Bit Frolicking in Nevada
One week earlier than last year, so either I'm getting better at this or I'm lucky; I'm leaning towards the latter.
The run up to Hacker Summer Camp (a.k.a. Black Hat and DEF CON) usually starts in February when the CFP opens. This might seem rather early for a conference held in August, but when you peek behind the curtain of the biggest hacking events in the world, it dawns on you that you can't leave anything until the last minute. A staggering number of submissions were made, proof that this industry continues to grow at a phenomenal pace, which, considering how much we need a more secure Internet and ecosystem, is probably a good thing.
With 22 tracks there's pretty much something for everyone, and the review process aims to provide balance whilst maintaining the technical quality you'd expect at Black Hat. I've talked about the process before in previous articles, so I won't go on about it again. This year I'll get stuck straight into the talks that intrigue me, why they do, and how I think they are relevant to the time we are living in.
The Keynote
I couldn't be happier that my friend Dino Dai Zovi is the keynote speaker. A solid hacker and now someone driving change and defensive thinking. He is going to touch upon the notion that every security team is now a software team and, with software eating the world, every company is becoming a software company. This doesn't mean that every company is shipping software products; it means that services and products in every field are becoming increasingly driven, powered, and differentiated by software.
I'm looking forward to this one; it should drive home a lot of messages we need to be thinking about.
The Briefings
It used to be that you would rarely get tech giants submitting talks as themselves; more often it was employees doing so in a personal capacity, or a heavily vetted talk. This year we were inundated by so many giants that it was inspiring. Companies actively pointing out weaknesses in their products and how you could make them more secure. This for me was a huge cultural change. Security through obscurity has never worked, yet seemingly it is still the mantra for many. So kudos to the likes of Microsoft, Google and others who embrace cons like this in an effort to make things more secure for all.
With 22 tracks, you inevitably see a trend appearing as to what kept many researchers up over the last year or more. Hardware is here, and I believe we are now in the golden age of hardware hacking. Never before have equipment and knowledge been so readily available and affordable, and I saw this in the submissions. In addition, the web application space, which has traditionally been quiet for a very long time, is coming alive again. There are many talks that excite me, but I will try to limit myself to a handful here, otherwise the article will become rather long.
This is such a key issue for all of us. It affects damn near everything we do and it's seemingly less protected than the enterprise (which never really kept up anyway). The attacks against those in the chain are increasing, and Eric and Microsoft have first-hand experience of dealing with this, so go behind the scenes and learn about previously undisclosed supply chain attacks: the techniques and objectives of adversaries, the mechanisms that were effective in blunting their attacks, and the sometimes-comical challenges of dealing with our most complex asset to defend.
Ian is one person I'm in awe of. She's a super talented engineer at Heroku, who I feel have one of the best cloud engineering teams out there, and this talk is timely as hell. While the industry is starting to pay some attention to Kubernetes security, there are many attack paths that aren't well documented and are rarely discussed. This talk will enlighten many.
Allan touches upon the supply chain issue Eric talks about, but from a government perspective. Hardware engineers create BOMs (bills of materials) when designing products. Think of them as recipes like a chef would use. What the US Dept of Commerce is pitching is the need for a "software bill of materials", or SBOM, to promote transparency about what code we're actually using across the entire software supply chain. Having been involved in the software world for over two decades now, I think this idea needs to happen if we are to create more secure software.
Cult of the Dead Cow. I shouldn't need to say anything else.
Microsoft talking about hacking, and defending, their cloud. Yes, you read that right. A vendor talking about pwning their crown jewels. As more embrace the cloud and O365/Azure, this is going to be a worthy talk for both red and blue people.
A Marmite talk if ever there was one. 0-days are an issue, but this is more about a small market not many know about. Expect it to be packed.
Now this is very interesting. There have been monumental advances in automating software security in code pipelines, but not really much for firmware. Collin is one person I respect, and this talk should have broad appeal to both purveyors and consumers of IoT and all manner of embedded Linux products in all of the surprising locations they exist.
Remember I said that vendors usually never talked at Black Hat? Well, here we have BMW talking about flaws in their connected cars, alongside a phenomenal team (Tencent's KeenLab). Car hacking is a personal passion of mine, so this appeals.
Orange Tsai is a machine. Enterprises love SSL VPNs, and yet they've seemingly found a nasty flaw that is yet another nail in the coffin of traditional network architecture. This will be a highlight for me.
There exist very few good security journalists out there; Lorenzo is one I'm proud to call a friend and a damn good hack. His investigative research into the Exodus spyware, which is seemingly equipped with extensive collection capabilities, able to turn a phone into a faithful surveillance companion, and was distributed openly on the Google Play store, is one of the talks I'll do my best not to miss.
The “Exodus” scandal is a poster boy for the sorry, dangerous state of the spyware industry, also known as the “lawful intercept” industry.
2019 and we still have command injection in web applications, including applications that enterprises love and use to reverse proxy and route web traffic in complex, high-performance deployments. Sure, let's ignore the efforts of an entire industry to make applications more secure; what's the worst that could happen? Christoffer found out, and this will be good.
Atredis Partners are epic, so is Nathan, and this talk appeals to me. They will explain their methodology for vulnerability hunting in undocumented server components, mapping the paths laid out in binary firmware images. Tracking the interactions between software, hardware, and everything in between exposes the permeable (or missing!) security controls that attempt to block you from opening these new worlds to explore.
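The class of bug described above comes down to one habit: pasting untrusted input into a string that a shell parses. As an added example (my own illustration, not the speaker's research or any product mentioned on this page), the block below takes a typical "ping this host" web feature, shows what a POSIX shell actually sees when the host parameter carries a separator, and puts the hardened form beside it: allow-list the value against a hostname grammar, then pass it as a single argv element with no shell involved. The hostname regex and the argument layout are my own assumptions for the example.

```python
import re
import shlex

# Assumed allow-list grammar for the example: RFC 1123 style hostname labels.
# A value matching this cannot contain shell metacharacters and cannot start
# with '-', so the program receiving it can never mistake it for an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_command(host: str) -> str:
    """The pattern behind most web command injection: the untrusted parameter is
    interpolated into a string that is later run as subprocess.run(cmd, shell=True)."""
    return f"ping -c 1 {host}"


def shell_tokens(command_line: str) -> list:
    """Tokenise a command line the way a POSIX shell would, operators included.
    Used here only to show what /bin/sh is handed in the vulnerable case."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_host(host: str) -> bool:
    """True if host matches the allow-list grammar above."""
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened form: validate against the allow-list, then build an argv list.
    Run it with subprocess.run(argv) (shell=False, the default) so no shell ever
    parses the user-controlled value; it reaches ping as one literal argument."""
    if not is_valid_host(host):
        raise ValueError(f"refusing non-hostname value: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    # Constructed attacker input: a separator followed by a second command.
    tainted = "8.8.8.8; id"
    print("shell would run:", shell_tokens(vulnerable_command(tainted)))
    print("hardened argv:", safe_ping_argv("8.8.8.8"))
    print("hardened rejects tainted input:", not is_valid_host(tainted))
```

The point the tokens make is that the shell never sees "a host with a semicolon in it"; it sees `ping ... 8.8.8.8`, then `;`, then a brand new command `id`. Escaping is the wrong fix (every shell and every quoting context has exceptions); removing the shell from the path and refusing anything outside the expected grammar is the fix.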
This is very much a foundational Blackhat talk that many will refer to in years to come.
API all the things, right? Well... yeah, only if you do it right. As Joshua found out, SaaS APIs essentially embed SSRF into their interface. A huge problem and solid research. Go and attend this!
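The "SSRF built into the interface" problem above is what any webhook, URL-preview or "import from URL" feature faces: the customer hands you a URL and your server fetches it from inside your network. As an added example (my own code, not the speaker's research or any vendor's implementation), here is the vetting step such a fetcher needs before it opens a socket: restrict the scheme, reject embedded credentials, resolve the name, check every address returned against a deny list of internal, loopback, link-local and metadata ranges, and hand back the resolved addresses so the caller connects to those rather than re-resolving (which would reopen the DNS rebinding window). The deny list, the https-only policy and the resolver interface are assumptions for the example, and the DNS answers in the demo are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: webhook targets must be https and carry no
# credentials, and every address the host resolves to must be routable.
ALLOWED_SCHEMES = {"https"}

# Ranges a server-side fetcher should never connect to. 169.254.0.0/16 covers
# cloud instance-metadata endpoints, 100.64.0.0/10 is shared/CGNAT space often
# used for internal load balancers, 64:ff9b::/96 is NAT64 (reaches IPv4 hosts).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "64:ff9b::/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_routable(addr: str) -> bool:
    """True if addr is an IP the fetcher may connect to under the policy above."""
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal (::ffff:127.0.0.1) is judged as the IPv4 it wraps.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> list:
    """Resolve with the OS resolver; every A/AAAA answer, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_webhook_url(url: str, resolve=system_resolver):
    """Decide whether url is safe to fetch.

    Returns (ok, reason, pinned_addresses). On success the caller must connect
    to one of the returned addresses (still sending the original Host header
    and SNI) instead of resolving the name again.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL", None
    host = parts.hostname
    if not host:
        return False, "no host", None
    try:
        ipaddress.ip_address(host)        # plain IP literal: nothing to resolve
        addresses = [host]
    except ValueError:
        # Names, and shorthand forms like a decimal IP, go through the resolver,
        # so the check is applied to what the socket would actually reach.
        try:
            addresses = resolve(host)
        except OSError:
            addresses = []
    if not addresses:
        return False, "host does not resolve", None
    # Every answer is checked: a name returning one public and one private
    # record is rejected, otherwise the HTTP client may pick the bad one.
    for addr in addresses:
        if not is_routable(addr):
            return False, f"{host} resolves to blocked address {addr}", None
    return True, "ok", addresses


# Constructed DNS answers for the demo (203.0.113.0/24 is documentation space,
# standing in for a public address). The decimal-IP entry mirrors what a
# resolver that accepts inet_aton shorthand is assumed to return.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "rebind.example.com": ["203.0.113.11", "10.0.0.5"],
    "2130706433": ["127.0.0.1"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("https://hooks.example.com/events",
                      "https://rebind.example.com/",
                      "https://169.254.169.254/latest/meta-data/",
                      "https://[::ffff:127.0.0.1]/",
                      "https://2130706433/"):
        print(candidate, "->", vet_webhook_url(candidate, resolve=fake_resolver))
```

Two caveats a practitioner will want stated: redirects must be re-vetted (follow them manually, running the same check on each hop, rather than letting the HTTP client chase a 302 to an internal address), and the deny list is a floor, not a ceiling; a deployment with its own internal prefixes should add them. Passing the resolver in as a parameter is what makes the check unit-testable offline.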
HSM vendors: rarely will you hear anything bad about their tech. Until now. This highly technical presentation targets an HSM manufactured by a vendor whose solutions are usually found in major banks and large cloud service providers. It will demonstrate several attack paths, some of them allowing unauthenticated attackers to take full control of the HSM. The presented attacks allow retrieving all HSM secrets remotely, including cryptographic keys and administrator credentials.
This will be a hugely popular talk!
Christiaan from Google will talk in detail about the use cases WebAuthn sets out to solve, how Google got here, what's ready for implementation today and what's coming. With the drive to move away from passwords, and WebAuthn being pretty sexy, this will appeal to so many.
Apple have made something spectacular in their T2 chip. It shows the innovation and brains they have when trying to solve complex problems, but not much is known outside of the carefully curated marketing pieces, until now. Mikhail (if you don't follow him on Twitter, you really should) and Jeremy decided to explore the T2, specifically the T2's communication. They ended up reverse engineering Apple's proprietary XPC protocol, which previously had near-zero third-party documentation. In addition to decoding the messaging format, they demonstrated the ability to interface directly with the T2 chip from unprivileged userspace code by writing their own client application. Their talk will present methods and tooling to query the T2's exposed services as well as decode and encode valid messages.
You had me at T2.
James Kettle is a machine.
I can't think of anyone in recent years who has so continually challenged the status quo when it comes to the application layer. He decided to look at HTTP requests for this year's submission; those requests are traditionally viewed as isolated, standalone entities.
He found ways in which these requests could be exploited, remotely and by unauthenticated attackers, to smash through this isolation and splice their requests into others. In turn, this let him play puppeteer with the web infrastructure of numerous commercial and military systems, rain exploits on their visitors, and harvest over $50k in bug bounties.
nuff said.
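The "splicing requests into others" above is HTTP request smuggling, and the mechanism is simply two hops on the same path disagreeing about where one request ends and the next begins. As an added example (my own toy model, not the speaker's tooling or research), the block below implements two deliberately minimal HTTP/1.1 framers: one that frames on Content-Length and one that gives Transfer-Encoding precedence, as RFC 7230 requires. Fed the same bytes, the first sees a single POST while the second sees the POST followed by a second request that the sender never legitimately made. The probe is constructed in code so its Content-Length is always correct, and the last function is the check a hardened front end applies: a request carrying both headers is ambiguous and should be rejected rather than guessed at.

```python
def _decode_chunked(data: bytes):
    """Decode a chunked body; return (body, bytes left after the terminator)."""
    body = bytearray()
    pos = 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)   # chunk extensions ignored
        pos = nl + 2
        if size == 0:
            # Zero-size chunk: skip any trailer lines up to the blank line.
            while data[pos:pos + 2] != b"\r\n":
                pos = data.index(b"\r\n", pos) + 2
            return bytes(body), data[pos + 2:]
        body += data[pos:pos + size]
        pos += size + 2                                # chunk data plus its CRLF


def _parse_head(head: bytes):
    """Split a request head into (request line, {lowercased name: [values]})."""
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].decode("ascii", "replace"), headers


def frame_requests(stream: bytes, honour_te: bool) -> list:
    """Split a byte stream into requests the way one hop would, returning the
    request lines that hop believes it received, in order.

    honour_te=True models a hop that lets Transfer-Encoding: chunked win
    (the RFC 7230 rule); honour_te=False models a hop that frames purely on
    Content-Length. Real servers are more forgiving than this toy in what they
    accept as a header, which is exactly what makes the two disagree.
    """
    seen = []
    buf = stream
    while buf:
        end = buf.find(b"\r\n\r\n")
        if end < 0:
            break                                     # head not complete yet
        request_line, headers = _parse_head(buf[:end])
        rest = buf[end + 4:]
        te = b",".join(headers.get(b"transfer-encoding", [])).lower()
        cl = headers.get(b"content-length")
        if honour_te and b"chunked" in te:
            _, rest = _decode_chunked(rest)
        elif cl is not None:
            n = int(cl[0])
            if len(rest) < n:
                break                                 # wait for the rest of the body
            rest = rest[n:]
        seen.append(request_line)
        buf = rest
    return seen


def has_ambiguous_framing(request: bytes) -> bool:
    """Both Content-Length and Transfer-Encoding present is the precondition for
    a CL.TE or TE.CL desync; a hardened front end rejects such a request."""
    end = request.find(b"\r\n\r\n")
    _, headers = _parse_head(request[:end] if end >= 0 else request)
    return b"content-length" in headers and b"transfer-encoding" in headers


def build_cl_te_probe(smuggled: bytes = b"GET /admin HTTP/1.1\r\nHost: internal\r\n\r\n") -> bytes:
    """Constructed CL.TE probe. Content-Length covers the zero chunk *and* the
    smuggled request, so a CL-framing hop forwards everything as one body while
    a TE-framing hop stops at the zero chunk and reads what follows as a new
    request on the same connection. The target name is a placeholder."""
    body = b"0\r\n\r\n" + smuggled
    return (b"POST / HTTP/1.1\r\nHost: internal\r\n"
            + b"Content-Length: %d\r\n" % len(body)
            + b"Transfer-Encoding: chunked\r\n\r\n" + body)


if __name__ == "__main__":
    probe = build_cl_te_probe()
    print("Content-Length hop sees:   ", frame_requests(probe, honour_te=False))
    print("Transfer-Encoding hop sees:", frame_requests(probe, honour_te=True))
    print("ambiguous, reject at edge: ", has_ambiguous_framing(probe))
```

Run it and the first hop reports one request while the second reports two; the extra `GET /admin` is what lands in front of whatever the next visitor on that back-end connection sends. That is the whole trick, and it is why the defence lives at the edge: normalise to exactly one framing header, reject requests that carry both, and do not reuse back-end connections across different clients.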
Thomas, a machine in the making and truly a rising star in our industry. This talk is about glitching, for those who attack and defend MCUs. But more importantly, they're doing this with accessible hardware and releasing tools that cost less than 100 USD (the price of a coffee and a muffin in Las Vegas).
Yesterday was the fifth birthday of Google's Project Zero, and it seems fitting that we have Ben Hawkes going behind the scenes on what they do at Project Zero, with a retrospective assessment of the impact this work has had. He'll look at why a team like Project Zero is needed in the first place and some of the core principles they use to make decisions, dive into some of the classic hits from Project Zero's portfolio, and share some of the technical insights that result. Finally, he'll share some of the lessons learned, and a sketch of the next five years of Project Zero.
Finally, a member of that elite team, Natalie, will school us all on the rather secure iPhone. She specifically looks at all those rumours of zero-click 0-days being used by dodgy Israeli firms to own all, more specifically the potential for vulnerabilities in SMS, MMS, Visual Voicemail, iMessage and Mail, and explains how to set up tooling to test these components. The talk also includes two examples of vulnerabilities discovered using these methods.
A solid talk and a really interesting deep dive.
That's about it, as I said at the start, there are many other talks but it would be silly to list them all. If you are attending, say hello :)
Comments
CISO - Head of IT Security, Risk Management, Data Privacy and Compliance at UCB (5 years ago):
Thanks for the list Daniel! After many times at DefCON and BH EU, it will be my first BH USA. This list will come in handy. See you there!
Owner & Founder of GreenHat Solutions (GHS) | Cybersecurity enthusiast | Try Hack Me Top 5% | Retired Green Beret (5 years ago):
Thanks for sharing Daniel! Look forward to seeing you there.
Removing security uncertainty during product delivery (5 years ago):
Nice run down. Thanks mate.
Reduce risk - focus on vulnerabilities that matter - Contextual ASPM - CEO & Founder - Phoenix security - Runner - Application Security Cloud Security | 40 under 40 | CSA UK Board | CSCP Podcast Host (5 years ago):
Hey Daniel Cuthbert, thanks for the amazing detailed article! Will be my starting point for scheduling the week!! Thanks a lot again!!