Tens of thousands of the world’s top cybersecurity pros descended on Las Vegas last week for the annual Hacker Summer Camp, with hundreds of sessions spread over three events. Taking it all in is an impossible task.
Here are six sessions that you may have missed — but that you can’t afford to overlook.
[ See the ReversingLabs @ Hacker Summer Camp event page ]
1. AI, the ‘troubled teen’ of cybersecurity
With the explosion of interest in and use of generative artificial intelligence (AI) since the release of OpenAI’s latest ChatGPT, it was inevitable that AI would loom large at this year’s Black Hat and DEF CON conferences, with presentations on the application of AI in both cyber offense and defense, as well as a red team contest to try to compromise generative AI models.
The technology is something like the troubled teen of the cybersecurity world, said Black Hat speaker Maria Markstedter, the founder of Azeria Labs in a keynote presentation. The release of ChatGPT has forced industries of all kinds to reckon with how widely accessible and powerful AI technology is, she said.
The cybersecurity industry needs a battle plan in order to handle the speed of today’s AI race. Markstedter said. In the short term, that means addressing issues that AI brings such as secrets leaks and data exfiltration. In the long term, the industry needs to cultivate cybersecurity talent with a deep knowledge of AI so they can help devise solutions to the cybersecurity challenges it will create.
In one encouraging sign, the White House announced that DARPA, the Defense Advanced Research Projects Agency, will host the first-ever Artificial Intelligence Cyber Challenge (AIxCC) at the 32nd annual DEF CON, in 2024, followed by the final competition at the 2025 show.
2. The software supply chain lowers the bar for voting system hacks
With a presidential race looming in the United States, all eyes are turning once again to the cybersecurity of voting systems. The Voting Village at DEF CON has long shone a spotlight on voting hardware such as direct-recording electronic (DRE) voting systems, but a bigger threat may lurk in the software supply chain that powers those devices, said Ashlee Benge, the director of threat intelligence advocacy at ReversingLabs.
In a talk at the Voting Village, Benge said that vulnerable software supply chains — including the widespread use of open-source libraries in voting systems — lower the bar for compromises of voting systems.
“It’s easy to fat-finger the name of a third-party library and import something you didn’t intend to import.”
Those targeting voting systems need not have the resources of a nation-state actor. “It could just be an individual with a bit of knowledge who can slip in a malicious library,” she said. “It makes me nervous.” The consequence is that firms making, selling, or supporting voting systems — both hardware and software — need to pay more attention to threats lurking in their software supply chain. That includes reviewing and assessing their source code for vulnerabilities and malicious code. But firms also need to analyze any compiled binaries they intend to ship to the users of their software, Benge said.
3. Satellites: Yes, they're hackable
After years of treating Black Hat and DEF CON as suspect gatherings, the federal government in the last decade has embraced them as important forums for engaging with the country’s top cybersecurity talent as it probes the security of everything from election equipment to medical devices to vehicles. And this year it took part in the “Hack A Sat" competition at DEF CON, which for the first time featured a “capture the flag” competition to hack a satellite in orbit, with a $50,000 prize for the winning team.
The target was a satellite dubbed Moonlighter that was launched on a SpaceX rideshare rocket to the International Space Station on June 5 by the U.S. government-backed, nonprofit Aerospace Corp. It’s described as a “foot-long, toaster-sized cubesat satellite with extendable solar panels.”
The contest, which began in 2020, has taken on new urgency following Russia’s attack on the Viasat satellite network used by Ukraine’s military — one of the opening salvos of its invasion of Ukraine in February 2022. In June, a Russian satellite network used by its military was knocked offline by a cyberattack by self-identified hacktivists shortly after a Russian mercenary group staged a short-lived coup.
4. CISA readies ransomware transparency reporting
One of the biggest challenges faced by the federal government — and the cybersecurity industry generally — is understanding the scope of threats and attacks. While the private sector has done its best to shed light on questions such as “How common are ransomware attacks?” the lack of accurate reporting by victims — and organizations' reluctance to disclose cyber incidents — makes that a difficult question to answer.
But that may not be the case for long. CISA, the Cybersecurity and Infrastructure Security Agency, is readying new rules that will require critical infrastructure owners and operators to disclose the payment of ransoms and other cybersecurity incidents. Speaking at DEF CON, CISA head Jen Easterly said the agency is finalizing reporting rules under powers given to it by passage of the Cyber Incident Reporting for Critical Infrastructure Act, according to a report in The Record.
The legislation will require critical infrastructure organizations to report significant cyber incidents. Easterly told DEF CON attendees that CISA is in the final stages of writing the specifics of the rules and that a notice of rulemaking will come out next year. The new rules will give the federal government critical insights into what measures are working to reduce the threat posed by ransomware, she said.
5. White House seeks input on open-source security
The days of "spot the fed" contests at Black Hat and DEF CON are long gone. This year, again, representatives of the federal government were everywhere at Hacker Summer Camp — both in the crowd and on stage. And their message was one of cooperation — and even optimism — not consternation. In her Black Hat keynote address, Kemba Walden, the Biden administration’s acting national cyber director, celebrated her office’s creation, which more than quadrupled the White House staff devoted to cybersecurity. Walden said her office was particularly interested in probing the cybersecurity risks posed by open-source software, and she issued a call for information on the security of open-source software.
“We have to think about cybersecurity as an opportunity for economic prosperity and technological innovation. We’ve allowed cybersecurity to devolve to those that are the least capable.Those of us that are more capable should be responsible for cybersecurity risk.”
6. Apple approved malicious app used in 3CX attack
Companies or individuals hoping that Apple's famous app-vetting process will stand between them and a malicious supply chain attack should think again. According to a presentation at Black Hat, there is strong evidence that the company approved a version of the 3CX Desktop application that contained malicious components.
Security researcher Patrick Wardle, an expert on the cybersecurity of Apple’s software, including macOS and iOS, presented research on a macOS component used in the hack of voice-over-IP (VoIP) provider 3CX. Wardle reverse engineered the macOS malware and discovered a trojanized installer in the macOS application for 3CX.
And Apple, which trumpets the security and integrity of its App Store, appears to have notarized the application. The lesson: “You can’t count on Apple’s security.” Instead, organizations should focus on developing the ability to track the evolution of software packages using differential analysis of their contents. That’s something ReversingLabs noted in our analysis of the 3CX Desktop app.
- Join Webinar: Threat Modeling & Software Supply Chain Security
- Supply Chain Risk Report: Learn why you need to upgrade your app sec
- See Special Report: The Evolution of Application Security
- Track key trends: The State of Supply Chain Security 2022-23
- Get report: Supply chain and the SOC: Why end-to-end security is key