This year's Black Hat information security conference in Las Vegas set an attendance record -- and brought attention to a host of severe security threats. Presentations ranged from how any USB device could be hacked and creating fake Web sites, to the discoveries that Russian hackers had amassed 1.2 billion logins and that 2 billion smartphones were vulnerable to hijacking.
Dan Geer, the chief information security officer for In-Q-Tel, an Arlington, Virginia-based non-profit venture capital firm, focused on public policy recommendations for information security in his keynote address.
Geer said a mandatory reporting system for significant security vulnerabilities should be created, similar to the system the federal Centers for Disease Control and Prevention has for pandemic outbreaks. He also said software developers should legally liable for their source code, and the government should compensate people who discover security flaws.
Geer supported a recent European Union court finding that individuals have the "right to be forgotten." "There is something important about being able to reinvent ourselves," he said at a press conference following his keynote.
New Year, New Threats
Attendance at Black Hat grew from 7,500 last year to a record 8,000 this year, forcing the conference to relocate from Caesar's Palace to the more spacious Mandalay Bay Convention Center, with attendees from 91 countries. The conference, which wrapped up Thursday, was the 17th such meeting since its launch in 1997.
Researchers presented their latest findings on the newest threats and vulnerabilities to information security. This year's conference touched not only on security for Web sites and personal computers, but also on the increasing number of devices and infrastructure being connected through the Internet. Researchers from Qualys, for example, demonstrated that airport scanners used by the U.S. Transportation Security Administration could be attacked through backdoor accounts embedded in the agency's firmware.
Berlin-based security firm Security Research Labs demonstrated that the firmware that controls USB functions could be used by hackers to take control of computers. The finding could represent an entirely new class of attack for which there are no current defenses. The flaw allows hackers to reprogram a USB device's firmware with malicious code, allowing them to gain access to PCs connected to the infected device, and issue their own commands. Unauthorized users could use the flaw to install malware, access files, or issue commands.
Another major vulnerability revealed at Black Hat affects the HTTPS protocol, which uses encryption to help users browse the Web securely. The so-called Cookie Cutter attack detailed at the conference allows hackers to steal users' cookies and impersonate Web sites hosted by Akamai, including popular sites such as CNN, LinkedIn and the National Security Agency (NSA).
Researchers Mathew Solnik and Marc Blanchou, meanwhile, demonstrated that 2 billion devices around the world are vulnerable to remote hijacking by malicious attackers, thanks to secret management control software installed on the devices by manufacturers at the behest of telecoms.
Passwords, the perennial whipping-boy of the Internet, came in for even more abuse this year as a Chinese/American research team was able to show how algorithms could extract passwords by analyzing video of users' finger movements while accessing their accounts.
One of the bigger themes from this year's Black Hat was the danger presented not by individual hackers operating alone and for their own benefit, but by governments with the money and resources to surveil, control and attack the information systems of their own citizens.
Over a year after the revelations of ex-NSA contractor Edward Snowden, government agencies continued to generate a significant amount of the heat in the information security sector. The Tor network, a system for browsing the Internet anonymously, was revealed to be vulnerable to attacks designed to eliminate user anonymity.
In one of Black Hat's most dramatic story lines, Alexander Volynkin, the Carnegie Mellon researcher who discovered the flaw, abruptly canceled his presentation that would have divulged more details, at his employer's insistence. Tor discovered it was the victim of an extensive attack designed to divulge the user details of its network. Although the identity of the attacker is unknown, an article by reporter Glenn Greenwald had previously disclosed that the NSA had attacked the Tor network.
But the Russian underworld proved that governments have not yet cornered the market on terrifying online behavior. A group of a dozen or so criminals operating out of southern Russia without apparent government connections were reported to have amassed a database of more than 1.2 billion login and password combinations, according to U.S. security firm Hold Security.