“When one door closes, another door opens.” At Black Hat 2020, that couldn’t be more true. The infamous cybersecurity hacker conference, which normally takes place in Vegas, went fully virtual this year, as did DEFCON (aka “Hacker Summer Camp”)). As a member of this year’s Black Hat Review Board, an instructor for nearly a decade, and a mom, I was elated that for the first time, I could stay on the cutting-edge of my profession without having to leave my children behind.
Sure, this year I missed the burner phones, the hacked ATMS, the parties, the pools, and above all, my friends and colleagues. At the same time, the virtual format made this world-class cybersecurity content more accessible than ever before. Many brilliant people in diverse economic brackets, family situations, and faraway locations could attend for the first time (and hopefully not the last).
Highlights from this year’s Black Hat Briefings
On to the research! The highlights of this year’s conference ranged from practical human behavior studies to technical, proof-of-concept demonstrations, such as:
- More Effective Cybersecurity Training Tactics – How can you make cybersecurity training programs that really work? This year, researchers from Elevate Security performed a behavioral science experiment to determine which cybersecurity training tactics are the most effective. The result? The carrot is more effective than the stick. The researchers identified three “motivation hacks” that you can use to improve your cybersecurity training results: social proof (i.e. leveraging positive behavior of peers), gamification, and positive reinforcement.
- Your Ethernet Cables Can Get You Hacked – In a fascinating proof-of-concept attack, researchers from Armis showed that a faulty Ethernet cable could be used to exploit a victim’s network. In any Ethernet cable, there is a very small but real chance of transmission error: i.e. a bit that is supposed to be zero turns into a 1, or vice versa. This risk is dramatically higher in faulty Ethernet cables. The researchers took advantage of this and launched a “packet-in-packet” attack, bombarding the target with a large number of specially crafted UDP packets. When a certain bit was accidentally flipped, it enabled the UDP packet to sneak through the firewall and reach the target workstation inside the network. The payload of the packet caused the workstation to register the attacker’s system as a new search domain, enabling the researchers to intercept and redirect the victim’s web traffic.
- COVID-19 Hacking Risks – The COVID-19 pandemic has created a plethora of new cybersecurity risks, from a surge in remote access risks to cloud-based attacks. Cybersecurity firm Carbon Black reported a “dramatic increase in destructive attacks — the use of wipers and ransomware, NotPetya style, within networks,” said executive Tom Kellerman during a Black Hat “happy hour” panel. In the 2020 Black Hat Attendee Survey, 94% of respondents felt that “the COVID-19 crisis increases the cyber threat to enterprise systems and data” and nearly a quarter believed the threat is “critical and imminent.”
- Car Hacking Accelerates – When researchers demonstrated in 2015 that they could remotely shut down a Jeep on the highway, it sent shock waves through the automotive industry. Security issues have continued to plague manufacturers as they race to introduce new high-tech features. This year, researchers released 19 security vulnerabilities in the Mercedes-Benz, enabling them to remotely open the doors and start the engine. The issues, which may have affected as many as two million cars, have now been fixed—but they illustrate the challenges of IoT hacking. What’s more, since consumer devices (including cars!) increasingly come with a mobile app, our mobile phones introduce new avenues for hacking powerful devices.
- Is Your Light Bulb a Security Risk? Researchers from Ben-Gurion University of the Negev demonstrated that hanging light bulbs can be used to capture your conversations at a distance. The researchers hypothesized that sound wave cause minuscule fluctuations in the light emitted from hanging light bulbs, which can be detected and used to reconstruct audio from a room. As a proof-of-concept, the researchers set up a telescope and sensor on a bridge approximately 25 meters away from an office building. Inside the target room, they played two songs and an audio clip. They were able to successfully reconstruct the audio clip, as well as the songs (Coldplay’s “Clocks” and The Beatles “Let It Be.”) According to the researchers, their techniques will work using any kind of E27 light bulb, including incandescent, LED, or fluorescent. (Time to move to an underground bunker?)
- Election Year Hacking – It’s undeniable: hacking is part of the modern election cycle, and 2020 is no exception. For years, voting machine security was stymied in part by the frigid relationship between hackers and manufacturers. Fortunately, this year saw significant improvements. At Black Hat, major election technology vendor ES&S teamed up with security firm Synack to talk about their new partnership, and how the companies are working together to help move voting machine cybersecurity forward.
A New Format for Black Hat 2020 Trainings
Leading up to the Briefings were four intensive days of cybersecurity Trainings. This year, the new virtual format opened up opportunities for setup and one-on-one prep meetings that were previously impossible in the short, intense conference format.
In the Data Breaches class, taught by myself and Matt Durrin, all of the hands-on labs were in Azure, which meant everyone could test out their connections ahead of time and retain their access for 30 days following class. We set up “office hours” with students in advance, to make sure that everyone was ready to hit the ground running the day of the conference. That was something we were never able to do before! Lectures were conducted via GoToTraining, which gave everyone the ability to listen to lectures from the comfort of their own home.
When class wrapped up, Matt and I had our usual post-Black Hat whiskey and debrief session—but this time instead of being in a Vegas casino, we stopped at Missoula’s new Stave & Hoop speakeasy—and went home to spend the evening with our families.
All in all, it was a good year! Although we missed seeing our friends and colleagues, the virtual Black Hat 2020 gave rise to new opportunities to access— and provide– trainings and briefings in real time, from anywhere in the world.
Want to attend a virtual cybersecurity training course? Subscribe to our newsletter to receive notifications about upcoming classes or drop us a line.