Black Hat USA 2022 (https://www.blackhat.com/us-22) never fails to deliver exciting, enlightening, and distressing discussions about the state of cybersecurity. What analysts saw at Black Hat this year both impressed and worried us. If you could not make the trip, here is a summary of 14 Black Hat topics [1].
- A Quarter Century of Hacking: The Black Hat security conference turned 25 this year, and the relentless passage of time was enough to scare some of our reporters. The conference marked the occasion by focusing its two keynote presentations on the future of security. Both were a bit grim, touching on the impact of an ongoing cyberwar in Ukraine, the rise of online disinformation, and the political turbulence following unfounded claims that the 2020 US election was fraudulent.
Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency (CISA), ticked through many of the challenges facing the world of cybersecurity. His talk was a call for attendees and security companies to embrace principles to help guide them in the turbulent times he saw ahead.
In her keynote, journalist Kim Zetter described how many of the most shocking security stories of recent years, such as Stuxnet and the Colonial Pipeline attack, were predictable and preceded by many warning signs. She also described how difficult it is to cover election security in an era when legitimate concerns and research are misappropriated as disinformation.
- SMS Codes Flunk MFA: When password security isn't enough, banks and sensitive websites turn to multi-factor authentication (MFA). But not all factors are equal. A Swedish research team demonstrated that sending an authentication code via text message is inherently insecure. They identified several recent breaches involving a failure of MFA and went on to demonstrate hacking techniques. Text-based authentication will not protect you if an attacker has your login credentials and can receive or redirect your text messages, for example by taking over your phone number through a SIM swap.
- Ghost in the Touch Screen: We know that a keylogger can steal the words we type, and a gimmicked USB drive can pretend to be a keyboard, injecting unwanted commands. Surely the touch-screen interface is more secure? Nope. An academic research team explained how they managed an attack that triggers touch-screen events from several centimeters away. If you set your device down on a table that conceals the attacker's antennas, the attack can use its invisible finger to take control.
- Cyber Harm Reduction: Not everything at Black Hat involves privacy gloom and security doom. One briefing exhorted security leaders to step back and change how they handle risky security behaviors. If you just say “don’t do that,” some will do it anyway. You need to protect those people (and those around them) by reducing the negative consequences of their risky behavior. This harm reduction philosophy has proven effective in medicine for years, for example, providing clean needles rather than telling addicts, “No drugs!” It can work in security too.
- Investigating WTF Just Happened: Another Black Hat briefing tackled a systemic issue in the cybersecurity field: the lack of a clear historical narrative regarding major cyber incidents. If organizations don't take the time to investigate how cybersecurity incidents happen, they could be doomed to repeat history. That's the problem a team of researchers sought to address by creating the Major Cyber Incident Investigations Playbook.
The document contains a guide for creating independent review boards at organizations, from deciding who should be on the board to presenting investigation results to interested parties. These groups would be tasked with gathering the facts about cybersecurity incidents and then sharing that information with the wider cybersecurity community online. Currently, the document is available on GitHub.
- Malware Searching for Job Searchers: At a different Black Hat briefing, two threat intelligence experts from PwC said global threat actors are taking advantage of "the great resignation" and targeting job seekers online with phishing links. The main offenders are groups from Iran and North Korea. The hackers create fake websites, job descriptions, job posts, and social media profiles to deliver malicious links and file attachments to their victims.
Do not click links in emails or LinkedIn messages you receive from strangers. See https://redskyalliance.org/xindustry/doj-warning-to-job-hunters. That advice is doubly important when you're on the job. Explaining to your manager that you infected the company network with malware because you opened a link about an amazing job opportunity at another company isn't a great look.
- Startups Shirk Security: A Black Hat briefing Thursday about ways to improve bug bounty rewards offered a reminder of how fast-growing startups that don't incorporate security into their early planning can wind up having to speedrun "infosec."
Luta Security founder and CEO Katie Moussouris reminded attendees of how she discovered serious vulnerabilities in the Clubhouse app last year, then struggled to get the company's attention: "It took me a couple of weeks even to find the right contact." The company eventually did respond.
At that point, she learned that Clubhouse's bug-bounty program was not only saddled with a non-disclosure-agreement requirement but was run by one of the co-founders in his probably nonexistent spare time. Noting that Clubhouse's venture-capital funding valued it at about $4 billion, Moussouris griped: "They had fewer employees at that company than I have at my company!" Clubhouse did, however, finally fix those bugs.
- Taking a Bite Out of Apple Security: Macs are way more secure than PCs, right? Everybody knows that. The layers of security keep growing with every update to macOS. However, not every component of the operating system keeps up with those security upgrades.
One persistent researcher dug deep into macOS and came up with a process-injection attack that allowed him to bypass all of those security layers. He demonstrated using this attack to escape the sandbox, escalate privileges, and get around the ever-vigilant System Integrity Protection. The security hole is fixed in macOS Monterey and even back-ported to Big Sur and Catalina, but it won't be fully closed until every app gets a simple tweak.
- Wolf in ELAM's Clothing: Microsoft is doing its best to make Windows more secure, but sometimes security efforts can backfire. The Early Launch Antimalware (ELAM) system lets security programs launch very early in the boot process, and the antimalware services an ELAM driver vouches for run as protected processes that even an administrator cannot tamper with. There is no way to fake an ELAM driver, as Microsoft must sign them, nor can you modify an existing driver without breaking its signature. But one very persistent researcher found a way in through existing, approved drivers whose allow rules were lax enough to admit code that was never meant to be there. The result? A program that could not only enter the secure bunker provided by ELAM but also shoot down the antivirus programs already residing there.
- Bug Hunting Exposes Bug Hunters: Being a security bug hunter is an exciting life. You could earn a six-figure bounty for detecting and reporting a serious security flaw. You could also get sued or charged with a crime. Recent policy changes protect honest hackers but don’t address one particular problem. In gathering information to prove a reported bug, hunters often capture personal information. One bug hunter teamed up with a lawyer to engagingly present the problem and, if not a solution, a better direction.
- Key Fobs Should Know Better: Recording and replaying radio signals is easily done with a laptop and the right equipment. That's why car key fobs employ a rolling-code system, where each button press sends a different signal and a previously used code should be rejected. Researchers discovered that for some cars, however, replaying a sequence of old signals can roll back the rolling-code counter and let an attacker unlock the doors. Worse, the researchers found there was no time limit on the attack, with old codes still being accepted over 100 days after being captured. See: https://redskyalliance.org/xindustry/honda-cars-targets-for-hackers
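The rollback described above, as an added example that is not part of the original article or of the researchers' work: a simplified Python model of a rolling-code receiver. Its assumptions are that codes are truncated HMAC-SHA256 tags over a counter (real fobs encrypt the counter with a proprietary cipher), that the receiver accepts a 16-code look-ahead window, and that it resynchronises whenever it sees two consecutive valid codes, a rule modelled on the documented KeeLoq behaviour. The affected vehicles' firmware is not public and may differ. The flawed receiver trusts any consecutive pair, including counters it has already consumed, so two stale captured codes roll the counter back; the hardened variant refuses to resynchronise to a counter behind its current position. Nothing in the model involves time, which matches the finding that age alone did not invalidate the codes.

```python
import hashlib
import hmac

WINDOW = 16              # codes accepted ahead of the expected counter
RESYNC_SEARCH = 1 << 16  # how far the receiver looks when offered an out-of-window code


def make_code(key: bytes, counter: int) -> bytes:
    """One button press: the counter, authenticated under the shared key.
    Truncated HMAC-SHA256 stands in for the fob's proprietary cipher (assumption)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


class Receiver:
    """Rolling-code receiver. allow_rollback=True models the flawed resync rule
    (trust any pair of consecutive counters, even already-used ones); False is
    the hardened rule that only ever resynchronises forward."""

    def __init__(self, key: bytes, allow_rollback: bool):
        self.key = key
        self.allow_rollback = allow_rollback
        self.next_counter = 1  # lowest counter still considered fresh
        self.pending = None    # out-of-window counter waiting for its successor

    def _match(self, code: bytes, lo: int, hi: int):
        """Return the counter in [lo, hi) whose code equals `code`, or None."""
        for c in range(max(lo, 1), hi):
            if hmac.compare_digest(make_code(self.key, c), code):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        # Normal path: a fresh code inside the look-ahead window.
        c = self._match(code, self.next_counter, self.next_counter + WINDOW)
        if c is not None:
            self.next_counter, self.pending = c + 1, None
            return True

        # Resync path: a code that is valid for this fob but outside the window.
        c = self._match(code, 1, self.next_counter + RESYNC_SEARCH)
        if c is None:
            self.pending = None  # not from our fob at all
            return False
        if c < self.next_counter and not self.allow_rollback:
            self.pending = None  # already-consumed counter: a replay, reject it
            return False
        if self.pending is not None and c == self.pending + 1:
            # Two consecutive valid codes: the receiver trusts the pair and jumps
            # to it. With allow_rollback the jump can go backwards, which is what
            # lets stale captured codes work again.
            self.next_counter, self.pending = c + 1, None
            return True
        self.pending = c
        return False


def demo(allow_rollback: bool):
    """Constructed scenario: the attacker records two consecutive presses, the
    owner keeps using the fob for weeks, then the attacker replays. Returns
    (single_replay_accepted, pair_replay_accepted, receiver_next_counter)."""
    key = b"\x42" * 16  # constructed demo key
    fob, car = Fob(key), Receiver(key, allow_rollback)

    captured = [fob.press(), fob.press()]  # attacker records these two presses...
    for code in captured:
        car.receive(code)                  # ...which the car also hears and accepts

    for _ in range(200):                   # normal use; the counter moves far ahead
        car.receive(fob.press())

    single = car.receive(captured[0])      # one stale code alone is never enough
    car.receive(captured[0])
    pair = car.receive(captured[1])        # two consecutive stale codes
    return single, pair, car.next_counter


if __name__ == "__main__":
    print("flawed receiver  ", demo(allow_rollback=True))   # (False, True, 3)
    print("hardened receiver", demo(allow_rollback=False))  # (False, False, 203)
```

The fix in the hardened variant is the one line that refuses any counter below `next_counter` before the pair logic runs: resynchronisation should only ever move the receiver forward, and a counter the receiver has already consumed is by definition a replay.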
- Using Zoom IMs to Zoom Malware: Zoom and the pandemic go together like cookies and milk, or security researchers and decades-old technology. It turns out that Zoom's instant messaging is built on XMPP, which one researcher figured out how to abuse in several ways. Spoof message sender? Easy. Intercept all messages to and from a target? Yawn. The real prize was using this attack to obtain remote code execution on a target's computer.
- Spoofing Tracking Devices: Keeping track of people and stuff is a breeze when you attach location-reporting tags to them. But can these systems be abused? Of course, they can. Researchers showed how they could manipulate ultra-wide-band real-time location systems (UWB RTLS) to trick disease contact tracing and industrial safety technologies.
- Cyberwar in Ukraine: Russia's invasion of Ukraine and the ongoing war in the region were the subject of several Black Hat presentations. Researchers from ESET, a security company based in neighboring Slovakia, walked attendees through a timeline of attacks on Ukraine's power grid. If successful, the most recently used Industroyer2 malware could have knocked out power to 2 million residents. Interestingly, Industroyer2 was deployed together with "wiper" malware to render infected machines unusable, slowing recovery efforts. Tom Hegel and Juan Andres Guerrero-Saade, researchers from SentinelOne, pointed out that this was unusual, as wiping meant the attacker had to give up access to the infected machines. They analyzed the observable cyberattacks in Ukraine and stressed that it is difficult to draw conclusions, since what is detectable is likely only a small part of what is happening.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.pcmag.com/news/scariest-things-we-saw-at-black-hat-2022