Top 10 Blackhat Talks for the Security Researcher
It’s Vegas time! Or should I say, Blackhat US 2018 is right around the corner. I’ve pretty much got all sessions and events on my calendar, but if I have to shortlist to Top 10, here they are.
Can’t wait to meet up with fellow security researchers. If you’re in town as well, feel free to reach out to me directly via social media.
Get the best third-party security content sent right to your inbox
Thanks for subscribing!
I’d like to point out that the below is a personal choice and might change ad hoc by the time, and even during, the event.
- Optimistic Dissatisfaction with the Status Quo: Steps We Must Take to Improve Security in Complex Landscapes/ Parisa Tabriz
When: Wednesday, August 8, 9:00am, Mandalay Bay Events Center (Keynote)
What: This talk offers guiding advice that we as security practitioners and leaders must embrace in order to succeed: principled pragmatism, openness, and an optimistic dissatisfaction with the status quo. Drawing on her experiences leading some of the biggest, ongoing security efforts that aim to make technology safer for all users, Parisa will first describe how a grassroots side project grew to shift the majority of the web ecosystem to secure transport, nearly 25 years after the technology was first made available. Next, she will review the major effort to implement an intern’s publication in one of today’s largest open source projects, and how they persevered for 5+ years of refactoring, avoiding efforts to defund the work along the way. (Coincidentally, this project helped the world’s most popular browser mitigate a new class of hardware vulnerabilities earlier this year!) Finally, she will share how throwing out the rule book on vulnerability disclosure has been moving giants of the software industry toward measurably faster patching and end-user security.
Why: Parisa is not only one of the key security folks at Google, with the “keys” to browser security, but one of the most influential security individuals in the world. This is the first time that Google is exposing some of their practices to the world. As opposed to past keynotes which focused on business and high-level practices, I’m expecting here a hardcore technical talk. Last, I cannot ignore the fact that latest research showed that only 20% of cyber-security practitioners are women. As a father to a 7-year old daughter (future handle: nopsled), I’m looking at Parisa to inspire the younger generation to overcome any perceived barriers.
- Threat Modeling in 2018: Attacks, Impacts and Other Updates/ Adam Shostack
When: Wednesday, August 8, 2:40pm, Islander EI
What: Attacks always get better, and that means your threat modeling needs to evolve. This talk looks at what’s new and important in threat modeling, organizes it into a simple conceptual framework, and makes it actionable. This includes new properties of systems being attacked, new attack techniques (like biometrics confused by LEDs) and a growing importance of threats to and/or through social media platforms and features. Take home ways to ensure your security engineering and threat modeling practices are up-to-date.
Why: This is an important talk for security researchers, analysts and executives. The thing is that we cannot consider one attack similar in significance to another attack. To best deal with threats and minimize risks, we need to prioritize based on likelihood of the breach, motivation of the attacker and the impact to the business. This talk aims to do just that by providing the necessary framework to mitigate risk.
- Don’t @ Me: Hunting Twitter Bots at Scale / Jordan Wright, Olabode Anise
When: Wednesday, August 8, 2:40pm, Jasmine Ballroom
What: In this talk, we explore the economy around Twitter bots, as well as demonstrate how attendees can track down bots in through a three step methodology: building a dataset, identifying common attributes of bot accounts, and building a classifier to accurately identify bots at scale.
Why: Social media is a big problem for consumers and businesses alike. Threats vary from opening fake accounts under a certain individual’s name to overtaking legitimate accounts in order to spew malicious content from these accounts. And I didn’t even discuss yet the issue of click fraud. All the while these threats are double-charged through the usage of automation. Undoubtedly, as social media continues to garner traction amongst hackers, there needs to be security solutions to overcome the different threats. This practical talk takes off the glove and tries to cleverly identify Twitter bots as a first step to tackling these threats.
- Open Sesame: Picking Locks with Cortana/ Amichai Shulman, Ron Marcovich, Tal Be’ery & Yuval Ron
When: Wednesday, August 8, 4:00pm, Islander EI
What: In this presentation, we will reveal the “Open Sesame” vulnerability, a much more powerful vulnerability in Cortana that allows attackers to take over a locked Windows machine and execute arbitrary code. Exploiting the “Open Sesame” vulnerability attackers can view the contents of sensitive files (text and media), browse arbitrary web sites, download and execute arbitrary executables from the Internet, and under some circumstances gain elevated privileges. To make matters even worse, exploiting the vulnerability does not involve ANY external code, nor shady system calls, hence making code focused defenses such as Antivirus, Anti-malware and IPS blind to the attack.
Why: This is why Blackhat became Blackhat. Good exploits against the latest technologies. Voice activation is the hottest thing, and they’re penetrating the enterprise. These researchers will show how they can activate Cortana for malicious purposes, even when the computer is locked. Cool stuff. Oh, and I should also state that one of the leading researchers is Amichai Shulman – a board advisor at my employer, Panorays. Amichai already showed me a few of the demos and undoubtedly it’s going to be a really good talk. I’ve met some pretty good researchers throughout the career, and I can full heartedly say that any one of Amichai’s research pieces is not to be missed. On the contrary, listen and learn.
- Pwnie Awards/ Winners TBD
When: Wednesday, August 8, 6:30pm, Lagoon Ballroom DEFJKL
What: Black Hat USA will once again provide the venue for the Pwnie Awards, InfoSec’s premier award show celebrating the achievements and failures of the security community over the past year. For more information about the awards or to submit a nomination, please visit the official Pwnie Awards website at pwnies.com.
