Hacker Summer Camp: Takeaways from Black Hat and DEF CON 2019
Two big US cybersecurity conferences, Black Hat and DEF CON, jointly billed as “Hacker Summer Camp” have just finished in Las Vegas. The conferences tend to lead to a flood of news as the work done by the security researcher community is presented to their peers. Pulling off a particularly impressive hack – such as discovering security flaws in the control systems of a Boeing Dreamliner can lead to cheering and rounds of applause. This year was no different.
While the event always includes some incredibly noteworthy discoveries of vulnerabilities or exposures, it is important to consider the real-world implications of these flaws. The point of the event isn’t to become overwhelmed by the potential dangers that lurk outside (or inside) your network – because as we know, nothing is invulnerable – but look at how to address issues as a larger community. And among the many presentations and research shared, there were plenty of reminders of how IT and security teams need to remain vigilant but continue to adopt and follow security best practices.
On display again this year was an area called Voting Village where there were further demonstrations of how easy it is to compromise electronic voting machines like those used in US elections. The US state of Virginia took swift action last year after officials visited DEF CON and moved to paper-based systems. Continued discussions about the vulnerable state of these systems was a common theme at this year’s event. However, few IT professionals have the option of returning to pencil and paper to overcome security concerns.
An example of one of the compromised voting machines is pictured below.
What surprised me when considering the event overall, was how many incidents did not stem from complex vulnerabilities. Instead many issues seemed to originate from or be linked to the failure to keep up with the basics – patching, inventory and education – which left organisations vulnerable.
One notable demonstration was the hack of an iPhone via an iMessage presented by Google Project Zero researcher Natalie Silvanovich. The high-level summary is that the hack works via a text message. Once it arrives, your phone can be immediately compromised. No interaction is necessary by the phone owner – not even clicking on a malicious link, which we know people fall victim to. The good news is that Apple has already patched the bug but if you haven’t already upgraded to version 12.4, this should be the wakeup call to patch your iOS devices. If your mobile control software lets you push updates to your employees, now is the time to do so.
One other significant event that gained attention at this year’s event was around Microsoft. Attackers constantly evolve as people change what software they are using. As more businesses utilise Office 365, Microsoft is seeing increasing numbers of brute force password attempts on Office customers. Considering this, it was disappointing to learn from Mark Morowczynski of Microsoft and Sean Metcalf of Trimarc that only 7.94% of Office 365 admin accounts have multi-factor authentication (MFA) enabled. All other security measures are to all intents worthless if the Admin account is not protected. It is critical that firms use the security features available to them and extremely concerning that such a simple security measure is not being more widely applied.
It was another year of some incredible learnings and chill-inducing hacks, but I walked away with a focus on ensuring we have tackled the basics around patching and security education. While IT and security professionals struggle to keep up to date with the rate of new vulnerabilities, it’s good to know that as a community, we are finding ways to continuously share information, get smarter and strengthen our ecosystems together.