Black Hat Europe wraps up in London; Twitter opens Privacy Center; and HackerOne hands out a $20,000 bounty
The Black Hat Europe conference took place in London this week, with security researchers descending on the British capital to learn about the latest hacking tools and listen to some proposed solutions to building a better digital world.
The Daily Swig was there, too.
Amanda Rousseau, offensive security engineer at Facebook and very likely the conference's most fashionable speaker, opened the event with a keynote address on how blue and red team collaboration can facilitate better research and employee value within a company’s infrastructure.
The “adversarial mindset”, Rousseau explained, should be applied to both blue and red teamers in order to challenge the assumption that certain infosec roles must adhere to strict boundaries.
“Think outside the box,” Rousseau said.
And it wouldn’t be a Black Hat event without PortSwigger’s own James Kettle presenting his latest work – this year’s focus centering around issues with the HTTP protocol.
Kettle demonstrated how isolated HTTP requests can be exploited to poison web caches and desynchronize entire systems using a technique called HTTP request smuggling. Let’s just say there were some fans.
“He’s singlehandedly made appsec sexy again after years of hardly any decent research,” researcher Daniel Cuthbert said in a Twitter thread outlining Kettle’s methodology on how to break into modern web stacks.
“This little trick will make the bug bounty scene go mad.”
If you didn’t make this year’s conference, you can catch up with The Daily Swig’s coverage, including research from Leigh-Anne Galloway and Tim Yunusov on contactless card payment security, and a new open source API tool from Imperva.
And outside of the conference scene, social media continued to tick by this week with Twitter announcing on Monday that it would be creating its very own Privacy Center to increase transparency between the company and members of its community.
A Twitter Privacy Center website has been launched, aiming to deliver updates on the social media platform’s policies and how it adheres to data protection legislation such as GDPR and the soon-to-be enacted California Consumer Privacy Act (CCPA).
In October, Twitter CEO Jack Dorsey said that the platform would now ban all political advertising. But will this be enough to win over the detractors?
Google also had its share of headlines after a report published on Tuesday by PreciseSecurity.com analyzed the number of data requests the tech giant has received from law enforcement in the first half of 2019.
According to the stats, the US and Germany have tallied up the most requests – 26,826 and 10,009, respectively. India was a close third with 8,542 requests.
Google, like all Big Tech companies, has a standard procedure for complying with requests for data from the police. If such a request is within the confines of both state law and company scope, the information is granted, according to Google’s Transparency Report.
And finally, HackerOne awarded a $20,000 bug bounty this week to a researcher who was able to access the platform’s bug reports.
Craig Young, senior security researcher at Tripwire, told The Daily Swig:
“While I commend HackerOne for their response, this incident is yet another reminder of a distinct risk organizations take by using managed vulnerability reporting services like Bugcrowd or HackerOne.
“The consolidation of valuable data by such vendors creates a hugely attractive attack target for intelligence agencies – or even criminal actors – to fill their arsenal.”