I had the pleasure of finally attending Black Hat this year; the European iteration which took place in Amsterdam on 16-17 October. From my understanding, the event is a much smaller and more reserved version of its Vegas counterpart, and primarily stocked by European-based researchers and attendees; although a few of the speakers had previously presented in the U.S. The briefings are mostly very technical -as they should be- although a few provided higher-level overviews (that were still however firmly focused on proofs and vulnerabilities of their specific subject-matter). Two of interest were the opening keynote by Adi Shamir (the S in RSA) and another by Veracode’s Erik Peterson (Bringing a Machete to the Amazon).
Mr. Shamir talked about an experiment carried out whereby his team sought to breach an air gap (notably a physical air gap of several miles) to activate malware on a PC. This involved using a blue laser light to flash instructions through an office window into the inside of a printer (essentially the white bit on the underside of the lid). The bonus Die Hard scenario involved using a quadcopter to read information sent by the malware through the printer via the flashing of a scan. While the scenario is interesting, it requires quite a number of factors to be present, not least of which is the obtrusive hovering of a quadcopter outside the office window (alarm bells are ringing, Willie!). I think the point Mr. Shamir wanted to bring home was really that peripheral devices such as printers, those ubiquitous office machines, are a relatively easy weak link that can be tampered with even in the most bizarre and far-reaching scenarios.
The other interesting briefing was by Veracode’s Director of technology strategy, Mr. Peterson. He rather pertinently highlighted the lack of understanding of cloud infrastructures and the often blind dive (however well-intentioned) that many organizations are making. The promise of AWS and other similar platforms in terms of cost savings, scalability and flexibility mean nothing when the actual workings of the architecture are not firmly understood. The API is the king of cloud, and yet it can so easily offer the whole keys to the kingdom to anyone requesting it. A nice case-in-point was the Prezi Got Pwned example, which shows how easily someone can leverage AWS Instance Metadata and User Data service (only accessible when a running EC2 instance) to pull out all kinds of confidential data, including private keys. This is why knowledge of the environment is essential, not least because the cloud is much more complex and includes so many different variables than traditional on-prem scenarios. Most organizations are still not all that well informed about how public cloud platforms work, with Dev Ops teams focusing on getting the thing to work before considering the security implications.
Both these talks were interesting in terms of the broader level findings for particular applications. In terms of niche briefings, there were quite a few on industrial control systems, notably a great 2 hour workshop on pen testing PLCs by Arnaud Souille which provided a neat live demo (and crowd participation) using two PLCs (one from Siemens and another from Schneider), as well as a nice little search on Shodan. Another of interest showed a smart meter hack (Lights Off! The Darkness of the Smart Meters) by Alberto Illera and Javier Vidal, while a third presented by two Russian researchers, Alexander Bolshev and Gleb Cherbovon, explained how to subvert plant asset management systems (DTM Components: Shadow Keys to the ICS Kingdom). Coming away from those talks, I felt that ICS vendors seem to be providing a lovely open landscape where all kinds of exploits can be more or less easily found by a motivated hacker.
Aside from the briefings, the conference also had a small show floor, with various vendors sponsoring the event or just showcasing their products. I had time to meet up and speak with a couple of them, notably Checkmarx and Emerging Threats. I met first with Checkmarx, a company that specializes in app-layer scanning using static-code analysis. The service allows developers to scan their applications for vulnerabilities during the software development lifecycle, either in bits as the code gets written, or all at once. Checkmarx offers the product for on-prem usage, but also as a cloud service. Perhaps most innovatively, the scan results will group similar vulnerabilities and the resultant remediation so that they can be applied simultaneously rather than one-by-one, largely simplifying the whole patching process.
The other company I met up with was Emerging Threats, and despite knowing little about them, I was surprised to hear that their technology powers much of the feeds found in network-based malware detection appliances from many big vendors in the space. They white label their threat intelligence feed into OEM’s branded network security appliances as well as directly into organization’s IPS/IDS. The company grew out of the open intelligence space, and the Emerging Threats open rule set is still currently active. Their partners include internet and telco service providers, where they deploy various sensors on the backbone to collect real-time information and create a reputation list for IP addresses and domains. Emerging Threats’ intel is gathered into databases with can be accessed via a web portal (SaaS model), allowing the company to correlate patterns both locally and globally.
Overall, Black Hat was a great experience. There are a lot of interesting people there (and not just speakers and vendors); you rarely spend a lunch or tea break without meeting someone (even on the train in from the airport; shout-out to the ESET lads from Krakow). The only real issue I had was deciding which talks to attend, and finding more time to spend in the Arsenal. The conference is certainly very tech-focused, but there is enough on the vendor show floor and in the keynote briefings to interest even the more market-focused and strategically-oriented attendees.