15 Hot Sessions at Black Hat Europe 2019Contactless Payments, IoT, False Flag Attacks and More in the Spotlight
Black Hat Europe returns this week to London. Now in its 18th year, the conference features 100 speakers and researchers delivering 15 in-depth technical training sessions and more than 40 briefings.
See Also: Defining and Refining Next-Gen AML
Repeating last year's choice of venue, this year's conference is hosted at the sprawling Exhibition Center London - ExCeL for short - in the city's Docklands area.
All briefings have been reviewed and selected by the more than 30 information security experts on the Black Hat Europe Regional Review Board. Organizers say the board fielded more submissions this year than ever before.
Tracks this year cover such topics as cryptography; data forensics and incident response; exploit development hardware and embedded systems; human factors; internet of things; malware; network defense; reverse engineering; the security development lifecycle; industrial security; and web application security.
Simply put, this year's briefings schedule features a wealth of goodness. Here's my rundown of 15 great-looking briefings:
Day 1 (Wednesday, Dec. 4)
- Blue to Red: Traversing the Spectrum (09:30): Amanda Rousseau, an offensive security engineer at Facebook, launches this year's briefings with a keynote speech devoted to the benefits of bringing an adversarial mindset to bear on cybersecurity challenges, drawing from her career experience, which includes working as a forensic technician for the government, serving as a private sector malware researcher and joining Facebook's red team.
- Conducting a Successful False Flag Cyber Operation: Blame it on China (11:00): Cybersecurity consultant Jake Williams, a former member of the U.S. National Security Agency's Tailored Access Operations hacking team, reviews the difficulty of running a false flag operation (hint: it's maybe easier than you think), compared to the extreme difficulty of correctly attributing attacks.
- First Contact - Vulnerabilities in Contactless Payments (11:00): Security researcher Leigh-Anne Galloway will detail vulnerabilities in contactless - NFC - payments, "how the EMV protocols and magstripe modes used for contactless are equally flawed," as well as how a physical card can be used to bypass £30 limit in the U.K. for contactless transactions.
- Money Doesn't Stink - Cybercrime Business Insights (11:00): Researchers share insights gleaned from gaining access to command-and-control servers and chat logs for a banking botnet they dubbed Geost that claimed 1 million victims in Russia. Cracking the botnet infrastructure enabled the team to identify 28 cybercriminals who discussed "other criminal projects ranged from pay per install, phishing website hosting, and C&C development to malicious APKs and fake games development."
- Exploiting Windows Hello for Business (12:10): Security hello, or goodbye? Microsoft in Windows 10 and Server 2016 introduced Windows Hello for Business, a new feature for password-less authentication in Active Directory-based environments. What could go wrong? Oh, just "a new type of persistent Active Directory backdoor," among other problems, reports IT security researcher and trainer Michael Grafnetter.
- Is Your Mental Health for Sale? (15:40): Short answer: Yes. Privacy International's Eliot Bendinelli and Mozilla's Frederike Kaltheuner reviewed 136 popular websites across France, Germany and the U.K. that offer advice on depression. They found that a majority of these sites used trackers and shared data, including depression test results, with third parties.
- ClusterFuzz: Fuzzing at Google Scale (16:50): Fuzzing, or using unexpected inputs to see what they make an application or device do, remains a tried-and-true testing method, as will be demonstrated by Google researchers Abhishek Arya and Oliver Chang, who promise to describe Google's automated ClusterFuzz infrastructure, which they say has been used to find 8,000 security vulnerabilities in multiple Google products as well as 200 open source projects.
Day 2 (Thursday, Dec. 5)
- Countering Threats to IoT (10:00): Members of Panasonic's security and incident response teams will demonstrate a malware sandbox they developed to watch for malware targeting the company's IoT devices.
- Implementing the Lessons Learned From a Major Cyberattack (10:45): Andy Powell, CISO of Maersk, describes lessons learned - the hard way - by the shipping giant as it responded to the massive 2017 NotPetya attack, and how those lessons are now being applied across the company.
- How to Break PDF Encryption (10:45): Researchers Jens Müller and Fabian Ising report that they tested PDF encryption implementations across 27 types of PDF readers and "found all of them to be vulnerable." All vendors have been notified. The researchers will demonstrate how their attacks enabled them to recovery "the entire plaintext of encrypted documents."
- OEM Finder: Hunting Vulnerable OEM IoT Devices at Scale (11:55): One persistent IoT challenge is that one original equipment manufacturer often builds devices that get rebranded by many different vendors, none of which make reference to the OEM. To help, Asuka Nakajima, a security researcher at NTT Secure Platform Laboratories, will detail a new type of search engine that can be used to compare vulnerable OEM device images with devices of unknown origin.
- Site Isolation: Confining Untrustworthy Code in the Web Browser (14:15): Two Google software engineers - Nasko Oskov and Charlie Reis - will describe Chrome's deployment of site isolation architecture and how "this pushes the browser security model forward, mitigating entire classes of attacks: from same-process Spectre exploits to UXSS to arbitrary code execution in the renderer sandbox." They'll also detail their hunt for bugs that might enable attackers to bypass site isolation.
- BlueMaster: Bypassing and Fixing Bluetooth-based Proximity Authentication (14:15): Researchers from Samsung Electronics and Oregon State University will demonstrate attacks against two approaches to Bluetooth proximity checks: Google's Android Smart Lock, for using registered devices to authenticate, and Windows 10 Dynamic Lock, to lock devices if paired smartphones move out of range.
- Trust in Apple's Secret Garden: Exploring & Reversing Apple's Continuity Protocol (15:25): While Apple devices may be known for simply working, using your Apple ID to share data across devices and services relies on protocols to safeguard your security and privacy. But researcher Ta-Lun Yen says these protocols can expose or leak sensitive data.
- Locknote: Conclusions and Key Takeaways from Black Hat Europe 2019 (17:15): The annual closing keynote panel discussion features Black Hat conference founder Jeff Moss, together with three fellow members of the conference's review board, discussing key takeaways from the conference and upcoming cybersecurity challenges.
Beyond the Briefings
Beyond the approximately 40 briefings that have been selected by the Black Hat Review Board, another 25 sessions are due to take place in the Business Hall, where vendors will be analyzing application security, identity and access management, dark web trends, as well as social engineering, cybersecurity careers and more.
Black Hat Europe Arsenal, which allows researchers and the open-source community to deliver live demonstrations of tools they develop and use in their daily professions, also returns to the Business Hall. This year's arsenal will feature nearly 50 tools covering topics ranging from Android, iOS and mobile hacking, to code assessment, ethical hacking and IoT.
There's also a "Women in Tech Meet Up" scheduled for Dec. 4 in the community lounge (Level 2) for local associations and attendees to connect and network.
An attendee lounge (Level 3, Room 10) for anyone attending the briefings is being billed as a place "to join Black Hat Review Board members for interactive discussions on IoT security, car hacking, industrial control system security, the future of community hacking spaces and more," as well as to just chill and recharge your phone.
Stay tuned for fresh stories and tweets as I hit London this week for Black Hat Europe.