Top 3 Takeaways from Black Hat 2016

While I’ve been working in identity and access management (IAM) space since the early 1990s, this was the first year that I attended Black Hat, and it is the first year that Centrify has sponsored the event with a booth. 


In preparation for it, we heard from many who had attended in the past about potential cyberattacks at the event. As a result, we made sure that everyone attending was prepared and knew what to expect based on previous reports from Black Hat events that we found including:

The Black Hat website also posted an article about a new vulnerability in Apple iOS and OS X, which has been fixed in the latest update from Apple. So, we made sure everyone was running the latest version of iOS and OS X, and then told everyone not to use any public WiFi or even the hotel WiFi, to connect to the Internet only through their cell phone with cable-based tethering, and not to use Bluetooth. See, we’d heard about the Wall of Sheep and didn’t want anyone from our company to show up on it, even though we have multi-factor authentication (MFA) enabled on nearly everything. People show up on the Wall of Sheep when their user ID and password are sent in the clear over the conference network and captured by whoever is sniffing it. Well, I was frankly disappointed not to find the Wall of Sheep, which apparently would go up the day after, at DefCon.

However, despite that disappointment, I found the sessions I went to very interesting, and here are my top three takeaways: 

  1. Apple is now widely used enough that both hackers and security professionals are turning their attention to the platform. The hackers are finding vulnerabilities, as described in a session I attended on “Rooting OS X via the Window Server,” while others are building utilities to help find malware and to lock down security settings that would help prevent those attacks. Apple also explained during a session how they built the security for the latest version of iOS and OS X, and announced a bounty program to reward the efforts of those who help find vulnerabilities so that they can fix them. I’ve always been a fan of Apple and still feel safer with my Apple devices now that I know a lot more about the built-in security and the security that we provide at Centrify to keep them secured with both EMM services and AD Group Policies.
  2. There were also several very interesting sessions on Amazon Web Services that, given the popularity of AWS, were filled to near capacity. These sessions showed just how powerful the automation within AWS can be, both for an admin legitimately using the service and for an attacker. A service such as Lambda can be turned into a persistence mechanism in a compromised AWS account: the attacker deploys a function, triggered whenever an IAM user is created, that automatically creates IAM access keys for that user and sends them to the attacker. This survives a clean-up in which the defender purges and recreates the user accounts, because every recreated user gets a fresh backdoor key the moment it exists; the attacker keeps control until the function, its trigger and its execution role are found and removed. However, I didn’t hear anyone talking about federation as an alternative to IAM user logins. Federation is a much better defense here because it doesn’t require long-lived IAM users at all: login is based on SAML, the user assumes a role through STS, and the credentials issued are temporary and expire on their own, so there is no standing population of IAM users whose keys a backdoor can mint (a backdoored account still needs its rogue functions and roles removed, of course).
  3. Another interesting session highlighted the fact that some vulnerabilities rest on very old technology that is in every version of Windows dating back to Windows 95, so it pays to be old enough to remember why some of the older basic firewall rules are in place, such as blocking NetBIOS traffic on UDP port 137 (the NetBIOS name service). Yang Yu showed how to exploit this old name-resolution protocol to hijack a victim’s network traffic and establish a BadTunnel, even across a firewall or NAT device that wasn’t configured to block port 137: the victim itself initiates the UDP 137 exchange with the attacker’s host, so the firewall lets the spoofed name reply back in. Blocking port 137 outbound as well as inbound, or disabling NetBIOS over TCP/IP where it isn’t needed, is what actually closes the path.
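
The Lambda persistence pattern in item 2 is easiest to appreciate from the defender’s side. Below is an added example (my own illustration, not code from the talks or from Centrify’s products) that runs a simple detection over constructed CloudTrail records: it flags CreateAccessKey calls made by an assumed role rather than by the user, and any key minted within a few minutes of CreateUser. The account ID, role name and user names are made up.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail records (not real logs): an account 123456789012 in
# which a Lambda function running as "backdoor-role" mints access keys for
# IAM users as soon as they exist.
SAMPLE_TRAIL = json.loads("""
{"Records": [
 {"eventTime": "2016-08-03T17:00:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"type": "IAMUser", "userName": "alice",
                   "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"userName": "alice"}},
 {"eventTime": "2016-08-03T17:05:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateUser",
  "userIdentity": {"type": "IAMUser", "userName": "admin",
                   "arn": "arn:aws:iam::123456789012:user/admin"},
  "requestParameters": {"userName": "bob"}},
 {"eventTime": "2016-08-03T17:05:04Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/backdoor-role/backdoor-fn"},
  "requestParameters": {"userName": "bob"}},
 {"eventTime": "2016-08-03T17:30:00Z", "eventSource": "iam.amazonaws.com",
  "eventName": "CreateAccessKey",
  "userIdentity": {"type": "AssumedRole",
                   "arn": "arn:aws:sts::123456789012:assumed-role/backdoor-role/backdoor-fn"},
  "requestParameters": {"userName": "carol"}}
]}
""")["Records"]


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_key_backdoor(records, window_seconds=300):
    """Flag CreateAccessKey calls that look like automated persistence:
    keys minted by an assumed role (e.g. a Lambda execution role) rather
    than by the user, or minted within window_seconds of CreateUser."""
    findings = []
    created_at = {}                      # userName -> time of CreateUser
    for ev in sorted(records, key=_when):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        actor = ev["userIdentity"]
        if ev["eventName"] == "CreateUser":
            created_at[params["userName"]] = _when(ev)
        elif ev["eventName"] == "CreateAccessKey":
            # With no userName parameter the key is for the caller itself.
            target = params.get("userName") or actor.get("userName")
            if actor["type"] == "IAMUser" and actor.get("userName") == target:
                continue                 # a user rotating their own key
            reasons = []
            if actor["type"] == "AssumedRole":
                reasons.append("key minted by an assumed role, not by a user")
            age = _when(ev) - created_at.get(target, datetime.min)
            if age <= timedelta(seconds=window_seconds):
                reasons.append("minted %ds after CreateUser" % age.total_seconds())
            if reasons:
                findings.append({"time": ev["eventTime"], "user": target,
                                 "actor": actor["arn"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect_key_backdoor(SAMPLE_TRAIL):
        print(json.dumps(finding))
```

Pointing this at real data means replacing SAMPLE_TRAIL with the parsed Records array of your CloudTrail files. Admins who legitimately create keys for new users will also appear, so a finding is a trigger for review, not proof of compromise. Note that a federated SAML user creating a key also shows up as an AssumedRole caller, so in a federated account the role name in the actor ARN is what tells you whether a person’s role or a Lambda execution role did it.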

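For item 3, as an added example that is not part of the original post or of Yang Yu’s material, here is a small NetBIOS Name Service (UDP 137) packet builder and parser in Python, plus a check that flags WPAD name answers coming from, or pointing to, an address outside the LAN. The addresses, names and transaction ID are constructed.

```python
import ipaddress
import struct

NB_TYPE, IN_CLASS = 0x0020, 0x0001     # NetBIOS RR type, class IN


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001): pad the name to 15 bytes, append the
    suffix byte, then emit each nibble as a letter A..P; label length 32."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"


def decode_nb_name(data, offset=0):
    """Inverse of encode_nb_name; returns (name, suffix, offset past label)."""
    enc = data[offset + 1:offset + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], offset + 34


def build_query(txid, name):
    hdr = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)   # RD+B, 1 question
    return hdr + encode_nb_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def build_response(txid, name, ip, ttl=300):
    """Positive name query response mapping `name` to `ip`."""
    hdr = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # QR+AA, 1 answer
    rdata = struct.pack(">H", 0x0000) + ipaddress.IPv4Address(ip).packed
    rr = struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, len(rdata)) + rdata
    return hdr + encode_nb_name(name) + rr


def parse_response(pkt):
    """Return the first NB answer of an NBNS response, or None for queries."""
    txid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or ancount == 0:
        return None
    name, suffix, off = decode_nb_name(pkt, 12)
    rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
    if rtype != NB_TYPE or rdlen < 6:
        return None
    ip = ipaddress.IPv4Address(pkt[off + 12:off + 16])   # skip 2-byte NB flags
    return {"txid": txid, "name": name, "suffix": suffix, "ip": str(ip)}


def suspicious_wpad_answers(datagrams, lan):
    """Flag NBNS answers for WPAD that come from, or point to, a host outside
    the local network: NBNS is a link-local protocol, so such an answer can
    only be a spoof that reached the victim through a firewall/NAT pinhole."""
    lan = ipaddress.IPv4Network(lan)
    hits = []
    for src, pkt in datagrams:
        r = parse_response(pkt)
        if r and r["name"] == "WPAD" and (ipaddress.IPv4Address(src) not in lan
                                          or ipaddress.IPv4Address(r["ip"]) not in lan):
            hits.append((src, r["txid"], r["ip"]))
    return hits


# Constructed sample traffic (not a real capture): a victim on 10.0.0.0/24 asks
# for WPAD; a LAN file server answers for its own name; an Internet host answers
# the WPAD query with a matching transaction ID, which is the BadTunnel move.
SAMPLE_DATAGRAMS = [
    ("10.0.0.23", build_query(0x1234, "WPAD")),
    ("10.0.0.5", build_response(0x0042, "FILESRV", "10.0.0.5")),
    ("203.0.113.9", build_response(0x1234, "WPAD", "203.0.113.9")),
]

if __name__ == "__main__":
    for src, txid, answer in suspicious_wpad_answers(SAMPLE_DATAGRAMS, "10.0.0.0/24"):
        print("spoofed WPAD answer from %s (txid 0x%04x) -> %s" % (src, txid, answer))
```

The check is deliberately narrow: NBNS answers are only meaningful from the local segment, so a WPAD answer from a routed address is the fingerprint of a reply that slipped through a UDP/137 pinhole. It does not replace the real fix, which is to disable NetBIOS over TCP/IP where it isn’t needed and to block UDP/137 in both directions at the perimeter.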
I left Black Hat with an appreciation for the persistence of the hacker, and, more importantly, for the security vulnerability experts that provide the checks and balances needed to keep software companies honest and able to build the best security they can into their products to prevent vulnerabilities. It’s one of the reasons that we take security seriously at Centrify and work hard to maintain our track record with our SOC2 auditors and white hat consultants.

But, I’m still disappointed I didn’t get to see the Wall of Sheep, so next year I’ll have to stay for DefCon.
