8 Cybersecurity Themes to Expect at Black Hat USA 2020
Here are the trends and topics that'll capture the limelight at next month's virtual event.
July 23, 2020
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt78439e7519a0b137/64f0d32200fbd4d5e0b5b895/1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
While many a security professional currently laments the inability to meet up with peers for real-life security summer camp this year, the good news is that Black Hat USA 2020 is a go for virtual attendees. The conference organizers have still managed to capture the zeitgeist of the security industry through Black Hat programming, which will feature the same kinds of vulnerability disclosures, attack research, and exploit tools that regulars have come to expect.
The following are some of the biggest themes the agenda holds for Black Hat audience members Aug. 1 to 6.
Securing remote work has been the unexpectedly urgent theme for 2020, and a few pieces of research coming out of Black Hat will offer some insight into vulnerabilities that could put work-from-home (WFH) employees at risk.
In one talk, Orange Cyberdefense security researchers Charl van der Walt and Wicus Ross will demonstrate how secure implementations of virtual private networks (VPNs) could be endangered by how these connections interact with Wi-Fi hotspots as they're initialized and VPNs are activated -- potentially throwing off threat models for highly distributed workforces.
Meanwhile, in another planned session, ESET's Robert Lipovsky and Stefan Svorenick will explain the details of a vulnerability they discovered that could impact over a billion Wi-Fi-enabled devices. The flaw, named Kr00k, was disclosed earlier this year, but along with their talk they'll drop a proof-of-concept testing script to detect the vulnerability on unpatched devices.
Expect to hear about a number of different cloud attack trends and best practices, and potentially pick up some free tooling to address the broad spectrum of cloud fronts, including software-as-a-service and Internet-as-a-service platforms and containers.
Among the cloud security highlights in the Black Hat sessions this year, Mandiant's Josh Madeley and Doug Bienstock will take a deep dive into the targeted attacks occurring on enterprise Office 365 deployments that have been used to consistently steal large volumes of data over the past several years.
Meanwhile, in response to increasing numbers of organizations accidentally exposing sensitive data through insecure, public-facing Amazon Web Services (AWS) data stores, a couple of researchers developed a new tool to help, which will be released at Black Hat Arsenal. Called SmogCloud, the tool developed by Rob Ragan and Oscar Salazar will help organizations quickly identify poorly configured, Internet-facing AWS services.
The troubling political climate, weaknesses in election systems, and the digital dissemination of information will factor big at Black Hat, captivating the attention of both of the show's major keynotes and explored in greater technical depth within several sessions.
In one keynote, Renée DiResta, research manager at the Stanford Internet Observatory, will offer a high-level overview of modern-day information operations and how sophisticated players are hacking public opinion. In the other headliner keynote, Matt Blaze, McDevitt chair in computer science and law at Georgetown University. will discuss the challenges faced in keeping elections running securely during a global pandemic.
Meanwhile, other important sessions include a rundown from Nate Beach-Westmoreland, head of strategic cyber threat intelligence at Booz Allen Hamilton, on the past decade of Russian attempts to interfere with US election activities. Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), will also provide an update on what the agency has been doing to prepare for what's looking to be an extremely contentious election year.
The insecurity of critical infrastructure and the Internet of Things (IoT) will get lots of play during the show this year, as security researchers have increasingly turned up the heat on work to discover weaknesses in the power plants, factories, oil and gas facilities, and other crucial components of global critical infrastructure.
In one session, Trend Micro senior research scientist Marco Balduzzi will highlight work done with Trend colleagues and external researcher Luca Bongiorni in finding weaknesses in industrial protocol gateways in industrial-control system (ICS) environments. These gateways are used to connect equipment and control systems from different vendors with one another or bridge older equipment so they can be used with modern SCADA systems. They'll run down nine zero-day vulnerabilities that put these systems at risk of denial-of-service (DoS), unauthorized modification of configurations, and translation errors that could send wrong commands to programmable logic controllers (PLCs) and the switches, sensors, devices, and machinery associated with them.
Another interesting session of note in this theme category is a project conducted by Tohid Shekari and Rahem Beyah of Georgia Institute of Technology. The pair created a hierarchical model they call "IoT Skimmer," which could be used to conduct power market manipulation in the same vein as pump-and-dump stock scams by using botnets made up of high-wattage IoT devices to spike power demands in deregulated market.
