Building a Culture of Security: 73 articles Summarizing Black Hat USA 2019

If there was a common theme at the 2019 Black Hat USA conference in Las Vegas, it may well have been security culture. Culture emerged in some of the most prominent sessions and talks, including, notably, a keynote address by Dai Zovi and a session presented by Equifax CISO Jamil Farshchi.

That’s our observation as we spent the week both at the show – and monitoring news that emerged. As we did with the Black Hat USA 2018 conference, and the 2019 RSA Conference, we’ve curated the following links so that it might serve as a useful reference.

Cloud Native Now

While we do highlight a few points that stood out for us, the order in which these articles are listed are not intended to convey merit or importance.

Summarizing the Black Hat Keynote

1) Black Hat 2019: Security Culture Is Everyone’s Culture (Dark Reading) via Kelly Sheridan

“Business management and political leaders recognize the importance of security; now, the infosec community must learn how to handle the spotlight.”

2) Black Hat Keynote: Why Security Culture Needs to Change (CSO Online) via J.M. Porup

“Finding ways to make security everyone’s responsibility, and ensuring failure is treated as a learning experience, and not a blame game, is the best way to scale security across an organization.”

3) Black Hat 2019 Keynote: Software Teams Must Own Security (Search Security) via Michael Heller

“In the keynote for Black Hat 2019, Square’s Dino Dai Zovi emphasizes security as a collaborative effort by all software teams that relies on communication, automation and feedback.”

4) Black Hat 2019: Security’s Powerful Cultural Transformation (Threat Post) via Tara Seals

“Digging beyond this umbrella idea, Dai Zovi highlighted three transformational principles for boosting the impact of security within organizations. One: Work backward from the job to be done. Two: Seek and apply leverage, develop feedback loops and scale with software automation. And three: Understand that culture trumps strategy and tactics, every time.”

7) Ill Communication: Improving Security by Talking It Out (Decipher) via Dennis Fisher

“Communication is just transmitting information between humans. Risks are shared. If you can reinforce that security is everyone’s job, you can move toward a more generative culture.”

8) Black Hat USA 2019 Keynote: Every Security Team is a Software Team (Black Hat / YouTube)

>>> Also see: “It is everyone’s business and responsibility” – 40+ Cybersecurity Professionals Share What They Wish Business Leaders Would Understand in Their Own Words

Talks and Threats from Black Hat

9) Black Hat: Lessons Learned from the Equifax Data Breach (Channel Futures) Edward Gately

“[Current Equifax CISO] Farshchi was with Home Depot at the time and recalls the home improvement giant being negatively impacted because it was an Equifax customer. He also was with NASA when the Space Shuttle Challenger exploded and said all of these incidents occurred because of an issue with culture. The main issue is failing to bridge an organization’s technical aspects with its non-technical aspects.”

10) Equifax CISO: ‘Trust Starts and Ends with You’ (Dark Reading) Jai Vijayan

“One of the main takeaways from major data breaches like the one at Equifax in September 2017 is that organizational culture is fundamental to a good security posture, said Jamil Farshchi, the credit monitoring bureau’s CISO, in a talk here today.”

11) 13-Year-Old Encryption Bugs Still Haunt Apps and IoT (Wired) via Lily Hay Newman

“Chau’s research focuses on flaws in how RSA cryptography can be set up to handle signature validation, checks to ensure that a “signed” chunk of encrypted data was actually verified by the sender, and that the signature hasn’t been tampered with or manipulated along the way. Without strong signature validation, a third party could manipulate data or send fake data that appears to come from a trusted source.”

12) Hidden Algorithm Flaws Expose Websites to DoS Attacks (Wired) via Lily Hay Newman

“But new research detailed Thursday at the Black Hat cybersecurity conference in Las Vegas shows how a small, seemingly innocuous input for an algorithm can cause it to do a huge amount of work—slowing a service down or crashing it entirely in the process, all with just a few bytes.”

13) Project Zero Wants You To Help Make 0-Day Hard (Decipher) via Dennis Fisher

“Good defense requires a detailed knowledge of offense. We approach vulnerability research the way that an attacker does.”

14) ‘Dupe’ There it is: SAML Authentication Bypass Threatens Microsoft (Search Security) via Rob Wright

15) Black Hat: GDPR Privacy Law Exploited to Reveal Personal Data (BBC) Leo Kelion

16) Talk about unintended consequences: GDPR is an identity thief’s dream ticket to Europeans’ data (The Register) via Iain Thomson

17) #BHUSA: How GDPR Can Help Attackers Steal Identities (Infosecurity Magazine) via Sean Kerner

“The weak point in GDPR targeted by Pavur is the Right of Access provision, which gives European citizens the right to request all of their data from a given provider that holds information on them.

Using a simple email, that included basic information, such as name, email and phone number, Pavur sent off requests to over 150 organizations to see what kind of response he could get, and ended up getting some surprising results.”

18) #BHUSA: DevSecOps, Looking Beyond the Buzzword (Infosecurity Magazine) via Sean Kerner

19) #BHUSA Empathy is Key to Hiring and Retaining Women in Cybersecurity (Infosecurity Magazine) via Eleanor Dallaway

“Not only is the industry not seeing positive trends in this space, but actually in many areas we are seeing worsening statistics. For example, there has been a steady decrease in women graduating with computer science degrees over the past 35 years.”

