Black Hat USA 2019 Preview

Threatpost editors discuss the top trends, keynotes and sessions that they look forward to at Black Hat USA and DEF CON 2019.

Las Vegas – Despite bizarre reports of a grasshopper infestation, Black Hat USA 2019 and DEF CON are set to kick off next week in Las Vegas, bringing on a wave of sessions, keynotes and security-themed villages.

The Threatpost team, which will be on the frontlines of next week’s shows, discuss what is sticking out to them – from the keynote given by Dino Dai Zovi with Square, “Every Security Team is a Software Team Now,” to new vulnerabilities disclosed in iPhones, 5G and IoT devices.

Listen to Threatpost’s Black Hat USA 2019/ DEF CON preview below (for direct download of the podcast, click here).

Below is a lightly-edited transcript of the podcast.

Lindsey O’Donnell: Welcome to the Threatpost podcast special Blackhat/DEF CON preview edition. This is the Threatpost team here. I’m Lindsey O’Donnell and I’m joined today with Tom Spring and Tara Seals from Threatpost.

Tom Spring: How’s it going?

Tara Seals: Hey Lindsey.

Lindsey: Good. Just getting ready for Black Hat. Tara and I will be attending Black Hat. And Tom, you will be attending DEF CON this upcoming year. So it’s under a week away, lots to do to prepare.

Tom: Yeah, my head’s already spinning. And I’ve seen the videos of the crickets and I’m not too sure how to prepare for the crickets. But at least I know they’re out there, the swarms of crickets that I guess are now descending upon Las Vegas because of the very moist summer so far.

Tara: That’s really disturbing. is it located in any sort of general area? Or is it everywhere?

Tom: I mean, the videos are just horrendous. I mean, on Twitter, I’ve been seeing videos of like the Luxor, all the massive amounts of crickets flying around the top of the pyramid. And they show pictures of people walking on the streets of Las Vegas, with just the ground cluttered with dead crickets and like thousands of crickets flying around the lightbulbs. It does not look good.

Lindsey: Yeah, I guess because the Luxor, which is right near where the conference is, it has that big light shining at the top of it too.

Tara: It gains cricket attention.

Lindsey: But insects aside, I’m excited for this year’s show. Looking at the Black Hat sessions, the topics covered and the trends that I see will be discussed, it seems different from previous years. And it seems like there’s a lot of new topics and trends that we’ll see; a lot of really interesting stuff there.

Tara: Yeah, I agree. I know that I did scan some of the new research that’s going to be presented there. And I thought it was really cool that on the Internet of Things side, there are some new categories of devices that researchers have been probing, like electric motors, for example, which are the things that run robotic arms, or autonomous vehicles. And they’re the things that cause your phone to vibrate when you have it on vibrate instead of ring. So they’re kind of ubiquitous, they’re all over the place. And these things are controlled by hardware and software. And so there’s been some pen testing done and there will be a session on that that seemed cool.

Lindsey: I know, last year to there seemed to be a lot more on the IoT side a lot more focused on medical device hacking. I don’t see that as much this year. And I also don’t see as much voice-assistant types of vulnerabilities being discussed, which was huge last year as well. So this year, I see a lot more of what you were saying, Tara, as well as aviation and car hacking and some other interesting applications there.

Tom: What do they have for aviation? I know that aviation is something that’s actually a theme that’s going to be in a part of DEF CON. Are there any more specifics around what they’re going to be talking about in terms of presentations or vulnerabilities?

Tara: So somebody from IOActive is going to be speaking on how he reverse-engineered the Boeing 787, which is the “Dreamliner” as it’s nicknamed, and it’s considered a really advanced aircraft. And so, it’s got a lot of software that controls everything inside of it. And so, he went through and really did a deep dive on the core network that runs everything on board. And he said that he found several vulnerabilities that would allow someone to compromise the security of the network — maybe in-flight safety mechanisms and things like that. So that’s going to be a really fascinating session. And I agree, Lindsay, that’s  a new focus, for sure. And it’s interesting that they’re talking about it at DEF CON too Tom. What are they doing there?

Tom: Well, we have an entire Aviation Village. I don’t know much about what’s going to be part of the Aviation Village. There’s a little bit of overlap sometimes with with presenters who also stick around for DEF CON after Black Hat. I wouldn’t be surprised if we saw some retreads on the aviation front. But they do have an entire village, which is basically a breakout room, big room where they have a number of different themes that are taking place. And aviation is one of them. So I’m really interested in it, especially with the 737 Max and all the attention that’s being placed on airline safety now, and how crucial the software systems are. It will be really interesting to see how that bubbles up at the conference, you know?

Lindsey: Yeah, for sure. Actually, I know that today there was just some research released by Rapid7 about how an attacker with physical access to aircrafts could inject false data into an avionics CAN bus and I know that they were going to further detail that at Black Hat or I guess at the DEF CON Aviation Village. So that should be interesting.

Then looking at the Black Hat keynote, that that looks like it’ll be pretty exciting as well. Dino Dai Zovi with Square will be talking about the security teams behind services and products, and how they’re becoming increasingly focused on the software side of things. And I think it was titled “Every Security Team is a Software Team Now.”

