Black Hat Security Conference Returns To Las Vegas Complete With Hacks To Soothe The Hotel Guest From Hell • The Register
After a year's hiatus due to a certain virus, the Black Hat and DEF CON security conferences returned to Las Vegas last week, just in time for the US government's attempts to encourage more collaboration in the infosec industry.
Jen Easterly, the newly appointed director of the Cybersecurity and Infrastructure Security Agency, took to the virtual Black Hat stage last week (although there was a limited and socially distanced physical conference this year) and announced the Joint Cyber Defense Collaborative (JCDC), which the agency claims is a true public-private partnership to try to contain security incidents by sharing data and skills.
Microsoft, AWS, Google, and several U.S. telecommunications companies signed up, but Easterly’s keynote was specifically aimed at attracting independent talent. Proposals included increasing public sector salaries and a more flexible approach to hiring.
DHS Secretary Alejandro Mayorkas also gave a keynote address along the same lines, saying his agency was ready to do its bit.
“We work really hard and have no illusions about the road ahead,” he said. “The cybersecurity challenges we face are not easy and we need your help to get this right. We need your expertise to inform our guidelines and the future of our critical mission.”
Hotel neighbor from hell
We have all experienced the hotel trip where someone is too loud. When a fellow traveler at a capsule hotel got on his nerves, a Lexfo security advisor named Kyasup decided to hit back.
The hotel allowed guests to control certain aspects of their room using an iPod Touch with Bluetooth and Wi-Fi. Kyasup found [PDF] that the iPod was connected to a Nasnos CS8700 router. By chaining six vulnerabilities and restarting the iPod Touch, Kyasup found that he could control every capsule in the hotel.
Kyasup had asked a guest, called Bob for anonymity, if he could be quieter at night, as the person was prone to loud calls at 2am. After repeated unsuccessful attempts to resolve this, Kyasupā simply programmed the man’s bed to convert into a couch and back again, and flashed the room lights, every two hours.
He then went to the hotel’s management team, who were surprisingly nice, and fixed the problem. The moral of the story? Courtesy is important.
Punkspider is back, inventors think it’s cool this time
The Punkspider web app scanner has been controversial since its release in 2013, with critics saying it is too easily misused.
The project went dark in 2015, but now it’s back, and people don’t have to worry, say its creators. Alejandro Caceres, Director of Computer Network Exploitation at QOMPLX, and self-proclaimed hacker Jason Hopper made the case during a presentation at DEF CON.
“We were banned more than a 15-year-old trying to get into a bar with a fake ID. It became tedious and barely sustainable without investing a lot of time and money. Every time we were banned it meant thousands of dollars and countless hours of hanging around,” they said.
“Now we have solved our problems and completely revised and expanded the system.”
However, the proof of this pudding will be in the eating, and the team could shut down again. Many fear that the tool will be misused again, not only to uncover weak points but also to exploit them. You can see the full talk here.
Inside the security machine of the Middle East
A disturbing talk [PDF] at Black Hat this year came from former NSA instruction specialist David Evenden, who now runs the StandardUser security shop.
Evenden shared how he and others were wooed by intelligence agencies around the world to work with a group called CyberPoint in the United Arab Emirates on a project called Project Raven. The work was supposed to be intelligence and defensive security work, but Evenden said he was increasingly being urged to retrieve more malicious data.
Evenden and others were asked to spy on journalists and members of the local royal families, and he even found some emails from Michelle Obama. Despite the generous tax-free salary, he and a few others decided to leave the country while they still could.
Evenden cautioned against leaving your passport with an employer, and advised always having enough cash and a plan to get out and, if something looks too good to be true, carefully reviewing a potential employer’s history.
The other virus
Jeff Moss, AKA Dark Tangent and the founder of the conferences, issued a sobering warning at the beginning of the show. He said the industry has lost good people this year and that COVID-19 appears set to be around for a while.
On-site reports indicate that the conferences were very sparsely attended, certainly nothing like the madness of tens of thousands of visitors that is usual for the event. Most of the participants wore masks, but more than a few wandered around maskless.
Las Vegas already has a huge COVID problem, and events like this can act as super-spreader events, as this hack found out the hard way at the RSA conference last year. Let’s be careful out there folks. ®