We know that the 2020 conference experience has been different. Event after event has been postponed or cancelled. The last opportunity for IT professionals to meet up in person was RSA 2020 in San Francisco, which quickly soured with the revelation a week later that two attendees had tested positive for COVID.
It came as no surprise when Black Hat announced the move to an online platform a few months later. We usually would have flocked to Las Vegas at the start of August, attended the event for a few days and then stayed on for DEF CON to complete the week. This year, we flocked no further than our home offices (or other suitable remote working environments).
Despite the lack of travel and in-person networking opportunities, these virtual events have proven valuable in learning about the industry’s top trends and engaging in important discussions with our peers. Black Hat was no exception.
Election Security was Top of Mind
With the 2020 election looming, election security is a hot topic. In the past, the risks we've been made aware of were those of voting machine hacking, but the opening keynote by Professor Matt Blaze took a different approach. Matt centered the solution on people, pointing out that technology changes have addressed many of the weaknesses in ballot machines. However, recognizing that differences in how we prefer to vote introduce additional risk, his suggestion was not that we add more technology, but that we add people.
Social distancing means that queuing and indoor groups will be riskier, so many people will opt for a postal vote. This increases the workload of an already underinvested postal service, which raises the risk of missed or damaged ballot papers. There are technologies that could help with this, but implementing them and gaining public trust in them within the next three months is unrealistic. So, his suggestion – and request – was for volunteers to step up and help. While quite a departure from typical Black Hat proposals, the extra hands would certainly be useful in ensuring a fair vote come November.
Deep Fakes and Tom Hanks
Election news brings us to one of my hot topics and an area that was discussed in detail at Black Hat: deepfakes. Research by FireEye focused on an image of Tom Hanks, but not a movie still or press photo; instead, one created entirely using machine learning and software. In the presentation, Data Scientist Philip Tully showed how easy it is, with only around $100 of investment, to create images that look real at first glance. This technology has been around for some time and is mostly used for entertainment purposes. That said, the demonstration from FireEye put into perspective just how inexpensive and accessible the technique is to anyone with a home computer.
We have a nation frustrated by pandemic limitations, along with a highly politically charged upcoming U.S. election. The combination of these makes the dissemination of deepfakes by the ‘click and forget’ generation a simple task. If you can create a passable fake Tom Hanks for $100 and fool a room, imagine what would be possible for a well-backed team of hackers targeting political confusion and disruption, funded with an investment of $1M or more.
COVID Security Remains Top of Mind
Stay Home, Stay Safe
COVID-19 was, unsurprisingly, a common theme across Black Hat, with many sessions highlighting the security challenges caused by employees not only working from home, but often using their own devices. Threats that would previously have been visible to the SOC on the corporate network have become invisible on an employee’s home network. In the business hall, we saw vendors with new offerings that extend the corporate network and its security controls into a user’s home. This extension enables a more effective threat response, but it should not be the only solution, as it can also increase the security team’s workload.
Increased user awareness of the risks of home or remote working is essential. We’re too accustomed to the automatic levels of protection afforded by our office networks, and we often don’t realize how many potential threats are typically blocked before they ever reach our computers. At home, it’s different: not only are we using our own networks, but we are also more distracted by pets, children, package deliveries, etc.
Not every session at Black Hat was technical, and this is something I like about the event. There are opportunities for presenters to propose left-field ideas. The core sessions are not under corporate sponsorship, which makes for some fresh and interesting content. This year, a session that caught my attention was from Matt Wixey of PwC UK, who started by asking everyone to work on a security crossword, with a prize for (near) completion. He then discussed the importance of puzzle-solving skills in research and security.
This is a topic that I have personally presented on in the past, proposing that gamers could be future security researchers because of their skill at solving complex and fast-moving challenges. What I enjoyed about this session is that the puzzles Matt designed seem complicated at first blush but can be solved with research and access to online resources. For a researcher, those resources, and the ability to think around corners when using them, are essential to success in thwarting cyber-attacks.
If you have a minute, look at the cyber-cryptic-crossword he offered. Unfortunately, the prize deadline has passed – but it is fun for a few minutes (hours, days, etc.).
At the start of this article, I said that Black Hat was different this year, and I am looking forward to – hopefully – a return to normal in 2021. However, change is not a bad thing. There was a lot of excellent content, and I recommend that anyone with time take a more in-depth look over the coming months. There is much we can all learn, especially in these tumultuous times.