I was curious what this year’s Black Hat conference was really about, beyond a bunch of people getting together for about a week of seminars and presentations, so here are “The Top Three Takeaways from Black Hat 2016” by Allison Francis from The Var Guy.com.
- Would you pick up a random USB drive and plug it into your personal computer?
Google researcher Elie Bursztein put to the test the long-standing belief among cybersecurity experts that people will pick up and use random USB thumb drives they find, accepting the risk of infecting their systems; this behaviour is far from rare among unaware computer users everywhere.
Bursztein and his team distributed 297 USB drives as “bait” at loosely strategic locations around the University of Illinois campus, such as parking lots, building hallways, classrooms and outdoor areas.
Each drive housed tracking software that would “call home” when plugged in, and the drives were labelled with messages such as “final exam results” or “confidential,” among others.
The results, reported by eWeek (article), showed that a stunning 46 percent of the distributed drives “phoned home.” Bursztein therefore stressed that awareness and security training are highly important, and warned organizations and individuals to be mindful of what they plug into their machines. “You don’t pick up food from the floor and eat it because you may get poisoned, so don’t pick up random USB drives either,” Bursztein said.
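The defensive counterpart to the experiment above is knowing when a removable storage device shows up on a machine at all. The following is an added example, not code from the article or from Bursztein’s study: it parses Linux kernel messages (syslog-style lines, constructed here for the example) for newly attached USB devices, correlates the vendor/product IDs with the usb-storage driver binding, and reports any mass-storage device that is not on a hypothetical allowlist of sanctioned drives.

```python
import re

# Constructed sample of Linux kernel messages, written for this example;
# not a real capture from any system mentioned in the article.
SAMPLE_LOG = """\
Aug  3 10:12:01 ws07 kernel: usb 1-1.2: new high-speed USB device number 5 using xhci_hcd
Aug  3 10:12:01 ws07 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Aug  3 10:12:01 ws07 kernel: usb 1-1.2: Product: Cruzer Blade
Aug  3 10:12:01 ws07 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Aug  3 10:15:44 ws07 kernel: usb 1-1.3: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.10
Aug  3 10:15:44 ws07 kernel: usb 1-1.3: Product: USB Receiver
Aug  3 10:20:09 ws07 kernel: usb 1-1.4: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
Aug  3 10:20:09 ws07 kernel: usb-storage 1-1.4:1.0: USB Mass Storage device detected
"""

# Hypothetical allowlist of sanctioned (idVendor, idProduct) pairs, e.g. the
# encrypted drives an organization actually issues to staff.
ALLOWED_STORAGE = {("0951", "1666")}

# The kernel identifies each device by its bus port (e.g. "1-1.2"); the
# usb-storage driver logs against an interface on that port ("1-1.2:1.0").
NEW_DEVICE = re.compile(
    r"kernel: usb (?P<port>\S+): New USB device found, "
    r"idVendor=(?P<vendor>[0-9a-f]{4}), idProduct=(?P<product>[0-9a-f]{4})"
)
PRODUCT_NAME = re.compile(r"kernel: usb (?P<port>\S+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>\S+?):\d+\.\d+: USB Mass Storage device detected"
)


def parse_usb_events(log_text):
    """Correlate per-port kernel lines into one record per attached device."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            devices[m["port"]] = {
                "port": m["port"], "vendor": m["vendor"],
                "product": m["product"], "name": None, "storage": False,
            }
            continue
        m = PRODUCT_NAME.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["storage"] = True
    return list(devices.values())


def unapproved_storage(log_text, allowlist=ALLOWED_STORAGE):
    """Return mass-storage devices whose vendor/product pair is not sanctioned."""
    return [
        d for d in parse_usb_events(log_text)
        if d["storage"] and (d["vendor"], d["product"]) not in allowlist
    ]


if __name__ == "__main__":
    for d in unapproved_storage(SAMPLE_LOG):
        print(f"ALERT port {d['port']}: unapproved USB storage "
              f"{d['vendor']}:{d['product']} ({d['name']})")
```

Of the three devices in the constructed log, only the one on port 1-1.2 is flagged: the receiver on 1-1.3 never binds usb-storage, and the drive on 1-1.4 is on the allowlist. Keying on the usb-storage binding rather than on every USB insertion keeps keyboards and mice out of the alert stream, which matters if the alerts are going to be read.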
- The mounting threat of attacks in the VoIP and UC space
Fatih Ozavci, a managing consultant with Context Information Security, presented on the lack of understanding and awareness of modern voice over internet protocol (VoIP) and unified communications (UC) security. This gap leaves providers and organizations highly exposed, given the ever-increasing and rapidly growing number of threats.
During the talk Ozavci explained how service providers and businesses are leaving themselves open to threat actors repurposing and exposing their infrastructure for attacks such as botnets, malware distribution, vishing, denial of service and toll fraud.
Ozavci also touched on weaknesses in messaging platforms and UC product suites, since those vulnerabilities make it easy for attackers to slip past security measures and spread malicious content. Once exploited, they can give attackers unauthorized access to client systems or to communications services such as conferencing and collaboration, voicemail, SIP trunks and instant messaging.
Finally, Ozavci discussed how he planned to raise awareness and introduced his newly developed open source tools Viproxy and Viproy, which can be used for VoIP penetration testing.
- Information sharing and public work
Dan Kaminsky, co-founder and chief technologist of the cybersecurity firm White Ops, highlighted the importance of making the internet a safe place for everyone by calling for more information sharing as a way to improve security and combat cyberthreats faster and more efficiently.
Wade Mackey says
I was at BlackHat and DefCon this year. These topics were covered, but there was so much more. The most impactful presentation I saw was around the emotional stress experienced by the very people we charge with protecting us. One example provided was around police having to deal with child pornography. The presenter indicated burnout was very high, as officers just couldn’t take having to go through the evidence.
Scott Radaszkiewicz says
The USB experiment that Bursztein conducted is very interesting. It just goes to point out the fact that the largest security risk to any organization is their employees. No matter how many firewalls we put up, how many pen tests we conduct, the fact is that there is no way to stop that one employee from taking a USB drive and plugging it into a computer. Sure, we can disable USB ports on computers, but speaking in larger terms, hackers have one job: to hack. They will find a way. Social engineering is the biggest problem in defense against hacking. A chain is only as strong as its weakest link.
A personal story. I support small offices with technology needs. I had a dentist who was very concerned about security. Small office. 12 workstations. The only workstations allowed access to the Internet were his and the office manager’s. All other workstations accessed the patient program only. No email, no Internet. Well, the doctor’s machine got hit with CryptoLocker. When we looked into it, it came in from a USB drive he was using to share a joint presentation he was working on with another dentist!! Irony.
Shain R. Amzovski says
Roberto,
Thanks for sharing this article, it had some interesting insights. I was not really surprised by the findings of Bursztein’s experiment. Quite frankly, I believed the results would be higher than 46%. I like the comparison he made to finding food on the ground. You would not pick it up and eat it because it could poison you, so why would you plug an unknown USB drive into your machine? It can infect it!