In the 20 years since the first Black Hat conference in 1997, security hacks have become incredibly cheap to initiate, increasingly expensive and complex to mitigate, and have more real-world consequences than ever before, according to speakers and attendees at this year’s conference.
The first day of sessions at the conference, which runs until Thursday at the Mandalay Bay in Las Vegas, touched not only on new technology but also on the human element of security. Facebook chief security officer Alex Stamos shifted the lens onto hackers themselves in his keynote session on Wednesday morning, urging them to reflect on their empathy for users.
Here’s a look at the keynote and other highlights from day one at the Black Hat conference.
Facebook CSO: Hackers Need to Work on Empathy
Facebook chief security officer Alex Stamos kicked off the Black Hat conference on Wednesday with a keynote that called on attendees – which include security practitioners, vendors, academics and others – to go beyond finding bugs and the next zero-day and recognize the potential human harm of less interesting security issues like phishing and spam.
According to a report by ThreatPost, Stamos said that the community “is not yet living up to its potential. We’ve perfected the art of finding problems over and over without addressing root issues. We need to think carefully about what to do about it downstream after discovery.” He said that the security community tends to shy away from areas that create real harm, such as instances of abuse like doxing.
“The security community has the tendency to punish those who implement imperfect solutions in an imperfect world,” Stamos said, according to ThreatPost. “We have no empathy. We don’t have the ability to put ourselves in the shoes of people we are trying to protect.”
If you want to watch the full keynote, you can do so on Facebook here. (Stamos’ presentation starts at 45:42.)
Diversity in Cybersecurity Needs to Be a Priority
Stamos addressed the issue in his keynote and offline, as others in the community continued to discuss how important it is to foster diversity in cybersecurity.
Many believe that diversity is critical to ensuring that different minds come together to solve the complex security problems of the future. But in the few years since Black Hat began devoting more sessions and panels to the topic, the diversity numbers have not improved drastically; instead, they have essentially flatlined, according to Kelly Jackson Higgins, executive editor at Dark Reading, who put together a panel on Wednesday called “Making Diversity a Priority in Security.”
The panel focused on real-world examples of how organizations are hiring diverse candidates, which actually starts with the job description. Jackson Higgins described on the Charles Tendell Show podcast how many security job descriptions are not geared towards finding a diverse pool of candidates. Companies and advocates in the security community are trying to change this with internship programs that help underrepresented communities get their foot in the door.
New Hacks Range from Cheap to Critical (Infrastructure)
The human element of security may be interesting and topical, but this is a technology conference, and the sessions on technology are plentiful.
This is no surprise to anyone who works in security, but it’s insanely cheap to hack stuff. I mean, if you know what you’re doing, you basically only need a USB key; or, as a panel at Black Hat on Wednesday showed attendees, a $10 SD card reader.
“Dumping firmware from hardware, utilizing a non-eMMC flash storage device, can be a daunting task with expensive programmers required, 15+ wires to solder (or a pricey socket), and dumps that contain extra data to allow for error correction. With the growing widespread use of eMMC flash storage, the process can be simplified to 5 wires and a cheap SD card reader/writer allowing for direct access to the filesystem within flash in an interface similar to that of using an SD card.”
Researchers on Wednesday also discussed a new flaw in the cryptographic protocol used in 3G and 4G networks, which can be exploited using a low-cost setup.
Elsewhere, security experts showed attendees how a home-built ultrasound/sound-emitting system can be used to launch attacks against VR products, including smartphones and drones.
DIY projects and drones may seem small-time, but there are all kinds of attacks that have serious real-world security consequences, particularly when it comes to critical infrastructure.
Ruben Santamarta, principal security consultant at IOActive, spoke Wednesday about how radiation monitoring devices, used in critical infrastructure like nuclear power plants and at the borders, are being exploited. Jason Staggs, a security researcher at the University of Tulsa, explained how wind farm control networks can be attacked to influence the operation of wind farms, which are becoming a leading source of renewable energy.