4 takeaways from Black Hat 2019

Experts identified new trends and warned of emerging or growing threats, including security's impact on software development and the growing threat social media poses.


The Black Hat conference sheds light not only on the IT security issues currently plaguing organizations but also on the emerging issues that will soon affect people and companies. At the latest Black Hat, held at the Mandalay Bay in Las Vegas in August 2019, industry experts offered their insights on how cybercriminals are upping the ante and what IT security professionals can do to combat the constant tide of attacks. Here are some trends that presenters and attendees were talking about:

1. Security development is software development

In his Black Hat keynote address, Dino Dai Zovi, mobile security lead at Square, discussed how security work has become software development work. According to Dai Zovi, there are three transformational principles for boosting the impact of security within organizations:

  1. Work backward from the job to be done.
  2. Seek and apply leverage, develop feedback loops and scale with software automation.
  3. Understand that culture trumps strategy and tactics every time.

“Security is still a small community, and the problems that we tackle can be huge,” he said in his keynote. “We must work smarter, not just harder, through better software and better automation.” On the importance of automated feedback loops, Dai Zovi said, “We have to build them explicitly, and the tighter feedback loop wins. We have to build security services for observability, so you can understand if the protections are working and also perform anomaly detection. We have to be able to identify attackers when they’re probing, learning, attacking and succeeding.”

Similarly, security teams need to determine what the job to be done actually is: talk to internal teams, understand their struggles, what they are setting out to do, what adds friction and what makes things easier. When and why do they interact with security? Once a security team understands the “hiring” criteria (and the firing criteria) those teams apply to a security solution, it can build, in an agile way, for the need at hand rather than spending time overlaying security principles that may or may not be useful, adopted or practical.

“This created a cultural change. There’s a lot more collaboration and empathy for how people are operating,” Dai Zovi said. “A software engineering team would write security features, then actively go to the security team to talk about it and for advice. We want to develop generative cultures, where risk is shared. It’s everyone’s concern. If you build security responsibility into every team, you can scale much more powerfully than if security is only the security staff’s responsibility.” 

2. Biometric authentication is not infallible

At one popular Black Hat session, researchers from China’s Tencent Security Xuanwu Lab showed that they could fool a smartphone’s face-based authentication using a pair of basic store-bought glasses. Biometric authentication is one of the fastest growing segments in the security industry, using facial recognition, fingerprint recognition, handwriting verification, hand geometry, and retinal and iris scanning to identify users. It is often marketed as an improvement over passwords and one-time codes, which are vulnerable to brute force, phishing or compromised third-party login flows. In practice a biometric is safest as one factor combined with others: unlike a password, a face or fingerprint cannot be changed once it has been spoofed.

Biometric systems counter spoofing with a technique called “liveness detection”: checking that the sample being captured comes from a live person present at the sensor, not from a photo, video or other reproduction. The algorithm combines several physical human cues that together indicate a live subject, so that an impostor cannot simply present a spoofed biometric to the system. “Previous studies mainly focused on how to generate fake audio or video,” said presenter and Xuanwu Lab researcher HC Ma, “but bypassing the liveness detection algorithm is necessary for a real attack.”

In his Black Hat presentation, Ma walked his rapt audience through how he and his team used a modified pair of cheap eyeglasses to fool the facial recognition on a smartphone and unlock it. The team used black and white tape to mimic the user’s eyes, attached the patterns to a pair of “ordinary” reading glasses, and placed the glasses on a sleeping victim’s face to bypass Face ID. The attack needs physical access to an unconscious victim, which limits it, but Ma predicted that such “low-tech” workarounds to high-tech security will keep appearing.

Image: Glasses used to fool biometric authentication
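As an added illustration, and not code from the Xuanwu Lab talk or from any vendor’s face-recognition pipeline, the Python below models the failure pattern the glasses attack exploits: a liveness decision in which one detector (glasses present) is allowed to waive another (3-D structure of the eye region), contrasted with a check that demands every cue independently and requires the eye cue to change across frames. The feature names, thresholds and the four sample captures are constructed assumptions chosen to make the contrast visible.

```python
"""Toy liveness (presentation-attack) check built from independent cues.

Assumed, simplified feature model: each captured frame yields a few scalar
cues. This is an illustration, not any product's real pipeline.
"""
from dataclasses import dataclass
from typing import List

# Illustrative thresholds (assumed, not taken from any product).
FACE_DEPTH_MIN = 0.30    # whole face must show real 3-D relief
EYE_DEPTH_MIN = 0.20     # eye sockets must show 3-D relief as well
EYE_PATTERN_MIN = 0.60   # 2-D classifier: "open eye looking at the camera"
MOTION_MIN = 0.25        # eye cue must change across frames (blink / gaze)


@dataclass(frozen=True)
class FrameFeatures:
    face_depth: float       # depth variance over the face region
    eye_depth: float        # depth variance over the eye region only
    eye_pattern: float      # 2-D score for an open, attending eye
    glasses_detected: bool  # occlusion hint from a separate classifier


def _frame_looks_live_weak(f: FrameFeatures) -> bool:
    """Per-frame test where 'glasses' switches off the eye-depth cue.

    Glasses distort the depth map around the eyes, so this version falls
    back to the 2-D eye pattern alone. A flat tape 'eye' behind a lens
    satisfies exactly that fallback.
    """
    if f.face_depth < FACE_DEPTH_MIN or f.eye_pattern < EYE_PATTERN_MIN:
        return False
    if f.glasses_detected:
        return True                      # eye depth waived: the weakness
    return f.eye_depth >= EYE_DEPTH_MIN


def weak_liveness(frames: List[FrameFeatures]) -> bool:
    """Single-shot decision: unlock if any one frame looks live."""
    return any(_frame_looks_live_weak(f) for f in frames)


def hardened_liveness(frames: List[FrameFeatures]) -> bool:
    """Every cue in every frame, plus change over time.

    No cue may waive another, and a static presentation (photo, tape,
    unconscious subject) fails the temporal requirement.
    """
    if len(frames) < 2:
        return False
    for f in frames:
        if f.face_depth < FACE_DEPTH_MIN or f.eye_depth < EYE_DEPTH_MIN:
            return False
    scores = [f.eye_pattern for f in frames]
    if max(scores) - min(scores) < MOTION_MIN:   # no blink / gaze shift
        return False
    return max(scores) >= EYE_PATTERN_MIN        # eye open in some frame


# Constructed sample captures, three frames each; values are illustrative.
LIVE_USER = [
    FrameFeatures(0.55, 0.35, 0.90, False),
    FrameFeatures(0.56, 0.33, 0.15, False),      # blink
    FrameFeatures(0.55, 0.34, 0.88, False),
]
PRINTED_PHOTO = [FrameFeatures(0.02, 0.01, 0.92, False)] * 3
# Sleeping subject, eyes closed, no glasses: real face, no open-eye pattern.
SLEEPING_NO_GLASSES = [FrameFeatures(0.54, 0.30, 0.10, False)] * 3
# Same subject wearing glasses with tape 'eyes': real 3-D face, flat tape
# where the eyes should be, high 2-D eye score, nothing changes over time.
TAPED_GLASSES = [FrameFeatures(0.54, 0.05, 0.85, True)] * 3


def evaluate_all() -> dict:
    """Run both checks over every sample; used for the demo and tests."""
    samples = {
        "live user": LIVE_USER,
        "printed photo": PRINTED_PHOTO,
        "sleeping, no glasses": SLEEPING_NO_GLASSES,
        "sleeping, taped glasses": TAPED_GLASSES,
    }
    return {name: (weak_liveness(s), hardened_liveness(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (weak, hard) in evaluate_all().items():
        print(f"{name:24s} weak={weak!s:5s} hardened={hard!s:5s}")
```

The interesting row is the taped glasses: the subject's own face supplies the 3-D cue, the tape supplies the 2-D eye cue, and the glasses classifier removes the one check (eye-region depth) that would have caught the flat tape. The hardened version refuses to let any single classifier waive another and additionally insists that a live eye changes between frames, which a sleeping victim and a static spoof both fail.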

3. Social media is a platform for spreading malware and gathering victim information

Whether it’s Facebook, Twitter, Instagram or LinkedIn, social media has become a part of many people’s daily work and home lives. Knowing this, cybercriminals have increasingly come to see social media platforms as a means of disseminating phishing attacks or malware, as well as a place to collect information about high-profile victims (such as corporate executives) that they can use in wire fraud, spear-phishing or other customized attacks.

The subject of social media as a means of manipulation, information collection and automated attack launch was the focus of at least two sessions at Black Hat. According to cybersecurity company Bromium, social media platforms alone generate more than $3.2 billion in cybercrime annually. Indeed, political actors and nation-states have already become masters of controlling the conversation through social networks.

Social media influence will continue to affect not only elections and political campaigns but also corporate identities and reputations. Based on a six-month study by Mike McGuire, senior lecturer in criminology at the University of Surrey, Bromium’s Social Media Platforms and the Cybercrime Economy report finds that social media presents an ideal “global distribution center for malware,” with 20% of organizations infected via social media sites.

Reports of cybercrime involving social media more than tripled between 2015 and 2017 in the United States, and social media-enabled crime quadrupled between 2013 and 2018 in the United Kingdom. Four out of ten malware infections are linked to malvertising, while three out of ten come from malicious plug-ins and apps. Cryptojacking was another popular social media-enabled threat, with the number of enterprises infected by cryptomining malware doubling from 2017 to 2018.

Here’s the rub: It’s virtually impossible to prohibit employees from using social media – checking their Facebook, logging into LinkedIn, seeing what their kids may have posted on Instagram – especially if they are using a personal mobile device at work. Furthermore, social media can be a useful and important business platform, especially for sales, marketing and human resources. So, banning the use of social media will not work. 

4. Hacking is increasingly being used for good as well as evil

Most people tend to hear “hacking” and think “bad”. As most cybersecurity professionals know, there are not only white-hat hackers who use their skills to suss out bad actors and criminal malfeasance, but also people who use their understanding of hacking for social and even corporate good.

This idea of “hacking for good,” or hacking in the public interest, was championed at the conference by Bruce Schneier, a long-time security guru, author, blogger, consultant, and a fellow and lecturer at the Berkman Klein Center for Internet and Society at Harvard University.

Schneier shared a panel dubbed “Hacking for the Greater Good: Empowering Technologists to Strengthen Digital Society” with Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, and Camille Francois, research and analysis director at Graphika. All three speakers offered input on how their organizations and others in the cybersecurity ecosystem are promoting positive hacking and encouraging cybersecurity professionals to use their talents in the public interest.

“The EFF has really developed over time with its activism,” said Galperin. “We have a more nuanced take on things now.” The EFF is leading work on stalkerware and the role of online abuse in domestic violence, as well as on how governments and corporations may use the Internet to gather information and propagate marketing. “The notion of adversarial research is something that we’re used to,” said Schneier. “Engaging in the public interest is deeply embedded in our culture. We wish it would spread to the wider technology community.”


Copyright © 2019 IDG Communications, Inc.
