Black Hat USA 2016 and DEF CON 24 - The Last Word

This year's Black Hat and DEF CON were historic. Nothing less.

It was truly "The Rise of the Machines".

DARPA's CGC Contest

Any contest with a $2M first prize is special. When the result is a machine that beats some of the best humans in the world at CTF, this is extraordinary. When I checked today, Mayhem was 3rd last - better than 2 other human teams!
It now is only a question of time before a machine will win CTF.

In comparison, the DFIR folks in their various presentations were still bumbling and fumbling with basics.

Imagine what this weaponized technology will do in the hands of a nation state or some well-funded criminal organization.

A chilling thought.

(Update 16-8-08: Apparently the human Carnegie Mellon team won the CTF, not their machine Mayhem. As mentioned above, at some point - sooner rather than later - the machines will win yet again.)

Unicorn, Keystone, Capstone

Chris Eagle was right on the mark when he emphasized the importance of Keystone, Capstone, and Unicorn.

Together they give a scriptable assembler (Keystone), disassembler (Capstone), and CPU emulator (Unicorn), all driven from Python and other languages.

When coupled with state-of-the-art AI, the resulting automation will be powerful.
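Here is the round trip in code, as an added example and not code from the talk or from the three projects themselves. It assembles a constructed x86-64 snippet with Keystone, lists it back with Capstone, then runs it under Unicorn with a chosen RDI and compares RAX against a pure-Python oracle. It assumes the keystone-engine, capstone and unicorn packages from pip; the snippet, load address and register values are made up for the demo.

```python
"""Added example: assemble, disassemble and emulate one x86-64 snippet with
Keystone, Capstone and Unicorn. Needs the pip packages keystone-engine, capstone
and unicorn; the snippet, addresses and input value are constructed for this demo."""
try:
    from keystone import Ks, KS_ARCH_X86, KS_MODE_64
    from capstone import Cs, CS_ARCH_X86, CS_MODE_64
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_64
    from unicorn.x86_const import UC_X86_REG_RAX, UC_X86_REG_RDI
    ENGINES_AVAILABLE = True
except ImportError:            # the three engines are native packages, not stdlib
    ENGINES_AVAILABLE = False

CODE_BASE = 0x1000             # constructed load address for the snippet
PAGE = 0x1000                  # Unicorn maps memory in 4 KiB pages

# Constructed snippet: rax = (rdi + 0x10) << 1, with 64-bit wraparound
SNIPPET = """
    mov rax, rdi
    add rax, 0x10
    shl rax, 1
"""


def assemble(source, base=CODE_BASE):
    """Keystone: assembly text -> machine code. Returns (bytes, statement_count)."""
    ks = Ks(KS_ARCH_X86, KS_MODE_64)
    encoding, count = ks.asm(source, base)
    return bytes(encoding), count


def disassemble(code, base=CODE_BASE):
    """Capstone: machine code -> [(address, mnemonic, operands)]."""
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    return [(insn.address, insn.mnemonic, insn.op_str) for insn in md.disasm(code, base)]


def emulate(code, rdi, base=CODE_BASE):
    """Unicorn: run the code with RDI preset and return RAX when RIP reaches the end."""
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(base, PAGE)                  # one page is plenty for a few bytes
    mu.mem_write(base, code)
    mu.reg_write(UC_X86_REG_RDI, rdi)
    mu.emu_start(base, base + len(code))    # stops before executing the 'until' address
    return mu.reg_read(UC_X86_REG_RAX)


def roundtrip(source=SNIPPET, rdi=0x20):
    """Assemble, disassemble and emulate; a pure-Python oracle checks the emulator."""
    code, count = assemble(source)
    listing = disassemble(code)
    rax = emulate(code, rdi)
    expected = ((rdi + 0x10) << 1) & 0xFFFFFFFFFFFFFFFF
    return {"bytes": code.hex(), "count": count, "listing": listing,
            "rax": rax, "matches_oracle": rax == expected}


if __name__ == "__main__":
    if not ENGINES_AVAILABLE:
        raise SystemExit("install keystone-engine, capstone and unicorn first")
    for key, value in roundtrip().items():
        print(f"{key}: {value}")
```

The same three calls, wrapped in a loop over candidate byte strings or fed by a fuzzer, are the building block for the automation the talk was pointing at: no debugger, no target hardware, just a scripted CPU.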

Weaponizing AI, Automation

The presentation on weaponizing AI to automate spearphishing caught my attention. Weaponized AI coupled with automation means that the speed and impact of an attack are greatly enhanced.

In both presentations on AWS security that I attended, the theme of automation was mentioned: using AWS Lambda functions for offense as well as defense. (And BTW the Boeing people's AWS DFIR automation tools looked impressive.)

It is clear that the defenders will need task-specific, intelligent bots and other scalable automation to adequately protect against what is coming.

Just when you think things can't possibly get any worse ...

They do.

HTTP/2, QUIC

At Black Hat, various speakers pointed out the rapid, widespread deployment of HTTP/2 and especially QUIC.

Security tools haven't kept up. QUIC is encrypted by design (there is no cleartext mode), and browsers only speak HTTP/2 over TLS. Both protocols replace the plain text of HTTP/1.1 with binary framing, multiplex many streams over one connection, and compress headers (HPACK in the case of HTTP/2).

Inspection that relied on matching strings in cleartext HTTP/1.1 therefore sees very little, which makes it far harder to spot corporate data being exfiltrated or malware sneaking in.

Worse yet, Imperva pointed out the lack of maturity of HTTP/2 implementations and showered us with bugs to prove it.
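To make the inspection problem concrete, here is an added example (my own code, not anything shown in the talks) that parses a constructed HTTP/2 client stream: the connection preface, the 9-byte frame header, and an HPACK header block, per RFC 7540 and RFC 7541. The sample bytes, the static-table subset and the x-note header are made up; Huffman-coded strings are deliberately rejected rather than decoded.

```python
"""Added example: parse a constructed HTTP/2 client stream (RFC 7540 framing,
RFC 7541 HPACK) and show what a string-matching inspector would miss."""
import struct

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"   # client connection preface
FRAME_TYPES = {0: "DATA", 1: "HEADERS", 4: "SETTINGS", 6: "PING", 7: "GOAWAY", 9: "CONTINUATION"}
STATIC_TABLE_SIZE = 61                      # RFC 7541 Appendix A; only a subset is listed here
STATIC_TABLE = {1: (":authority", ""), 2: (":method", "GET"), 4: (":path", "/"),
                6: (":scheme", "http"), 7: (":scheme", "https")}

def build_frame(ftype, flags, stream_id, payload):
    """9-byte header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

# Constructed sample: SETTINGS (max 100 streams), then GET https://example.com/ whose
# header block is three static-table indexes plus two literals (no Huffman coding).
HPACK_BLOCK = (bytes([0x82, 0x87, 0x84])                       # :method GET, :scheme https, :path /
               + bytes([0x41, 0x0B]) + b"example.com"           # :authority via name index 1
               + bytes([0x40, 0x06]) + b"x-note" + bytes([0x05]) + b"hello")  # literal name + value
SAMPLE_WIRE = (PREFACE + build_frame(4, 0x00, 0, b"\x00\x03\x00\x00\x00\x64")
               + build_frame(1, 0x05, 1, HPACK_BLOCK))         # END_STREAM | END_HEADERS

def parse_frames(data):
    """Split a raw client stream into (type_name, flags, stream_id, payload) tuples."""
    if not data.startswith(PREFACE):
        raise ValueError("missing client connection preface")
    pos, frames = len(PREFACE), []
    while pos < len(data):
        if len(data) - pos < 9:
            raise ValueError("truncated frame header")
        length, ftype, flags = int.from_bytes(data[pos:pos + 3], "big"), data[pos + 3], data[pos + 4]
        stream_id = struct.unpack(">I", data[pos + 5:pos + 9])[0] & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        frames.append((FRAME_TYPES.get(ftype, "UNKNOWN"), flags, stream_id, payload))
        pos += 9 + length
    return frames

def read_int(block, pos, prefix_bits):
    """HPACK integer (RFC 7541 5.1): N-bit prefix, then 7-bit continuation bytes."""
    mask = (1 << prefix_bits) - 1
    value, pos = block[pos] & mask, pos + 1
    if value < mask:
        return value, pos
    shift = 0
    while True:
        b, pos = block[pos], pos + 1
        value += (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos

def read_string(block, pos):            # H bit + 7-bit length prefix; Huffman is not decoded here
    if block[pos] & 0x80:
        raise NotImplementedError("Huffman-coded string: needs the RFC 7541 code table")
    length, pos = read_int(block, pos, 7)
    return block[pos:pos + length].decode("ascii"), pos + length

def lookup(index, dynamic):             # 1..61 is the static table, 62.. the dynamic one, newest first
    if index in STATIC_TABLE:
        return STATIC_TABLE[index]
    if index > STATIC_TABLE_SIZE and index - STATIC_TABLE_SIZE - 1 < len(dynamic):
        return dynamic[index - STATIC_TABLE_SIZE - 1]
    raise KeyError(f"index {index} is outside this example's table subset")

def decode_hpack(block):
    """Decode a header block into [(name, value)], maintaining the dynamic table."""
    headers, dynamic, pos = [], [], 0
    while pos < len(block):
        b = block[pos]
        if b & 0x80:                                   # 1xxxxxxx: indexed field
            index, pos = read_int(block, pos, 7)
            headers.append(lookup(index, dynamic))
            continue
        if b & 0x40:                                   # 01xxxxxx: literal, add to dynamic table
            prefix, add = 6, True
        elif b & 0x20:                                 # 001xxxxx: dynamic table size update
            _, pos = read_int(block, pos, 5)
            continue
        else:                                          # 0001xxxx / 0000xxxx: literal, not indexed
            prefix, add = 4, False
        name_index, pos = read_int(block, pos, prefix)
        if name_index:
            name = lookup(name_index, dynamic)[0]
        else:
            name, pos = read_string(block, pos)
        value, pos = read_string(block, pos)
        if add:
            dynamic.insert(0, (name, value))
        headers.append((name, value))
    return headers

def request_headers(wire=SAMPLE_WIRE):
    """Decoded headers of the first HEADERS frame in the stream (or [])."""
    blocks = [p for name, _f, _s, p in parse_frames(wire) if name == "HEADERS"]
    return decode_hpack(blocks[0]) if blocks else []
```

Call `request_headers()` and compare with `b"GET" in SAMPLE_WIRE`: the method, scheme and path are single index bytes into the static table and never appear as text, and only because the sample skips Huffman coding does "example.com" survive as a greppable string. Put TLS on top, as every browser does, and a string-matching proxy or IDS is left with nothing at all.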

Credential Guard / VBS

Rafal Wojtczuk from Bromium elegantly dissected Microsoft's VBS. He pointed out the compromises Microsoft had to make in the design, the areas of weakness, the complexity, the need to configure it precisely, and its dependencies on other protections such as Secure Boot and a TPM.

This technology is definitely not the panacea that Microsoft would have had us believe when it was first announced.


BloodHound

The Empire folks released BloodHound, a tool that applies graph theory to AD relationships (group membership, local admin rights, and logon sessions) to find attack paths.

We all knew that AD will willingly spew out tons of valuable configuration information to any authenticated user that asks. We also knew that local admin group contents are vital; that the Help Desk folks are some of the most valuable targets in the enterprise AD.

I was nonetheless totally blown away when I saw the visualization graphs showing AD attack paths. Nothing less than incredible.
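What the visualization boils down to is a shortest-path search over a directed graph, so here is an added example of that search on a constructed toy domain; it is not BloodHound's code, and the nodes, edges and domain name are invented. The three edge kinds are the ones BloodHound's collector populates: MemberOf, AdminTo and HasSession. Beyond the attacker's shortest path it also ranks users by hops to Domain Admins (the defender's view of who is most valuable to an attacker) and lists the edges on a path whose removal would actually close it.

```python
"""Added example: the graph search behind BloodHound's attack paths, run on a
constructed toy domain. Not BloodHound's code; nodes, edges and domain are invented."""
from collections import deque

# Node types as BloodHound labels them; all names are made up.
NODE_TYPES = {"bob@corp.local": "User", "alice@corp.local": "User", "carol@corp.local": "User",
              "dave@corp.local": "User", "helpdesk@corp.local": "Group", "sales@corp.local": "Group",
              "it admins@corp.local": "Group", "domain admins@corp.local": "Group",
              "ws01.corp.local": "Computer", "ws02.corp.local": "Computer"}
# Directed edges (source, relationship, target), the kinds the collector fills in:
# MemberOf (group membership), AdminTo (local admin rights), HasSession (logged-on user).
EDGES = [
    ("bob@corp.local", "MemberOf", "helpdesk@corp.local"),
    ("helpdesk@corp.local", "AdminTo", "ws01.corp.local"),
    ("ws01.corp.local", "HasSession", "alice@corp.local"),
    ("alice@corp.local", "MemberOf", "domain admins@corp.local"),
    ("carol@corp.local", "MemberOf", "sales@corp.local"),
    ("carol@corp.local", "MemberOf", "helpdesk@corp.local"),
    ("sales@corp.local", "AdminTo", "ws02.corp.local"),
    ("ws02.corp.local", "HasSession", "bob@corp.local"),
    ("dave@corp.local", "MemberOf", "it admins@corp.local"),
    ("it admins@corp.local", "MemberOf", "domain admins@corp.local"),
]
TARGET = "domain admins@corp.local"

def adjacency(edges, reverse=False):
    """node -> [(relationship, neighbour)]; reverse=True flips every edge."""
    adj = {}
    for src, rel, dst in edges:
        if reverse:
            src, dst = dst, src
        adj.setdefault(src, []).append((rel, dst))
    return adj

def shortest_path(edges, start, target):
    """Breadth-first search; returns the path as [(src, rel, dst), ...] or None."""
    adj, prev, queue = adjacency(edges), {start: None}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in adj.get(node, []):
            if nxt not in prev:                 # first visit is the fewest hops
                prev[nxt] = (node, rel)
                queue.append(nxt)
    if target not in prev:
        return None
    path, node = [], target
    while prev[node] is not None:
        src, rel = prev[node]
        path.append((src, rel, node))
        node = src
    return path[::-1]

def hops_to(edges, target, node_types, kind="User"):
    """Reverse BFS from the target: hop count per node of the given type, riskiest first."""
    adj, dist, queue = adjacency(edges, reverse=True), {target: 0}, deque([target])
    while queue:
        node = queue.popleft()
        for _rel, nxt in adj.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    ranked = [(n, d) for n, d in dist.items() if node_types.get(n) == kind]
    return sorted(ranked, key=lambda item: (item[1], item[0]))

def choke_points(edges, start, target):
    """Edges on the shortest path whose removal leaves no path at all: the fixes that matter."""
    path = shortest_path(edges, start, target) or []
    return [e for e in path if shortest_path([x for x in edges if x != e], start, target) is None]

if __name__ == "__main__":
    for step in shortest_path(EDGES, "bob@corp.local", TARGET):
        print("%s -[%s]-> %s" % step)
    print("hops to", TARGET, hops_to(EDGES, TARGET, NODE_TYPES))
    print("cut any of:", choke_points(EDGES, "carol@corp.local", TARGET))
```

In the toy domain, bob reaches Domain Admins in four hops purely through the help desk group's local admin rights and a Domain Admin's session on one workstation, and the choke-point list for carol shows that removing her help desk membership alone changes nothing (the longer route via sales still works) while clearing alice's session on ws01 closes every path. That is exactly the prioritization the graph gives a defender.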

The death of the password

Yep, I was late to the party. But a kind soul at BH pointed out the new NIST proposed password standards. It was as if someone had said that motherhood was a lie.

No more expiration or password complexity requirements? The reusable password is a what? a vulnerability?

And yet this is obvious technical reality.

(Update 16-8-08: The NIST blog article was an April Fool's gotcha. Oops. But then I noticed that BSidesLV has a Passwords16 track exclusively dedicated to the "(in)security of passwords". There is even a Con (https://passwordscon.org/) about AuthN. So it must be an important issue. Right?)
