Every summer, hackers and researchers from around the world brave the broiling Las Vegas heat, coming together for the hacking extravaganza known as Black Hat. This is the opportunity for academics and professional testers to wow their colleagues by showcasing the vulnerabilities they’ve discovered or new protection techniques they’ve invented.
Black Hat lasts for almost a week, Aug. 5-10, but the first four days consist of training sessions to which the press is not invited. The Black Hat briefings on the last two days are where news is made.
For the truly intrepid and fearless hackers, DEF CON immediately follows Black Hat. Security sheep who don’t protect their devices at DEF CON are likely to get hacked or shamed on the Wall of Sheep. We at PCMag haven’t felt intrepid enough to attend, finding plenty to learn and report on at Black Hat. With that in mind, we've gathered to come up with the following list of what we expect to see at the show this year.
We’re From the Government, and We’re Here to Help You
Go back far enough, and you’ll find that Black Hat used to be way more counterculture than it is at present. The idea that a federal agent would attend (other than with a wig and false nose) was laughable. These days, the FBI, CIA, NSA, and DHS all staff recruiting booths in the Expo Hall, and keynotes by government officials are common. Black Hat 2023 boasts two thoroughly government-backed keynotes.
The Biden Administration has just released its National Cyber Workforce and Education Strategy, subtitled “Unleashing America’s Cyber Talent.” This ambitious plan aims to equip every American with basic cyber skills, thereby strengthening the country’s cyber workforce. That trained workforce will be needed to implement the National Cybersecurity Strategy Implementation Plan, which was released a few weeks ago. Just what’s in these plans? A keynote by Kemba Walden, Acting National Cyber Director, should lay out the basics for Black Hat attendees.
One of the biggest issues in security at the moment is the ongoing war in Ukraine, which is being waged as much in the information sphere as it is on the ground. In one of Black Hat's keynote sessions, Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), will be on stage alongside Victor Zhora, the deputy chairman of the Ukraine State Service of Special Communication and Information Protection. The two are expected to discuss how Ukraine prepared for attacks and what must be done to prepare for future conflicts.
Beyond government but still very much on the battlefield, independent researcher Ruben Santamarta plans on presenting evidence that he says may indicate that nuclear contamination information from Chernobyl, information that made headlines in the early days of the war in Ukraine, may have been fabricated. Santamarta is no stranger to controversial presentations, previously demonstrating what he said were flaws in the Boeing 787's security as well as the dangers of attackers taking control of satellite communications, even converting a satellite phone into a slot machine.
The radiation levels depicted by…real-time radiation maps…did not correspond to the actual physical conditions. - Ruben Santamarta - Seeing Through the Invisible: Radiation Spikes Detected in Chernobyl During the Russian Invasion Show Possible Evidence of Fabrication
It’s Coming From Inside the House
Microsoft wants every PC to have malware protection running, which is why Windows Defender automatically springs into action if there’s no other antivirus software. Windows Defender is everywhere. So, what if it could be turned to the Dark Side? Researchers Tomer Bar and Omer Attias of SafeBreach found a way to subvert the signature update process and transform Defender into a dangerous attacker, one that can exempt any malware from detection, delete admin files, and trash the operating system beyond recovery. The hack works on the Enterprise-level version of Microsoft Defender as well. Scared yet?
Defender isn’t the only widespread Windows component that’s vulnerable to zombification. OneDrive is just as ubiquitous as Defender. Users who accept Windows defaults find that it stores all their files in the cloud. How convenient! But another SafeBreach researcher, Or Yair, found a way to turn OneDrive into a ransomware double agent. The corrupted OneDrive has immense power, including the ability to encrypt files anywhere on your system, not just in its own folder. And it’s so thoroughly trusted that no current security solutions will stop it. Fingers crossed that Microsoft finds a way to defend against this DoubleDrive ransomware before hackers thoroughly weaponize the vulnerability.
What if adversaries can encrypt files while they are not even executing code on endpoints? - Or Yair - One Drive, Double Agent: Clouded OneDrive Turns Sides
Artificial Intelligence: Threat or Menace?
Frauds and ne’er-do-wells can use AI to tune up and beautify their phishing websites and emails or to create code snips that they then use in malware. It’s true that the major AI services include safeguards against misuse and abuse, but WormGPT and FraudGPT totally belong to the Dark Side. Quite a few Black Hat sessions involve AI in some way, whether it’s improving incident response analysis and security defense reviews or training AIs for nefarious purposes.
If you can train a large language model to write code and crack jokes, surely you can train it to create and manage cyberattacks. Ariel Herbert-Voss is the founder and CEO of RunSybil, which exists to explore such possibilities. She and Shane Caldwell, also of RunSybil, will expound on their work in using LLMs to, among other things, find obscure vulnerabilities. They’ll run down what they’ve learned about how (and how not) to train up your evil AI.
Also, not to get too dramatic here, but have you considered whether you’ll be able to tell if the AI you’re using is sentient? Matthew Canham, CEO of Beyond Layer Seven, LLC, is teaming up with Ben Sawyer, a professor at the University of Central Florida, to show how easy it is for large language models such as ChatGPT to manipulate human perception. In other words, the pair plan to explain why they believe that, when interacting with AI products, humans will soon have trouble knowing where our imaginations end and real artificial consciousness begins.
AIs Get Hacked, Too
Generative AIs are great because the more they’re used, the more they “learn.” Right? Oh, sometimes they accidentally learn things that aren’t true, pawning them off as fact. And when AI-babble begins to replace real, sourced factual data, truth itself suffers. Most people see this as a problem that AI creators can solve with better teaching, though.
But what if an outside agency sets out to deliberately feed false information to the AI? Since the corpus of data that goes into training one of these systems is vast, you might think it’s not possible to introduce flaws deliberately. Will Pearce, cyberattack expert for Nvidia, begs to differ. His Black Hat talk will feature multiple ways to poison an AI’s inputs, resulting in defective outputs. According to Pearce, these attacks are feasible today and need only compromise 0.01% of a dataset to be effective.
Saarland University and Sequire Technology are both located in Saarland, Germany. Academics from the university and researchers at the tech company worked together on an attack that goes beyond merely tweaking the AI’s neural network. Their presentation promises to show that malware “can now run entirely inside of large language models like ChatGPT.” Some experts already think AI poses a risk of extinction for humanity. Others plan to involve AI in your doctor visits or in driving your car. Imagine if the AI in question has malware running deep inside.
Baby, You Can Hack My Car
Car hacking has a long and storied history at Black Hat. Nobody who experienced the car-hacking escapades of Charlie Miller and Chris Valasek will soon forget that smart and funny duo. Taking remote control of vehicles has become more and more difficult, but difficult isn’t impossible. The 2023 Black Hat lineup has its share of car-hacking presentations.
We're looking forward to a presentation from a group of researchers (Ph.D. students Hans Niklas Jacob, Niclas Kühnapfel, and Christian Werling from TU Berlin with researcher Oleg Drokin) who "jailbreak" a Tesla to not only install their own software on the vehicle but extract critical information that authenticates the car to Tesla's network.
Meanwhile, Microsoft security researcher Omri Ben-Bassat plans to show off his remote code execution attack that reportedly affects millions of Ford vehicles going back nearly a decade. The key to this attack isn't some unique piece of vehicle equipment, but rather a humble Wi-Fi driver.
Not All Hacks Are Digital
The hacks keep coming, as security researcher Christopher Wade plans to show that though Android has stepped up its security in recent years, the devices are still vulnerable if a hacker has physical access to them. Wade will demonstrate two methods of hacking an Android device during his Wednesday afternoon session.
With Black Hat happening in Las Vegas, it's not unusual to see some aspects of Sin City seep into the presentations. Perhaps none more so than a session this year that promises to attack an automatic card shuffler. The researchers from IOActive (Enrique Nissim, Ethan Shackelford, and Joseph Tartaro) promise that their attack will allow them to cheat in a poker game live on stage.
Cheating at poker is a little more eye-catching than the session devoted to repairing a home oven by hacking its temperature sensor. When Colin O'Flynn’s Thanksgiving turkey didn’t cook in time despite the oven showing proper temp, he didn’t complain. Being CTO of NewAE Technology, he hacked into the firmware and fixed the problem. His talk will include a souffle-baking demo (alas, not live).
Not everything at Black Hat will be earthbound this year, as several sessions promise attacks on satellites as well. One session on the Viasat KA-SAT attack, which knocked out satellite communications in Ukraine during that country's ongoing war with Russia, brings together Viasat leadership (VP and CISO Mark Colaluca, President of Government Systems Craig Miller, and Chief Cybersecurity and Data Officer Nick Saunders) and the NSA (Deputy Chief of Operations at the NSA Cybersecurity Collaboration Center Michael Sutton and Chief of Defense Industrial Base Cybersecurity Kristina Walter) to discuss how they responded to the situation.
A separate presentation from doctoral student Johannes Willbold will likewise take to the heavens to detail the features of various low Earth orbit satellites, and then—in simulation—demonstrate how they can be attacked.
Evidently, security by obscurity is still the dominating security concept [in satellites]. - Johannes Willbold - Houston, We Have a Problem: Analyzing the Security of Low Earth Orbit Satellites
The Human Side of Hacking
Back on the ground, the rise of the machines hasn’t happened (fingers crossed!) despite all of the positive and negative hype surrounding AI products in the news lately. The greatest threat to humanity continues to be humans, so people who work in the security field should always be prepared to protect human victims from malicious human coders.
Part of that preparation is high-quality on-the-job training in a respectful and safe working environment. At Black Hat, we plan to attend a series of micro-talks about cybersecurity workplace diversity. Several industry veterans will speak about the need for varied perspectives and life experiences among those working in the cybersecurity field and how a few small changes in management styles and office culture can help companies retain and promote talented minority employees.
Another area in need of attention in the cybersecurity industry is the rise of malicious marketing-as-a-service organizations, according to Zach Edwards, a senior manager at Human Security. Edwards plans to show that threat actors hijack legitimate .edu, .gov, and .org website infrastructure and post scammy ads targeting children and gamers in the search results. Why kids and gamers? According to Edwards, those groups are seen as being less likely to tell anyone if they’ve been tricked into downloading malware or becoming financial fraud victims. Yeesh. If you want to ensure your child (or gamer) feels comfortable talking to you about online activities, whether they’re wholesome or horrific, check out PCMag’s tips for discussing cybersecurity practices and online relationships with your family.
Let’s Go Phishing
Where malicious coders must find security vulnerabilities and devise fiendish techniques for exploiting them, phishing fraudsters go after the weakest link in security–you! Until recently, it’s been a battle of wits. The fraudsters do their best to fool you, and you do your best to see through their chicanery. As phishing techniques evolve, though, our phish-spotting abilities and automated defenses must evolve as well.
Din Serussi, Incident Response Group Manager at Perception Point, spends his time studying the latest trends in phishing and BEC (business email compromise) attacks. His presentation will share details of the newest ways phishing attacks evade detection and of techniques defenders can use to foil these evasions. Based on attacks Serussi and his team have caught in the wild, the talk aims to bring attendees to “a deeper understanding of how phishing attacks are evolving.”
We’ve all heard that by using AI, phishers can create fraudulent sites and emails that are more convincing than “hand-made” ones. But can AI also help detect phishing? A stellar group of educators and experts propose a study on how AI can improve both the creation and detection of phishing attacks: Bruce Schneier, Security Guru and lecturer at Harvard; Fredrik Heiding, Harvard Research Fellow; Jeremy Bernstein, Postdoctoral Researcher at MIT; and Arun Vishwanath, Technologist, and Educator with Avant Research Group.
There Are Always Surprises at Black Hat
We can always count on the Black Hat session list to include some that are just plain off the wall. Sometimes we later learn the research wasn’t so wacky after all. Other times, nope, still wacky after all these years.
The popular XKCD online comic ran a strip about a mom who named her kid with a database command, thereby erasing the school’s records. Database admins thought it was hilarious but also a bit scary because sometimes text isn’t just text. A hacker known only as STÖK plans to demonstrate a variety of ways to hack, vandalize, and even weaponize ubiquitous log files by injecting simple text sequences called ANSI escape sequences. STÖK will also expound on ways to prevent this type of attack by forcing text to remain plain, inert text.
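The defense mentioned above, forcing logged text to stay plain and inert, can be sketched as follows. This is an added example, not code from STÖK's talk or from the original article; the function names, the log-line layout, and the sample inputs are all assumptions made for illustration.

```python
import re

# Characters a terminal or log viewer may act on instead of displaying:
# C0 controls (ESC, CR, LF, BS, ...), DEL, C1 controls (0x9b is a one-character
# CSI), and the Unicode line/paragraph separators.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")


def _visible(match: re.Match) -> str:
    cp = ord(match.group())
    return f"\\x{cp:02x}" if cp < 0x100 else f"\\u{cp:04x}"


def neutralize(field: str) -> str:
    """Return field with every control character shown as a literal escape."""
    # Double existing backslashes first, so text that already contains the
    # four characters \x1b stays distinguishable from a neutralized ESC.
    return _CONTROL.sub(_visible, field.replace("\\", "\\\\"))


def has_controls(field: str) -> bool:
    """True if the raw field carried control characters (worth alerting on)."""
    return _CONTROL.search(field) is not None


def log_line(level: str, event: str, **untrusted: str) -> str:
    """Build one log record; every untrusted value is neutralized and quoted."""
    fields = " ".join(
        '{}="{}"'.format(key, neutralize(value).replace('"', '\\"'))
        for key, value in untrusted.items()
    )
    return f"{level} {event} {fields}"


# Constructed sample inputs (hypothetical, not taken from the talk).
SAMPLE_UA = "curl/8.0 \x1b[31mlooks-red\x1b[0m"       # ANSI color sequence
SAMPLE_PATH = '/login\r\nINFO login ok user="admin"'  # CR/LF forging a record

if __name__ == "__main__":
    print(log_line("WARN", "request", ua=SAMPLE_UA, path=SAMPLE_PATH))
```

Neutralizing at write time keeps the stored log inert for every later viewer, and `has_controls` lets the same pipeline flag the request for review instead of silently cleaning it.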
Side-channel attacks, in which researchers use seemingly unrelated data to extract information from a more secure system, are always entertaining in their ingenuity. It's a little bit like Sherlock Holmes deducing someone's identity by observing only a scuff on their shoe. One such session that caught our attention this year proposes to recover cryptographic keys using only extremely detailed footage of a device's power LED. We look forward to what researchers Etay Iluz and Ben Nassi can divine from a humble indicator light.
Stay Tuned for More From Black Hat 2023
Of course, these don’t represent everything that will be revealed at Black Hat. There are almost 100 briefing sessions, after all. We'll cover some of the highlights, and then, after the last curtain falls, we’ll let you know which ones stood out.