On the eve of the Black Hat 2019 Briefings sessions, The Daily Swig takes a closer look at the real-world impact of the security research that’s showcased in the desert each year

DISPATCHES For a few days each summer, the cavernous corridors of the Mandalay Bay Convention Center give rise to new ways of thinking about security, as researchers from around the world gather at Black Hat to demonstrate their latest techniques, exploits, and toolkits.

Last year, in the tropical-named, but otherwise nondescript rooms of South Seas, Islander, and Lagoon, security pros lifted the lid on everything from new web security techniques to hardware backdoors in dozens of presentations that saw zero-days rain down like pennies from a slot machine.

Of course, it’s not only Black Hat, but also DEF CON and BSides Las Vegas that act as a showcase for fresh security ideas out here in the desert.

The trinity of overlapping security events that comprise ‘Hacker Summer Camp’ attract hundreds of news headlines and tens of thousands of people every year, but what happens once the conferences close their doors?

How can we assess the impact this research has on the security community and, perhaps more importantly, end users?

In the lead-up to this year’s Black Hat Briefings, The Daily Swig spoke with various security industry stakeholders to hear their thoughts on the research unveiled at last year’s conference, along with what they are looking out for in 2019.

Ashish Gupta – president and CEO, Bugcrowd

Ashish Gupta at Black Hat 2019 (Image: PortSwigger Ltd)

What are your thoughts on new security research in relation to bug bounties?

Ashish Gupta: “Novel research and attack techniques presented at conferences definitely have real-world impact, and this is reflected in the vulnerability reports from our bug bounty programs.

“Researchers actively apply these techniques and, depending on how widespread the affected technologies are, it could account for a substantial amount of reports.

“However, the usage tends to decline after program owners catch up with patching. This is partly due to the research being technology-specific these days and applicable only in certain scenarios. Only a few new attack vectors are broad and generic enough to withstand time and become a true new vulnerability type.”

Which Black Hat sessions are you looking forward to this year?

AG: “Our very own strategy program manager Chloe Brown is presenting on maintaining a healthy bug bounty program on Thursday at noon. Her speaking session will touch on measuring success, reporting, incentivizing hackers, and handling vulnerability disclosures.

“In light of recent news around Boeing 787 aircrafts, I’m particularly excited about the analysis of the Boeing 787’s Core Network from IOActive. IOActive researchers have found some pretty cool vulnerabilities in the past, so no doubt this will be good.

“Another session that is super relevant to recent news is a session from Arkose Labs on the attack surface as a service and utilizing third-party services as a defense against attackers. Given recent news stories around third parties exposing data, this is an interesting take. 

“On the Bugcrowd front, we have a lot of exciting things going on at Black Hat this year and folks can come find us at booth #960 on the show floor. We're also sponsoring several DEF CON hacking villages including the DEF CON Car Hacking Village, Recon Village, and ICS Village. We'll be handing out exclusive DEF CON swag, so be sure to stop by.”

Adam Kujawa – director, Malwarebytes Lab

Adam Kujawa at Black Hat 2019 (Image: PortSwigger Ltd)

How does Malwarebytes approach an event like Black Hat?

Adam Kujawa: “We frequently send researchers and developers to events across the world. For those that can’t make it, we also frequently purchase the full talks [conference proceedings] from the event organizer and distribute them across our teams.

“It is worth saying, however, that in many cases the findings of a conference don’t always result in modifications to how malware is distributed in the wild, unless it’s an exploit or some other new method of spreading threats.  Many of these conferences focus on manual hacking which doesn’t always translate into what we see being pushed by criminals in the wild.

“When we do find out about a new tactic, potential threat or even analysis tool, we’ll frequently discuss in internally, share files and information as needed and determine whether or not it’s something that we can deploy to make our work easier or more complete.

“We do a lot of in-house development of various tools and tech that we use in our product (or will use once we’re done developing it) and talks can provide ideas on directions to go when developing new tools as well as things to keep in consideration of when thinking about a new tool that we want to keep working for years.”

Which Black Hat sessions are you looking forward to in 2019?

AK: “There are quite a few I am interested in. I doubt I will be able to see most of them with my schedule, but hopefully I can see them after we get our hands on the recorded talks:

“Many of these are important for understanding our current threat landscape, there are a couple of ones that focus on tools and techniques that can be used for future analysis or future development of security processes.

“Then there are ones in there that deal with privacy, social engineering and understanding that our future, with ‘DeepFake’ technology, is going to be harder to trust than our past.”

Mårten Mickos – CEO, HackerOne

Last year once again saw experts present cutting-edge research into web security. What impact has this research had on the security space, from your perspective?

