Black Hat and DEF CON, stunt hacks and Meta encryption moves
Black Hat conference founder Jeff Moss welcomes attendees before the opening keynote Wednesday. (Informa)
Welcome to Changelog for 8/14/22, published by Synack! Cue the DEF CON is canceled jokes: Heavy rains caused damaging flash flooding in Las Vegas late last week during “Hacker Summer Camp,” forcing many casino patrons to take shelter from streets that became raging rapids, as CNN reported. But despite the monsoon season, the show went on at Black Hat and DEF CON:
The payload
For a broadly secretive bunch, some hackers can be showy. From Charlie Miller and Chris Valasek’s infamous engine-killing hack of a Jeep Cherokee to less dangerous but equally alarming presentations like Marina Krotofil’s “evil bubbles” talk in 2017, the annals of Black Hat and DEF CON history are filled with unusual compromises and flashy demonstrations. The back-to-back conferences have seen their fair share of stunt hacks, often requiring elaborate preparations, hours of detailed study and physical access to the targeted device.
Take this year’s demo of how to use “invisible fingers” to remotely control touchscreens. As Vice reported, there are major real-world limitations to the “Intentional Electromagnetic Interference (IEMI) attack,” which replicates the swipe of a finger on an iPad screen via electromagnetic pulses. The targeted device needs to be facedown, unlocked and no more than an inch and a half away from the attacker’s mathematically tailored antenna array for the technique to bear fruit.
“Regular people, they don’t really need to worry too much about this type of attack,” Haoqi Shan, one of the lead researchers behind the IEMI demonstration, told Motherboard.
Still, I’m fascinated by even the most extravagant, Rube Goldberg-esque hacks on display in Vegas. While they may not keep me up at night, they are a testament to the resourcefulness and creativity of the hacking community. And they’re a big part of what keeps thousands of infosec pros making the annual pilgrimage to Sin City.
The week, compiled
While cybersecurity practitioners were busy in Vegas, in Washington, D.C., the Federal Trade Commission took a big step toward tightening data collection and privacy rules for U.S. tech companies. The agency is seeking public comments on its efforts to “to crack down on harmful commercial surveillance and lax data security,” it said.
From browsing history to location data, our online habits in an increasingly digitized world have exposed us to ever more intrusive corporate surveillance. The FTC has noticed.
“As the nation’s top privacy and data security watchdog, the FTC has broad authority to prosecute unfair and deceptive business practices,” CNN’s Brian Fung reported last week. “It is rarer, however, for the agency to exercise its rulemaking authority, and the effort to potentially draft new privacy regulations reflects an unusual flex of FTC muscle.”
It’s too early to say what eventual FTC rules might look like in practice. But I’d count on Big Tech companies and digital advertisers to flex their muscles right back in public comments and behind-the-scenes lobbying.
Here’s what else caught my eye:
Wired: The U.S. government upped the ante in its efforts to unmask and serve justice to members of the Conti ransomware group, offering a whopping $10 million reward for info that could lead to the threat actors using the handles Professor, Reshaev, Tramp, Dandis, and Target.
Bleeping Computer: Cisco disclosed that the Yanluowang ransomware group breached its networks in May via a sophisticated voice phishing attack on a Cisco employee. The hackers claim to have stolen 2.75 gigabytes of company data.
Wired: Meta expanded end-to-end encryption for Facebook Messenger days after the company became tangled up in a high-profile abortion case in Nebraska. Facebook reportedly complied with a search warrant seeking messages between a 17-year-old and her mother as they discussed terminating the girl’s pregnancy in violation of Nebraska’s 20-week abortion ban. Had end-to-end encryption been used in the conversation, the tech giant would not have been able to turn over the contents of the messages to law enforcement.
A message from Synack
Cybersecurity professionals face a raft of challenges when it comes to staffing up to meet ever-evolving digital threats. Hear how the U.S. Department of Health and Human Services navigates cybersecurity hiring hurdles in an Aug. 24 webinar featuring Matthew Shallbetter, Director for Security Design and Innovation at HHS. Also presenting at 1 p.m. ET that day will be Synack’s own Scott Ormiston, who will speak to tactics and solutions for augmenting public sector security teams and best practices for setting up continuous penetration testing. Learn more and register here.
Flash memory
I first attended Black Hat and DEF CON in 2014.
Though I’ve since deleted my notes from the encounter, I still have photos of Shodan founder John Matherly taking me on my first “Shodan safari,” revealing the ocean of connected devices within reach of his specialized search engine, which was then only five years old.
Matherly patched us through to an online portal controlling someone’s “smart” home lighting system. While he stopped short of flipping any switches, the room-by-room tour amply demonstrated how many insecure devices were floating out there for anyone to find.
Shodan has only expanded its scope since then, as billions of new devices link up to the internet each year. While many are now tucked away behind protected networks, security researchers can still dig up plenty of interesting online tidbits to keep the #ShodanSafari hashtag alive and well.
Local files
RUSI: Two researchers at U.K. defense and security think tank RUSI are urging Britain and its allies to ramp up diplomatic efforts on ransomware as new cyberthreats menace the Global South. “Recent attacks on countries such as Costa Rica, South Africa, Malaysia, Peru, Brazil and India illustrate the increased threat to governments, critical national infrastructure providers and businesses in middle-income and developing countries,” they write.
CyberScoop: A top Department of Homeland Security official said China appears to have retaliated against e-commerce company Alibaba for reporting the Log4j vulnerability publicly before giving Beijing a sneak peek at the critical flaw. “Alibaba did the right thing… We think that this was a good vulnerability disclosure process, and it was troubling to us that there would be some kind of punishment,” said DHS Under Secretary for Strategy, Policy, and Plans Rob Silvers.
Off-script
For a rare bit of good news, a pair of explorers teamed up to rescue an elderly dog who had been stranded in a cave for weeks on end.
Caver Gerry Keene found the missing pet 500 feet underground in a mileslong Missouri tunnel system while on a trip with a group of young spelunkers. He later returned with local assistant fire chief Rick Haley to rescue the dog, named Abby, who had been missing since June 9.
Abby’s owners were flabbergasted and thrilled that she was still alive, as The Washington Post reported.
“When my head finally hit the pillow that night, I fell asleep with a smile on my face,” rescuer Haley said.
That’s all for now — don’t forget to send tips and feedback to bsobczak@synack.com. Catch you next week!