Every summer, tens of thousands of security professionals, executives, and grey hats alike gather in Las Vegas for Security Summer Camp, the trifecta of conferences that set the tone of discussion for the second half of the year: Blackhat USA, DEF CON, and BSidesLV. Although the topics of presentations at these events vary wildly, there are some connecting threads — issues so universal that everyone wants to hear about them.
This year, those particular subjects were not surprising. Given the rise of BGP hijacking incidents, the revelation of Charlie Miller and Chris Valasek’s Jeep hack, and the proliferation of old-school attacks, it was easy to guess which sessions would have lines out the door.
BGP is the New Black
Move over SSL/SSH/TCP/BBQ, everyone in Vegas wanted to talk about the newfound protocol celebrity, BGP. (For a thorough explanation of BGP, and how it relates to security, see our explainer here.) Three talks at Blackhat highlighted an increased industry awareness of the security threat posed by BGP attacks. First, Wim Remes of Rapid7 provided an overview of BGP, and focused on increasing trust to prevent systemic routing abuse.
Remes was followed by Artyom Gavrichenkov of Qrator Labs, who took a more practical approach by showing how an attacker could execute a BGP hijack. His suggestions for mitigation included increased monitoring of BGP, as well as an industry-wide commitment to fixing the problem.
Speaking of monitoring, the final BGP presentation of the conference came from Dan Hubbard and Andree Toonk of OpenDNS. The pair also spoke on the problem of BGP hijacking, and officially unveiled BGP Stream, a live Twitter feed that will use data collected from BGPMon — a BGP monitoring service purchased by OpenDNS this year — to announce suspicious BGP activity, from hijacks to large-scale outages. They then went a step further and announced a companion feed, DNS Stream, which will announce DNS incidents.
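The two mitigations raised above, monitoring BGP and alerting on suspicious announcements, come down to one check: does the origin AS seen in a route announcement match the AS that is supposed to originate that prefix? The following is an added illustration, not BGPMon or BGP Stream code, of the two classic hijack shapes a monitor looks for: a monitored prefix announced by the wrong origin AS, and a more-specific prefix inside a monitored block announced by a foreign AS (which wins by longest-prefix match even while the legitimate route is still present). The expected-origin table, the ASNs and the feed records are all constructed; in practice the table would come from the operator's own records or RPKI ROAs, and the feed from a route collector.

```python
"""Toy BGP origin-hijack monitor (added example, constructed data).

Assumptions (not from the original post): announcements arrive as
(prefix, as_path) pairs where as_path is a list of ASNs with the origin
AS last; the monitored prefixes use RFC 5737 / RFC 3849 documentation
space and the ASNs are documentation / private-use values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str          # "origin_mismatch" or "more_specific"
    prefix: str        # the prefix as announced
    origin_as: int     # origin AS seen in the announcement
    expected_as: int   # origin AS we expected for the monitored block
    covered: str       # the monitored block this announcement affects


# Constructed table of prefixes we care about and their legitimate origin AS.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "2001:db8::/32": 64501,
}


def origin_as(as_path):
    """The origin AS is the last (rightmost) AS in the AS_PATH."""
    return as_path[-1]


def check_announcement(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return the alerts a single announcement raises against the table.

    1. exact monitored prefix announced with a different origin AS;
    2. a longer (more-specific) prefix inside a monitored block announced
       by an AS other than the expected origin.
    The legitimate origin splitting its own block is deliberately not an alert.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    origin = origin_as(as_path)
    alerts = []
    for mon_prefix, exp_as in expected.items():
        mon = ipaddress.ip_network(mon_prefix)
        if mon.version != net.version:   # subnet_of() refuses mixed versions
            continue
        if net == mon:
            if origin != exp_as:
                alerts.append(Alert("origin_mismatch", prefix, origin, exp_as, mon_prefix))
        elif net.subnet_of(mon) and origin != exp_as:
            alerts.append(Alert("more_specific", prefix, origin, exp_as, mon_prefix))
    return alerts


def scan_feed(records, expected=EXPECTED_ORIGINS):
    """Run every (prefix, as_path) record through check_announcement."""
    alerts = []
    for prefix, path in records:
        alerts.extend(check_announcement(prefix, path, expected))
    return alerts


# Constructed feed: a legitimate update, an exact-prefix origin hijack,
# a sub-prefix hijack, an unmonitored prefix, and the legitimate origin
# announcing a more-specific of its own block.
SAMPLE_FEED = [
    ("203.0.113.0/24", [64496, 64497, 64500]),
    ("203.0.113.0/24", [64496, 64666]),
    ("203.0.113.128/25", [64498, 64666]),
    ("198.51.100.0/24", [64496, 64499]),
    ("2001:db8:1::/48", [64496, 64501]),
]

if __name__ == "__main__":
    for a in scan_feed(SAMPLE_FEED):
        print(f"{a.kind}: {a.prefix} from AS{a.origin_as}, "
              f"expected AS{a.expected_as} for {a.covered}")
```

Run as a script it reports two alerts from the constructed feed, one of each kind. A real monitor would add what the table above cannot express on its own: a time window so that a brief, announced re-homing is not treated as a hijack, and a third rule for the other event BGP Stream announces, a monitored prefix disappearing from all collectors, which signals an outage rather than a hijack.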
The Internet of Things…Specifically, Your Car
As OpenDNS reported recently, the Internet of Things is less than adequately secured. This year in Vegas, one of the most popular talks was Chris Valasek and Charlie Miller’s session(s) on hacking a Jeep. The pair, researchers from IOActive and Twitter respectively, entertainingly walked the audience through their process in attacking the Internet-connected vehicle via the head unit, or in-dash portal.
At DEF CON, Marc Rogers of Cloudflare and Kevin Mahaffey of Lookout presented their research on hacking a Tesla Model S — including the release of a tool that allows Tesla owners to view the telemetry data from their own vehicles. The conference also allocated a generous amount of space in the middle of the contest area to the vehicles in question, allowing attendees to get up close and personal with both a Tesla Model S and a Jeep Cherokee. Also at DEF CON, Runa Sandvik and Michael Auger showcased their ability to hack a WiFi-enabled rifle, further proving the lack of security in IoT.
Fire Up Your Ham Radios, Hackers Are Going Old School
Finally, one seemingly unassuming trend was evident at all three conferences: the idea of attacks using what may be considered outdated or obvious methods. The staggering number of talks involving radios lends credence to this. BSidesLV hosted several radio-focused talks, including I Amateur Radio (And So Can You!) by Kat Sweet, and All Your RFz Are Belong to Me – Software Defined Radio Exploits from Balint Seeber.
Another security issue that found audiences at all three events was the prevalence and success of online scams, such as phishing and malvertising. At DEF CON, Mark Ryan Talabis discussed how malicious publishers were using “hidden ads, ad stacking, intrusive ads, auto-refreshes, popups, popunders, blackhat SEO techniques and dirty inventory” to trick users. Markus Jakobsson & Ting-Fang Yen also delved into the world of online scams at Blackhat, specifically pointing to the staggering statistics: more than 10 percent of Americans fall victim to scams every year. Other presentations covered steganography, DoS, and XSLT attacks.
All of the topics that make it to the stage at Blackhat, DEF CON, and BSidesLV are worthy of serious consideration from the industry. But these few offer a quick glance into the problems that may dominate the headlines for the foreseeable future.