What you’ll learn
- Highlights from the Black Hat conference.
- What was discussed regarding election integrity and public opinion.
- What is SOAR?
I’ve had many issues with virtual trade shows, but I still find them valuable. The fact that they’re online means I can actually attend more than I normally would when I had to be there in-person, since travel isn’t an issue. Travel takes time and costs money. The result isn’t the same as an in-person event and I’m looking forward to their return. Nonetheless, they open up opportunities that otherwise would not exist.
Black Hat is a conference that many may have heard of but not attended. Sort of like the Consumer Electronics Show. Oftentimes, this is due to thinking that the conference would not be relevant. Having to travel to the show tends to limit its evaluation. It’s actually quite useful these days as security is finally at least a talking point for embedded developers. IoT has pushed security to the forefront and Black Hat is one of the top conferences in this space.
In the past, Black Hat was tailored to hackers. These days, the technology is still part of the discussion, but a significant portion is now oriented toward enterprise and cloud solutions with a plethora of companies touting their wares. Information security, or “Infosec,” is the watchword.
Voting on Keynotes
I wish I had more time to devote to the show and will hopefully have time to check out more before it disappears. The presentations are available for 30 days upon the conference’s conclusion. I have another week or so.
I did check out the two keynotes, which I usually skip at many conferences because they’re often redundant or company-oriented based on the speaker. That wasn’t the case for these two, though. They covered relevant themes for the general public and took a deeper dive that developers and engineers would appreciate.
Matt Blaze from Georgetown University started off the keynotes with “Stress-Testing Democracy: Election Integrity During a Global Pandemic” (Fig. 1). It addressed how voting occurs in different areas of the country using different ballots, voting machines, etc. He noted that they’re managed by local governments that are often stressed by limited budgets and technical expertise, especially when it comes to security. On the plus side, he talked about the move back to paper ballots and risk-limiting audits among other topics. His keynote was very educational. It would be nice if these were publicly available.
The next day was Renee DiResta’s turn (Fig. 2). She works at Stanford Internet Observatory and the topic was “Hacking Public Opinion,” also relevant to voting these days. Her presentation spanned the gamut of social-media platforms and addressed the challenges presented by misinformation, disinformation, and propaganda, as well as agents of influence. The discussion also touched on gaming algorithms and the elimination of editorial controls. She wrapped up with a call-to-action regarding the 2020 U.S. election.
Cherry-Picking Presentations
One challenge with a large show gone virtual is the same as an in-person show: There’s too much to see. The big difference is that the in-person show lasts for a short amount of time, usually a couple days, and the virtual show contents are available for weeks if not months. After having the chance to go through a few presentations, I chose a couple to highlight some of the topics available.
Check Point Software Technologies’ Maya Horowitz, Director of Threat Research, presented a twist with “Cyber Talk: Agatha Christie Cyber Murder Mystery” (see video below). One variant was entitled “Cyber on the Orient Express.” This mystery wound up being about a remote-access trojan called “ghost.” The attack starts with an email attachment that has a macro. The macro sets up a VBscript that eventually loads the ghost. There were different infections over time with changes to subsequent emails. Check Point identified eight clusters of attack.
Maya Horowitz, Director of Threat Research at Check Point Software, presented the talk “Cyber Talk: Agatha Christie Cyber Murder Mystery.”
There were some surprising revelations, such as Chinese characters in the code. Some scripts were similar to other known Chinese attacks. Likewise, the malware appeared to communicate with Chinese-based servers.
Another session I checked out was “What’s Automation Got To Do With It?,” presented by Palo Alto Networks’ Scott Simkin, Sr. Director and Head of Cortex Product Marketing. This talk centered around the topic of SOAR (Security Orchestration, Automation and Response), which is a relatively new technology in this space (Fig. 3).
Some interesting tidbits from the start of the talk included the fact that there are 11,000 alerts per day per analyst in their enterprise environment and that only 17% are touched by automation. Obviously, more automation reduces the workload on people. Risk compliance and security management through security orchestration is something Palo Alto Networks is into big time.
The talk did introduce me to some terminology that’s common with SOAR, such as a security playbook. Embedded developers, even those dealing with security aspects of their projects, may not be as in touch with issues in the cloud, but it’s handy to know the terminology when discussions move in that direction. These days, IoT and the cloud are buzzwords that translate into lots of work and an underlying infrastructure that includes security.
Taking a Deep Dive
High-level, cloud-based issues aren’t the only topics presented at Black Hat. Some got deep into the code and engineering.
Cooper Quintin’s “Detecting Fake 4G Base Stations in Real Time” took a look at 4G/LTE IMSI-catchers (e.g., the Hailstorm) and 2G IMSI-catchers (e.g., the Stingray). He’s a Senior Security Researcher at Electronic Frontier Foundation. These cell-site simulators are being used by everyone from police to spies and criminals. The 4G/LTE IMSI-catchers are becoming more popular with governments and law enforcement as the 2G IMSI-catchers are quickly falling out of favor.
Another technical presentation was given by Cheng-Yu “Jeff” Chao (also known as Jeffxx). He’s a member of Chroot, the top private hacker group in Taiwan, and works for TrapaSecurity. The presentation, entitled “Breaking Samsung's Root of Trust: Exploiting Samsung S10 Secure Boot,” talks about the various ways his group hacked the Samsung Galaxy S10 smartphone. Other researchers who worked with Jeff were Hung Chi Su, a researcher at TrapaSecurity, and Che-Yang Wu, a Senior Researcher with TeamT5.
The discussion was relevant to me as I just picked up the next-generation Galaxy S20. They, and earlier incarnations, share the Knox security system that’s based on Arm TrustZone. It’s something developers are more familiar with.
Jeff presented the C code and a host of diagrams that started with successful attacks on the earlier Samsung Galaxy S8 attack. Many of these attacks were based on buffer overflow errors. He covered a range of Galaxy S10 exploits that touched on MMU control being bypassed because of remote access, as well as issues related to USB connections that have direct memory access.
The presentation started with a short video where someone had their phone charging at a coffee shop but not using their own charger, allowing the attacker to insert their code in a smartphone that was using secure boot. The follow-on attack used this to remotely download all of the information from the phone. The trick was to make CPU boot fail, at which point the fallback was a normal download mode.
All of the attacks presented have been reported to Samsung, and updates that mitigate the attacks were already deployed. These aren’t the only exploits that have targeted this family of smartphones; however, bypassing secure boot is something we all need to worry about.
I’m a bit late on the coverage of the conference, but hopefully this gives some insight into what is covered and the value for embedded developers. It would be great if next year’s conference is also virtual, or at least a hybrid version with a virtual component that makes it easier to attend.