Despite COVID-19 pushing the Black Hat USA 2020 conference to go virtual for the first time, you can expect a steady stream of new security research, threat intel and an impressive lineup of high-profile speakers.
This year’s conference kicks off with Matt Blaze, McDevitt Chair in Computer Science and Law at Georgetown University, who is slated to talk about election security measures. Earlier this week, Blaze put President Donald Trump in the Twitter spotlight, blasting him in a high-profile tweet for spreading “baseless” election concerns. Election security is also on the mind of Christopher Krebs, director of the Department of Homeland Security’s CISA unit, whose Black Hat session is called “Election Security: Securing America’s Elections.”
COVID-19 and remote work will also be a theme at the conference, with Renée DiResta, research manager at Stanford Internet Observatory, giving a keynote (“Hacking Public Opinion”) on online disinformation about coronavirus and nation states spinning pandemic conspiracies. Beyond that, you can look out for advancements in research around some of the typical hot topics unveiled at Black Hat USA, including Apple research by Patrick Wardle, vulnerabilities found in connected cars (this year a Mercedes-Benz), critical infrastructure weaknesses and even “satellite eavesdropping attacks.”
Threatpost editors Tom Spring, Tara Seals and Lindsey O’Donnell-Welch break down the top sessions, keynotes, speakers and themes to look out for in this week’s podcast.
Below find a lightly edited transcript of the podcast.
Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast, Black Hat USA 2020 preview edition. You’ve got the Threatpost team here, including myself, Lindsey O’Donnell-Welch, Tom Spring and Tara Seals. And we are planning on breaking down what to expect from the first ever virtual Black Hat Conference in the entire 23 years of the show, which kicks off this weekend. So Tom and Tara, how are you doing? Are you excited for the show?
Tom Spring: Well, yeah, I’m excited. I’m excited that I don’t have to hop on a plane and fly to Vegas. I mean, there’s pluses and minuses.
Tara Seals: I am, I’m definitely excited about not being in Vegas in August. So that’s a good thing. Yeah, it’ll be interesting to see how the virtual event is going to go. It looks like the session list has pretty impactful content, lots of interesting stuff and tendrils to pick up on in there, in terms of trends.
Lindsey: Yeah, it’ll be interesting, it being virtual. In previous years of the show, obviously, you go for the keynotes and the sessions and the breaking news. And that will still all be there. But it’s also always fun to meet, you know, face to face with security experts who you’ve mostly been interacting with on the phone for all of the year. So I’ll really miss that this year. But I do see that they have, Tara, as you say, tons of sessions and really interesting – I think it was over 90 research presentations that’ll be prepared and presented this year. So, you know, in terms of topics, I mean, this probably comes as a surprise to no one, but obviously election security is going to be a huge topic this year, just looking at the keynotes and the sessions as well.
Tara: Yeah, for sure. And I think that, obviously it being an election year, it’s near and dear to everyone’s hearts and is at the top of everyone’s minds how this election is going to go. So it’ll be interesting to see from a cybersecurity perspective what it is that they’re going to be zeroing in on. And, you know, at past events we’ve had a lot of talk about the voting machines themselves. But I think this year, the focus might be more on online voting and mail-in ballots and more the hacking of processes rather than the actual machines. That would be interesting.
Tom: Yeah, the second day keynote in terms of election manipulation in terms of social media, there’s going to be a focus on that as well. I think one of the other dominant themes that can’t be avoided, even though it’s not explicitly stated in the sessions, is going to be remote work, with everybody working from home. I don’t know if it was deliberate or not, but there doesn’t seem to be too much discussion about the pandemic and about how workforces are working from home. But it does seem like there’s enough stuff about VPN security, cloud security, cloud exploits, container security, where we’re going to see that, is also another dominant theme.
Tara: Yeah, it’s kind of interesting that you mentioned the cloud, Tom, because there are a ton of cloud-related sessions this year. And I know the guys from Mandiant are going to be talking about an O365-targeted series of attacks that I think you’re going to be attending, right?
