Black Hat, DefCon Draw Security Experts to Demo Latest Exploits

Security experts examined modern threats—ranging from car hacking to Flash vulnerabilities—at the Black Hat USA and DefCon 24 conferences.

Security researcher Dan Kaminsky, who delivered the only Black Hat keynote this year, said the basic fabric of the internet continues to be at risk. “We have work to do to keep the internet working,” he said. “I’m here to encourage everyone to notice what is wrong, how it can get worse and what we can do about it.”

Charlie Miller and Chris Valasek completed their Black Hat car hacking trifeca by delivering their third (and ostensibly final) talk about vehicle flaws that the pair were able exploit. This year, the two researchers demonstrated how they could control a vehicle’s brakes and steering.

Tod Beardsley, security research manager, and Weston Hecker, senior security engineer, both of Rapid7, demonstrated flaws in how ATM systems could be tampered with to allow an attacker to steal cash.

Will people pick up randomly placed USB keys and stick them in their PCs? Surprisingly, a Google researcher checked this out and found 46 percent of people picking up a key, putting it in a PC and then clicking a link.

Google Project Zero security researcher Natalie Silvanovich is among the most prolific bug reporters of Adobe Flash vulnerabilities. In a Black Hat session, she detailed myriad flaws discovered in Flash over the last year, including 79 in December 2015.

At Black Hat, Ivan Krstic, head of Apple Security Engineering and Architecture, announced the company’s new security awards program. The bug bounty program, set to launch in September, will offer researchers up to $200,000 in awards for finding iOS software vulnerabilities.

While Black Hat was originally best known for its security research, in recent years the exhibit hall has expanded to rival the show floor at the neighboring RSA Security conference.

DefCon played host to the final round of the DARPA’s Cyber Grand Challenge, pitting seven autonomous systems against each other in a security challenge. In total, $3.75 million in prize money was awarded with the Mayhem system winning the top prize of $2 million.

Terrell McSweeny, FTC commissioner, made a plea at DefCon for hackers to work with the government on research that can help improve consumer privacy and data protection.

The Wall of Sheep, hosted in the Packet Hacking Village at DefCon, publicly shamed attendees that connected to the network and sent their usernames and passwords in clear text.

Among the most popular areas of DefCon this year was the IoT village, which provided visitors with the opportunity to hack popular IoT devices.

Fiat Chrysler America was among the multiple sponsors of the Car Hacking Village at DefCon that encouraged attendees to learn about car hacking and vehicle security.

The Black Hat USA 2017 event is scheduled for July 22 to 27, 2017, with DefCon 25 set to follow.