Black Hat 2019: Bounties, Breaches and Deepfakes, Oh My!
Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world of cybersecurity. While we saw the expected releases of new threat research, vulnerabilities and breakdowns on nation-state level attacks, the reason I, and many others, attend this annual conference is to see what trends are emerging, and be surprised by the unexpected.
Exploring the show floor at Black Hat is fun. From the big and well-known, to tiny start-ups with great ideas, there are so many vendors and so much noise that it is obvious why this event works so well in the glitz of Sin City.
When Black Hat first began 22 years ago, it was intended to be a place where hackers and cybersecurity professionals alike could get together and share ideas or demonstrate vulnerabilities. Fast forward to 2019 and this has changed slightly, with big corporations stealing focus on the conference floor and the deeper (and more interesting) hacking having moved out to DEF CON. However, there are still some great research sessions at Black Hat that make it well worth the attendance.
With all the spotlight on recent security breaches, and a rise in malware infections globally, it was good to see a renewed focus on bug-bounty programs from Microsoft and Apple, which created some media buzz at the show. Earlier in the year, we saw Tesla offering a Model 3 to any researcher who could hack the car's computer systems, and Apple is now offering custom-made iPhones to researchers, as well as a scaled bounty program, for any discreetly shared vulnerabilities. Microsoft also announced enhancements to its program and disclosed that in the last twelve months alone it has paid out $4.4 million in bounties – making this area of cybersecurity clearly lucrative for the white-hat specialists out there!
Several companies made product announcements, many of which focused on the need for security to move closer to the edge of the network and to make better use of intelligence and cloud analytics. It is clear that the move to analytic and behavior-based models is becoming a reality – with so many organizations moving to multicloud, these new models will quickly become the way to stay ahead of emerging and evolving threats. Traditional security models give a threat too much time to spread inside the network (the dwell time), whereas security based on analytics can spot anomalous behavior and help identify threats faster.
Although interesting and important, none of this delivered the unexpected we all crave from Black Hat. That came instead from the researchers presenting at the conference. One area that has definitely seen growth in the last year is social engineering and social media manipulation. With people so willing to auto-share content on the internet, it is becoming hard to spot the difference between real content and fakes, or to know whether or not someone is a genuine media influencer.
A couple of good sessions at the event highlighted this in more detail:
• Deep fakes could become a real problem in the next year. The quality of some videos is now so good that it is likely just a matter of time before we see one used in an attempt to sway public opinion. Zerofox researchers Matt Price and Mark Price have created a tool that examines the mouths in potential deep fakes to detect more accurately whether a video is real or not. It is not at 100 percent accuracy yet, but it is at a very early stage and will clearly improve over time. This is undoubtedly an area to keep an eye on in 2020, with so many critical political situations occurring globally in the next year.
• For those of us on social media platforms, including Instagram – ever wondered why some people have so many followers when they do not seem to have much to say that is interesting? Masarah Paquet-Clouston and Olivier Bilodeau from GoSecure presented research in their session detailing an enormous underground market built specifically to sell and manage fake users for social media. Masarah also demonstrated how easy it is to buy fake users for Instagram with a bogus account that she had set up for this purpose. Instagram is improving its artificial intelligence to detect these fake accounts and is making a huge difference by deleting them, but this session showed just how easy it can be for the sellers to get up and running again.
Overall, this year’s Black Hat was a great event, with some very strong research presented in many of the sessions. If you are a cybersecurity professional, or someone who wants to get into the industry, I highly recommend that you mark your calendar to attend next summer.