Tom: Yeah, yeah, I’m actually really interested to see how it’s gonna play out in terms of what the actual experience is going to be like from a – nevermind a reporter standpoint – but just as a sort of an attendee standpoint. Whether or not it’s just going to be like an empty room with somebody at a podium or, you know, somebody sitting at their desk. I don’t know, we’ll see what happens. But yes, so I’m really looking forward to covering the cloud security issues. There seems to be, at a much smaller scale, a lot of news percolating up right now, in anticipation of some of the bigger sort of sessions that are going to be taking place primarily on Wednesday and Thursday, as the first half of the conference is dedicated to training.
Lindsey: Right. Yeah. And there’s definitely a ton of sessions that we’ve seen in previous Black Hats that are, you know, we’ve seen the speakers there, like Patrick Wardle will be talking about how on macOS certain attacks are growing in popularity, and I know he’s done a ton of presentations in previous years, so I’ll be looking forward to that one. There’ll be a really cool connected car security research on Mercedes-Benz session that I’m interested in. I know, it’s not presented by Charlie Miller and Chris Valasek, necessarily, but there is always really cool car security research that comes out of Black Hat. So I’ll definitely be focused on that one by, I think it was, researchers with 360 Group. And then just beyond that, I feel like, a focus on critical infrastructure and IoT. Tara, I know, yesterday, you wrote about those VPN flaws that were affecting OT networks. And I think that really will be a big focus this year at Black Hat in terms of security issues in critical infrastructure. And I know that I think I saw that Trend Micro will highlight some work done in terms of research, finding weaknesses in industrial protocol gateways, in industrial control system environments. So just something to look out for there. I know that OT networks and OT security was a big topic at Black Hat 2019. So I think that will just continue this year.
Tara: Yeah, I think the focus on critical infrastructure of late — we’ve seen a bit of a groundswell in that area. And you know, you’re talking about some of the cool sessions that you had spotted on the agenda, Lindsey. I know Tom, one of the ones that you have been talking about was the IoT Skimmer session from the researchers from the Georgia Institute of Technology, talking about using a botnet to conduct power-market manipulation, which is really, really interesting. And new and different.
Tom: Yeah, no, that sounds like a really fascinating session, looking forward to actually sitting in and reporting on what comes out of that. This whole virtual Black Hat, it will be interesting to see how it plays out. You know, it’ll be interesting to see how, I mean, how the vendors deal with communicating their messages outside of the Black Hat, in a sense that, you know, so much about Black Hat wasn’t actually about the sessions, but some of the off-site stuff and some of the meet and greets and some of the private briefings. You know, as this plays out, it’ll be interesting to see how it all falls into place or if it falls into place. I am cautiously optimistic that it’s going to be a good, hopefully great, Black Hat, you know?
Tara: Yeah, I would really love to see if they’re able to carry out some sort of virtual networking agenda. And I don’t know, I haven’t seen a whole lot, I’ve been getting some reach-out from different individual firms, but in terms of a virtual reception or something like that, and I don’t even know what that would necessarily look like, but I think if any virtual conference could crack the code on how to enable networking in a virtual type of setting, I think that would be a real winner.
Tom: Yeah, and Tara, help me better understand, I know this is Black Hat. But DEFCON is sort of the other conference that is such an important part of my Black Hat Las Vegas experience, and help me and remind me what the plan of action is for DEFCON, in terms of how they’re going to structure that event that usually overlaps and really is, you know, sort of for me the icing on the cake in terms of security coverage of the show.
Tara: Yeah, so DEFCON is going to kick off on August 7 and continue through August 8, so directly after Black Hat that is going to start. And they’re taking a very different approach from what I can tell, in that they don’t actually have a set agenda necessarily. They’re trying to get people to interact on forums and different messaging boards and trying to get people together in sort of clusters or pods to discuss different interesting topics of the day. And so I think that’s going to be a lot more informal and I think it’s gonna be a lot more interactive and about bouncing ideas off of each other and much closer to sort of the typical networking experience than you would see at traditional conferences. Which is honestly what DEFCON in its physical format was like anyway. But it seems as though they’re really eschewing the set session schedule in favor of more of a get-the-brain-trust together and see what comes out of it approach.
