Black Hat 2019 felt like a blur to me as I ran from meeting to session to meeting (while still finding time for the business hall). I sat down with over a half dozen vendors, some old and new to me, and attended several interesting sessions.
While I continue to digest what I learned from vendors and at sessions that I plan to dive deeper into in the coming days, here’s what stood out to me at Black Hat 2019.
Everyone willing to talk authentication
While I didn’t go to Black Hat expecting to talk a ton about authentication, everyone was more than willing to oblige me. I’m planning a whole article around this subject soon, but here are some highlights.
There’s a lot of focus around this space right now, but I feel like while I heard a decent amount around continuous authentication last year, it’s not as much discussed now (or I’m missing the conversations).
Vendors I spoke with did comment that they feel continuous is the future, and I spoke with one company that came out of stealth late last year, Acceptto. They have a plug-and-play product that uses a multitude of signals to create an ongoing risk score for employees, including physical security signals (like using a key card to get into the office), which actually sounded neat to me.
Given people are starting to realize we’re not quite ready for passwordless login yet (everyone now calls it the “passwordless experience”), maybe we’ll start hearing more around continuous authentication again.
Discussions on biometrics security
I went to one session discussing liveness detection hacking. The session showed some pretty ingenious-looking methods to hack biometric authentication, such as using an audio cable to connect to the recording device so it introduces fewer audio issues when the mobile device asks for an audible password, or manipulating an image to make it appear like a person fidgeting when logging in. Both of those are pretty easy to mitigate: the audio one is solved by simply not allowing the person to use an audio cable when authenticating, so they have to speak directly to the device.
The session did get into the goofier aspects of biometrics hacking, such as trying to access someone’s phone with some glasses placed upon their face while sleeping. It felt like something out of a spy movie.
User experience vs security
The age-old issue of providing adequate security while not making the user experience frustrating reared its head throughout my conversations with vendors. It’s top of mind as they develop their products. One solution that many consider is step-up verification. Maybe you let employees have a certain amount of access to company data (or applications, etc.) without logging in every time. But if they want to access something that requires higher privileges, the application then requests a quick biometric authentication before letting them through.
Other breakout sessions
One aspect of the sessions I attended that I really liked was that those presenting were developers and researchers who had first-hand experience around what they were talking about. They all formatted sessions to present the vulnerabilities, explaining how they found them, what they did, and then how security teams could mitigate them. My only issue was that some went a mile a minute, leaving it difficult to absorb properly.
I attended several sessions over my two days in Vegas. One covered the basics around WebAuthn, which I had hoped might teach me something new here (unfortunately, no). Another session looked at Chrome vulnerabilities over the years, but it got technical very fast (and went over the heads of a lot in the audience as some quietly headed for the exits).
Here are two other sessions I attended:
Bug bounty session – Outlook vulnerability
One session went into how two researchers separately discovered a vulnerability in Outlook, the result of an unsigned JSON web token they could exploit by plugging in a user’s OID or email address to get access to someone’s account. They both explained their methods, how they contacted Microsoft about it as part of the bug bounty program, and how the vendor handled the issue (first they disabled the particular API, then introduced the fix). The session showed responsible disclosure by the researchers, who waited until a permanent fix came along before discussing the issue publicly and their methods for gaining access to someone’s account. Microsoft handled the problem well, too, initially triaging the issue to prevent anyone else from discovering the vulnerability while their developers came up with a solution.
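The root cause described above is a service that reads claims out of a token it never verifies. The following is an added example (not code from the researchers or from Microsoft) that contrasts that naive pattern with a hardened HS256 verifier which pins the algorithm, refuses unsigned tokens and compares signatures in constant time; the key and claim values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real service loads its signing key from a secret store.
SECRET_KEY = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, alg: str = "HS256") -> str:
    """Issue a token; alg='none' produces the unsigned shape the session discussed."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def naive_claims(token: str) -> dict:
    """The bug pattern: trusts the payload (OID, email) without checking any signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verified_claims(token: str) -> dict:
    """Hardened: fixed algorithm, signature required, constant-time comparison."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # rejects 'none' and algorithm swaps
    if not sig_b64:
        raise ValueError("unsigned token")
    expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def accepts(token: str) -> bool:
    """True only if the hardened verifier accepts the token."""
    try:
        verified_claims(token)
        return True
    except ValueError:
        return False
```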
Securing apps in the cloud
Snapchat engineers presented how the company has handled all their apps connecting to the internet early in their development lifecycle, since they use AWS and Google Cloud Platform. They went over a couple of different methodologies they tested with developers, from managed to unmanaged (one resulted in a noisy-neighbors problem since they shared one account, while the other used a lot of cloud resources and became costly). Snapchat eventually went with a non-migrated solution that used a single line of code that was easy to integrate into all frameworks.
Apple confirms recent rumors
Ahead of the show, rumors popped up that Apple would expand their bug bounty program and release a new program offering researchers unlocked iPhones to test. At the end of a very interesting session focusing on macOS and iOS security updates involving secure boot and VT-d (Intel Virtualization Technology for Directed I/O), Apple revealed they were expanding the bug bounty to anyone (instead of just a handpicked few) and boosting the bounty, including for vulnerabilities discovered in released beta versions.
I plan to dig into the security aspects presented at the session in a separate post.
Other workspace vendors
When we talk workspace, the focus is often around VMware Workspace ONE and Citrix Workspace App. But they aren’t the only ones; Microsoft has their own offering (one they don’t promote enough, in my view). So, I sat down with SyncDog, a vendor that focuses on unmanaged devices.
They argue that a lot of companies are starting to turn back toward BYOD. SyncDog’s focus is on providing a secure workspace so companies don’t have to worry so much about the state of the user’s device and the user retains control over their personal data (no worries the company will wipe the whole device). They offer all the normal apps on the workspace, alongside a photo library where business-related photos get stored.
They discussed one use case we’ve mentioned briefly before involving contractors. A utility company has an outage and uses contractors to go out and solve the problem. Two companies can’t manage one device, so the utility company instead uses the white-labeled SyncDog workspace where contractors can access all the info they need and provide updates to the company, along with getting access to apps they need.
Following that meeting, I got curious about the security of containers—especially as they feel like one of the “hot things” in our space. (Additionally, there was a session around container exploits that I had to miss that piqued my interest.) I spoke with Peter Markowsky of Capsule8, a vendor that offers real-time attack detection and response for Linux production environments. He explained that companies often think of containers as more like lightweight VMs, which isn’t completely true since they share the kernel and resources of the host OS. This opens up the attack surface. Basically, there’s a lot of complexity around containers that admins can potentially overlook, opening them up to attacks.
While I enjoyed my time at Black Hat 2019, and definitely do not regret attending it (I learned a lot and met some very interesting people)—I do find myself a little disappointed. I had built it up a little bit in my head, thanks to people I had talked to at RSA and elsewhere. Black Hat feels a bit more corporate than I would have preferred, making it feel very much like RSA at times. I hope to maybe attend Defcon next year now (especially since that too is becoming less “wild west” than it once was—or so I’ve been told).