Black Hat 2015: Salted Hash live blog (Day 2)

LAS VEGAS - Targeted attacks and social engineering are the top two concerns for Black Hat attendees, according to a recently published study based on responses from nearly 500 working InfoSec professionals.

The sample size was smaller, but it gives a clue as to the mindset of most people here in Las Vegas this week. Unfortunately while those who took part in the Black Hat survey have clear concerns and priorities, they lack the resources to actually do anything about them.

Nearly 60 percent of the respondents said that targeted attackers were of great concern, but only 26 percent of that group indicated that mitigating these types of attacks were among their organization’s top three spending priorities.

The second largest area of concern was social engineering. Nearly half of those who took part in the survey (46 percent) said that Phishing, social networking exploits (or similar forms of social engineering) were a big deal. But again, only a small percentage (22 percent in fact) indicated that their organization actually dedicated budget to addressing this issue.

So then, what are these professionals spending their time and resources on?

“More than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%). The data suggests that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats,” UBM Tech said in a press release.

There were other points of note in the report, including issues surrounding staffing shortages, lack of budget, and a lack of training. The full Black Hat report can be downloaded here.

So for today’s question: How do the stats and figures in this report measure up? Are you, dear readers, seeing something similar where you work? If so, what are your major concerns, and do you have the resources (or are you given the budget needed) to address them?

In other Black Hat news, Check Point researchers announced the discovery of a vulnerability in Android that affects LG, Samsung and HTC devices on every version of the operating system currently available.

They've given it a flashy title - 'Certifi-gate' because these days, a bug just isn't a bug if it can't be properly marketed. However, while that is said in jest, some experts feel there is value in this type of disclosure.

Short and sweet, the flaw found by Check Point could allow an attacker to gain unrestricted device access to remote support applications that are either pre-installed or personally installed on the device.

The flaw could be exploited to compromise personal data, track device locations, turn on microphones to record conversations, and more.

"Android offers no way to revoke the certificates that are providing privileged permissions. Left unpatched, and with no reasonable workaround, devices are exposed right out of the box. All affected vendors were notified by Check Point about Certifi-gate and have begun releasing updates. The vulnerability cannot be fixed, and can only be updated when a new software build is pushed to the device - a notoriously slow process. Android also offers no way to revoke certificates used to sign vulnerable plugins," Check Point said in a prepared statement.

Finally, a friendly reminder.

Today is also the start of DEF CON. Lasting until Sunday, DEF CON is easily the most amusing and the largest gathering of hackers in North America. The image below is an example of some of the things one will see while walking the floor. (Credit: Casey John Ellis)

Update:

I had an interesting discussion after getting my badge at DEF CON this afternoon about smart grids.

A friend of mine reminded me of a talk given during BSides Las Vegas last year about securing smart meter infrastructure. The focus of the talk was BC Hydro, the electric utility in British Columbia, and their move to smart meter adoption, as well as the security risks associated with this upgrade.

Smart meters and ICS security issues are a serious topic in many parts of InfoSec due to their reach into a person's home and life. It's a talk worth watching, and while you're at it, there is an ICS village at DEF CON for those interested in learning more.