Lindsey: Right. Yeah, that’s really interesting. And I know too, that DEFCON always has their Voting Village. So I’m not sure how that’s going to play out this year, being virtual, but I am, you know, especially with election security being such a big focus this year, I am really interested in kind of how that’s gonna play out and what’s going to come out of that. And I was also talking to Erez Yalon with Checkmarx, who heads up the AppSec Village at DEFCON, and he said that they are moving forward with that in a virtual format this year. And that, you know, that should be, you know, really interesting as well in terms of how they’re going to kind of move forward with that, too. So I think that DEFCON will still have a lot of really interesting features and news coming out of it and just discussion. Should be cool.
Tara: Yeah, I agree. And I think we can just sort of monitor that and then leap in to bring all the news to our readers, which would be good. I just wanted to highlight one session that I’m super-excited about. It’s on satellite eavesdropping attacks, and a guy from Oxford University is going to be presenting this. It kind of fits in with the industrial theme because they’re going to be talking about being able to hack satellite communications protocols that are used in things like wind farms, oil tankers, aircraft, things like that, and what the threats could be against real-world systems, and hacking those protocols. So that’s gonna be kind of fun to cover.
Lindsey: Yeah, I always find those are fascinating. I think those kinds of sessions are really where Black Hat and RSA and some of the other big conferences really stand out, in that those types of research are just so cool.
Lindsey: Yeah. One other session, too, that I want to highlight as well. And this goes back to the whole election security. But I did see that Chris Krebs, who’s the Director of the Department of Homeland Security’s CISA unit, will also be talking about election security. So, you know, we’re obviously getting the election security talk from the keynote speaker, Matt Blaze, but I think it’ll be really interesting to hear what Chris Krebs has to say, kind of being in the trenches a little bit in all this, and really, what’s going to happen there. So I really think that’s going to get a lot of focus during the show as well. And then one other election session that stuck out to me was, there’s a session by someone from Systems Security and someone from Synack, who are talking about building a vulnerability disclosure program that works for election vendors and hackers. And I think that’ll be a cool twist on the entire election security narrative, because it’s really bringing the research community into the channel of communication a bit there, and how that’s going to evolve and what the security research industry, like what kind of role they have to play with election security coming up right around the corner.
Tara: That’s kind of fascinating because if you think about it, all of that equipment is very proprietary and they keep everything really close to the vest in order to maintain an OpSec type of environment around it. So if they invite hackers to come in and start poking around and pen-testing these things, I’m wondering to what extent these platforms are going to be open. It’s much like when Apple said that they were going to be providing iPhones for hackers to take a crack at — but you know, they’re not completely open. I wonder to what extent are these machines going to be thrown open for pen-testing?
Tom: Yeah, well, you know, baby steps. You got to keep in mind that, you know, these bug bounty programs have been around, they feel like they’ve been around for quite some time, but I think that still a lot of people are just adopting them and understanding them and figuring out how to really get the most out of them in terms of value, in terms of feedback. And also, you know, what we always hear is, you know, the cost associated with launching these programs is not insignificant. So, yeah, it’ll be interesting, but I’m also really interested to know, we’ve had voting villages and huge warning signs around election security. It’ll be really interesting to me, as we go real time with the elections this November, whether or not we see a heightened awareness and heightened security around elections – another story for another podcast – but I hope that all these sessions and awareness and security is not all for naught.
Lindsey: Right? Wasn’t that in 2018 at DEFCON when the 11-year-old hacked into the replica voting website at DEFCON’s Voting Village? Right? So I mean, that goes to show there’s just so much there that still, you know, needs to be done, but it is always really cool to kind of see that being played out at Black Hat and DEFCON, so something to keep our eyes on for sure.
Well, Tom and Tara, I’m excited for the show next week and thanks for coming on to talk about, you know, the most interesting sessions and keynotes and themes that we should be on the lookout for.
Tara: Thanks so much, Lindsey.
Lindsey: Great, and to all of our listeners, we will be live at the virtual show next week. And so be sure to continually check Threatpost.com, we’ll have live coverage coming out on all these keynotes and sessions that we’ve talked about here today. And be sure to keep up with Threatpost.com. Have a great weekend.