Black Hat Europe 2021
Humans. Actual human interaction that is not done via Zoom or Teams or Google or any other digital means. What an amazing concept!
This Black Hat has me super excited as it has been a pretty tough 18 months and to have a conference that is hybrid and so full of amazing research is pretty cool.
First up, we've got some amazing keynote speakers.
Marietje Schaake is the international policy director at Stanford University’s Cyber Policy Center and international policy fellow at Stanford’s Institute for Human-Centered Artificial Intelligence. She was named President of the Cyber Peace Institute. Her keynote looks at who is actually responsible for security in the public realm, and given the events that have occurred over the last few years, I feel this is an important subject to discuss.
That will set the stage for the briefings. I know I say this every year, but I mean it: the quality is just getting better and better. It is becoming harder for us on the review board to pick the top talks as there are so many. What COVID-19 gave us was lots of time to be at home and research, and wow, did people tear stuff apart, build new things and generally look at ways security could be made better.
I shall caveat this now: the following talks are the ones I was blown away by but are by no means the only good talks. I have left many out, as otherwise this would be just a mirror of the main Black Hat website.
I have the utmost respect for Mr James Kettle. He truly is a super being when it comes to all things application security and continues to produce research that drives the industry forward and makes it better. This talk is a perfect example. HTTP/2 is still not that widely known, and yet it comes with ugly bugs that people should know about. He delves into the HTTP/2-exclusive desync attacks he's found possible, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech.
Honestly, this is a must-see talk and goes nicely with Daniel's talk.
Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers. Research in recent years has shown how flawed implementations of these actions can lead to severe security vulnerabilities such as HTTP request smuggling, authentication bypasses, and cache poisoning. James and Daniel are leading the charge to highlight how bad this can be when left misconfigured or misunderstood. With many now relying on proxies to perform security-related tasks, this is a talk you should attend if you are indeed part of that club.
The cloud - someone else's computer, right?
I'm a fan of cloud and cloud computing, but I'm not a fan of new ways of working that still haven't learned from mistakes made in the past. Sagi and Nir talk about ChaosDB, a critical cross-tenant vulnerability they discovered in Microsoft's Azure Cosmos DB, which, if you aren't aware, is Azure's flagship managed database solution used by countless organizations. This vuln impacted a lot of people, and when you hear the details, you wonder how it existed.
Talking about the cloud and vulnerabilities: often, when a cloud environment is attacked, attackers either leverage their access to reach valuable data or use it as a bastion host for further lateral movement. But as Joakim and Nicole will show, the rise of the cryptomining attacker is indeed a problem we need to be aware of. Using your cloud account to make crypto is indeed a thing.
Ransomware ransomware and ransomware.
If ever there was a word we are all very much aware of, it's ransomware, and the impact of ransomware. The thing is, what is rarely talked about is the actual negotiations that take place between victims and the ransom gangs. Pepijn and Zong-Yu are going to talk about how such negotiations take place, and it is fascinating, almost like a Netflix documentary.
VPNs: one can argue that they were the heroes of the working-from-home push we all experienced, but is that actually fair?
Often, said VPNs were built so badly, with ideas and approaches from the 1990s, that it was inevitable they'd be torn apart by attackers. The bugs we saw being disclosed pushed me into a fit of rage; this was embarrassing to say the least, and yet it came from companies with turnovers in the billions. Bart delves into such bugs, and I truly believe this is a vital talk, as it's high time we, as customers, started to demand more from security software vendors.
Something something crime doesn't pay kids.
Yeah, I'm truly not sure that applies anymore. Crime does pay, and we've made it so. Magecart's impact is something else, and Nethanel's research into such attempts and capabilities shows how much we, the industry, have enabled this. They've monitored the web for vulnerabilities in online infrastructures that enabled Magecart attacks or are leveraged in Magecart attacks, and the dataset is great and gives insight into how effective web skimming is.
The state of fuzzing today and the tools available to us all have greatly improved our chances of finding bugs in code. From large fuzzing rigs like Google's to the rise of American Fuzzy Lop (AFL), we are in a good place, but what about the bugs that are labeled low-risk? Often these are ignored, and this is where the research by Zhenpeng, Queqi, Xinyu and Kang blew us away, by introducing a new technical method to turn those seemingly low-risk bugs into memory corruption vulnerabilities. Very damn cool.
Hardware attacks: you may have noticed that I'm a big hardware fanboi, and as such, the hardware element is one that always appeals. We had so many good hardware submissions this year that we could do a Black Hat Hardware Con.
Martijn and Dana, from Riscure (a truly brilliant hardware security firm), looked at USB devices and the Linux kernel. Plug stuff in and get hit hard. Literally a malicious USB device that exploits a forgotten vulnerability in the USB stack of the Linux kernel, known as CVE-2016-2384. It achieves full code execution and shows that we shouldn't forget about old vulnerabilities, and that plugging unknown devices in is still a risk, which sucks for consumers.
If there's one thing that has been made easier thanks to the work of a few, it's fault injection attacks. What was once an expensive and fiddly thing to do is now easier to access thanks to the likes of Colin O'Flynn and the team at Riscure. As such, we are now seeing really cool research happening against once-secure elements, such as CPUs like AMD's. Robert and Niklas walk us through how they attacked the AMD Secure Processor (AMD-SP).
Following on from that is great research looking at Titan M.
Google's Titan M chip was why I moved from the iPhone to a Pixel. Having had the pleasure of spending time with Urs Hölzle over at the Google campus and hearing about the Titan M, it blew me away what had been done, so to get a submission from Maxime, Philippe and Damiano delving deep into why the chip is so cool was great, and I think you'd enjoy this too. There is a lot of R&D happening in the mobile ecosystem that many aren't aware of.
One thing you might have noticed so far is that there are a lot of vulnerabilities found in commercial and critical software stacks. Well, how does one go about disclosing these? What are the common problems faced during this process? I'm biased, but I'll be speaking with some brilliant researchers, namely Marina and Federico, who like me are tasked with finding bugs in such stacks, and we are trying to change the status quo when it comes to disclosure.
Now, mobile phones. We all have them, and thanks to COVID-19, we are using them more than ever to pay for goods. But how secure are these mobile wallets? Timur has done some brilliant research into "contactless payments for public transport" schemes. They managed to successfully defraud victims using stores located around the planet without the phone ever leaving the victim's pocket.
Another keynote from an old school hacker, Major Malfunction or Adam as his mum calls him.
Clocks and how you secure time. Knowing Adam, this will make us all think.
Talking of old school kool...
Marina and Ric go back to the 90s, because that is where most ICS kit still seems to be. There's so much I liked about this talk as it shows how sometimes segments of the industry, just like VPN providers, don't really change much and the impact could be huge if exploited.
Finally, a talk I think we need to hear. We, as an industry, are very gatekeepery and many newcomers feel they can't ask stupid questions. But in reality, there is no such thing as a stupid question and I'm keen to hear Regina's take on this as a newcomer to the industry.
As I said at the start, there are SO many good talks this year and I can't wait to try and see them all. I'm also looking forward to seeing so many of you in person this week, so don't be shy, say hello if you see me.
Comment (3 years ago) from a reader whose profile reads "Phished White House & Banks / Social Engineer / Phishing / Speaker":
'How you secure time' is a real thought-provoking slap around the chops :)