Cyber News Roundup: What to Expect at Black Hat and DEF CON

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

Your phone is leaking your personally identifiable information (PII). Learn how to break modern encryption and hack into a car. Explore ways to hack physical security, including disabling alarm systems and cameras. Hear lessons learned from running a national penetration testing competition. These are just some of many topics that will be explored – and exploited – next week. As Las Vegas sizzles at 100 degrees plus, hot security technologies and cybersecurity findings will also be sizzling at this year’s Black Hat USA 2019 and DEF Con 27 conferences. Black Hat USA, one of the world’s leading information security events, paired with DEF CON, the world’s largest hacking conference, bring together top cybersecurity professionals who will discuss top trends, top threats, vulnerabilities, research – and the latest reverse engineering, attacks, and hacks. Welcome to Vegas, Baby!

Hot topics this year include:

  • New attack surfaces
  • Wireless 
  • Mobile
  • Auto and aircraft hacking
  • Social media manipulation driven by malware
  • Artificial intelligence
  • Biohacking

What are the biggest cybersecurity concerns?

A recent poll reveals that Black Hat attendees are most concerned about vulnerability management, ransomware, container security, and compliance. In his article, Black Hat 2019 Braving the Heat and Chaos in Search of Peace of Mind, Tony Bradley states that what businesses and cybersecurity professionals really want is peace of mind and less stress in their lives. With two back-to-back conferences exposing the dark side of security, there’s a lot to be worried about – and a lot to learn. Do you want to learn how to exploit rare technologies? Do you want a deep dive into the world of Linux containers? How about how to perform how to efficiently assess internal networks? Or how to attack and defend the Microsoft Cloud? Black Hat USA will offer ample technical trainings including cryptography, forensics, IoT, malware, social engineering, and pen testing.

The keynote at Black Hat, “Every Security Team is a Software Team Now,” sums everything up: how security teams are becoming increasingly focused on the software side of things, and how everything has to be secure by design from the start. According to an article in ThreatPost, does every software team have to have a security component? Security and how it fits into everything is the new normal.

The folks at McAfee weigh in on what attendees should keep an eye out for at this year’s Black Hat, offering perspectives on topics and the latest cyber concerns. Read the Q&A here.

Cyber Oregon Supporters Flood Vegas

Cyber Oregon supporters will have a big presence at this year’s Black Hat USA, including several featured speakers and sessions, booths, and surprises:

Following Black Hat USA 2019: DEF CON 27

DEF CON 27 won’t disappoint. Whether it’s exploiting Windows, embedded hacking, hacking a small aircraft, or breaking Google Home, speakers will share their latest thoughts and research and attendees will get the chance to live hack.

What does ThreatPost anticipate at DEF CON? In a podcast, editor Tom Springs outlines, “Your sort of bread and butter hardware hacking sessions, software hacking, cloud hacking stuff…stuff that you would definitely anticipate really looking forward to. And they’ve got a lot of good stuff on breaking Google Home and…doing a lot of really interesting things with a lot of the Windows cloud configurations…some really fun quirky stuff.” Quirky stuff including hacking a Roomba. Tara Seals of ThreatPost says that a hacked Roomba could use that data to map out the floor plan, to plan a physical robbery. #scary

Firmware vulnerability issues continue to be an issue. Eclypsium, enterprise firmware security company and Cyber Oregon supporter, recently issued a baseboard management controllers (BMC) vulnerabilities report finding critical vulnerabilities and weaknesses in the firmware of popular computer servers, according to a Cyberscoop article. The data has forced manufacturers to take action and mitigate the security flaws.

“Most hardware vendors do not write their own firmware and instead rely on their supply chain partners,” Eclypsium said in recently-published research. “Firmware is quite commonly licensed from a third party and used with little modification, allowing vulnerabilities to extend to many different brands and products.”

Cyber Oregon supporters will penetrate DEF CON 27 with presentations with subject matter experts and live-hacking demos:

On Friday, August 9 a DEF CON 27, cybersecurity expert Mark Cooper, president and founder of PKI Solutions and Cyber Oregon supporter, will present “How PKI and SHAKEN/STIR Will Fix the Global Robocall Problem.” More than 48 billion robocalls were placed in 2018 and the Federal Communications Commission (FCC) estimates robocalls will constitute more than half of all phone calls placed in the U.S. this year. In an effort to put an end to this, the FCC and major telecommunications companies including Comcast, AT&T, and T-Mobile are behind a new global standard called SHAKEN/STIR (Signature-based Handling of Asserted Information using ToKENs and Secure Telephony Identity Revisited) to combat robocalls and caller ID spoofing. Public key infrastructure (PKI) is the backbone of SHAKEN/STIR, using digital certificates based on common public key cryptography techniques to ensure the calling number of a telephone call has not been spoofed.

Cyber Oregon partner blog of interest