Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Black Hat USA and DefCon: Finding Security Risks in All the Things

    By
    Sean Michael Kerner
    -
    August 1, 2016
    Share
    Facebook
    Twitter
    Linkedin
      Black Hat

      No week in the information security calendar is quite like this one, with the annual Black Hat USA and DefCon security conferences descending on Las Vegas. The mythos of the two security conferences runs deep across more than two decades as the places where new research is revealed and zero-day exploits are announced, and the 2016 events are no exception.

      While the focus of Black Hat USA, which has its briefings on Aug. 3 and 4 at the Mandalay Bay Resort and Casino, is largely on new issues, the event kicks off with a keynote address from security researcher Dan Kaminsky that will likely reminisce about one of the largest issues ever revealed at a Black Hat event.

      In 2008, Kaminsky dominated the Black Hat headlines by detailing a flaw in the Domain Name System (DNS) that has since become known simply as the “Kaminsky Flaw.” The Kaminsky Flaw is one that was thought to be critical to the foundation of the internet as we know it, and could have enabled the widespread disruption of traffic. At Black Hat USA 2016, Kaminsky is talking about the hidden architecture of the internet and how it is at risk today.

      “Essentially, I’d like to provide a model for comprehending the internet as it stands that prevents harm to it while providing the useful resources to promote its continued operation,” the abstract for Kaminsky’s session states.

      Kaminsky won’t be the only person at Black Hat talking about core internet protocols and the risks they pose, as there are multiple talks on DNS and HTTPS security. Security researcher Erik Wu from startup Acalvio, for example, is giving a talk titled “Dark Side of the DNS Force” that will discuss DNS-based attacks.

      SafeBreach security researchers Itzik Kotler and Amit Klein are talking about how to cripple HTTPS encrypted traffic.

      “We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy AutoConfiguration) resource, it is possible to leak HTTPS URLs,” the SafeBreach session abstract states.

      Among the most anticipated protocol talks is one titled “BadWPAD” (Web Proxy Auto Discovery) in which researcher Maxim Goncharov will detail how the WPAD protocol is often misconfigured in a way that could be exposing millions of users to risk.

      Hijacking HTTP Cookies

      Columbia University researchers Suphannee Sivakorn and Jason Polakis are giving a talk about how to hijack HTTP cookies and what attackers have already been able to do. The two researchers will reveal flaws that enable attackers to steal cookies and get access to user information, including search history and contact lists.

      Abusing security features is a common theme at most Black Hat events, and at Black Hat USA 2016, one of the most interesting sessions is a talk titled “Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable,” from Deep Insight security researcher Tom Nipravsky. In his talk, Nipravsky will detail how he was able to bypass Microsoft security for digitally signed applications.

      Bypassing the security of antivirus vendors is also a theme this year, and in a talk titled “Captain Hook: Pirating AVs to Bypass Exploit Mitigations,” researchers from security firm enSilo will detail vulnerabilities they reported to multiple antivirus vendors in how they hook into the Windows operating system.

      Black Hat USA and DefCon: Finding Security Risks in All the Things

      In years past, the security of payment systems was a primary topic as attackers demonstrated how to hack ATM systems as well as point of sale terminals. That topic will be discussed at this year’s Black Hat event as well. Two talks will focus on breaking payment systems, including one from security firm Rapid7 on how to hack next-generation ATMs. There is also a session from NCR security researchers Nir Valtman and Patrick Watson on breaking payment points of interaction (POI), including how to bypass EMV (chip and PIN).

      Among the big highlights of the Black Hat 2015 event was a session in which security researchers Charlie Miller and Chris Valasek detailed flaws they found in a Jeep that led to the recall of 1.4 million vehicles. The two car hackers are back again this year, with even more research into how cars, and specifically the CAN (Controller Area Network) message bus, can be attacked.

      “In this talk, we discuss how physical, safety critical systems react to injected CAN messages and how these systems are often resilient to this type of manipulation,” the talk abstract states. “We will outline new methods of CAN message injection which can bypass many of these restrictions and demonstrate the results on the braking, steering, and acceleration systems of an automobile.”

      Cyber Grand Challenge to Take Place at DefCon

      DefCon 24, which runs Aug. 4-7 at Las Vegas’ Bally’s and Paris hotels, will also provide all manner of interesting security talks and challenges. Among the big events is the U.S. government’s Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge (CGC), in which seven autonomous computing systems will compete in what is being billed as the world’s first all-machine hacking tournament.

      DARPA isn’t the only U.S. government agency represented at this year’s DefCon. Terrell McSweeny, commissioner of the Federal Trade Commission, will speak about how the FTC wants to improve consumer privacy and how security professionals can help.

      A talk that federal officials are likely to have an interest in is one from security researcher Sebastian Westerhold, who is set to detail critical flaws in the Traffic Collision Avoidance System (TCAS) used in modern aviation.

      Security researcher Chris Rock, meanwhile, is looking to give an even more intriguing talk this year than the one he gave last year. At DefCon 23, Rock gave one of the more interesting talks—on how to forge birth and death certificates. This year, he is back but this time his talk isn’t about life and death, but rather about how to overthrow a government, using digital tools.

      “Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt,” the session abstract states.

      Looking forward to the massive volume of threat information coming this week is somewhat overwhelming, as it would seem that no stone of our digital world has been left unturned in the search for vulnerabilities.

      While anxiety over security risks is understandable, soliciting fear is not what Black Hat and DefCon are all about. The simple truth is that there is no such thing as security by obscurity and by bringing issues to light in internet of things (IoT) and internet protocols and everything in between, fixes can be made, infrastructure can be hardened and the world might just become safer as a result.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Big Data and Analytics

      GoodData CEO Roman Stanek on Business Intelligence...

      James Maguire - May 4, 2022 0
      I spoke with Roman Stanek, CEO of GoodData, about business intelligence, data as a service, and the frustration that many executives have with data...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×