Hacker Summer Camp is only a few days away, so to whet your appetite, The daily sip has compiled a list of some of the best threads from years past.
Over the years there have been thrills, spills and (of course) ‘sploits’, as the world’s top security researchers descended on Las Vegas for Black Hat USA and DEF CON – a double security bill hard to beat.
This year’s Black Hat – which again takes place as a hybrid event – and DEF CON offerings are sure to add to the already impressive list of groundbreaking talks from years past.
Now that Covid-related restrictions have largely been lifted, the 2022 edition promises to be something of a grand reopening of arguably the most important event on the infosec calendar.
Without further ado (and in no particular order), here are our top picks from past Black Hat and DEF CON events…
Panic in the Cisco
by Michael Lunn Cisco Network Technology Security Gaps 2005 Conference was significant not only because of the potential impact of its discovery, but also because it served as an example of attempted suppression of security research.
Lunn quit his job at Internet Security Systems to give a talk about a critical vulnerability in Cisco’s router technology.
The security researcher demonstrated an exploit – which opened the door to a range of attacks from eavesdropping to disabling the compromised device – while withholding all the details. Cisco released a security patch for its firmware ahead of the conference, but few organizations had applied it by the time it was released.
Cisco initially gave the go-ahead for the discussion, but reflected on the imminence of the event. ISS agreed to a request from the networking giant, but Lunn disagreed. This prompted him to resign in order to present their findings.
Dan Kaminsky’s revelation of a cache poisoning flaw affecting the software of several DNS providers in 2008 remains a milestone in network security.
The security researcher worked with DNS vendors for months to patch the critical vulnerability before exposing the problem in Black Hat 2008.
This remains a testament to the late security researcher, who sadly passed away in April 2021, sparking an outpouring of tributes to a truly great infosec characterized by “kindness, boundless energy and positivity”.
Win the jackpot
Barnaby Jack’s live ATM hacking demonstration set the benchmark for spectacular hacking and cutting-edge security research. jackpot – as the attack later became known – involved a targeted attack on software running on ATMs.
The end result was to inject malware into the operating system of ATMs, causing them to fraudulently dispense banknotes. Exploitable vulnerabilities in an ATM’s remote management system or unauthorized physical access to a machine (perhaps facilitated by a corrupt insider) can be used to carry out an attack.
Prior to Jack’s research, embedded systems such as ATMs were widely (but wrongly) considered to be beyond the reach of potential hacking attacks. The research paved the way for follow-up studies on the safety of medical devices such as pacemakers and insulin pumps.
In the air
Interest in the security of air traffic control systems took off with Andrei Costin’s presentation on the issue at Black Hat 2012. Costin’s presentation focused on the security aspects of ADS- B (Automatic Dependent Surveillance-Broadcast), a satellite-based aircraft tracking technology, and other flight technologies.
The presentation examined the (in)security of ADS-B from a practical perspective, presenting “the feasibility and techniques of how potential attackers could play with generated/injected air traffic, and thus potentially open a new attack surface” in air traffic control systems.
Do not look
Shifting the focus from airplanes in flight to satellites in orbit, a well-received 2014 lecture by Ruben Santamarta reviewed the security of satellite communication terminals.
IOActive found that all the devices they had access to were potentially subject to abuse. Discovered vulnerabilities included multiple backdoors, hard-coded credentials, undocumented and/or insecure protocols, or weak encryption algorithms.
“These vulnerabilities allow remote, unauthenticated attackers to completely compromise the affected products,” IOActive warned at the time. “In some cases, no user interaction is required to exploit the vulnerability, just sending a simple SMS or specially crafted message from ship to ship will do so.”
Black Hat and DEF CON have never been the only forum for tech discussions and hacking demos. Political issues are also often at stake, as evidenced by the speeches of Dan Geer and Jennifer Granick.
Geer, CISO for In-Q-Tel, a nonprofit venture capital firm that researches technologies that support the U.S. intelligence community, spoke about cyberspace as an area of conflict between nations and on power politics in 2014.
Granick, director of civil liberties at the Stanford Center for Internet and Society, was looking forward to the next phases of internet development in 2015.
Most recently, Parisa Tabriz, Director of Engineering at Google, used her Black Hat 2018 keynote to give a practical perspective on secure development. And last year, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), explained how hackers, government and the private sector can work together to deal with cyber threats.
Kettle reinvents HTTP request smuggling
PortSwigger’s James Kettle reinvented the long-neglected topic of request smuggling with his presentation on HTTP desync attacks at DEF CON in 2019.
Kettle showed how it was possible to manipulate web requests in order to poison web caches. The hack allowed Kettle to compromise PayPal’s login page, among other targets, and claim $70,000 in bug bounties.
The hack relied on exploiting flaws in the way web systems forward web requests between the front-end system and the back-end system, as explained in a daily swig article published at the time of the conference.
A new era in SSRF
Renowned web security researcher Orange Tsai used a 2017 Black Hat conference to describe a exploit a variant technique that could be exploited to circumvent protections against server-side request forgery (SSRF).
The root cause of the problem is inconsistent URL parsers and URL requesters.
Flaws in web applications such as WordPress, vBulletin, MyBB and GitHub have also been discovered using the same approach, the security researcher told Black Hat USA in 2017.
Hasta la vista
Polish security researcher Joanna Rutkowska rose to prominence in the security community after her demonstration of a attack on Windows Vista’s kernel protection mechanism at Black Hat USA 2006.
During the same presentation, she also demonstrated a technique called “Blue Pill” which involved hacking the operation of a virtual machine to implant stealthy malware.
Gone in 40ms
The hack hit the road in 2015 after security researchers Charlie Millar and Chris Valasek showed how to launch a remote cyber attack on an unmodified factory vehicle.
security researchers hacked a jeep cherokee via a mobile connection to his entertainment system via a technique that allowed them to send messages over the CAN bus to critical electronic control units. This, in turn, allowed them to control the braking, steering and acceleration of the car.
That’s our roundup of the best Hacker Summer Camp talks ever – but what are your picks?
Did we forget to mention essential conferences? What are your favorite hacks? Let us know on Twitter at @DailySwig.
YOU MIGHT ALSO LIKE ParseThru: HTTP Parameter Smuggling Flaw Discovered in Multiple Go Apps