Connect with us

Hi, what are you looking for?


Black Hat

Dispatches from Black Hat USA 2016

Let me put on my roving reporter hat for a minute and share some dispatches from this year’s Black Hat conference in Las Vegas.

Let me put on my roving reporter hat for a minute and share some dispatches from this year’s Black Hat conference in Las Vegas.

Registration was surreal because the adjacent conference was an pet-related conference called SuperZoo so the hallways featured scary hacker hoodie posters on one side, and then happy pets wearing poo-proof purple plastic gloves bounding through grass on the other. 


Jeff Moss, the Dark Tangent himself, gave a short speech on how speed was the most important metric in security right now. Speed is what CEOs and CIOs are talking about. For example: speed to mediation. Speed is the current language in security.

Dan Kaminsky gave a ranging (some have said “rambling”) but passionate speech where he acknowledged that “this” Internet is designed so that nobody is in charge (and “this” Internet is very good at moving cat pictures). But it would benefit from a group like the “NIH for Cyber” to at least vet out and endorse technology/best practices.

Kaminsky described that, without SSH, Cloud may not have happened, given that without remote access, we would all be maintaining servers on-premises. He also believes that DNS is guaranteed to be around for another 25 years.

Dan mentioned the need for an “Autoclave”; a way to put virtual machines back into known good states after exploitation. The problem here is the “known” part: can we trust Cloud providers?

Recover a RSA Private Key from a TLS Session with Perfect Forward Secrecy

Advertisement. Scroll to continue reading.

Marco Ortisi described how previous research warned of the ability to obtain an RSA Private key by exploiting a vulnerability in the RSA-CRT algorithm, which is used by default in almost every known crypto algorithm.

SonicWall published a vulnerability in the past, but indicated the attack requires a sophisticated tool that is not available to the public. Ortisi smiled and said “until now.”

He launched into an elegant overview of RSA, the theory of the attack, and then demonstrated it using tools he had developed. In essence, there are vectors that can introduce faulty digital signatures used in RSA cryptography by disrupting the mathematics used: CPU overheating, RAM errors, exposure to solar rays.

RSA signatures are embedded during the SSL/TLS negotiation. Using methods to disrupt the math and cause a faulty signature, the p or q value can be obtained, and the RSA key calculated, from an uncompressed TCP stream. Ortisi’s slides can be found here.

Researchers find four flaws in HTTP/2

HTTP/2 adoption is spreading across the internet. HTTP/2 includes many speed-related inmprovements over HTTP/1.1 including compression, multiplexing and server push. However, researchers at Blackhat unveiled at least four different attacks against HTTP/2 servers, mostly involving denial of service. One particularly cute attack a compression bomb where the attacker can send about 4K of data and trick the server into unpacking nearly a 1G of junk into its ram. Enough of these will crash the server.

The researchers suggest that until the protocol can be fixed, sticking a web application firewall (WAF) in front of the service provides a point of remediation. That’s always good advice, HTTP/2 or no.

Chip and PIN Attack for $50,000

Researchers with Rapid 7 unveiled an attack against the EMV chip in your Chip and PIN card that enabled unauthorized transactions. By making a new skimmer device (which they called a shimmer), and transmitting information to a smartphone controller, the researchers posited they could trick an ATM into dispersing up to $50,000.

A colleague of mine, who prefers to remain unnamed, worked at a major credit card processing firm for a decade. He had this to say about the hack.

The idea was that since EMV was impossible to hack, then the only way fraudulent charges could be incurred was if the cardholder lost/surrendered/had stolen the card, and simultaneously shared the PIN. Under those circumstances, the banks and merchants could shift all fraud liability to the cardholder. This was scary indeed for cardholders. Fortunately, we have this hack to disprove the assertion that the cardholder is always responsible for fraud with EMV cards.”

Disrespecting Nonces: Attacks on GCM

Sean Devlin and Hanno Böck gave a great talk about GCM nonce disrespecting.  They probed “the internet” looking for bad uses of AES-GCM nonces, finding about 200 hosts repeating nonces and tens of thousands that use random 64-bit nonces.

Both are forbidden and can lead directly to forgeries (though the former is clearly more perilous). They implemented Joux’s attack against repeated nonces which was immediate, and with such high probability that the speakers presented their slides as forged content through a UK government website which misused nonces in this way.

Most of the Internet has switched over to AES-GCM, which means tens of millions of HTTPS servers are using it correctly. But it looks like a few aren’t J

Random Gossip

On the second day, word spread about massive layoffs (300-400 people) at FireEye. Yet FireEye had the largest, best-placed booth at the show. 

Notable for their absence was Juniper, who despite posting good numbers last quarter, didn’t front a booth at Black Hat this year. 

Splunk ran out of medium T-shirts before I could get over there. Again. This happens to me about half the time, so my collection of their hilarious shirts is growing but only slowly.

From One SuperZoo to the Next 

This year’s Black Hat conference had some great technical talks, good foot traffic, and was notable for a lack of glitches. Kudos to the organizers. 

Now your roving reporter is off to another zoo, this one called “Defcon 24.” Stay tuned. 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

Black Hat

Cris Thomas, also known as Space Rogue, was a founding member of the Lopht Heavy Industries hacker collective.

Black Hat

Hundreds of companies and organizations showcased their products and services this week at the 2023 edition of the Black Hat conference in Las Vegas.

Black Hat

LAS VEGAS – The security industry makes its annual pilgrimage to the hot Sonoran desert this week for skills training, hacking demos, research presentations...

Black Hat

The cybersecurity industry heads to Las Vegas this week for Black Hat in a state of economic contraction, confusion and excitement. Can the promise...

Black Hat

Sin City, A.K.A Las Vegas, Nevada – is once again playing host this week to the Black Hat and DEFCON security conferences. With throngs...

Black Hat

Bypassing Air Gap Security: Malware Uses Radio Frequencies to Steal Data from Isolated Computers 

Black Hat

The first entirely virtual edition of the Black Hat cybersecurity conference took place last week and researchers from tens of organizations presented the results...