Tara: Yeah, and I think it fits in with this ongoing theme of DevSecOps, and the idea that everything has to be secure by design, especially when you start to move to the cloud, and bring on all of these cloud applications and start developing bespoke software for your enterprise and all that kind of stuff. But he also raises the question in his synopsis on that: So what happens to the classic security teams at that point, if every software team has to have a security component? Do we then still have standalone security teams? Or do they become an ancillary resource that just gets tapped by different divisions? Where do they fit in operationally? And that’s obviously an institutional shift and the mindset shift, so that should be kind of interesting.

Google's Parisa Tabriz at Black Hat 2018

Google’s Parisa Tabriz at Black Hat 2018

Lindsey:  I’m curious to see what what people have to say in that aspect. And I know at last year’s Black Hat keynote,  if you guys remember, was Parisa Tabriz with Google who talked about Google’s efforts for HTTPS, and its Project Zero vulnerability disclosure efforts. So this seems like a very different kind of angle from from last year’s keynote.

Tara, were there any sessions that were sticking out on your end at Black Hat this year? I know I saw a couple of really cool ones.

Tara:  Yeah, there’s more of a focus on wireless in the sense of the networking side of it. So I know that there are a couple of 4G sessions. And then there’s also a 5G session that looked really interesting to me, talking about core vulnerabilities within these networks, these carrier networks, right. But also talking about what that means for end users, and how that can affect end users and companies and their wireless plans and open up new threat vectors and things like that. So I think that’s going to be really interesting. And I didn’t notice that being too much of a focus last year, so that seems like a shift.

Lindsey: I feel like that is something that you really covered a lot over the past year or two, right? Didn’t you go to the GSMA Mobile 360 conference a couple of months ago?

Tara: Yeah, I went to the May conference on 5G security, and that was really, really fascinating. There’s a leading-edge newly-developing security story around these networks. And it’s also something that a lot of people don’t really think about…it’s kind of a new attack surface. But the consequences can be huge when you think about things like autonomous vehicles and tele-surgery and some of these advanced use cases that 5G is in theory going to be able to support. So if you have a hacker that’s able to disrupt a remote surgery, obviously, that has vast repercussions for human life. So stakes are really high, and it’s pretty interesting area to cover for sure.

Tom: Wireless is actually something that we’re going to be hearing a lot at DEF CON. Maybe it’s not so much 5G focused, but they have a couple sessions, “how you can buy your AT&T, T-Mobile and Sprint real time data location on the Black Market,” and “GSM, we can hear everyone now” and “I’m on your phone, listening, attacking VoIP configuration interfaces.” Those are just the names of some of the sessions are gonna be taking place at DEF CON, definitely picking up on that wireless theme. And in how  I think it really it’s it’s such an important topic, considering not only voice data, but mobile communications and and how we’re becoming so much more reliant on these networks for things other than apps and voice.

Lindsey:  Yeah, for sure. Speaking of mobile, too, it seems like there’s a lot of emphasis on it, similar to last year, on the iPhone. And from a broader level, mobile interconnect threats, how next-gen mobile products are being challenged in the current security landscape. So that’s something to look out for as well. Although that that seems to be a recurring trend from last year.

And another thing that really stuck out to me too, like last year, there seems to be a continued narrative this year around social-media threats and security and privacy challenges on social media. I saw an interesting session that’s going to be on the first day of the Black Hat conference called “Detecting Deep Fakes with Mice,” which deep fakes is been increasingly cited on the news over the last year. And that’s essentially when a malicious actor can impersonate any sort of person through like their audio or through photos and use it to sway social media posts and how posts are viewed by people. So that that looks like it’ll be up that alley.

And then there’s another session by GoSecure called, “Behind the Scenes, the industry of social media manipulation driven by malware,” which talks about the potential profitability of the social-media malware industry. So there seems to be a lot of emphasis on the top security threats for social media that some of the bigger platforms like Twitter and Facebook are facing and the users of those platforms as well. Like I said, continues the narrative from the last year as well.

Tara: Well, and that’s interesting, too, because obviously, the idea of trust in these companies, even though a lot of them are starting to be slapped with fines now, but I think it’s a continued point of interest, right. People want to hear what what they’re doing and what we should be thinking about it.

Tom: Well, I mean, we still haven’t solved a lot of the problems that we were introduced to in the last election cycle. So I would say DEF CON is also mirroring some of that concern. Some of the sessions are on social-media manipulation and hacking Congress. And,just trying to continually be focusing on some of  those same types of topics in terms of being able to leverage these social-media platforms to push an agenda.

Tara: And that’s interesting, Tom, I had a question. Last year, when I covered DEF CON last year, and they had a whole Voting Village setup, which was appropriate as the midterms were coming up. Is that a focus this year?

Tom: Yeah. So I’m not seeing a lot of stuff regarding elections. And this is my theory, that next year we will be bumping up right up against the 2020 elections — so we will hear a lot, a lot more about elections. And so this year, it’ll be a theme, it’ll bubble up, but [not like] last year when there was a lot of emphasis on hacking voting machines and registration machines and everything like that.

