The Scariest Things We Saw at Black Hat 2020 | by PCMag | PC Magazine | Aug, 2020
medium.com – 2020-08-10 19:01:02
Every year, hackers and researchers flock to Las Vegas for the Black Hat security conference (and some stay on for the free-wheeling DEF CON) to see and share the latest in security research. This year, everyone had to stay at home because of COVID-19, but there was still plenty to be worried about at this year’s conference.
The ongoing COVID-19 pandemic in the US knocked a lot of security conferences offline — or rather, it knocked them to online-only. This year, both Black Hat and DEF CON (along with HOPE 2020 and others) used live and prerecorded video coupled with chat platforms. It worked out surprisingly well and could be a pattern for other gatherings to follow. That said, the experience lacked the fun of an in-person event, and it’s hard to make time for a video session when you also have to walk the dog. Hopefully, 2021 will be a kinder year for everyone.
It’s been known for a long time that law enforcement (and others!) use devices to track cell phones in real time, and in some cases even intercept data from those devices. Sometimes called IMSI catchers, all such devices work by impersonating cell towers to trick mobile devices into connecting. This year, the EFF showed off Crocodile Hunter, a tool that identifies suspicious cell towers in real time. The researchers also put forth a bold suggestion to stop their worst uses altogether: Apple and Google should make use of the poorly secured 2G spectrum optional.
Spying on a Wi-Fi network is tricky, because you need to be fairly close to your target. Not so with satellite internet, which sprays some of its users’ data across whole continents. This information is often not encrypted, can be intercepted with very cheap equipment, and contains extremely valuable information. And a VPN isn’t likely to help, because of special speed tweaks employed by the satellite ISPs. Fortunately, researchers have offered up their own solution.
Keynote speaker Matt Blaze had good news: We have, generally, figured out how to do secure elections in the US, which is no mean feat. All that was left was to implement it across the country. Then the novel coronavirus hit. Blaze outlined the complications COVID-19 brings to the already complicated realm of election security, and he put out a call to action for attendees to volunteer at their local election precincts.
Justin Wynn and Gary DeMercurio were hired to do some “penetration testing” — basically, real-world attacks to see whether they could enter government buildings despite their security and, once inside, check that the computer systems within were up to the task of protecting themselves. This was all on the up-and-up, arranged directly with the state of Iowa and with the knowledge of local law enforcement, but a county sheriff slapped back at state “interference” by arresting the pair.
Much has been written about the revolution technology is fueling in medicine, bringing new treatments and smarter and more-convenient ways to move critical information. The apps used by your doctor are probably safe, given the information they handle. Right? (Right?)
Matt Wixey makes puzzles, not just because they’re fun (albeit, in the eyes of some, infuriating), but because Wixey believes cracking puzzles can make you a better problem solver. And what is hacking except really complicated problem solving?
Keynote speaker Renée DiResta from the Stanford Internet Observatory spends a lot of time thinking about how state actors use the internet to further their goals. In her presentation, she showed that while China boasts an enormous army of online accounts, Russian online operations have been far more effective with far less investment. The good news: A chain of events is used to make online influence operations effective, which means the chain can be broken. The bad news is that Russian memes really work.
If you’re intending to have a secret conversation, you may have to have it in the dark. That’s because researchers have developed a way to capture the minute changes in light caused by sound hitting a lightbulb. With some technological know-how, the sound can be reconstructed from a great distance. Researchers have dubbed their creation Lamphone.
You get a test phishing email from your employer’s security trainers. You click the link. You get shamed and sent for training. And nothing changes. Masha Sedova of Elevate Security knows why. Changing behavior requires motivation, and she knows just the hacks to motivate employees so they want to do the right thing, security-wise.
Americans got an up close and personal look at what Russian election interference looks like in 2016, but that wasn’t Russia’s first time to the campaign meddling rodeo. Nate Beach-Westmoreland looked at a decade of Russian military intelligence operations and found many of the same tactics Americans saw in 2016: discredit officials, hack and leak information, and sow discord by playing to existing cultural divisions. The good news is that Russia rarely seems to succeed in swinging an election, but the bad news is that the chaos that’s created is probably the real goal.
Your phone, computer, and smartwatch all have to communicate wirelessly through many different radios, and those radios have to avoid talking over one another. This is called a coexistence mechanism, and researchers demonstrated how getting access to Bluetooth or Wi-Fi can use that coexistence to extract information, shut off communications, and even send some machines into a tailspin. It’s an attack now named Spectra.
Robert Lipovsky and Stefan Svorencik from ESET dove deep on their Kr00k vulnerability, which was disclosed some months ago. This attack takes advantage of features in Wi-Fi security so that some data packets get sent out with an extremely not-secure encryption key consisting of all zeroes.
At PCMag, we spend a lot of time explaining how encryption works to educate readers but also ourselves, because this stuff is really, really complicated. Omer Akgul and Wei Bai, of the University of Maryland and Google, respectively, wanted to see whether there was a better way to explain encryption so that people could make better decisions about how to secure their data. In the lab, all went well; carefully constructed messaging educated regular people. Finding a way to integrate those messages into apps where people will actually see them might be a tougher problem.