Fuzzing, Transparency, Bug Reporting, Security Basics and More Highlighted
Locknote panel from left: Jeff Moss, Leigh-Anne Galloway, Daniel Cuthbert, Marina Krotofil
As in years past, this year's Black Hat Europe in London ended with a "locknote" panel, designed to bookend the conference's opening keynote with takeaways at the close of the event.
On Thursday, the final day of this year's annual cybersecurity conference, Black Hat founder and organizer Jeff Moss (@thedarktangent) took to the stage, joined by several members of the Black Hat review board. The board reviews and selects all of the conference briefings. Organizers said they received more submissions for this year's event than ever and pointed to strong showings from academia as well as vendors in the final mix of briefings they selected.
Here are some of the locknote panelists' top takeaways from this year's conference.
Fuzzing is Hot
So, from a research standpoint, what's popular this year? "We saw plenty of submissions on fuzzing and AI," said Leigh-Anne Galloway (@L_AGalloway), a security researcher at Positive Technologies who not only joined Moss for the locknote panel but presented at this year's conference on vulnerabilities in contactless payment systems that use near-field communications.
Two briefings on fuzzing made the final cut, but none on artificial intelligence or machine learning.
"Fuzzing is a really interesting way to find bugs," said Abhishek Arya, a member of the Google Chrome Security Team, during "ClusterFuzz: Fuzzing at Google Scale," a briefing he co-delivered on Wednesday. "Think of it as a way of pushing a program so hard that it falls off a cliff ... and this turns up really unexpected issues."
Arya founded ClusterFuzz, a highly scaled and automated fuzzing workflow and infrastructure that Google uses to fuzz its own products. Since then, the effort has grown, providing free fuzzing to 200 open source projects - including OpenSSL and ImageMagick - and spotting more than 8,000 security vulnerabilities so far. But Arya said beyond finding security flaws, fuzzing can also locate more general engineering flaws. He noted a common misbelief he hears from software development groups is that "we don't need fuzzers if our project is well unit-tested."
Security Teaching: Implementation Problem
One trend that locknote panelist Marina Krotofil (@Marmusha) said gives her hope is that a notable number of the 45 briefings accepted this year were delivered by those working in academia, which she said shows that many academics are looking for solutions to meaningful problems. "We had more than seven works from academia, which is absolutely amazing," said Krotofil, who's an industrial control systems senior security engineer at a large chemical company.
But she said that many universities need to do more to give students more practical cybersecurity skills. "Where security is mostly broken is in implementation," she said. "We teach the fundamentals of security, but we do not teach, for example, how to build a successful authentication scheme."
Always Sexy: Doing the Basics
One question posed to the locknote panel by an audience member: Why does the industry continue to overcomplicate things, when so many times, doing the basics is what is going to best solve a problem?
"Basic isn't sexy. Go to RSA. You're going to see something that fixes cancer. Really, it's phenomenal. And the problem is, that sells," said locknote panelist Daniel Cuthbert (@dcuthbert), global head of security research for Banco Santander.
What typically has the biggest impact is ensuring much more basic cybersecurity improvements are in place, he said. "Give people a password manager and don't make them change passwords. That solves a lot of this."
Cloud Offers Complexity Salvation
"Who thinks things will get more complex in the future, and who is trying to make their environments less complex?" Moss asked. He said that making the basics stick involves constant efforts to simplify, and, if necessary, to rebuild things from scratch to lose legacy engineering and achieve simpler results.
Cuthbert said help is available in the form of the cloud, which is enabling many organizations to fix what was wrong before, including making their environments less complex.
Transparency Is Increasing
Galloway said another trend she's been seeing is the "growth in vendors being more transparent, and we had a lot of talks in the schedule that represent that, which probably wouldn't have been in the schedule a few years ago."
Vendors Are Getting More Involved
Presentations at this year's conference were made by employees of such organizations as Facebook, Google, Microsoft and Panasonic, "including talks from Microsoft about how bad Azure is," Cuthbert said during the locknote panel. He noted that in August, at the Black Hat conference in Las Vegas, automotive manufacturer BMW even appeared on stage with cybersecurity researchers from Tencent, where they discussed Tencent's ethical hacking review of multiple BMW cars' electronic control units.
"Is that a recognition that there is some value in this community, and that we're not trying to burn your house down? And if so, why now?" Moss asked.
"This is really tricky, because I don't think it applies to all industries," Galloway said. But she noted that over the past decade, more and more vendors have been willing to disclose breaches or vulnerabilities, which may be making it more of a norm across many industries.
"It's like we're running out of industries" in which cybersecurity is not a key component, Moss said.
Consumer Selling Point: Security
But some industries' transparency moves still leave room for improvement, panelists said. On the other hand, transparency is increasingly being bolstered by consumer demand. "People have understood ... the danger [posed by] devices as well as how they can be abused," Krotofil said.
"We don't buy a car that we know will kill us," Cuthbert said. "When you have an iPhone, you know it's secure, and that you're not going to get popped easily. You expect it to be secure, and that's now being sold as a benefit."
Vulnerability Reporting Needs To Be Easier
But the locknote panel agreed that more organizations need to ensure they make it easy to report security vulnerabilities. Cuthbert urged everyone to embrace the proposed "security.txt" standard, which involves placing a file of that name in a specified directory inside every website and online service, so security researchers have a contact point for reporting vulnerabilities to an organization's security team.