I don’t want to shift gears if we’re still talking about Black Hat, but DEF CON villages are centered around artificial intelligence, and there’s the AppSec Village, talking about application development and security, Aviation Village, and also very much into the DEF CON zone, the Biohacking Village, but I’m not seeing anything straight up on elections and election machines. That’s not to say that it won’t be a theme, just because it’s very prescient right now, in terms of what people are thinking about and talking about.

Lindsey: Yeah, I’m kind of surprised that wouldn’t be a bigger focus this year to get ahead of it. But I guess you’re you’re right, because next year, I guess it will much more prevalent in the news and there might be a bigger focus there. And while this doesn’t directly address that, there was one session that I’m looking forward to attending, which is going to be presented by Bruce Schneier, Camille Francois and Eva Galperin, which is “Hacking For the Greater Good: Empowering Technologists to Strengthen Digital Society.” So I’d be curious how this will further dive into cybersecurity threats from a human rights perspective, whether it’s like you said, election security or governments using privacy threats against civilians, or whatnot. So and I think it’ll be looking at what public-interest experts can do there and some of the challenges that they’re facing in this current landscape. So I’m curious about that, and whether that might talk about election security, or if it’s going to be a little more broad.

Tom: DEF CON 27, their theme is “technology’s promise.” That’s just the blurb on the sort of the [DEF CON 27 website] for the conference website and is this year’s theme. The blurb reads: “This year’s theme, in a way, responds to ‘1983’ with new questions. What does it look like when we make the better choice? What kind of world do we hack together in the sunniest timeline?” I think that’s got to be a reference to George Orwell’s 1984 dystopian world where computers control much of the masses. And then and what I’m inferring from the brief description for DEF CON is that they’re trying to take a look at how we can hack a better world, how we can create the future that we want with these tools, as opposed to being enslaved by Big Brother, so to speak.

Tara: So that’s a really interesting theme for a story to write Tom, that can be really fun.

Tom: Yeah. It would. You could have some fun with it. Well, we’ll see. They have these themes for the conference, and whether they actually play out, is a different story. But we’ll see what happens. I mean, there’s some really cool sessions: Your sort of bread and butter hardware hacking sessions, software hacking, cloud hacking stuff, taking place at DEF CON, stuff that you would definitely, anticipate really looking forward to. Also a lot of stuff on wireless. And they’ve got a lot of good stuff on breaking Google Home and and just really doing a lot of really interesting things with a lot of the Windows cloud configurations, and I mean, some really fun quirky stuff.

Here are a couple of quirky DEF CON sessions: “Say Cheese – How I Ransomwared your DSLR camera,” “Hacking Your Thoughts – Batman Forever meets Black Mirror,” And “Why You Should Fear Your Mundane Office Equipment.” I mean, the list really does kind of go on. Oh, “Vacuum Cleaning Security: Pinky and the Brain Edition.” And I read the the session details, it’s about how your Roomba — I don’t know if they name it by brand — but it’s basically about how your  electronic vacuum cleaner, your automated little robo-vacuum actually has a lot of sensitive information and and how that can leak out and how that can be hacked.

Tara:  So I heard something actually not too long ago, somebody had hacked a Roomba. And basically as it moves around your house, someone could use that data to map out the floor plan, to plan a physical robbery or something like that.

Tom: Yeah. Yeah, I think that’s where they’re going with this. I’m not sure. I’ll be honest with you. I didn’t read the description very closely. And I am just sort of making phone calls and trying to figure out what the best conference what the best sessions to go to are. Lots of lots of fun stuff to choose from. I really, I really enjoy DEF CON a lot. Definitely a different beat, definitely different vibe.

Tara:I had one thing for Black Hat that I wanted to just quickly mention, because I thought it was kind of ironic. The CISO for Equifax is going to be giving a talk that’s entitled “On Trust: Stories From The Frontlines,” which I think is kind of hilarious. I’ll go see what that’s all about.

Lindsey: Interesting.

Tara: Yeah, I thought so. Obviously, they just got slapped with a $700 million fine for not keeping people’s data secure.

Tom: So they have nothing to lose, what else do they have to lose?

Tara: Well, they got to get out there and try to rebuild their brand. But you know, I think I’m going to attend just to see how he will position it and what the spin is going to be.

Lindsey: Hopefully it’s more of “things not to do” session.

Tom: Right. I wonder how far in advance that was planned.

Tara: I think it was on the site before the news of the fine broke.

Tom: Yeah, but they knew the fine was coming. It was just how much. But yeah, I mean, they must be just saving face. But I think the interesting thing will be the questions that people have for him at the end of the session.

Lindsey: All right, well, definitely looking forward to Black Hat and DEF CON. And yeah, we’ll have  a lot to be writing about and a lot to discuss. So everyone go to Threatpost.com. We’ll have the latest coverage. We have tons of news that we’re ready to break — and Tara and Tom, we’ll see you next week the show.

Tom: All right. We’ll see you out there with the crickets.

Tara: Sounds good.

Lindsey: Thanks, guys.

Suggested articles