Black Hat security conference returns to Las Vegas – complete with hacks to quiet the hotel guest from hell
And a very scary story of a job that went from white hat to murky shades of gray in the United Arab Emirates
In Brief After a year off due to a certain virus, the Black Hat and DEF CON security conferences returned to Las Vegas last week, just in time for the US government's attempts to foster more collaboration across the infosec industry.
The newly appointed Security Director of the Cybersecurity and Infrastructure Agency Jen Easterly took to the virtual Black Hat stage last week (although there was a limited and well-spaced physical conference this year) and announced the Joint Cyber Defense Collaborative (JCDC), which she claimed would be a true public/private partnership to try to lock down security incidents by sharing data and skills.
Microsoft, AWS, Google and several US telcos have signed up, but Easterly's keynote was particularly aimed at bringing in independent talent. Among the suggestions were increasing public sector salaries and taking a more flexible approach to hiring.
DHS Secretary Alejandro Mayorkas also gave a keynote speech along the same lines, saying his agency stood ready to do its bit.
"We're really hard at work and we have no illusions about the road ahead," he said. "There is nothing simple about the cybersecurity challenges we face, and we need your help to get this right. We need your expertise to inform our policies and the future of our critical mission."
Hotel neighbor from hell
We've all had the hotel trip where someone's being too noisy. When a fellow traveler in a capsule hotel got on his nerves, a security consultant for Lexfo named Kyasupā decided to hit back.
The hotel allowed guests to control aspects of their room using an iPod Touch with Bluetooth and Wi-Fi. Kyasupā found [PDF] that the iPod connected to a Nasnos CS8700 router. By chaining together six vulnerabilities and forcing a reboot of the iPod touch, Kyasupā found he could control any capsule in the hotel.
Kyasupā had asked one guest, called Bob for anonymity, if he could be quieter at night, since the person was prone to loud 2AM phone calls. After repeated unsuccessful attempts to sort this out, Kyasupā simply programmed the man's bed to convert into a couch and back again and flashed the room lights every two hours.
He then went to the hotel's management team, who were surprisingly nice about it, and fixed the issue. The moral of the story? Politeness is important.
Punkspider is back, inventors claim it's cool this time
Web app scanner Punkspider has been controversial since its release in 2013, with critics saying it can too easily be abused.
The project went dark in 2015, but now it's back, say its creators, and it's nothing for folks to worry about. A presentation at DEF CON saw Alejandro Caceres, director of computer network exploitation at QOMPLX, and self-described hacker Jason Hopper, explaining.
"We got banned more than a 15-year-old with a fake ID trying to get into a bar. It became a pain and hardly sustainable without a lot of investment in time and money. Each time we got banned it meant thousands of dollars and countless hours moving sh** around," they said.
"Now we've solved our problems and completely re-engineered and expanded the system."
The proof of that pudding will be in the eating, however, and the team may find itself shut down again. Many fear that the tool will be abused again – not just to expose vulnerabilities, but to exploit some as well. You can see the full talk here.
Inside the Middle East snooping machine
One disturbing talk [PDF] at Black Hat this year was from former NSA instruction specialist David Evenden, now running security shop StandardUser.
Evenden recounted how he and others were wooed by intelligence agencies around the world to work with a group called CyberPoint in the United Arab Emirates on a scheme named Project Raven. The work was supposed to be intelligence gathering and defensive security work, but Evenden said he was increasingly being asked to pull in more harmful data.
Evenden and others were being asked to spy on journalists, members of the local royal families, and he even found some of Michelle Obama's emails. Despite the generous tax-free salary he, and some others, decided to get out of the country while they still could.
Evenden warned that you should never lodge your passport with an employer and always have enough cash and a plan to get out if something looks too good to be true – and to check a potential employer's history carefully.
The other virus
Jeff Moss, AKA Dark Tangent and the man who founded the conferences, offered a sobering warning at the start of the show. He said the industry has lost good people this year and COVID-19 will be around for a while, it seems.
Reports on the ground suggest the conferences have been very sparsely attended – certainly nothing like the mad crush of tens of thousands of visitors that's normal for the show. Most attendees wore masks, but more than a few maskless wandered about.
Las Vegas already has a big COVID problem, and events like this can act as superspreader events, as this hack found out to his cost at the RSA Conference last year. Let's be careful out there, folks. ®
- Common Vulnerability Scoring System
- Cybersecurity and Infrastructure Security Agency
- Cybersecurity Information Sharing Act
- Data Breach
- Data Protection
- Data Theft
- Digital certificate
- Identity Theft
- Kenna Security
- Palo Alto Networks
- Trusted Platform Module
- Zero trust