Technology and software supply chain risks are gaining more visibility, and several Black Hat speakers will explore nuances of this theme at varying degrees of depth.
Among them will be the CEO and two researchers from JSOF, who will provide an in-depth explanation of their work on Ripple20, a set of 19 zero-day vulnerabilities they found in a widely used, low-level TCP/IP software library that puts hundreds of millions of critical devices around the globe at risk of multiple remote-code execution flaws. Because the library is so widely used in embedded software, the flaw had a ripple effect across the device supply chain. In other words, it puts everything from infusion pumps to electrical grid equipment at risk.
Some of the most difficult weaknesses to address in cybersecurity have nothing to do with systems, security architecture, or controls. Instead, the weakness resides in the people tasked with protecting enterprises day in and day out. Issues of burnout, personality conflict, inability to communicate, and poor coping skills can all play a factor in how well a security team made up of very human professionals is able to effectively operate.
Security luminary Rich Mogull of Securosis and DisruptOps plans to draw parallels between the stresses faced by cybersecurity pros and paramedics in an interesting talk from which he hopes security professionals can gain new coping skills. As a longtime paramedic and security pro, Mogull believes his cyber colleagues can learn about surviving and thriving in their profession by hearing how paramedics do so.
Phishing, business email compromise, and other email threats that depend heavily on email spoofing are on the uptick as attackers try to profit off of pandemic pressure. Many security organizations and email providers are trying to combat email threats through increased use of email authentication mechanisms like SPF, DKIM, and DMARC. But these measures aren't perfect, and one Black Hat session in particular will illustrate that.
A trio of researchers -- Vern Paxson, UC Berkeley professor and co-founder of Corelight; Jianjun Chen, post-doc researcher at International Computer Science Institute; and Jian Jiang, senior director of engineering at Shape Security -- will run down 18 different attacks that can game even the most updated email authentication deployments. They'll be offering technical details about the attack and providing a new testing tool for email providers to start improving their email authentication mechanisms in the future.
Weaknesses in enterprise resource planning (ERP) software and other related platforms have been a particular favorite to pick apart among Black Hat researchers for several years running now, as these systems of record are so intertwined with critical business processes but were also woefully ignored by enterprise security programs for far too long.
ERP security has come a long way since Black Hat started highlighting a lot of research in this area half a decade ago. Nevertheless, it's a work in progress, and this year researchers Pablo Artuso and Yvan Genuer of Onapsis will dig into another piece of research around the SAP ecosystem that's we;; worth a gander for those charged with securing enterprise software environments. The duo will be presenting their work to audit the security weaknesses of SAP Solution Manager (SolMan), which is at the administrative heart of every SAP deployment. They will show that it was possible to compromise all systems in an SAP environment through unauthenticated HTTP access.
Weaknesses in enterprise resource planning (ERP) software and other related platforms have been a particular favorite to pick apart among Black Hat researchers for several years running now, as these systems of record are so intertwined with critical business processes but were also woefully ignored by enterprise security programs for far too long.
ERP security has come a long way since Black Hat started highlighting a lot of research in this area half a decade ago. Nevertheless, it's a work in progress, and this year researchers Pablo Artuso and Yvan Genuer of Onapsis will dig into another piece of research around the SAP ecosystem that's we;; worth a gander for those charged with securing enterprise software environments. The duo will be presenting their work to audit the security weaknesses of SAP Solution Manager (SolMan), which is at the administrative heart of every SAP deployment. They will show that it was possible to compromise all systems in an SAP environment through unauthenticated HTTP access.
While many a security professional currently laments the inability to meet up with peers for real-life security summer camp this year, the good news is that Black Hat USA 2020 is a go for virtual attendees. The conference organizers have still managed to capture the zeitgeist of the security industry through Black Hat programming, which will feature the same kinds of vulnerability disclosures, attack research, and exploit tools that regulars have come to expect.
The following are some of the biggest themes the agenda holds for Black Hat audience members Aug. 1 to 6.
Read more about:
Black Hat NewsAbout the Author(s)
You May Also Like
CISO Perspectives: How to make AI an Accelerator, Not a Blocker
August 20, 2024Securing Your Cloud Assets
August 27, 2024