Mårten Mickos: “Every year, the respective proportion of various types of vulnerabilities changes a little across all our bug bounty programs. When some vulnerability type becomes less frequent, it is usually the sign of the industry learning and taking action.

“The great research and findings that get published at Black Hat and DEF CON and other events surely help with this. Companies learn what software libraries to use, what mistakes other organizations make, and they improve their software design patterns to reduce the likelihood of vulnerabilities.”

What else does HackerOne have planned over the coming days?

MM: “HackerOne will be everywhere during ‘Hacker Summer Camp’ in Vegas this year.

“Firstly, we’ll be hosting our annual Las Vegas live hacking event – h1-702 – our biggest live hacking event every year. From Thursday, August 8, to Saturday, August 10, top hackers from across the globe will join together to find vulnerabilities in HackerOne customer programs.

“At Black Hat itself, we’ll be at booth #1330. Anyone can swing by to get a product demo, grab some custom swag and snag a few entry passes to our invite-only happy hours and live hacking events.”

Dustin Childs – communications manager, Zero Day Initiative

Dustin Childs at Black Hat 2019 (Image: PortSwigger Ltd)

Has the research from Black Hat 2018 started to filter down through to those involved in ZDI?

Dustin Childs: “Unless it’s a different method for finding bugs, most new research techniques take time to filter down to us – mainly because the older techniques continue to be a reliable source for researchers hunting bugs.

“We are seeing some new trends – most notably in virtualization software and IoT devices – and we’re starting to see some research on containers come our way as well.”

Which presentations are you particularly looking forward to this year? What else will the ZDI team be getting up to during 'Hacker Summer Camp'?

DC: “ZDI program manager Shannon Sabens will be on a panel regarding bug bounty operations. That definitely tops my admittedly biased list.

“Beyond that, there are definitely some talks that look interesting (Apple and Hyper-V to be sure), but I find the best talks occur during ‘HallwayCon’. I look forward to getting to know what people are currently researching in a more informal setting.

“That’s one of the great things about ‘Hacker Summer Camp’ – connecting (or re-connecting) with people face-to-face. One big thing I’m hoping to do while I’m there is to let people know more about our Targeted Incentive Program and encourage them to submit.

“I’ll also be looking for feedback on what products and protocols we could include in the future.”

Black Hat 2019: Attendee security tips

Security pros offer their advice for Black Hat attendees new and old.

Mårten Mickos:

Don’t connect to the WiFi! You will be surrounded by hostile WiFi networks all throughout Vegas. These networks have the specific goal of embarrassing you and the companies that use them.

BSides Las Vegas, Black Hat, and DEF CON offer some of the best research and presentations out there. But, wow, there are a lot of them! Don’t make your goal to attend as many as possible. Go to the ones that interest you, are relevant to your job or industry, and leave the rest behind.

If you are new to the industry or learning the space, do your best to immerse yourself, identify with and relate to the different types of people that attend the conference.

There are privacy advocates, researchers, vendors, government officials, law enforcement agents, journalists, among many, many others. These connections can be just as valuable as a presentation.

Dustin Childs:

I always encourage people to go to at least one random talk. Nothing interest you in this time slot? Just pick one at random. Those can often be the most fun.

I also encourage people to ask questions. Some folks can get nervous talking to speakers or bloggers, etc, but – in my experience – most are more than happy to talk regardless of your experience level. Don’t be intimidated if you are new to the industry. We all had to start at some point.

Ashish Gupta:

This is not your typical trade show – as standard with a hacker conference, there are things that regular trade show goers would do without thinking twice that one should definitely not do in Vegas.

First and foremost, be cognizant of your phone and the sensitive data you may be housing on it. Avoid connecting to hotel or cafe WiFi anywhere in Vegas, even if it appears to be legit, and beware of will free WiFi hotspots that can harvest your data once connected.

Also, if hotel WiFi is insecure, it can be hacked into and your data is at risk. Before you go, turn off WiFi, Bluetooth, and NFC – turn off everything but your data. Then you’ll want to find a mobile VPN service to safeguard your device. For communication (text and calls), I highly recommend using an encrypted communication app like Signal or Telegram instead of SMS.

In short, keep a healthy paranoia. If it seems sketchy, it probably is; don’t connect to it.

Adam Kujawa:

  • Scope out what talks you want to attend before you don’t have enough time to schedule them.
  • Don’t bring your personal tech, unless it’s secured.
  • Stay with people you know, keep your gear attached to you.
  • Don’t leave anything unsecured in your hotel room while you aren’t there.
  • While the temptation to get super drunk perpetually exists in Vegas, it’s better to keep your partying to a minimum, unless you are around a group of people who you completely trust.

Black Hat Briefings, Day One, starts tomorrow. The Daily Swig will be back with more coverage throughout the week.