Hacker Wisdom: Top Three Takeaways from Black Hat 2016
Las Vegas was the place to be for hackers this past week. Thousands of cybersecurity professionals, analysts and yes, hackers, from around the globe flocked to Sin City – appropriately – for the annual Black Hat cybersecurity conference to share findings and secrets, discuss mounting threats and issues and raise awareness regarding the current state and future of security.
A few of the primary topics discussed included the growing ransomware threat, analytics, endpoint security and cloud and IoT security. Here are three key happenings and takeaways from this year’s conference:
Would you pick up a random USB drive and plug it into your personal computer?
This is a question that Google researcher Elie Bursztein wanted to know the answer to. There is an enduring theory among cybersecurity experts that people will pick up and use random USB keys that they find, which could potentially infect their systems. Bursztein devised an experiment to test this theory, and presented his findings during an entertaining session at the conference. Bursztein and his team had distributed 297 USB drives as “bait” at various strategic-ish locations, such as parking lots, building hallways, classrooms and outdoor areas, around the University of Illinois campus.
Each of the drives housed tracking software that would “call home” if plugged in. The drives also included several different messages, some saying "final exam results,” others simply labeled as “confidential.” This was meant to test if certain messages piqued users’ interests more than others. The drives also included a survey and instructions to make the users aware of the experiment and the possible implications had the drives been dropped by hackers with malicious intent.
According to an article by eWeek, a whopping 46 percent of the distributed drives "phoned home," which means that many people found the drives, plugged them into their computers and clicked the links provided. Bursztein suggested that awareness and security training in this area is highly important, and warned organizations and individuals to be mindful of what they plug into their machines. "You don't pick up food from the floor and eat it. You might get poisoned. So don't pick up random USB keys, either," Bursztein said.
The mounting threat of attacks in the VoIP and UC space
Another theme highlighted at this year’s conference was the lack of understanding and awareness of modern voice over internet protocol (VoIP) and unified communications (UC) security. With the ever-increasing and rapidly-growing number of threats out there, this gap leaves providers and organizations extremely vulnerable to attacks.
“A lack of understanding of modern VoIP and UC security means that many service providers and businesses are leaving themselves at risk to threat actors repurposing this exposed infrastructure for attacks such as botnets, malware distribution, vishing, denial of service attacks and toll fraud,” said Fatih Ozavci, a managing consultant with Context Information Security.
At the conference, Ozavci spoke of the weaknesses in messaging platforms and UC product suites. These vulnerabilities in particular make it easy for hackers to sneak past security measures and spread malicious content. “By exploiting these vulnerabilities, attackers could gain unauthorized access to client systems or communication services such as conference and collaboration, voicemail, SIP trunks and instant messaging,” said Ozavci.
While Ozavci’s presentation focused on highlighting these VoIP and UC vulnerabilities, he also spoke of awareness. To help get the word out, Ozavci has developed open source tools Viproxy and Viproy which can be used for VoIP penetration testing.
Information sharing and public work
In 2008, security expert Dan Kaminsky found a huge gap in the basic underpinnings of the internet. Since then, Kaminsky has been very vocal about the role that hackers have and will continue to play in the shaping of the internet. And, how they can help protect it.
Kaminsky, the co-founder and chief technologist of the cybersecurity firm White Op, kicked off the Black Hat conference on Wednesday. To the crowd assembled, he stressed several key points, all highlighting the importance of making the internet a safe place for everyone. First, he called for more information sharing as a way to improve security and deal with and combat cyberthreats faster and more efficiently.
"Bugs are not random. Fixes are not random either. We're not taking all of the lessons we have to deal with and actually dealing with them," Kaminsky said. “We don't compete on security. If one of us gets hit, we're all going down so we should probably share our information.”
For longer-term projects, Kaminsky pointed to the need for work from the public sector.
"I believe in all projects in terms of timelines," Kaminsky said. "How long is it going to take to do this? Some things are just going to take three years of effort and the longer the timeline, the less it's something that private sector is good at and the more it's something the public sector is good at. How do I get a hundred nerds working on a project for ten years and not getting interrupted and not getting harassed and not getting told to do different things? The way you don't make it happen is how we're doing it in infosec today, which is the spare time of a small number of highly paid consultants. We can do better than that."
It will be interesting to see how all of these stories and timelines develop in the years to come. What predictions will come true, what cautions and tools will be put into place and will prove effective or not, and what tactics will be carried out to stop attacks and ultimately make the virtual world a safer place. For now, stay away from that USB drive you see on the floor, and be ever mindful of vulnerabilities.