Black Hat 2019: Q&A with McAfee
Now in its 22nd year, Black Hat is an information security event showcasing the latest research, newest technology, scariest threats, and biggest trends. Around 19,000 security professionals will be taking over Las Vegas’s Mandalay Bay during the six-day event.
Before the security world convenes the first week in August, I spoke with McAfee leadership and threat researchers about the major themes we should expect to see at Black Hat and DEF CON this year.
Q: What should attendees watch out for at this year’s Black Hat?
Steve Povolny, Head of Advanced Threat Research: This year will piggyback on some of the themes we’ve seen developing in recent Black Hat briefings, including a growing focus on emerging technologies such as autonomous and connected vehicles, blockchain, and 5G, among many others. Some of the key industries under extra scrutiny include industrial control systems, aviation and aerospace, and supply chain. Finally, there is a continued and now-standard focus on crypto, mobile, and cloud/virtualization security.
Douglas McKee, Senior Security Researcher: Once again, Black Hat will have a great variety of talks for both the offensive- and defensive-minded individual. One of the newest topics we are starting to see will be on deepfakes. As social engineering continues to have a large impact on every security discipline, the concept of deepfakes becomes something to watch out for.
Q: What topic(s) do you think will play an important role at this year’s Black Hat and DEF CON?
Povolny: I foresee vehicle security continuing to generate heavy interest, as well as cloud and virtualization attacks. The more popular mobile device sessions are typically well attended, and we’ve had a spate of recent high-profile vulnerabilities that may drive even heavier traffic this year. Industrial controls are receiving renewed focus, though I’m surprised to see little to nothing in the area of medical devices given the security research community’s focus on this topic for the last 12-18 months.
McKee: Topics focused around our critical infrastructure and transportation will continue to play an important role, as these topics are growing fast with a security focus. As major companies continue to strive towards greater automation, how we protect this automation will play a key role in our everyday lives.
Philippe Laulheret, Senior Security Researcher: Although it’s not new, hackers and security researchers are looking into the security of secondary targets and then pivoting towards their main goal, which is usually hardened and more difficult to reach. Of particular interest are two talks centering on communication modules, and few others concerning equipment. Targeting VoIP phones, printers, faxes, etc., is really interesting: These devices sit on the network, are hard to monitor, and if compromised, can be used as a stepping stone to attack other machines. At the same time, they’re also valuable targets for eavesdropping or stealing confidential information.
Q: What is one of the biggest cyber concerns in 2019, and how can consumers or enterprises stay protected?
Povolny: The BlueKeep vulnerability (CVE-2019-0708) is a prime example of what should be top of mind for both enterprises and consumers. As WannaCry quickly taught the world, eliminating legacy operating systems and defunct protocols should be a foremost priority. These systems tend to be the most valuable targets, as attackers can reach millions of targets quickly through self-propagating code. I anticipate we will likely still see BlueKeep exploited publicly, perhaps (and maybe likely) turned into a worm in 2019. This is a rare opportunity for consumers and enterprise to address a likely breach before it happens, and to invest extra attention into removing or securing similar systems.
McKee: In 2019 it is almost impossible to buy a device that doesn’t have an IP address; everything is network connected. As both consumers and enterprises, we need to stay vigilant about what devices and information we are allowing to connect to the internet. Both our homes and offices are only as strong as our weakest device. The industry needs to continue to invest in developing secure products from the beginning while consumers direct extra attention to what they are buying.
Q: What are you hoping to get out of Black Hat or DEF CON this year and what do you want your attendees to take away from your session?
Povolny: I’m always interested in which topics tend to generate the most interest and why. So, I will be curious to see if my assessments of the most interesting topics are on point and will be spending additional time networking with researchers and attendees to find out what is driving them towards the topic. I’ll be speaking on IoT security, which encompasses threats across many of the industries, devices, protocols and technologies being presented at this year’s Black Hat. I’m hoping to give attendees a better understanding of the breadth and depth of the problem space and what the impacts are to them by showing them first-hand research from McAfee’s Advanced Threat Research team on a few IoT targets.
McKee: As a security researcher, I am always most interested in what new techniques the industry has uncovered to continue to find new vulnerabilities. It’s a constant game between evolving protections and new bypasses. In my session at DEFCON, I hope to convey some of the new methods we have used over the last year. More importantly I hope to highlight how, when researchers work together with vendors, very critical vulnerabilities can be swiftly mitigated.
Laulheret: My presentation, “Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices,” is part of the DC 101 track and has the same aspiration of sharing one’s passion. The goal of this track is to get people up to speed on topics they are not familiar with yet. Hardware hacking can be intimidating if you are coming from a software background or if you never had any electronic/electricity classes. What I really want for this session is to show people that hardware hacking is neither hard nor scary, and by learning the basics, they will be able to investigate devices from their day-to-day life, potentially finding previously unknown critical flaws. There’s something extremely empowering in gaining the ability to dissect devices that used to be magic black boxes sitting on your network.
Best ways to catch McAfee at Black Hat & DEF CON:
Steve Povolny, Head of Advanced Threat Research
Wednesday, August 7 | 12:40pm PT | Business Hall Theater B
DEF CON: Intro to Embedded Hacking—How You, Too, Can Find A Decade-old Bug In Widely Deployed Devices
Philippe Laulheret, McAfee Security Researcher
Thursday, August 8 | 1:00pm PT | Paris Theater
DEF CON: HVACking: Understand the Difference Between Security and Reality
Douglas McKee, McAfee Senior Security Researcher
Mark Bereza, McAfee Security Researcher
Friday, August 9 | 1:00pm PT | Track 2
Visit us at Booth #914 and test your hacking skills with our Capture the Flag contest.
Be sure to follow @McAfee for real-time updates from the show throughout the week.