Black shirts in Vegas: Impressions from Black Hat and DEF CON

Published in Threat Intel, Aug 2, 2017

Symantec Security Response threat researcher Candid Wueest was in Las Vegas to attend Black Hat and DEF CON 2017. He recounts his highlights from the IT security industry’s biggest week of the year.

Las Vegas

Last week, Las Vegas was in the grip of IT security once again.

Multiple IT conventions were taking place, with the big three being Black Hat, DEF CON and BSidesLV. It was difficult to miss the stereotype-fulfilling, black t-shirt clad IT and hacker crowd that populated many of the hotels. They were everywhere, wearing blinking badges or backpacks with multiple radio antennas.

As always, it was fun talking to the various taxi drivers I encountered in Vegas over the week. Some of them had clearly never engaged with computer security before, as they thought they were not a target for attackers, whereas others believed in Hollywood stories and were waiting for us hackers to change all the traffic lights to green and program all the hotel screens so their name would appear — all by just using our smartphones. This didn’t happen.

For people outside the industry, all kinds of legends and stories surround these conferences. There is a certain reverence, almost, and many shops in Vegas prepared themselves for possible cyber attacks, including one copy store that restricted the use of USB sticks during the conference, probably with the (sadly false) hope that this would protect them from falling victim to a cyber attack.

I regularly get questions from first time attendees at these conferences about what they should pay special attention to: whether they should stay off Wi-Fi or bring a burner phone. The reality is usually somewhere in between. Most of the gambling machines with “out of service” messages probably hadn’t been hacked, but really just needed a service.

This “out of service” machine was probably just actually out of service

Big crowds, big ideas

This year marked the 20th edition of Black Hat, and the 25th edition of DEF CON. I attended my first DEF CON conference 15 years ago, when it was still at the Alexis Park hotel in Las Vegas, and the event has come a long way since then. In particular, the number of attendees has grown fast over the years. This year it was held at the Caesars Palace Hotel and Casino, and the venue faced challenges at times coping with the mass of more than 20,000 attendees. However, I was only waiting for half an hour to get registered and pick up my badge this year, compared to other years, when I had to wait for nearly two hours. Of course, this might also be due to the fact that it was not an electronic badge this year, which often attracts more people. Instead, it was a luggage name tag style badge.

Throwback: The DEF CON 10 badge

Nevertheless, the large number of attendees still posed a challenge at times, such as when trying to switch floors between talks. Sometimes, the corridors were so blocked with people that I (and others) missed half of the talk we were trying to attend. However, there were always interesting discussions to be had with random strangers in the waiting line. It also allowed time to warm up a bit before entering the cold air-conditioned rooms again.

Almost 20,000 people attended DEF CON this year

Industrial controllers

When it comes to the talking points at these conferences, not much has changed in recent years. Many of the presentations didn’t raise too many eyebrows, as people have become accustomed to devices like routers and Wi-Fi cameras getting compromised. Most of these attack concepts have been shown before, and it is just another Internet of Things (IoT) device that did not secure its web interface or left the firmware unprotected. Of course, it is not just smart home IoT devices that are vulnerable to compromise, but also wind turbines, robotic arms, cars, and anything else that is connected to the internet.

Listening to the presentations, it feels like the situation has not improved in the last year. If we take the increase in sabotage and blackmail attacks against manufacturing lines into account, it has got even worse. One Industrial Control Systems (ICS) scenario that was discussed a few times was that of modifying industrial controllers only slightly, so that they still operate within their tolerance levels: increasing spin speed by 10 percent, lowering pressure by 5 percent, or adding a 50 millisecond delay between two robot movements. Such modifications are hard to detect and do not break the operation immediately, but the mean time between failures of the overall system would decrease drastically: the small natural fluctuations that the safety margin used to absorb now push the process outside its limits and lead to a higher number of failures. Such sneaky attacks could remain unnoticed for a long time.
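To make the reasoning above concrete, here is an added simulation (not code from the original post or from any of the talks) of a hypothetical spindle with an assumed nominal speed of 3000 rpm, an assumed ±5 percent tolerance band and assumed Gaussian fluctuation. It shifts the setpoint by only 3 percent, which keeps the controller nominally "in tolerance", and measures how often natural fluctuation now crosses the limit. It also shows the check a plant engineer could run against historian data: a windowed comparison of the live mean against a recorded baseline, which catches a sustained small shift that a per-sample limit alarm never would. All telemetry is constructed with a seeded generator.

```python
import random
import statistics

# Hypothetical spindle: nominal 3000 rpm, specified tolerance +/-5% (assumed values).
NOMINAL_RPM = 3000.0
TOLERANCE = 0.05
LOW_LIMIT = NOMINAL_RPM * (1 - TOLERANCE)    # 2850 rpm
HIGH_LIMIT = NOMINAL_RPM * (1 + TOLERANCE)   # 3150 rpm


def simulate_rpm(setpoint, sigma=60.0, n=20000, seed=1):
    """Constructed telemetry: the controller holds `setpoint` and natural
    fluctuation is modelled as Gaussian noise with standard deviation `sigma`."""
    rng = random.Random(seed)
    return [rng.gauss(setpoint, sigma) for _ in range(n)]


def out_of_tolerance_rate(samples):
    """Fraction of samples outside the specified band. Each excursion is treated
    as a fault, so a higher rate means a shorter mean time between failures."""
    faults = sum(1 for s in samples if s < LOW_LIMIT or s > HIGH_LIMIT)
    return faults / len(samples)


def drift_alarm(baseline, live, window=200, threshold=5.0):
    """Compare the mean of each window of live telemetry with the baseline mean,
    measured in standard errors. Returns (alarmed, window_start, z_score)."""
    mu = statistics.fmean(baseline)
    se = statistics.stdev(baseline) / window ** 0.5
    for start in range(0, len(live) - window + 1, window):
        z = (statistics.fmean(live[start:start + window]) - mu) / se
        if abs(z) > threshold:
            return True, start, z
    return False, None, 0.0


def compare(shift_fraction=0.03):
    """Fault rates for the honest setpoint and for one raised by shift_fraction."""
    honest = simulate_rpm(NOMINAL_RPM, seed=1)
    tampered_setpoint = NOMINAL_RPM * (1 + shift_fraction)
    # The tampered setpoint is still inside the band, so a limit alarm stays quiet.
    assert LOW_LIMIT < tampered_setpoint < HIGH_LIMIT
    tampered = simulate_rpm(tampered_setpoint, seed=2)
    return out_of_tolerance_rate(honest), out_of_tolerance_rate(tampered)


if __name__ == "__main__":
    honest_rate, tampered_rate = compare()
    print(f"fault rate, honest setpoint  : {honest_rate:.4f}")
    print(f"fault rate, +3% setpoint     : {tampered_rate:.4f}")
    print(f"MTBF shrinks by roughly      : {tampered_rate / honest_rate:.1f}x")
    baseline = simulate_rpm(NOMINAL_RPM, seed=1)
    print("drift alarm, honest  :", drift_alarm(baseline, simulate_rpm(NOMINAL_RPM, seed=3)))
    print("drift alarm, tampered:", drift_alarm(baseline, simulate_rpm(NOMINAL_RPM * 1.03, seed=2)))
```

With the assumed noise (σ = 60 rpm) the honest process sits 2.5σ from each limit and faults on roughly 1 percent of samples; the 3 percent shift puts the upper limit only 1σ away and the fault rate jumps to roughly 16 percent, even though every individual reading a limit alarm sees is plausible. The windowed mean test flags the shift in the first window because the sustained offset is about twenty standard errors, while the unshifted stream stays well under the threshold.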

Voting machines

The IoT device category that attracted the most interest this year was voting machines. Multiple machines were set up at DEF CON to be tested by hackers. Unsurprisingly, it only took a few hours for severe weaknesses to be found in multiple voting machines. One of the machines, which was actively used in U.S. elections up until 2015, including three presidential elections, was compromised through its Wi-Fi system: a hacker used a 14-year-old Windows XP exploit to gain access to the system. Another group of hackers plugged a USB keyboard and mouse into two unused, exposed ports on the back of the machine. By simply pressing CTRL-ALT-DEL, they were able to get past the voting software and reach the underlying operating system. From there they installed a remote desktop program and controlled the voting machine remotely from a mobile device. This shows that information protection in this area is clearly not yet at the level we would hope.

Machine learning

Hot topics of previous years, such as ransomware and blockchain, did not feature much at either conference this year; but artificial intelligence (AI) and machine learning were two topics that were still discussed a lot. In contrast to previous years, this time the focus was more on the offensive side. For example, one presenter discussed how AI could be successfully used to modify malware automatically to evade detection, and other speakers were trying to attack the machine learning algorithm directly. Two of my own colleagues also demonstrated how machine learning is a powerful weapon for scammers when crafting business email compromise (BEC) scams. As with so many technologies and concepts, AI and machine learning can be used for both good and bad purposes.

Symantec’s booth

Living off the land

Another popular topic was the use of the “living off the land” tactic. This topic is close to my heart as I recently published a white paper detailing the different aspects of this technique. There were presentations on how to persist with Microsoft Office or Kerberos delegation, and others that elaborated on how to misuse GPO, COM objects and WMI during attack scenarios. Another talk reminded the audience that PowerShell scripts can call system APIs directly to perform any nefarious action they want. Using legitimate tools and API calls that are already present on the system makes the threat blend in and harder to detect. Of course, this is not just a Windows phenomenon, as Patrick Wardle demonstrated with a nice presentation on how macOS installers could be hijacked to gain higher privileges.
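Because living-off-the-land activity uses tools that are already present, the detection opportunity is in what those tools are asked to do rather than in which binary runs. The following added triage script (not from the original post, the white paper, or any of the talks) scores PowerShell script blocks, as recorded by Script Block Logging (event ID 4104), for the two patterns named above: direct system API calls through Add-Type/DllImport, and process creation through WMI. The three sample script blocks and the indicator weights are constructed for the example; the threshold and weights are assumptions, not a vendor rule set.

```python
import re

# Constructed sample script blocks, as they would appear in the ScriptBlockText
# field of a 4104 event. These are not real captures.
SAMPLE_BLOCKS = {
    "admin-inventory": (
        "Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version"
    ),
    "pinvoke-loader": (
        "Add-Type -TypeDefinition @'\n"
        "using System; using System.Runtime.InteropServices;\n"
        "public class K { [DllImport(\"kernel32.dll\")] public static extern "
        "IntPtr VirtualAlloc(IntPtr a, uint s, uint t, uint p); }\n"
        "'@\n"
        "$p = [K]::VirtualAlloc([IntPtr]::Zero, 0x1000, 0x3000, 0x40)"
    ),
    "wmi-remote-exec": (
        "Invoke-WmiMethod -Class Win32_Process -Name Create "
        "-ArgumentList 'cmd.exe /c whoami' -ComputerName srv01"
    ),
}

# (indicator name, pattern, assumed weight). Weights are illustrative only.
INDICATORS = [
    ("pinvoke_declaration", re.compile(r"DllImport\s*\(", re.I), 3),
    ("add_type_csharp", re.compile(r"Add-Type\b.*-TypeDefinition", re.I | re.S), 2),
    ("memory_api", re.compile(
        r"\b(VirtualAlloc|VirtualProtect|WriteProcessMemory|CreateRemoteThread)\b"), 3),
    ("wmi_process_create", re.compile(r"Win32_Process\b.*\bCreate\b", re.I | re.S), 2),
    ("remote_target", re.compile(r"-ComputerName\s+\S+", re.I), 1),
]


def score_block(text):
    """Return (score, matched indicator names) for one script block."""
    hits = [(name, weight) for name, pattern, weight in INDICATORS if pattern.search(text)]
    return sum(weight for _, weight in hits), [name for name, _ in hits]


def triage(blocks, threshold=3):
    """Keep only the blocks whose score reaches the (assumed) review threshold."""
    results = {name: score_block(text) for name, text in blocks.items()}
    return {name: result for name, result in results.items() if result[0] >= threshold}


if __name__ == "__main__":
    for name, (score, hits) in triage(SAMPLE_BLOCKS).items():
        print(f"{name}: score={score} indicators={hits}")
```

The inventory query, which also uses WMI, scores zero and is left alone; the P/Invoke loader scores 8 on three indicators; the remote Win32_Process.Create call reaches the threshold only because the remote-target indicator adds to it, which is the intended behaviour. The check is plain pattern matching over logged script text, so it is a triage aid rather than a control: string obfuscation will evade it, and the defensive value comes from having Script Block Logging enabled in the first place so that the text is available to inspect.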

There were other talking points beyond the ones I have mentioned, such as firmware hacks, cloud app weaknesses and attacks against the mobile networks. Many of the slides from the DEF CON presentations are already available online.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.



Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.