This is a guest post by Sean Michael Kerner
The week known colloquially as "Hacker Summer Camp" is a week like no other on the infosec calendar, with not one but three large security conferences that serve to inform and educate IT professionals.
Across BSides LV, Black Hat USA and DEF CON 27, just about every conceivable (and some inconceivable) topic related to information security and privacy was discussed. While Black Hat and DEF CON in particular have long been home to researchers disclosing some of the most innovative attacks and risks, an overarching theme this year was the need for improved collaboration across all aspects of security.
Part of that improved collaboration starts with empowering IT security teams to say Yes more often than they say No. During the Black Hat keynote, Jeff Moss, the founder of Black Hat and DEF CON, commented that security now has the attention of management and executive teams, but that now is the time to figure out what to do with that potential influence.
"If you communicate well to the board, you might get more budget, but if you communicate poorly, you might get fired," Moss said. "The quality of our communications determines a lot of our outcomes."
According to Moss, many problems are communications problems, and if organizations can fix their communications problems they will end up with better technical outcomes. Moss' message was amplified in the main keynote, delivered by well-known security researcher and security advocate Dino Dai Zovi.
"Security is all about cultivating empathy," Dai Zovi said. "The reason I say cultivating is because it's something you practice, it's something you can grow."
He added that by better understanding, and communicating about, what the needs of developer and operations teams are, better security outcomes can be achieved.
Security Exploits and Bug Bounties
Black Hat wouldn't be Black Hat without the big exploit disclosures, and the 2019 event didn't disappoint. Among the large disclosures was QualPwn, which was discussed in sessions at both Black Hat and DEF CON. According to the researchers from Tencent, the full exploit chain allows attackers to compromise the Android kernel over-the-air in some circumstances.
Among the most interesting sessions at Black Hat was one titled "GDPArrr: Using Privacy Laws to Steal Identities," in which Oxford University researcher James Pavur outlined how ambiguity in some of the European Union's General Data Protection Regulation (GDPR) enabled him to gain unauthorized access to his fiancée's personal information.
Apple made a big splash at the event, announcing an increase in its bug bounty program, which will now pay researchers up to $1 million for responsibly disclosing security vulnerabilities. Apple first announced its bug bounty program, which rewards researchers for privately disclosing vulnerabilities, at the Black Hat USA 2016 event, with a top reward of $200,000.
Printer security was also in the crosshairs over at DEF CON, with researchers from NCC Group detailing a litany of flaws in commonly deployed printers that could potentially enable compromise by an attacker. The big theme from a media perspective coming out of DEF CON this year, however, was once again election security, as multiple speakers, sessions and a hands-on lab in the Voting Village talked about the challenges facing election infrastructure.
Fundamentally, though, across the dozens of presentations and sessions that I attended during Hacker Summer Camp, researchers almost always had the same message at one point or another: there is a need to communicate and collaborate. Whether it's the need to collaborate on election security, improve regulations to actually protect users, or fix specific flaws in technology, there is a clear need for all stakeholders in the IT security community to continue to collaborate better.
"Start with Yes. We need to engage the world, starting with Yes and here's why: it keeps the conversation going, it keeps the conversation collaborative and constructive," Dino Dai Zovi said. "It says I want to work to solve this and whatever other problems you have."
The contents or opinions in this feature are independent and may not necessarily represent the views of Cisco. They are offered in an effort to encourage continuing conversations on a broad range of innovative technology subjects. We welcome your comments and engagement.