feature matching. Windows Hello is no different, and some processes apply to it as well, including an anti-spoofing mechanism to detect frauds and bypass attempts.

We’ll discuss how face recognition authentication works, how to trick the Windows Hello engine with a modified USB device, and how to capture the relevant picture frames for bypassing the login phase.

In addition, we will see how our findings can affect other biometrical authentication across other devices and systems.

Besides, we will overview the biometric system in Windows, how it is designed and what data can be interesting from the attacker’s perspective and what defenders should do to prevent attackers’ access.

Finally, we will discuss how this knowledge can go to practical red team engagements.

ERROR: BadAlloc! — Broken Memory Allocators Led to Millions of Vulnerable IoT and Embedded Devices

Omri Ben-Bassat | Security Researcher, Section 52 at Azure Defender for IoT, Microsoft
Tamir Ariel | Security Researcher, Section 52 at Azure Defender for IoT, Microsoft

Dates: Thursday, August 5 | 11:20am-12:00pm ( Virtual )
Wednesday, August 4 | 1:30pm-2:10pm ( South Seas AB )

Format: 40-Minute Briefings

Tracks: Cyber-Physical Systems, Hardware / Embedded

“BadAlloc” is our code name for a class of integer-overflow related security issues found in popular memory allocators’ core functions such as malloc and calloc. BadAlloc vulnerabilities affect 17 different widely used real time operating systems (i.e., VxWorks, FreeRTOS, eCos), standard C libraries (i.e., newlib, uClibc, Linux klibc), IoT device SDKs (i.e., Google Cloud IoT SDK, Texas Instruments SimpleLink SDK) and other self-memory management applications (i.e., Redis). Some of these vulnerabilities go as far back as the early 90’s and all of them collectively impact millions of devices worldwide, mainly IoT and embedded devices as this was our focus.

In this talk, we’ll present some of the most interesting findings and discuss how we found them. We’ll do a quick root-cause analysis for each of the selected cases and show, in high depth technical level, how this specific kind of vulnerability could be leveraged to a full-blown remote code execution exploit on affected systems. We’ll discuss possible mitigation techniques and propose a method to check whether your application is affected by BadAlloc or similar vulnerability. Finally, a demo of a working RCE exploit will be presented.

President’s Cup Cyber Competition: Finding the Best Cyber Talent in the US Government

Harry Mourtos | Advisor to the Executive Assistant Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA)
Matt Kaar | Project Lead, Software Engineering Institute (SEI)

Dates: Thursday, August 5 | 3:20pm-4:00pm ( Virtual )
Wednesday, August 4 | 1:30pm-2:10pm ( South Seas CD )

Format: 40-Minute Briefings

Tracks: Community, Policy

In 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) held the first cybersecurity competition for the Federal workforce. Dubbed the President’s Cup Cybersecurity Competition, its purpose is “to identify, challenge, and reward the United States Government’s best cybersecurity practitioners and teams across offensive and defensive cybersecurity disciplines”. With just a few months between the creation of the concept and its execution, time was short to prepare a competition that would meet this tall order.

This talk gives the behind-the-scenes story of the first two President’s Cup competitions from two members of the team that built it. In year one, the multi-round event came together in record time and included over 1,000 participants from 25+ top-level departments and agencies within the United States government. In year two, the team improved the competition while adapting to the new realities of the pandemic and held the entire competition remotely.

The Kitten that Charmed Me: The 9 Lives of a Nation State Attacker

Allison Wikoff | Senior Strategic Cyber Threat Analyst, IBM X-Force
Richard Emerson | Senior Threat Hunt Analyst, IBM X-Force

Date: Wednesday, August 4 | 1:30pm-2:10pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Human Factors, Data Forensics & Incident Response

When our intel team talks about human error, we usually focus on the victim of a security incident. But in the investigation we ran in the past year, we flipped the script to highlight how the continued operational security errors of a prolific, state-sponsored threat group reveal intimate details of their entire operation.

Through very simple but persistent mistakes made by the adversary, likely based in Iran, we continued to learn the innermost details of the operations of a group we track as ITG18, better known as “Charming Kitten”. This group targeted pivotal individuals, including US politicians, nuclear scientists, journalists, and people involved in COVID vaccine development, recording the victims’ most private chats, emails, and even photos.

In our talk, we will reveal how an ITG18 operator set up their machine and various personas, hence 9 lives, to run adversarial operations and manage stolen data. We will go over TTPs of an ITG18 campaign and expose suspected initial access vectors for the audience to better understand how ITG18 compromises targets. Additionally, we will highlight ITG18’s new Android malware that they use to infect victims they follow on a daily basis. We named this code “LittleLooter” which we will discuss at the conference for the first time.

To get a better sense of ITG18 operational cadence, we will show two of the ITG18 training videos discovered during our research. These specifically cover how ITG18 configures the compromised personal email accounts of their victims to maintain access to their accounts without being detected, how ITG18 exfils information from their victims and how they expand on the compromises with the stolen data.

We will close this talk with some thoughts about ITG18’s future operations, including how they respond to public disclosure and how organizations and individuals can better defend themselves against this group.

Whoops, I Accidentally Helped Start the Offensive Intel Branch of a Foreign Intel Service

David Evenden | Founder, StandardUser, LLC

Date: Wednesday, August 4 | 1:30pm-2:10pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Community, Human Factors

When I left the service and the NSA, I was offered a job that seemed WAY too good to be true. Turns out it was. This talk will discuss how I came to work on the UAE’s Project Raven, what signs I missed because I was being naive, and how other transitioning intelligence personnel can avoid making the same mistake.

Project Raven is discussed in episode 47 of Darknet Diaries, and has been reported on extensively by Chris Bing at Reuters and by Nicole Perlroth in her book “This Is How They Tell Me the World Ends”.

A Survivor-Centric, Trauma-Informed Approach to Stalkerware

Lodrina Cherne | Principal Security Advocate, Cybereason
Martijn Grooten | Security Consultant, N/A

Dates: Wednesday, August 4 | 2:30pm-3:00pm ( Virtual )
Thursday, August 5 | 2:30pm-3:00pm ( South Seas CD )

Format: 30-Minute Briefings

Tracks: Human Factors, Community

Stalkerware is a type of spyware that is often used to surveil intimate partners or ex-partners. While it has been around for many years, its use has seen an uptick in recent years, with some studies suggesting a particular increase during the COVID-19 pandemic.

Technically, stalkerware is not particularly interesting: it is (primarily mobile) spyware and technically on par with commercial malware. But stalkerware is part of a broader ecosystem of technology-enabled abuse and coercive control, and therefore, technical means play only a small part in addressing it.

In this presentation, we will explain what stalkerware is, how it works and under what pretense it is often marketed and sold. More importantly, we will explain that stalkerware is part of the much wider problem of technology-enabled abuse and coercive control, such as intimate partner violence (IPV), domestic abuse, harassment, stalking, sexual violence, and other forms of gender-based violence (GBV). A holistic understanding of abuse and coercive control and the psychological harms experienced by survivors is essential for anyone who may encounter stalkerware and similar forms of tech misuse and abuse in their professional or personal lives.

The presentation will conclude with suggestions on what individual security practitioners can do when they encounter stalkerware, as well as what the security industry can do about stalkerware and tech abuse in general.

The Case for a National Cybersecurity Safety Board

Scott Shackelford | Associate Professor; Chair, IU Cybersecurity Program; Executive Director, Ostrom Workshop, Indiana University
Christopher Hart | Former Chairman, Formerly NTSB

Date: Wednesday, August 4 | 2:30pm-3:00pm ( Virtual )

Format: 30-Minute Briefings

Track: Policy

In the wake of a series of destabilizing and damaging cyber attacks, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board (NTSB) to investigate cyber attacks. As we recently argued in a letter to the Wall Street Journal, we think that it is past time for such a move. The SolarWinds hack, for example, highlights many vulnerabilities that have gone unaddressed for too long. First, it shows that the nation’s approach to supply-chain cybersecurity is notoriously inadequate. Second, it demonstrates that a go-it-alone strategy for cybersecurity risk management is doomed to failure. Cybersecurity firm FireEye’s coming forward helped ring the alarm that U.S. early-warning sensors reportedly missed. Third, it highlights the extent to which our nation’s critical infrastructure remains vulnerable, despite decades of efforts aimed at improving our defenses.

But how would such a Board function, and could it succeed where past public-private collaborations have fallen short, given the rapid pace of technical innovation and the multifaceted challenges permeating the information security field? This presentation investigates this policy prescription by assessing how it could be used to respond to recent cyber incidents such as SolarWinds, applying lessons from the history and evolution of the original NTSB, examining the challenges (technical, political, and administrative) in establishing a National Cybersecurity Safety Board (NCSB), and globalizing the discussion to ascertain how other nations are approaching this same issue. However, it is not necessary to wait for the U.S. government to act; rather, states, and the private sector, can launch a beta version of this NCSB today.

In short, we will make the case that it is time for Congress to create a cybersecurity safety board to investigate breaches to find out why they happened and how to prevent them from happening again. It’s exactly the type of entity that could play a role in preventing future SolarWinds-scale breaches. We recognize that no single reform can make breaches like SolarWinds’ as rare as plane crashes, but this would be a step in the right direction.

Deepfake Social Engineering: Creating a Framework for Synthetic Media Social Engineering

Matthew Canham | CEO, Beyond Layer 7, LLC.

Dates: Thursday, August 5 | 1:30pm-2:10pm ( Virtual )
Wednesday, August 4 | 3:20pm-4:00pm ( South Seas AB )

Format: 40-Minute Briefings

Tracks: Human Factors, Defense

How do you know that you are actually talking to the person you think you are talking to? Deepfake and related synthetic media technologies represent the greatest revolution in social engineering capabilities over the past century.

In recent years, scammers have used synthetic audio in vishing attacks to impersonate executives to convince employees to wire funds to unauthorized accounts. In March 2021, the FBI warned the security community to expect a significant increase in synthetic media enabled scams over the next 18 months. The security community is at a highly dynamic moment in history in which the world is transitioning away from being able to trust what we experience with our own eyes and ears.

This presentation proposes the Synthetic Media Social Engineering framework to describe these attacks and offers some easy to implement, human-centric countermeasures. The Synthetic Media Social Engineering framework encompasses five dimensions: Medium (text, audio, video, or a combination), Interactivity (pre-recorded, asynchronously, or Real-Time), Control (human puppeteer, software, or a hybrid), Familiarity (unfamiliar, familiar, close), and Intended Target (human or automation, an individual target, or a broader audience). While several technology-based methods to detect synthetic media currently exist, this work focuses discussion on human centered countermeasures to Synthetic Media Social Engineering attacks because most technology-based solutions are not readily available to the average user and are difficult to apply in real-time. Behavior-focused methods can teach users to spot inconsistencies between behaviors of the legitimate person and a Synthetic Media Social Engineering puppet. Proof-of-life statements will effectively counter most virtual kidnappings. Financial transfers should require either multi-factor authentication (MFA) or multi-person authorization. These ‘old-school’ solutions will find new life in the emerging world of Synthetic Media Social Engineering attacks and this presentation will help audience members to adapt to this new reality.

How I Used a JSON Deserialization 0day to Steal Your Money on the Blockchain

Hao Xing | Senior Security Researcher, Tencent Security Xuanwu Lab
Zekai Wu | Security Researcher, Tencent Security Xuanwu Lab

Date: Wednesday, August 4 | 3:20pm-4:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Exploit Development, Applied Security

Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub. As a basic module of countless Java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully. We will disclose these high-risk and universal gadgets for the first time in this talk.

Now, we can control many important websites and affect millions of users. Let’s make things more interesting. We found that this fastjson vulnerability affects a multi-billion-dollar blockchain. We designed multiple complex gadgets based on the features of the blockchain, and exquisitely achieved information leakage and pointer hijacking. Putting all these gadgets together, we achieved remote code execution on the blockchain nodes.

However, generally after remote code execution, we seem to have no better exploit method other than the 51% attack, which will lead to serious accounting confusion. After a detailed analysis of the architecture design of the public blockchain, we found a way from RCE to steal the public blockchain users’ assets almost without any notification.

To the best of our knowledge, this is the first published attack case on the realization of covertly stealing user assets after RCE on the public blockchain nodes. We will propose a more covert post penetration exploit method for public blockchain nodes in this talk.

Blockchain is not bulletproof to security vulnerability and we hope our work can notify blockchain developers and users to be more careful about security.

Hack Different: Pwning iOS 14 with Generation Z Bugz

Zhi Zhou | Security Researcher
JunDong Xie | Senior Security Engineer, Ant Group Light-Year Security Lab

Date: Wednesday, August 4 | 3:20pm-4:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Mobile, Exploit Development

The traditional Safari exploit is to gain code execution in the renderer first, then escape the sandbox with userland bugs or directly attack the kernel. However, since Safari has been under attention for a long time, it is not easy to find vulnerabilities in it. Furthermore, the sandbox protection mechanism is becoming more and more challenging, escaping the sandbox is even harder.

Instead of struggling with the state-of-the-art mitigations in WebKit, we used a brutally simple logic bug to bypass the renderer sandbox and get arbitrary JavaScript execution in another WebView without initial code execution. It was introduced by iOS 3. By using an Inter-App XSS, we can launch the Calculator from MobileSafari with literally zero memory corruption. It can even read the phone number and Apple ID directly. But the exploit chain doesn’t end here.

Since other WebView applications usually use JS Bridge to provide other JSAPI interfaces, they generally expose more attack surfaces than Safari. In the XSS-ed WebView, a misimplemented access control of bridged Objective-C objects effectively leads to object life-cycle control, which makes a perfectly exploitable UAF. Together with another logic information leakage, they showed how logic bugs can threaten memory safety.

We built the arbitrary call primitive despite the PAC, and further bypassed APRR to load arbitrary shellcode in a loosely sandboxed context that can access various critical personal information, such as Apple ID credentials, contacts, and camera.

The Mass Effect: How Opportunistic Workers Drift into Cybercrime

Masarah Paquet-Clouston | Security Researcher, GoSecure
Serge-Olivier Paquette | Senior Manager of Data Science, Secureworks
Sebastian Garcia | Assistant Professor, Czech Technical University in Prague
Maria Jose Erquiaga | Malware Researcher, Czech Technical University in Prague

Date: Wednesday, August 4 | 3:20pm-4:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Human Factors, AI, ML, & Data Science

By focusing on the most visible cybercriminals, our security community often overlooks the impact of massive groups supporting criminal activities. Yet, these groups act like the “mass effect”, where a primary pathology generates an inflating mass that pressures its surroundings, increasing the initial problem’s scale. This research was motivated by a desire to uncover the context and motivations of individuals involved in spreading the Geost banking Trojan, and ended with large-scale statistical analyses of behaviors in an informal online market, one of the largest out there. The market was found to host dubious activities through a hide-in-plain-sight approach.

The research unexpectedly opened up an alternative way of conceptualizing cybercrime economies, one that includes an ordinary working class, involved in any economic activity for the sake of little crumbs of profit. More than that, we realized that the motives of these individuals did not represent the excitement that is traditionally depicted by cybersecurity storytelling, nor did they embody the criminal ethos. What is concerning is rather their aggregated effect, their growing mass.

This presentation shares our research journey, depicting the actors involved in the operation of a botnet, their motivations, challenges, and an analysis of the informal market in which they grounded their criminal activities. By using machine learning techniques and a statistical analysis of the informal market population, we found other similar opportunistic entrepreneurs. The analysis also indicated that the informal market may be a revolving door to underground, more criminally-prone, communities.

Through this research, we hope to provide researchers, law enforcement officials and policy makers a better grasp on this type of cybercrime economy and a point of view that is closer to what these individuals actually experience.

Hacking a Capsule Hotel — Ghost in the Bedrooms

Kya Supa | Security Consultant, LEXFO

Dates: Wednesday, August 4 | 11:20am-12:00pm ( Virtual )
Thursday, August 5 | 11:20am-12:00pm ( Lagoon FL )

Format: 40-Minute Briefings

Track: Cyber-Physical Systems

IoT devices are widely deployed. Some hotels are now allowing their guests to control their room from their smartphone or other devices.

While traveling in a foreign country, a few nights were booked in a capsule hotel that was using various modern technologies. Capsule hotels are hotels composed of extremely small rooms that are stacked side-by-side.

In this hotel, an iPod touch given at check-in allowed each customer to control their bedroom. It was possible to control the light, change the position of the adjustable bed and control the ventilation fan.

In this presentation, we will share the methodology used to bypass the present security protections and we will show in detail how six different vulnerabilities were combined together and exploited in order to take control of all bedrooms and get revenge on a loud neighbor.

A demo video will be presented.

IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation

Erik Rye | Researcher, Center for Measurement and Analysis of Network Data (CMAND)
Rob Beverly | Dr, Center for Measurement and Analysis of Network Data (CMAND)

Dates: Thursday, August 5 | 1:30pm-2:10pm ( Virtual )
Wednesday, August 4 | 11:20am-12:00pm ( South Seas CD )

Format: 40-Minute Briefings

Track: Network Security

While IP Geolocation — tying an IP address to a physical location — is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With “IPvSeeYou,” we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.

We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface’s hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64.

These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.

Last, we demonstrate IPvSeeYou in practice. We develop an Internet-scale IPv6 router discovery technique that finds tens of millions of deployed CPE with EUI-64 addresses. On a per-OUI basis, we map these to a corresponding Wi-Fi BSSID. We search for these BSSID in geolocation databases to successfully map millions of routers, across the world, to a precise geolocation.
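The two mechanical steps the abstract relies on, recovering a MAC from an EUI-64 interface identifier and shifting it by a small offset into the Wi-Fi BSSID space, are short enough to show in code. The following is an added example, not the CMAND authors' tooling or dataset: the wardriving database, the offsets and the 2001:db8:: addresses are all constructed for illustration, and the router discovery step (traceroute to find the CPE hop) is assumed to have already produced the address.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of a wardriving database (BSSID -> lat, lon).
# The entries are made up for this example; none is a real observation.
WARDRIVE_DB: Dict[str, Tuple[float, float]] = {
    "00:11:22:33:44:56": (40.7411, -74.0327),
    "aa:bb:cc:00:00:10": (51.5007, -0.1246),
}


def eui64_to_mac(addr: str) -> Optional[str]:
    """Recover the 48-bit MAC embedded in a modified EUI-64 interface identifier.

    Returns None when the low 64 bits do not carry the ff:fe marker, i.e. the
    address was not formed via EUI-64 (privacy extensions, DHCPv6, static).
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]      # interface identifier
    if iid[3:5] != b"\xff\xfe":                       # RFC 4291 splice marker
        return None
    first = iid[0] ^ 0x02                             # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def mac_offsets(mac: str, offsets=(-1, 0, 1)) -> List[str]:
    """Candidate Wi-Fi BSSIDs for a WAN MAC: the same address shifted by a small
    offset, as the abstract describes. Candidates that would leave the vendor's
    OUI (top 24 bits) are dropped, since the correlation is done per OUI."""
    raw = int(mac.replace(":", ""), 16)
    out = []
    for off in offsets:
        cand = raw + off
        if cand >> 24 != raw >> 24:
            continue
        out.append(":".join(f"{(cand >> (8 * i)) & 0xFF:02x}" for i in range(5, -1, -1)))
    return out


def geolocate(addr: str, db=WARDRIVE_DB) -> Optional[Tuple[str, Tuple[float, float]]]:
    """Fuse an EUI-64 IPv6 address with a BSSID geolocation database.
    Returns (matched BSSID, (lat, lon)) or None."""
    mac = eui64_to_mac(addr)
    if mac is None:
        return None
    for cand in mac_offsets(mac):
        if cand in db:
            return cand, db[cand]
    return None


if __name__ == "__main__":
    # 2001:db8::/32 is documentation space; the address is constructed, not observed.
    print(geolocate("2001:db8::211:22ff:fe33:4455"))
    print(geolocate("2001:db8::1234:5678:9abc:def0"))   # privacy-style IID: no match
```

The same `eui64_to_mac` check doubles as a defender's test: if the WAN-side IPv6 address of your own CPE returns a MAC rather than None, its interface identifier is EUI-64 and it is exposed to exactly this correlation. The fix sits with the CPE vendor (random or privacy-extension interface identifiers), so the practical mitigation is to verify the setting on the device or push the vendor for firmware that does not embed the hardware address.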

Let’s Attack Let’s Encrypt

Haya Shulman | Director of Cybersecurity Analytics and Defences Department, Fraunhofer Institute for Secure Information Technology SIT

Date: Wednesday, August 4 | 11:20am-12:00pm ( Virtual )

Format: 30-Minute Briefings

Tracks: Network Security, Defense

Following the recent off-path attacks against PKI, Let’sEncrypt deployed in 2020 domain validation from multiple vantage points to ensure security even against the stronger on-path MitM adversaries. The idea behind such distributed domain validation is that even if the adversary can hijack traffic of some vantage points, it will not be able to intercept traffic of all the vantage points to all the nameservers in a domain.

In this work we show that two central design issues of the distributed domain validation of Let’sEncrypt make it vulnerable to downgrade attacks: (1) the vantage points are selected from a small fixed set of vantage points, and (2) the way the vantage points select the nameservers in target domains can be manipulated by a remote adversary. We develop off-path methodologies, based on these observations, to launch downgrade attacks against Let’sEncrypt. The downgrade attacks reduce the validation with “multiple vantage points to multiple nameservers” to validation with “multiple vantage points to a single attacker-selected nameserver”. Through experimental evaluations with Let’sEncrypt and the 1M Let’sEncrypt-certified domains, we find that our off-path attacker can successfully launch downgrade attacks against more than 24.53% of the domains, forcing Let’sEncrypt to use a single nameserver for validation with them.

We then develop an automated off-path attack against the “single-server” domain validation for these 24.53% of domains, to obtain fraudulent certificates for more than 107K domains, which constitute 10% of the 1M domains in our dataset.

We also evaluate our attacks against other major CAs and compare the security and efforts needed to launch the attacks, to those needed to launch the attacks against Let’sEncrypt. The conclusion from the evaluations is that our downgrade attacks remove any security benefits that Let’sEncrypt has over other CAs.

Reverse Engineering the M1

Stan Skowronek | Co-Founder and Chief Architect, Corellium

Dates: Wednesday, August 4 | 11:20am-12:00pm ( South Seas AB )
Thursday, August 5 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Track: Reverse Engineering

The release of M1 Macs marked a turning point for the open-source operating system community on Apple hardware. Now, the whole hardware stack would be proprietary, with little hope of reusing drivers written for standard PC hardware. At the same time, it offered an unprecedented insight into the design of the Apple SoC product line. With this motivation, we set out to reverse engineer these parts and the systems they power.

The talk will cover interesting quirks of Apple’s ARM architecture variant, such as memory access issues (and how to recognize them) and the novel AMX vector instruction set. We’ll describe design patterns commonly employed by these SoCs, as well as give a short introduction to USB 4, which made its debut on them.

20+ Ways to Bypass Your macOS Privacy Mechanisms

Wojciech Reguła | Senior IT Security Specialist, SecuRing
Csaba Fitzl | Content Developer, Offensive Security

Date: Wednesday, August 4 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Tracks: Cloud & Platform Security, Exploit Development

“TotallyNotAVirus.app” would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism’s main design concern was clear user consent.

In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent. Together, we submitted over 40 vulnerabilities to Apple alone over the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps’ privileges.

In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.

Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.

The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover — as we’re going to publish several exploits — red teams will also benefit from the talk.

A Hole in the Tube: Uncovering Vulnerabilities in Critical Infrastructure of Healthcare Facilities

Ben Seri | VP Research, Armis
Barak Hadad | Researcher, Armis

Dates: Wednesday, August 4 | 10:20am-11:00am ( South Seas CD )
Thursday, August 5 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Tracks: Cyber-Physical Systems, Network Security

A hidden infrastructure that transports critical care items within all modern hospitals lies in plain sight: the pneumatic tube system (PTS). This critical infrastructure is responsible for delivering medications, blood products, and various lab samples across multiple departments of the hospital. Using pneumatic tubes, blowers, diverters, stations and a central management server, this system is essentially the equivalent of a computer network for physical packets (named “carriers”). Modern PTS systems are IP-connected, and offer advanced features, such as secure transfers (using RFID and/or password-protected carriers), slow transfers (for carriers containing sensitive cargo), and remote system monitoring that enables the on-prem PTS system to be monitored and controlled through the Cloud.

Despite the prevalence of these systems, and the reliance of hospitals on their availability to deliver care, the security of these systems has not been thoroughly analyzed to date. This talk will uncover nine critical vulnerabilities we discovered in the firmware of the PTS station of one of the most popular vendors, used by thousands of hospitals in North America. These vulnerabilities can enable an unauthenticated attacker to take over PTS stations and essentially gain full control over the PTS network of a target hospital. This type of control could enable sophisticated and worrisome ransomware attacks that can range from denial-of-service of this critical infrastructure, to full-blown man-in-the-middle attacks that can alter the paths of this network’s packages, resulting in deliberate sabotage of the workings of the hospital.

This talk will emphasize the importance of researching embedded systems that operate systems that may look gray and unimportant, but nevertheless power infrastructure in mission-critical environments such as healthcare facilities.

Wibbly Wobbly, Timey Wimey — What’s Really Inside Apple’s U1 Chip

Jiska Classen | Dr.-Ing., TU Darmstadt, SEEMOO
Alexander Heinrich | N/A, TU Darmstadt, SEEMOO

Date: Wednesday, August 4 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Reverse Engineering

Apple introduced an Ultra Wideband (UWB) chip in the iPhone 11. Its cryptographically secured spatial measurement capabilities are accessible via the Nearby Interaction framework since iOS 14. As of now, it only supports interaction with other Apple devices including the latest Apple Watch and HomePod mini. These are the first steps to support UWB in a larger ecosystem, as measuring precise distance and direction can be an enabler for various future applications. The automotive industry already announced UWB support for mobile car keys on the iPhone.

But what’s really inside Apple’s U1 chip, internally called Rose? In this talk, we will travel through time, space, firmware, and kernel components — and fight daemons to modify firmware interaction from user space. This will not only cover one or two, but three firmwares that process or forward each Rose time measurement: The Rose Digital Signal Processor (DSP), Rose Application Processor (AP), and the Always-On Processor (AOP).

Zero — The Funniest Number in Cryptography

Quan Thoi Minh Nguyen | Senior Security Engineer

Dates: Thursday, August 5 | 3:20pm-4:00pm ( Virtual )
Wednesday, August 4 | 10:20am-11:00am ( Lagoon FL )

Format: 40-Minute Briefings

Track: Cryptography

What is the funniest number in cryptography? 0. The reason is that for all x, x*0 = 0, i.e., the equation is always satisfied no matter what x is. This talk will explore crypto bugs in four BLS signature libraries (ethereum/py_ecc, supranational/blst, herumi/bls, sigp/milagro_bls) that revolve around 0. Furthermore, we developed “splitting zero” attacks to show a weakness in the proof-of-possession aggregate signature scheme standardized in BLS RFC draft v4.

The Eth2 bug bounty program generously awarded $35,000 in total for the reported bugs.
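Why zero satisfies the BLS verification equation for every message, and why checking each public key alone does not stop an aggregate from summing to zero, can be shown without a pairing library. The block below is an added toy model, not code from any of the four libraries named above and not the speaker's attack: it swaps BLS12-381 and its pairing for the integers mod a small prime P under addition, with multiplication mod P standing in for the pairing (it is bilinear in the same way, e(x*a, b) = x*e(a, b)). The parameters P and G, the keys and the messages are all constructed for the example.

```python
import hashlib
from typing import List

# Toy parameters (constructed). Real BLS works in BLS12-381 with a bilinear pairing;
# here the group is the integers mod P under addition and the "pairing" is
# multiplication mod P, which is bilinear in the same way: e(x*a, b) = x*e(a, b).
P = 1_000_003
G = 7                       # generator of the additive group (any non-zero element)


def hash_to_group(msg: bytes) -> int:
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % P
    return h or 1           # a zero hash would be another degenerate case; avoid it


def pairing(a: int, b: int) -> int:
    return (a * b) % P


def keygen(sk: int) -> int:
    return (sk * G) % P


def sign(sk: int, msg: bytes) -> int:
    return (sk * hash_to_group(msg)) % P


def aggregate(elems: List[int]) -> int:
    """Aggregation is just group addition, for both public keys and signatures."""
    return sum(elems) % P


def verify(pk: int, msg: bytes, sig: int) -> bool:
    """The textbook check e(G, sig) == e(pk, H(m)), with no identity-element checks.
    For pk == 0 and sig == 0 both sides are 0 whatever the message is."""
    return pairing(G, sig) == pairing(pk, hash_to_group(msg))


def verify_hardened(pk: int, msg: bytes, sig: int) -> bool:
    if pk == 0 or sig == 0:  # identity element: reject before the pairing equation
        return False
    return verify(pk, msg, sig)


def aggregate_verify_hardened(pks: List[int], msg: bytes, sig: int) -> bool:
    """Checking each key alone is not enough: two non-zero keys can sum to zero
    ("splitting zero"), so the aggregate key and signature must be checked too."""
    if not pks or any(pk == 0 for pk in pks):
        return False
    return verify_hardened(aggregate(pks), msg, sig)


def splitting_zero_keys(sk: int) -> List[int]:
    """Attacker-chosen keys whose sum is the identity although neither is zero."""
    return [keygen(sk), keygen(P - sk)]
```

The practical takeaway carries over to the real curve: a verifier must reject the identity element (the point at infinity) wherever it can appear, in individual public keys, in signatures, and in the aggregate public key computed from keys that each passed the individual check.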

Breaking Secure Bootloaders

Christopher Wade | Security Consultant, Pen Test Partners

Date: Thursday, August 5 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Mobile

Bootloaders often use signature verification mechanisms in order to protect a device from executing malicious software. This talk aims to outline actionable weaknesses in modern bootloaders which allow attackers to deploy unsigned code, despite these protection mechanisms.

In the first phase of this talk, we will discuss exploitation of the bootloaders in modern Android smartphones, demonstrating weaknesses which allow for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption.

In the second phase, we will discuss bootloader weaknesses in the secondary hardware used by smartphones. Using an embedded RF chip as a target, we will demonstrate reverse engineering techniques which identified weaknesses in the signature verification mechanisms of the firmware update protocols used by the bootloader, allowing for deployment of custom firmware to the chip.

5G IMSI Catchers Mirage

Ravishankar Borgaonkar | Senior Research Scientist, SINTEF Digital & University of Stavanger
Altaf Shaik | Senior Research Scientist, Technische Universität Berlin

Date: Thursday, August 5 | 10:20am-11:00am ( Virtual )

Format: 40-Minute Briefings

Tracks: Network Security, Mobile

IMSI catchers aka Stingrays aka fake base stations are well-known privacy threats to almost every mobile phone with SIM card connectivity (including iOS or Android-based) in the world. The cellular network generations such as 2G, 3G, and 4G are vulnerable to such almost undetectable and silent attacks. Finally, new security mechanisms in the next generation 5G networks have been added to address these types of issues.

In this talk, we carefully investigate new security protection techniques in 5G and perform practical experiments using commercial 5G devices. Besides, we explain our failed and successful attempts at building 5G IMSI catchers for our research. Finally, we conclude with results explaining the impact of 5G IMSI catchers against 5G users without downgrading to legacy networks, guidelines for the cellular device vendors, operators, and end-users and directions towards fixing the problem in 6G networks.

Action Bias and the Two Most Dangerous Words in Cybersecurity

Josiah Dykstra | Technical Fellow, Cybersecurity Collaboration Center, National Security Agency
Douglas Hough | Senior Associate, Johns Hopkins University Bloomberg School of Public Health

Date: Thursday, August 5 | 11:20am-12:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Human Factors, Community

Most cybersecurity professionals acknowledge that achieving perfect security is impossible. Yet, they nobly strive for perfection as the ultimate goal and feel loss, failure, and regret when incidents inevitably occur. Human instinct, especially in reaction to crisis or catastrophe, is to react and respond forcefully and immediately.

In this session, we will talk about action bias and when immediate action is appropriate and when it is counterproductive. Behavioral science has demonstrated that action bias can lead to wasteful spending and suboptimal outcomes. We will describe how action bias impacts users, security professionals, and leaders. Users display action bias, such as demanding password resets and virus scans when they think they’ve been hacked, even when there is no evidence of it; a feature attackers exploit in phishing expeditions. CISOs and other security leaders exhibit action bias following a breach or attack when they act quickly based on a sense of urgency and a need for control, rather than applying deliberate analysis, even if the cost of proposed defenses outweighs the value or the loss. We present countermeasures to temper the occurrence and effects of action bias based on the findings of behavioral science.

While there is no cure for cognitive bias, tools such as “pre-flight” checklists and pre-mortems (as used in risk management) can mitigate the dangers of action bias. Using these tools, the cybersecurity community can evolve to address the two most dangerous words in cybersecurity — “never again” — uttered in desperation even when incidents reoccur. As a result, we can be rationally prepared to make unbiased decisions.

HPE iLO5 Firmware Security — Go Home Cryptoprocessor, You’re Drunk!

Alexandre Gazet | Senior Security Engineer, Airbus
Fabien Périgaud | Reverse Engineering Team Tech Lead, Synacktiv
Joffrey Czarny | Red Team Lead, Medallia

Date: Thursday, August 5 | 11:20am-12:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Hardware / Embedded, Reverse Engineering

At the core of HPE Gen10 servers lies the Integrated Lights Out 5 (iLO 5) out-of-band management technology. Coming with new hardware and software, it introduced a cornerstone feature described as a “silicon root of trust”. When you are not designing your own hardware and security (as Google does with its Titan security module, for example) you have to rely on the manufacturer of your equipment to provide you with best-in-class security. In such a situation, the iLO5 chipset is both your first and last line of defense.

At the start of 2020, we observed that the new HPE iLO5 firmware (versions greater than or equal to 2.x) would come as an encrypted binary blob, now deterring any efforts of public scrutiny by the cyber-security community. That is why we decided to perform a complete review of the encryption mechanism and to analyze the security implications of the new firmware packaging.

This research led us to completely reverse-engineer the new encryption mechanism, the new boot chain, as well as the cryptographic co-processor this feature relies upon. To extract the encryption keys from the system-on-chip (SoC) we exploited software vulnerabilities, both old ones and a new one we discovered and reported during this study; we also discovered and investigated the presence of an unknown debug port (presumably JTAG) on the motherboards of one of our servers (MicroServer family).

Finally, we will demonstrate the impact of these new findings in operational environments. Based on new knowledge, we developed an exploitation script to recover the clear text credentials of all the accounts on the iLO5 system, directly from the host operating system. Placed in the context of a motivated attacker this would allow very fast and efficient lateral movement, possibly crossing production and administration network segmentation.

What are the lessons learned from this new feature and analysis, and how much trust can we put in the HPE iLO 5 secure element technology? Is it still possible for a motivated attacker to intercept the delivery of a server and implant a backdoored firmware in it?

I’m a Hacker Get Me Out of Here! Breaking Network Segregation Using Esoteric Command & Control Channels

James Coote | Senior Consultant, F-Secure Consulting
Alfie Champion | Senior Consultant, F-Secure Consulting

Date: Thursday, August 5 | 11:20am-12:00pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Network Security, Defense

This talk will explore the weaponization of esoteric internal command and control (C2) channels and their use for lateral movement. James, an attack simulation consultant with F-Secure Consulting, will demonstrate some novel and reimagined techniques for breaking out of heavily segregated environments. In particular, the following will be explored, along with the tools that James has developed to make these usable operationally:
- C2 into VMs through vCenter and Guest Additions
- C2 using arbitrary network printers and print jobs
- C2 over Remote Desktop mapped drives and file shares
- C2 using LDAP attributes

For the red teamers, James will share how to identify and exploit these channels, and the OpSec considerations behind each. He will also share the tools that he’s developed to interface with popular C2 frameworks such as Cobalt Strike and C3, providing operators with a seamless C2 experience.

For the blue teamers, James will explore the detection artifacts created when using these tools, and will present use cases to consider implementing. He will also challenge defenders’ assumptions about how sophisticated actors may operate within segregated environments, and how commonly accepted boundary systems and technologies may offer a means for actors to progress unimpeded into organizations’ most sensitive network zones.

The Ripple Effect: Building a Diverse Security Research Team

Oryan De Paz | Low-Level Researcher & Developer, Symantec — A Division of Broadcom
Omer Yair | Endpoint Team Lead, Symantec — A Division of Broadcom

Dates: Wednesday, August 4 | 10:20am-11:00am ( Virtual )
Thursday, August 5 | 11:20am-12:00pm ( South Seas CD )

Format: 40-Minute Briefings

Track: Community

Achieving a diverse, inclusive team which is a dream to work in was not a short journey. It took time and was well worth the effort. While the industry numbers paint a gloomy picture for gender equality and representation, we successfully built a thriving diverse team of hackers with equal representation.

There were no misogynists, sexists, or toxic culture of any kind on our core team. Yet initially, it consisted entirely of men and no women. There was an unconscious bias that kept us in this state. We will share our journey to reveal and measure this bias and to ultimately increase female representation from 0 to 50%.

According to the Global Gender Gap Report 2020 (by World Economic Forum), it will take on average more than 100 years for women to reach gender equality. This is unacceptable and we can and must make it happen sooner.

Our hope is to share some tools with allies attending Black Hat to help make the change on their teams as well (tools for team members, leaders, and upper management alike). Incidentally, the same tools have not only created a more inclusive environment, they have also improved our R&D team atmosphere and deliverables.

This is not a technical talk. You won’t learn the bits and pieces of a fancy protocol or internals of an OS. It will however improve your team’s technical skills by fostering a healthy environment to work in.

HTTP/2: The Sequel is Always Worse

James Kettle | Director of Research, PortSwigger

Date: Thursday, August 5 | 1:30pm-2:10pm ( Virtual )

Format: 40-Minute Briefings

Tracks: AppSec, Cloud & Platform Security

HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I’ll take you beyond the frontiers of existing HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.

I’ll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon’s Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I’ll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties. One of these attacks remarkably offers an array of exploit-paths surpassing all known techniques.

After that, I’ll unveil novel techniques and tooling to crack open a widespread but overlooked request smuggling variant affecting both HTTP/1 and HTTP/2 that is typically mistaken for a false positive.

Finally, I’ll drop multiple exploit-primitives that resurrect a largely forgotten class of vulnerability, and use HTTP/2 to expose a fresh application-layer attack surface.

I’ll leave you with an open-source scanner with accurate automated detection, a custom, open-source HTTP/2 stack so you can try out your own ideas, and free interactive labs so you can hone your new skills on live systems.
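The root of the HTTP/2-to-HTTP/1.1 problem the abstract alludes to is that HTTP/2 fixes the body length by framing, while HTTP/1.1 relies on a Content-Length header; a front-end that downgrades and copies a client-supplied length verbatim lets the client decide where the back-end thinks the request ends. The block below is an added example, not PortSwigger's scanner or any of the talk's case studies: the `H2Request` model, the `/admin` payload, the victim request and `example.com` are all constructed, and the back-end is a deliberately simple Content-Length parser standing in for whatever shares the upstream connection.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class H2Request:
    """Decoded HTTP/2 request as a front-end sees it after HPACK: pseudo-headers,
    ordinary headers (names are lowercase in HTTP/2) and the concatenated DATA frames."""
    method: str
    path: str
    authority: str
    headers: List[Tuple[str, str]] = field(default_factory=list)
    body: bytes = b""


def _serialize(req: H2Request, headers: List[Tuple[str, str]]) -> bytes:
    lines = [f"{req.method} {req.path} HTTP/1.1", f"Host: {req.authority}"]
    lines += [f"{k}: {v}" for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + req.body


def downgrade_naive(req: H2Request) -> bytes:
    """Rewrites HTTP/2 to HTTP/1.1 by copying every header verbatim. The body length
    was already fixed by HTTP/2 framing, yet a client-supplied content-length is
    forwarded and the back-end will believe it instead."""
    return _serialize(req, req.headers)


def downgrade_hardened(req: H2Request) -> bytes:
    """Same rewrite, but framing is decided by the front-end: the client's length
    header must match the framed body, transfer-encoding is refused, and header
    names/values carrying CR/LF/NUL are refused so they cannot split lines."""
    kept = []
    for k, v in req.headers:
        if any(c in k or c in v for c in ("\r", "\n", "\0")):
            raise ValueError(f"control character in header {k!r}")
        name = k.lower()
        if name == "transfer-encoding":
            raise ValueError("transfer-encoding is not valid on an HTTP/2 request")
        if name == "content-length":
            if v.strip() != str(len(req.body)):
                raise ValueError(f"content-length {v!r} disagrees with framed body of {len(req.body)} bytes")
            continue                       # we emit our own below
        kept.append((k, v))
    kept.append(("Content-Length", str(len(req.body))))
    return _serialize(req, kept)


def backend_split(stream: bytes) -> List[Tuple[str, List[str], bytes]]:
    """Back-end view of a reused HTTP/1.1 connection: carve the stream into
    requests using Content-Length only. Returns (request line, header lines, body)."""
    out = []
    while stream:
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break                                # incomplete; wait for more bytes
        lines = head.decode("latin-1").split("\r\n")
        clen = 0
        for line in lines[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                clen = int(value.strip())
        out.append((lines[0], lines[1:], rest[:clen]))
        stream = rest[clen:]
    return out


# Constructed traffic. The attacker's body carries a second request whose last header
# is left open so that whatever follows on the connection is absorbed into it.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: example.com\r\nX-Ignore: "
ATTACKER = H2Request("POST", "/", "example.com", [("content-length", "4")], b"abcd" + SMUGGLED)
ATTACKER_NO_CL = H2Request("POST", "/", "example.com", [], b"abcd" + SMUGGLED)
VICTIM = b"GET /account HTTP/1.1\r\nHost: example.com\r\nCookie: session=victim\r\n\r\n"


def naive_view():
    """Requests the back-end parses when the naive front-end forwards ATTACKER then VICTIM."""
    return backend_split(downgrade_naive(ATTACKER) + VICTIM)


def hardened_rejects() -> bool:
    try:
        downgrade_hardened(ATTACKER)
    except ValueError:
        return True
    return False


def hardened_view():
    """Same attacker payload without the lying header: the whole body stays a body."""
    return backend_split(downgrade_hardened(ATTACKER_NO_CL) + VICTIM)
```

With the naive front-end the back-end sees two requests, and the second is the attacker's `GET /admin` carrying the victim's Cookie header; with the hardened front-end the lying header is refused outright, and the same payload without it stays inside the POST body, so the victim's request reaches the back-end intact.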

Securing Open Source Software — End-to-End, at Massive Scale, Together

Jennifer Fernick | SVP & Global Head of Research, NCC Group
Christopher Robinson | Director of Security Communications, Intel

Date: Thursday, August 5 | 1:30pm-2:10pm ( Virtual )

Format: 40-Minute Briefings

Tracks: Community, CorpSec

Open source software is a significant part of the core infrastructure in most enterprises in most sectors around the world and is foundational to the internet as we know it. Consequently, it represents a massive and profoundly valuable attack surface. Each year more lines of source code are created than ever before — and along with them, vulnerabilities. Consequently, we are minting vulnerabilities faster than our current techniques can discover and remediate them. We haven’t yet seen the true potential of techniques for finding vulnerabilities at scale, and there are reasons to believe attackers may get there before we can.

The combination of distributed community-driven development, public-facing deobfuscated source code, inconsistent use of security reviews and tooling, and the prominence of many key FOSS projects as the core infrastructure of enterprises around the world and of the internet itself means that the unique model that has made open source software projects and development lifecycles so impactful is also that which has historically made them difficult to secure. These are the problems we were aiming to solve with the creation of the Open Source Security Foundation.

In this presentation, we’ll share key lessons learned in our experience coordinating the industry-wide remediation of some of the most impactful vulnerabilities ever disclosed (Heartbleed, Shellshock, Rowhammer, and BlueZ), present a threat model of the many unmitigated challenges to securing the open source ecosystem, share new data which illustrates just how fragile and interdependent the security of our core infrastructure can be, debate the challenges to securing OSS at scale, and speak unspoken truths of coordinated disclosure and where it can fail. We will also discuss research advances that are making it easier for adversaries to find and exploit vulnerabilities at scale, and offer guidance for how members of the security community can get involved and contribute meaningfully to improving the security of OSS, especially through coordinated industry-wide efforts.

This presentation will include the official launch announcement of Open Source Security Foundation’s (openssf.org) grant program for security research projects to help secure the open source ecosystem!

Windows Heap-backed Pool: The Good, the Bad, and the Encoded

Yarden Shafir | Software Engineer, CrowdStrike

Dates: Wednesday, August 4 | 11:20am-12:00pm ( Virtual )
Thursday, August 5 | 1:30pm-2:10pm ( South Seas CD )

Format: 40-Minute Briefings

Tracks: Reverse Engineering, Exploit Development

For decades, the Windows kernel pool remained the same, using simple structures that were easy to read, parse and search for, but recently this all changed, with a new and complex design that breaks assumptions and exploits, and of course, tools and debugger extensions.

This new design modernizes the kernel pool and makes it significantly more efficient. Additionally, it has significant security implications — both good and bad. Major code changes break a lot of existing code and might make future pool-related exploits more difficult, or in some cases nearly impossible to write.

But could this open up a whole new attack surface as well?

Can You Hear Me Now? Remote Eavesdropping Vulnerabilities in Mobile Messaging Applications

Natalie Silvanovich | Security Researcher, Google

Date: Thursday, August 5 | 2:30pm-3:00pm ( Virtual )

Format: 30-Minute Briefings

Tracks: Mobile, AppSec

On January 29, 2019, a serious vulnerability was discovered by multiple parties in Group FaceTime which allowed an attacker to call a target and force the call to connect without user interaction from the target, allowing the attacker to listen to the target’s surroundings without their knowledge or consent.

While this remarkable bug was soon fixed, it presented a new and unresearched attack surface in mobile applications that support video conferencing.

This presentation covers my attempts to find similar bugs in other messaging applications, including Signal, JioChat, Mocha, Google Duo, and Facebook Messenger.

Demystify AI Security Products With a Universal Pluggable XAI Translator

Kailiang Ying | PhD, Syracuse University
Tongbo Luo | Staff Security Software Engineer, Robinhood Inc.
Xinyu Xing | Assistant Professor, Pennsylvania State University
Xuguang (Luke) Liu | Software Engineer, Palo Alto Networks

Date: Thursday, August 5 | 2:30pm-3:00pm ( Virtual )

Format: 30-Minute Briefings

Tracks: AI, ML, & Data Science, Applied Security

In the past years, we witnessed a dramatic rise in the platforms and apps based on machine learning and artificial intelligence. Inevitably, nearly every security product claims to be powered by deep learning technology and to achieve an incredible detection rate. Confused by the various fancy terms advertised by security companies, the dilemma faced by customers is how to determine the quality of these products and how to choose the suitable one. Previous studies have proposed various ways to evaluate many kinds of ML-based security products (e.g., malware detection, cloud-based, endpoint AV). Our presentation aims to bridge the research-to-practice gap by sharing our experience when evaluating real-world vendors’ products.

Government-Mandated Front Doors?: A Global Assessment of Legalized Government Access to Data

Andrea Little Limbago | Vice President, Research and Analysis, Interos

Date: Thursday, August 5 | 2:30pm-3:00pm ( Virtual )

Format: 30-Minute Briefings

Tracks: Policy, Community

Who needs a backdoor when front door access is required? From Tesla to the U.S. tech giants, there has been a growing focus on whether private sector companies are obliged to turn over data to a foreign government in exchange for market access. This can range from source code reviews to unfettered access upon request, and increasingly may pose a risk to intellectual property and personal data as digital authoritarian frameworks proliferate.

This comes at a time when significant supply chain disruptions have prompted many in the private sector to reassess their global footprint, with cybersecurity a top priority and motivator when exploring greener pastures elsewhere. Integrating government data access policies must become core to these considerations as corporations reshore and transform their global footprint.

But how do these policies compare from one country to the next? Has the GDPR inspired more progeny or is the Chinese model spreading faster as many contend? To address these questions, this presentation will introduce a new global index of countries based on government-mandated data access requirements. We will discuss the data and factors driving the index, as well as elicit community recommendations for improving the model. With such significant global transformations underway, government-mandated data access warrants greater attention when exploring the full range of global cyber risks.

Use & Abuse of Personal Information

Alan Michaels | Director, Electronic Systems Lab, Virginia Tech Hume Center
Kiernan George | Graduate Research Assistant, Virginia Tech Hume Center

Dates: Thursday, August 5 | 3:20pm-4:00pm ( Virtual )
Wednesday, August 4 | 10:20am-11:00am ( Lagoon HI )

Format: 40-Minute Briefings

Tracks: Policy, Human Factors

Virtually any meaningful interaction occurring across the Internet requires the establishment of a user profile, which in turn requires entry of Personally Identifiable Information (PII) as a way for service providers to verify and support/track user activity. Such PII often includes a person’s name, age, address, email, phone number, or demographic information, which is often associated with the IP address of the device used to access online services, all of which contribute to tailored responses from the vendor. Most users understand and accept that these distant parties will use the information to optimize their interactions; however, substantially unrelated uses and abuses of users’ personal information are common.

Our talk explores the levels and depths of how online entities, and their affiliates, use and abuse our personal information. Our conclusions are based on a 12-month study tracking email, phone, SMS text, and web scraping activity for 300 false identities established at ~200 distinct organizations to determine which companies behave consistently with a consumer's interests and which companies are to blame for our culture of robocalls and spam. All of this activity is based on one-time interactions with the online entity, resulting in 16,584 emails, 948 voicemails, and 753 text messages.

Beyond quantifying the amount of activity associated with these identities and building the graph of information sharing, we also analyze received content in the context of a quantitative rubric applied to published privacy policies, political and/or special interest leanings, and make an attempt to identify tangible evidence of foreign interest in the 2020 presidential election. We plan to make this dataset available for others to investigate as well.
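The attribution method behind a study like this is a canary-identity scheme: each organization is given its own fabricated identity, so any later contact to that identity can be traced back to the organization that received it, and contact from anyone other than that organization is evidence of sharing. The following is an added example of that scheme in Python, written for this guide; it is not the speakers' code, and the organization names, sender domains, mailbox and domain (`canary-study`, `example.com`) and the sample messages are all constructed for illustration.

```python
"""Canary-identity attribution: one fabricated identity per organization, so that
any later message to that identity reveals which organization (or its affiliates)
released it.  Added illustration for the guide; not the study's code or data."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass

BASE_MAILBOX = "canary-study"   # assumed catch-all mailbox supporting plus-addressing
BASE_DOMAIN = "example.com"     # assumed domain under the researcher's control


@dataclass(frozen=True)
class Identity:
    org: str         # organization the identity was registered with
    org_domain: str  # that organization's own sending domain (first-party mail)
    name: str
    email: str


def make_identity(org: str, org_domain: str, salt: str = "2020") -> Identity:
    """Derive a unique, non-guessable alias for one organization.
    A hashed tag means one organization cannot infer another's alias."""
    tag = hashlib.sha256(f"{salt}:{org}".encode()).hexdigest()[:8]
    name = f"Canary {tag[:4].upper()}"
    email = f"{BASE_MAILBOX}+{tag}@{BASE_DOMAIN}"
    return Identity(org, org_domain, name, email)


def build_registry(orgs):
    """Map each alias address back to the identity (and so the org) it was given to."""
    return {ident.email: ident
            for ident in (make_identity(org, dom) for org, dom in orgs)}


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def attribute(messages, registry):
    """Classify each inbound message as first-party, third-party, or unattributed.
    Returns (sharing_graph, counts, unattributed): sharing_graph maps the
    registering org to the set of third-party sender domains that reached it."""
    graph = defaultdict(set)
    counts = defaultdict(lambda: {"first_party": 0, "third_party": 0})
    unattributed = []  # mail to aliases we never issued: scraping, guessing, or typos
    for msg in messages:
        ident = registry.get(msg["to"].lower())
        if ident is None:
            unattributed.append(msg)
            continue
        src = sender_domain(msg["from"])
        if src == ident.org_domain:
            counts[ident.org]["first_party"] += 1
        else:
            counts[ident.org]["third_party"] += 1
            graph[ident.org].add(src)  # edge: org -> party it shared the identity with
    return dict(graph), dict(counts), unattributed


# Constructed sample data (hypothetical organizations and sender domains).
ORGS = [("ShopCo", "shopco.example"), ("NewsSite", "newssite.example"),
        ("PollGroup", "pollgroup.example")]
REGISTRY = build_registry(ORGS)
_alias = {ident.org: ident.email for ident in REGISTRY.values()}
SAMPLE_MESSAGES = [
    {"to": _alias["ShopCo"],    "from": "deals@shopco.example"},
    {"to": _alias["ShopCo"],    "from": "offers@coupon-blast.example"},
    {"to": _alias["ShopCo"],    "from": "promo@coupon-blast.example"},
    {"to": _alias["ShopCo"],    "from": "survey@datamarket.example"},
    {"to": _alias["NewsSite"],  "from": "digest@newssite.example"},
    {"to": _alias["PollGroup"], "from": "vote@pollgroup.example"},
    {"to": _alias["PollGroup"], "from": "news@datamarket.example"},
    {"to": "canary-study+notregistered@example.com", "from": "x@unknown.example"},
]


def run_sample():
    return attribute(SAMPLE_MESSAGES, REGISTRY)


if __name__ == "__main__":
    graph, counts, unattributed = run_sample()
    for org, senders in sorted(graph.items()):
        print(f"{org}: shared with {sorted(senders)} ({counts[org]['third_party']} msgs)")
    print(f"unattributed: {len(unattributed)}")
```

Two design points matter in practice: the alias must be unguessable (a hashed tag rather than `+shopco`), or a spammer who sees one alias can enumerate the rest and poison the attribution; and mail to aliases that were never issued is kept separate rather than dropped, because it is the signal for address scraping or dictionary attacks on the catch-all domain.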

Written by DCG 201

North East New Jersey DEFCON Group Chapter. Dirty Jersey Represent! We meet at Sub Culture once a month to hack on technology projects! www.defcon201.org