Black Hat 2022 USA Briefings wrapped up this past week, along with its sister conference DEF CON 30. The DEF CON theme was a “Hacker Homecoming”, and it really was a fun one. Coming back from the COVID hiatus, the conferences were enthusiastically full compared to the 2021 ghost town. Many of the talks were great, fresh content.

With the parties and the CTF fun humming along, excellent briefings included Kim Zetter’s insights on “Pre-Stuxnet, Post-Stuxnet: Everything Has Changed, Nothing Has Changed”. She is the first journalist to keynote Black Hat, and she intended to speak on the changes that Stuxnet brought, and the stuff that gets ignored until it’s too late. She specifically included discussion of elections infrastructure security, and cybernorm challenges in light of recent activity in Eastern Europe and the Middle East.

Kim listed the major changes that came about following Stuxnet:

  • A reversed trend in trickle down techniques and tools, now from APT to the crimey underground
  • Launched a cyber arms race and militarization of cyberspace
  • Politicization of security research and defense
  • Introduction of serious ICS vulnerabilities impacting critical infrastructure

Zetter highlighted the legitimate election security discussion, and said that it’s important to talk about, in spite of the consistent misappropriation and misinformation coming from high volume conspiracy groups. She spoke about various voting count incidents and the lack of accountability in very specific incidents. Of course, these actual events have been and will be spun up into misinformation content, which is unfortunate, but the legitimate discussion must be held. Interestingly, OAN members were later allegedly kicked out of DEF CON, specifically from the Voting Village.

Zetter noted from a 1997 “CRITICAL FOUNDATIONS PROTECTING AMERICA’S INFRASTRUCTURES” Report of the President’s Commission on Critical Infrastructure Protection, “The capability to do harm—particularly through information networks—is real; it is growing at an alarming rate; and we have little defense against it.” Keep in mind it was authored 25 years ago.

Fast forward to 2022 and Kim makes mention of the technical debt leading to the Colonial Pipeline ransomware fiasco that led to an overwhelming of the east coast fuel supply chain. She discussed how quickly Colonial paid the ransom, their lack of security preparation, and preceding audits of their “atrocious” security practices, “an eight grader could have hacked that system”. Not long after, CISA re-released yet another set of security guidelines for pipeline owner/operators. Unfortunately, Kim didn’t provide any mention of accountability for the decision-makers behind the Colonial fiasco.

Her talk turned to the challenges to “cyber-norms” that the Ukraine-related ITArmy presents and the recent incidents in Iran with 4,000 gas pumps being disabled and a severe equipment malfunction at a steel plant, suggesting these events also will likely leave an impact on the future stability of cyberspace.

Another favorite talk came from an individual still tied up in Taiwan with Visa issues. Orange Tsai enthusiastically gave a remote, well structured, insightful explanation of his research on Microsoft’s Hash Tables and attacking them from IIS with “Let’s Dance in the Cache – Destabilizing Hash Table on Microsoft IIS”. The codebase he addressed is decade+ old, and he danced all over web services and their authentication. Hopefully he will be in-person for future work.

Amongst all the village dazzle, DEF CON included a social engineering village, and talks included policy discussion, panels on getting a start in social engineering, and more. Their live action vishing challenge is a thrill. I am catching up on one of the recommended reading titles from a panel “How to Make People Like You in 90 Seconds or Less”.

It’s great to see people slowly returning to fully masked, in-person venues. See you next year!

Posted by Charlie