Why: Yes, Pwnie Awards are back for their 12th year! This is the Oscar Awards for security. Though expect something more like the Razzie awards where self-humor takes central stage. From best vulnerability branding to folks never coming on stage to receive their best malware award (Flame developers: we’re talking to you). This is the best show in town, expect a full house and loads of laughter after a serious day of sessions.
- ARTist – A Novel Instrumentation Framework for Reversing and Analyzing Android Apps and the Middleware/ Oliver Schranz
When: Thursday, August 9, 9:00am, Lagoon GHI
What: On top of dex2oat, we created ARTist, the Android instrumentation and security toolkit, which is a novel instrumentation framework that allows for arbitrarily code modification of installed apps, the system server and the Java framework code. Similar to existing approaches, such as Frida and XPosed, ARTist can be used for app analysis and reversing (record traffic, modify files and databases), as well as modding and customization. However, it occupies a sweet spot in the design spaces of instrumentation tools since it does not break the app signature and hence modified applications still receive updates without compromising on security, it can be deployed on rooted stock devices beginning from Android 6 and it allows for instrumentation on the instruction level.
Why: From a personal point of view, I hold a sweet spot for mobile research, given my previous role at AVG where I led the mobile research team. Yet, for all the mobile researchers out there – ARTist sounds like a promising, efficient and effective tool. At last, an instrumentation framework that doesn’t break existing features, capabilities or security solutions. Best yet, it’s open source and they’re soliciting audience feedback. Did anyone say community giveback?
- AI & ML in Cyber Security- Why Algorithms are Dangerous/ Raffael Marty
When: Thursday, August 9, 11:00am, South Seas ABE
What: In this talk, Raffael will show the limitations of machine learning, outline the issues of explainability, and show where deep learning should never be applied. Raffael will show examples of how the blind application of algorithms (including deep learning) actually leads to wrong results. Algorithms are dangerous. We need to revert back to experts and invest in systems that learn from, and absorb the knowledge, of experts.
Why: I enjoy talks that are controversial and this one seems to dispute the very premise that many cyber-security companies focus on. From a professional standpoint, I’m interested in what Raffael has to say about the limitations of ML algorithms and his conclusions. The reason being is that we too at Panorays rely heavily on ML. From an engineering standpoint, ML led us to be able to run scans on scale. What would take months, takes us just a few hours. From a security standpoint, we’ve done quite a bit of research on the human perspective to understand the “hackability” of a company through its employees. What I gather is that ML allows us to better draw the line between people and technologies. In these scenarios, the technologies relieve the security professional from the manual work and insurmountable amount of data and act as a support system for the professional’s decision making.
- Applied Self-Driving Car Security/ Charlie Miller & Chris Valasek
When: Thursday, August 9, 12:10pm, South Seas ABE
What: In the not too distant future, we’ll live in a world where computers are driving our cars. Soon, cars may not even have steering wheels or brake pedals. But, in this scenario, should we be worried about cyber attack of these vehicles? In this talk, two researchers who have headed self-driving car security teams for multiple companies will discuss how self driving cars work, how they might be attacked, and how they can ultimately be secured.
Why: C’mon it’s Charlie Miller & Chris Valasek! the guys that led to the recall of 1.4M vehicles.
I must say that I am a huge fan of their talks – always both techie and funny as hell! This is definitely a must attend slot when you are at Black Hat.
Expect a show – fascinating talk, fantastic lecturers that know their audience and… a demo of handful of exploits.
- (Arsenal) Deep Exploit / Isao Takaesu
When: Thursday, August 9, 1:00pm, Business Hall (Oceanside), Arsenal Station 1
What: DeepExploit is fully automated penetration tool linked with Metasploit. It identifies the status of all opened ports on the target server and executes the exploit at pinpoint using Machine Learning. Current Deep Exploit’s version is a beta, but it can fully automatically execute following actions: Intelligence gathering, Threat modeling, Vulnerability analysis, Exploitation, Post-Exploitation, and Reporting.
Why: I love the Arsenal talks – these are the really practical sessions. Here, the researcher is taking Metasploit – the most common pen-testing tool and adding to it automated exploitation of open ports. For those pen-testers out there, such an automated tool can really help understand the gaps in a company’s security posture, as seen from a hacker’s point of view. After all, the hacker will always try to first go in through the door, i.e. the services that exposed.
- Catch me, Yes we can! – Pwning Social Engineers using Natural Language Processing Techniques in Real-Time / Ian Harris & Marcel Carlsson
When: Thursday, August 9, 2:30pm, South Pacific F
What: Question answering approaches, a hot topic in information extraction, attempt to provide answers to factoid questions. Although the current state-of-the-art in question answering is imperfect, we have found that even approximate answers are sufficient to determine the privacy of an answer. Commands are evaluated by summarizing their meaning as a combination of the main verb and its direct object in the sentence. The verb-object pairs are compared against a blacklist to see if they are malicious.
Why: The whole idea around this talk is to easily identify social engineering attacks. And, we all agree that anything to do with humans psychology and vice versa, manipulations on the hackers, is interesting. It’s all about the cat and mouse chase. The researchers promise that their system works also on non-phishing social engineering attacks and that I’m curious to see. Will the implementation of their technique in emails work in context of, say, phone-fraud? I’d be happy to see cross-implementation ideas between various aspects of security.
It’s important to mention that there are plentry of other good talks, demos and events to attend at BlackHat. During the event the list might change as I become more focused and aware of other interesting sessions.
On a last note, I have to share here that my little girl told me today: “ohhh…. So to be a hacker is like playing “escape room”, but just in a computer”. Couldn’t be more proud!
See you on the other side,