Security reflections and implications from Black Hat and DEF CON
Every year, two of the most significant security conferences, Black Hat and DEF CON, are held in the same week in Las Vegas. Black Hat is the leading practical information security event and DEF CON is the associated hacker convention. Both are full of practical, real-world examples, lessons learned, and live hacks and demonstrations. It has been a few weeks since the events and we have had some time to reflect on what we saw and heard and on what it means for security and payments, so here is a brief rundown of our thoughts from the two events.
During the keynote, an interesting perspective was shared on the growing disparity between attackers and defenders. Defenders are typically security professionals trying to protect their organization's digital assets: they have to play by the rules, work with limited resources, and deal with organizational challenges such as improving security without sacrificing agility. Attackers, on the other hand, have no rules to follow, can focus entirely on their targets, and are increasingly well resourced.
Some of the key themes explored at Black Hat/DEF CON this year were AI and machine learning, blockchain, IoT and election security. AI and machine learning are being used at many organizations (including WePay) to strengthen security and fraud-management tools across the whole range of possible approaches. But there are serious real-world consequences to deploying these technologies without adequate testing and controls. The future of cryptocurrencies is highly debatable; however, their underlying technology, blockchain, has some real promise and can help build highly secure distributed systems for a variety of applications across different industries. The financial services industry has already adopted blockchain for use cases such as payments and insurance. IoT security remains a highly worrying area, with numerous hacks targeting everything from smart home appliances to cars to baby monitors.
Some of the other highlights from the conferences included:
- In terms of security issues relevant to payments, mPOS (mobile point-of-sale) devices came under scrutiny again. Researchers identified a flaw that lets a fraudulent merchant modify what the customer sees on the device's screen. The device could show that a transaction failed when it actually succeeded and prompt the customer to pay twice. The display could also be manipulated to ask the customer to swipe the card's magnetic stripe instead of using the more secure chip; magnetic stripe data is static and trivially copied, so that exposes the victim to well-known card-cloning attacks. Another flaw found in these devices was insecure Bluetooth pairing between the mPOS reader and the merchant's mobile device, which potentially lets an attacker sitting in the same cafe connect to the reader without being detected. Overall, the recommendation is to avoid swiped transactions and stick to chip transactions, which offer better protection.
- With quantum computing gaining momentum over the last few years, there has been discussion about whether today's crypto algorithms could withstand the computational power of a quantum computer. For symmetric ciphers, the general view in the security community is that a quantum computer running Grover's algorithm would roughly halve the effective key length, leaving AES-128 with about 64 bits of security (breakable, in theory), while AES-256 would retain about 128 bits and should survive for a long while. The bigger concern is public-key cryptography: Shor's algorithm would break RSA and elliptic-curve schemes outright, which is why post-quantum replacements are being developed.
- One researcher presented on breaking private RSA keys using only public key material collected from the internet with a "key reaping machine". They examined over 340M public keys for patterns and managed to break PGP, SSH and other keys.
- While one 11-year-old was busy hacking a replica of the Florida election information website, another was presenting at the Biohacking Village on a "WaterBot" designed to dispense liquid (water, plant food or other media) and report how much was administered and when. It was fascinating to see the next generation of hackers tackling real-world problems at such a young age!
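The RSA talk above describes recovering private keys from nothing but a large collection of public keys. One well-known way that works is the shared-prime attack: if a poorly seeded random number generator ever produced the same prime in two different keys, the gcd of the two moduli reveals that prime, and once one factor is known the private exponent follows directly. Comparing every pair of 340 million keys is infeasible, so the practical tool is Bernstein's batch GCD, which finds every shared factor in one pass using a product tree and a remainder tree. The Python below is an added, self-contained example written for this post; it is not the researchers' tool or WePay code, and it makes no claim about which method that talk used. The key material is constructed from small primes for readability (real RSA primes are about 1024 bits), and key_A and key_B are deliberately built to share a prime.

```python
"""Shared-prime attack on a collection of RSA public keys using a batch GCD."""
from math import gcd

E = 65537  # the usual RSA public exponent

# Constructed toy key material (NOT real keys): six ~20-bit primes. Real RSA
# primes are ~1024 bits, but the arithmetic below is identical at any size.
# key_A and key_B share P_SHARED, which is exactly the flaw the attack finds.
P_SHARED = 1000003
KEYS = {
    "key_A": (P_SHARED, 1000033),
    "key_B": (P_SHARED, 1000037),
    "key_C": (1000039, 1000081),
    "key_D": (1000099, 1000117),
}
# An attacker only sees the moduli; the factors above are just for building them.
MODULI = {name: p * q for name, (p, q) in KEYS.items()}


def product_tree(leaves):
    """Return every level of the product tree, leaves first, root (the full product) last."""
    tree = [list(leaves)]
    while len(tree[-1]) > 1:
        level = tree[-1]
        tree.append([level[i] * level[i + 1] if i + 1 < len(level) else level[i]
                     for i in range(0, len(level), 2)])
    return tree


def batch_gcd(moduli):
    """For each modulus N_i return gcd(N_i, product of all the other moduli).

    Bernstein's trick: with P the product of every modulus, (P mod N_i^2) / N_i
    equals (P / N_i) mod N_i, so its gcd with N_i exposes any prime N_i shares
    with another key. The remainder tree computes all P mod N_i^2 values in
    quasi-linear time instead of O(n^2) pairwise gcds.
    """
    tree = product_tree(moduli)
    rems = tree.pop()  # [P]
    while tree:
        level = tree.pop()
        # child i of this level hangs under node i // 2 of the level above
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]


def recover_private_key(n, e, p):
    """Given a modulus and one proper prime factor, rebuild the private exponent d."""
    q, r = divmod(n, p)
    if r != 0 or p in (1, n):
        raise ValueError("p is not a proper factor of n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def break_shared_prime_keys(moduli, e=E):
    """Run the batch GCD over a key collection; return {name: d} for every broken key."""
    names = list(moduli)
    broken = {}
    for name, g in zip(names, batch_gcd([moduli[k] for k in names])):
        n = moduli[name]
        # g == 1: nothing shared. g == n: a duplicate modulus, handled separately.
        if 1 < g < n:
            broken[name] = recover_private_key(n, e, g)
    return broken


if __name__ == "__main__":
    cracked = break_shared_prime_keys(MODULI)
    print("keys broken:", sorted(cracked))
    m = 123456789
    c = pow(m, E, MODULI["key_A"])
    print("ciphertext to key_A decrypts with recovered d:",
          pow(c, cracked["key_A"], MODULI["key_A"]) == m)
```

Only the two keys that share a prime come back with a factor; the other moduli return a gcd of 1, so a clean key collection yields nothing. With the factor in hand, recover_private_key rebuilds d and a ciphertext encrypted to key_A decrypts correctly, which is the practical meaning of "breaking" the key. Defensively, the same batch gcd is a cheap check to run over your own fleet of SSH host keys and TLS certificates before someone else does.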