Black Hat Security Conference Returns To Las Vegas – With Hacks To Calm Hotel Guest From Hell • The Register
In short After a year of downtime due to a certain virus, the Black Hat and DEF CON security conferences returned to Las Vegas last week, just in time for attempts by the U.S. government to foster greater collaboration in the industry of infosec.
The cybersecurity and infrastructure agency’s new director of security, Jen Easterly, moved to the virtual Black Hat scene last week (although there was a limited and well-spaced physical conference this year) and announced the Joint Cyber Defense Collaborative (JCDC), which it claimed would be a true public / private partnership to try to lock down security incidents by sharing data and skills.
Microsoft, AWS, Google and several US telecom operators signed up, but Easterly’s speech was particularly aimed at attracting independent talent. Suggestions included increasing public sector wages and adopting a more flexible approach to hiring.
DHS Secretary Alejandro Mayorkas also delivered a similar speech, saying his agency was ready to do its part.
“We are working really hard and we have no illusions about the road ahead,” he said. “There is nothing simple about the cybersecurity challenges we face, and we need your help to make it happen. We need your expertise to inform our policies and the future of our critical mission. “
Hellish hotel neighbor
We all had the trip to the hotel where someone was too loud. When a fellow traveler at a capsule hotel got angry, a Lexfo security consultant named Kyasupā decided to fight back.
The hotel allowed guests to control aspects of their room using an iPod Touch with Bluetooth and Wi-Fi. Kyasupā found [PDF] that the iPod is connected to a Nasnos CS8700 router. By stringing together six vulnerabilities and forcing a restart of the iPod touch, Kyasupā discovered that he could control any capsule in the hotel.
Kyasupā had asked a guest, called Bob for anonymity, if he could be quieter at night, as the person was prone to loud phone calls at 2 a.m. After repeated unsuccessful attempts to fix this issue, Kyasupā simply programmed the man’s bed to turn into a sofa and vice versa and flashed the bedroom lights every two hours.
He then went to the hotel management team, who were surprisingly kind about it, and fixed the issue. The moral of the story? Politeness is important.
Punkspider is back, inventors claim it’s cool this time around
The Punkspider web application scanner has been controversial since its release in 2013, with critics claiming it can all too easily be abused.
The project died out in 2015, but now it’s back, say its creators, and people have nothing to fear. A presentation at DEF CON saw Alejandro Caceres, chief operating officer of computer networks at QOMPLX, and self-proclaimed hacker Jason Hopper, explain.
“We were banned over a 15-year-old with a fake ID trying to get into a bar. It became painful and hardly viable without a lot of investment of time and money. Every time that we were banned, it meant thousands of dollars and countless hours to move sh ** around, ”they said.
“Now we have solved our problems and completely redesigned and expanded the system. “
The proof of this pudding, however, will be in the eating, and the team could find itself closed again. Many fear that the tool will be abused again, not only to expose vulnerabilities, but also to exploit some. You can see the full speech here.
Inside the Middle East Security Machine
A disturbing conversation [PDF] in Black Hat this year was former NSA Training Specialist David Evenden, who now runs the StandardUser Security Store.
Evenden recounted how he and others were courted by intelligence agencies around the world to work with a group called CyberPoint in the UAE on a project called Project Raven. The job was supposed to be an intelligence gathering and defensive security job, but Evenden said it was increasingly asked to collect more dangerous data.
Evenden and others have been asked to spy on reporters, members of local royal families, and he even found some of Michelle Obama’s emails. Despite the generous tax-free salary, he and others decided to leave the country while they still could.
Evenden warned that you should never file your passport with an employer and always have enough money and a plan to get out if something sounds too good to be true – and to carefully check a potential employer’s background.
The other virus
Jeff Moss, aka Dark Tangent and the man who founded the lectures, offered a sobering warning at the start of the show. He said the industry has lost some good people this year and that COVID-19 will be around for a while, it seems.
Reports from the field suggest the conferences were very lightly attended – certainly nothing to do with the crazy crush of tens of thousands of visitors that is normal for the show. Most of the participants wore masks, but more than one without a mask was walking around.
Las Vegas already has a big problem with COVID, and events like this can act like super-diffuser events, as this hack discovered the hard way at the RSA conference last year. Let’s be careful there, guys. ®