7 Hot Cybersecurity Trends to Be Highlighted at Black Hat
Just some of the research and ideas worth checking out at this year's 'security summer camp.'
July 8, 2019
Black Hat USA is fast approaching. With the full conference schedule online, now is the time for security pros to dive in and plan out their paths to exploring a wide range of learning opportunities. As with years past, the conference will feature sessions about new zero-day vulnerabilities, research that stretches the bounds of what's breakable in emerging technology, and new methods of defending systems in the ever-evolving tech world.
Following up on this year's very dramatic unraveling of Boeing 737 Max software quality flaws, it's only appropriate that Black Hat revisits aerospace software security. One of the most highly anticipated talks this year will be research presented by Ruben Santamarta of IOActive that analyzes work done to reverse the Boeing 787 Dreamliner's Core Network and reveals previously unknown vulnerabilities therein.
This talk is a highlight among a number of interesting sessions probing the security of things that "go," including connected BMW cars and electric motors used in critical infrastructure.
Research on hackable trains and cars is just the tip of the iceberg of what Black Hat speakers will explore when it comes to firmware and embedded software security. For example, Nathan Keltner and Dionysus Blazakis of Atredis Partners will delve into the vulnerabilities in undocumented server components that put modern servers at risk of compromise. And a pair of independent security researchers will detail how they were able to apply Bluetooth LE hacking techniques common for breaking Internet of Things (IoT) gadgets to completely own the phone key system of a large hotel chain. All told, the show promises some 17 different sessions in the hardware and embedded hacking track.
It has taken a few years, but we're starting to see more Black Hat programming acknowledging how the seismic shifts in modern application development are impacting security research and defense techniques. A number of talks will be delving into how security can keep up with DevOps, how increased use of open source components requires more transparency in the software supply chain, better approaches to rooting out open source vulnerabilities at scale, and how teams can get better at securing the cloud infrastructures developers use to create new software.
Another really crucial trend that has been fueled by DevOps and continuous delivery models for software development is the rapid proliferation of containerization and cloud-native technology. Containers offer a new class of threat surface for security teams to protect, and the industry is due to see a lot of new vulnerabilities and security issues arise as researchers and attackers gain more familiarity with the technology.
Black Hat will feature two important talks on containers. The first, presented by Brandon Edwards and Nick Freeman of Capsule8, will offer a foundational what's-what on how container escape vulnerabilities and exploits work, how prevalent they are, and what the industry can expect in the future. The second talk, presented by Ian Coldwater of Heroku and Duffie Cooley of VMware, will explore how attackers can exploit features in Kubernetes and what practitioners and the industry at large need to do to harden this extremely popular container orchestration framework.
If access management is at the heart of security defense, then conversely it only stands to reason that it's also at the core of so many offensive attack techniques. As such, it's no surprise to see a full slate of talks digging into different aspects of breaking authentication and escalating privileges on systems. For example, Alvaro Munoz and Oleksandr Mirosh of Micro Focus Fortify will be delving into bugs in major federated identity implementation libraries that threaten the security of single sign-on. And Marina Simakov and Yaron Zinar of Preempt plan on presenting several new vulnerabilities they discovered in Active Directory, including a new critical zero-day that gives attackers the ability to take over any machine in a domain, even those highly hardened with strong configuration and server signing.
Meantime, Yu Chen and Bin Ma of the prolific Tencent Security team will be presenting new methods for bypassing off-the-shelf biometric products, including facial and voiceprint recognition used by payment software. Tencent's Wenxu Wu also will be presenting a separate talk on a new methodology for automatically finding file privilege escalation bugs in Windows 10.
As artificial intelligence capabilities advance and the socio-political stakes of technology continue to rise, manipulation risks by deepfakes will continue to mount. The security community is already starting to explore these areas, as evidenced by a few talks on the schedule. They include a talk by George Williams of GSI Technology detailing research around using mice to discriminate between real and fake speech, as well as an exploration by Mike Price and Matt Price of ZeroFOX on how deepfake videos are created and used offensively online. They'll also be introducing a new tool for offensive and defensive research on deepfakes.