3 cybersecurity takeaways from “Hacker Summer Camp”
From vulnerabilities in Starlink user terminals to fresh iCalendar exploits, this year’s Black Hat and DEF CON conferences offered a fount of cybersecurity knowledge for hackers, policymakers and everyone else who braved the Las Vegas heat and monsoon weather.
“We’re all trying to figure out what the fuck is going on.”
Well-known hacker Jeff Moss set the tone for a week of infosec information overload while welcoming Black Hat conference-goers Wednesday morning.
Moss, founder of the Black Hat and DEF CON security conferences, was marveling over the fact that thousands of people from 111 countries had descended on Las Vegas to network with colleagues, try their hands at hacking competitions or tune into the many trainings and briefings throughout the week.
“Just when we think we’ve got it figured out, things change,” he said of the cybersecurity industry, citing fast-moving technological challenges such as the Log4j vulnerability and state-sponsored disinformation campaigns. “What we do is going to become even more consequential.”
As computer systems grow increasingly complex and essential to daily life, malicious hackers have found creative ways to hold them hostage, steal their secrets or make them fail. Black Hat and DEF CON call attention to those failures so the cybersecurity community can learn from them.
While Black Hat tends to be businesslike and DEF CON more edgy, accessible and experimental, the attendees at both conferences are no strangers to the cat-and-mouse game of cyber offense and defense.
With two of the year’s biggest infosec events in the rearview, here are a few lessons:
Geopolitics and technology will keep colliding
Russia’s invasion of Ukraine early this year ushered in a new era of digital threats as Moscow deployed “wiper” malware, dusted off dangerous grid hacking tools and launched global cyberespionage campaigns.
Ukraine has also contributed to the fray, summoning an “IT Army” of volunteer recruits to hack Russian targets and test fragile international cyber norms that normally shun vigilantism.
“I want to acknowledge that of course the situation in Ukraine is unprecedented,” cybersecurity journalist Kim Zetter said Thursday in a keynote address at Black Hat. “But the security community and governments have to be aware of the potential path that this is leading us to.”
Zetter pointed out that Ukraine’s response to Russian aggression could tee up a cyber “free-for-all” in the wake of the physical war.
“It may be hard to rein in members of the IT Army after this,” she said, citing critics of the ad hoc group.
The Russia-Ukraine war isn’t the only geopolitical flashpoint for cyber conflict.
Chris Krebs, inaugural director of the Cybersecurity and Infrastructure Security Agency, warned of cyber and supply chain ramifications if China attacks Taiwan.
“Organizations need to be saying, ‘how could a Chinese invasion of Taiwan impact me?’” Krebs said last Wednesday while delivering Black Hat’s opening keynote. “You have to game these things out… Based on the conversations I have with national security officials, they’re pretty confident that that’s going to come to a head between China and Taiwan.”
Log4j is here to stay
Rollercoaster, forest fire, the Nightmare Before Christmas — last December’s blockbuster Log4j vulnerability drew many colorful comparisons as it tore through computer networks around the globe.
“Our customers were pretty scared; they were panicking because they didn’t know if they had Log4j or not, and nobody actually knows what kind of software they’re running, especially if you’re buying something from a vendor,” Guy Barnhart-Magen, CTO at cyber incident response firm Profero, recounted.
Barnhart-Magen, who presented at the DEF CON and Diana Initiative conferences in Vegas last week, added that Log4j was “not a classic incident case” despite being exploited within 24 hours by cryptocurrency miners and other threat actors.
“For most of our customers or for the community at large, there was no active attack that was happening. People were scrambling to find out if they were vulnerable or not,” he said.
He and his colleagues developed and released open-source tools to help find vulnerable Log4j instances in the weeks after the flaw became public.
Despite the frenzied response from cyber defenders, a recent report by the Department of Homeland Security-backed Cyber Safety Review Board found that Log4j could cause problems for a decade or more.
“I do think that surge, that rally that happened in December 2021 actually did put out a lot of the early fires very quickly,” said Heather Adkins, Google’s vice president for security engineering, at a Black Hat panel last week. “The easy stuff to exploit got cleaned up, but I think you will continue to see malicious threat actors innovate the way they find and exploit this. It will be around for a long, long time.”
Adkins, who is also co-chair of the CSRB, likened Log4j’s long tail to the infamous Heartbleed bug that wracked OpenSSL in 2014 and “spread like a forest fire” before simmering for years.
“There are still many hundreds of thousands of vulnerable OpenSSL instances on the internet,” Adkins pointed out. “The hotspots that are underneath the forest floor can flare up at any time.”
Policy won’t return to the sidelines
DEF CON doubled down on its cybersecurity policy track this year, offering hackers, academics and government representatives space to tackle some of the thorniest cybersecurity dilemmas.
“DEF CON is a place for everyone on the policy and technology spectrum to interact, learn from each other, and improve outcomes,” the official conference program noted.
It’s a marked departure from DEF CONs of decades past, when joking games of “Spot the Fed” belied all-too-real mutual distrust, including FBI interest in potential criminal activity at the conference. In 2013, Moss urged feds to take a “time out” from attending the event in the wake of Edward Snowden’s leaks chronicling intrusive NSA surveillance activity.
By contrast, over the weekend, CISA director Jen Easterly cruised around DEF CON as a minor celebrity, engaging with members of the hacking community and going toe-to-toe with Moss onstage. (He even sported a “Keep CISA Weird” T-shirt.)
At Black Hat, Krebs pointed out that it will still take a stronger, more organized government to tackle the next generation of threats.
“I’m not naïve enough to think that slight course corrections of individual agencies is going to be enough,” he said.
Nor will tighter cyber regulations necessarily solve the problem: “We’ve seen the government struggle here and as a result, we’re not getting the outcomes we want,” Krebs said. “We see an overreliance on checklists and compliance rather than performance-based outcomes.”
While Krebs expressed confidence that the cybersecurity community “can fix this,” he added that infosec pros in government and industry alike will have their hands full.
“We are going to be dealing with these challenges for the rest of our lives,” he said. “And perhaps for the rest of human history, there will be digital and technologically-related risk issues that we’ll have to solve.”