20) Black Hat and Defcon Look to Boost Diversity Through Day Care (CNET) via Alfred Ng

“It’s harder than you think to run a day care at the largest hacking conferences in the world.”


21) Warshipping: Attackers can Access Corporate Networks Through the Mailroom (Help Net Security) via Zeljka Zorz

“The expression has been coined by IBM X-Force Red researchers to describe a new attack vector, which consists of covertly delivering to the target’s premises small devices that can be used to gain access to the home or office wireless network and assets connected to it.”

22) Black Hat USA 2019: IBM X-Force Red Reveals New ‘Warshipping’ Hack To Infiltrate Corporate Networks (Forbes) via Jeb Su

“Similar to wardriving, when you cruise a neighborhood scouting for Wi-Fi networks, warshipping allows a hacker to remotely infiltrate corporate networks by simply hiding inside a package a remote-controlled scanning device designed to penetrate the wireless network–of a company or the CEO’s home–and report back to the sender.”

23) Hackers Arrive via Special Delivery (Axios) via Joe Uchill

24) Hack-age delivery! Wardialing, wardriving… Now warshipping: Wi-Fi-spying gizmos may lurk in future parcels (The Register) via Iain Thomson

25) Security Flaw Could Turn Load Balancers into Beachheads for Cyber attacks (Help Net Security)

26) Microsoft Ignored RDP Vulnerability Until it Affected Hyper-V (Bleeping Computer) via Ionut Ilascu

27) New Windows Process Injection Can Be Useful for Stealthy Malware (Security Week) via Eduard Kovacs

“Malware can use process injection techniques to inject code designed for a specific operation into a legitimate process that can help it achieve its goal. Malware can leverage process injection for stealth and to bypass security mechanisms.”

28) Black Hat 2019: Microsoft Protocol Flaw Leaves Azure Users Open to Attack (Threat Post) via Lindsey O’Donnell

29) Researchers Discovered a Big Security Flaw in This Important Microsoft Product (Fortune) via Jonathan Vanian

“Researchers have found a big security hole in some popular Microsoft software that they speculate could have impacted the company’s Azure cloud computing service.”

30) Vulnerability Exposed Microsoft Azure Users to Cyberattack (Motherboard) via Karl Bode

31) Boeing 787 On-Board Network Vulnerable to Remote Hacking, Researcher Says (Dark Reading) via Kelly Jackson Higgins

“Ruben Santamarta last fall discovered an Internet-exposed Boeing Co. server housing firmware specifications for the aviation manufacturer’s 787 and 737 airplane networks…He meticulously reverse-engineered the binary code and analyzed configuration files – uncovering multiple security vulnerabilities that could allow an attacker to remotely gain access to the sensitive avionics network of the aircraft, also known as the crew information systems network.”

32) Researchers Find Vulnerabilities in Boeing 787 Firmware (Security Week) via Ionut Arghire

33) Not just customer databases lying around on the web. 787 jetliner code, too, security bugs and all (The Register) via Iain Thomson

34) #BHUSA: Cult of the Dead Cow Members Discuss Hacktivism, Influence & Politicians (Infosecurity Magazine) via Dan Raywood


35) You can easily secure America’s e-voting systems tomorrow. Use paper – Bruce Schneier (The Register) via Iain Thomson

36) Election Hacking Takes Center Stage

(CBS News) via Dan Patterson

37) Election Security Threats: From Misinformation to Voting Machine Flaws (Threat Post) via Lindsey O’Donnell

“From insecure voting machines to social media misinformation, governments have a lot to think about when it comes to securing elections.”

38) New Speculative Execution Vulnerability Gives CISOs a New Reason to Lose Sleep (Dark Reading) via Curtis Franklin

“The vulnerability, dubbed SWAPGS, is an undetectable threat to data security, similar in some respects to Spectre and Meltdown.”

39) Spectre, Meltdown Patches Won’t Fix New ‘SwapGS’ Intel Flaw (PC Magazine) via Neil Rubenking

“All of these attacks make use of a technology called speculative execution. Effectively, the CPU guesses that execution is going to proceed down one of two branches, so it executes that branch in a kind of trial mode. If in fact the other branch is appropriate, it discards the traces of the trial. A tech running the program in a debugger can’t see the speculative execution, but leaves traces in CPU caches.”

40) News & Analysis / How Often Can One Program Infect Another? Let Us Count the Ways (PC Magazine) via Neil Rubenking

41) Black Hat 2019: Addressing Supply-Chain Risk Starts with People, Microsoft Says (Threat Post) via Tara Seals

“People like to think about hardware as the main supply-chain threat, but really, you need to start with people – your contractors and partners.”

42) Single Sign-on Still Open to Attack: An Inside Look (Tech Beacon) via Robert Lemos

“Between 2010 and 2016, only seven vulnerabilities reported in the National Vulnerability Database included the term “authentication bypass.” In 2017, that number rocketed to 50. In 2018, some 85 vulnerabilities were reported, and 2019 is on track to log a similar number.”

43) Mimecast Rejected Over 67 Billion Emails. Here’s What It Learned (Dark Reading) via Steve Zurier

“The report, ‘Mimecast’s Threat Intelligence Report, Black Hat Edition 2019,’ leverages the processing of some 160 billion emails during the period of April 2019 to June 2019. During this time, Mimecast rejected more than 67 billion of those emails and based its subsequent analysis on rejections classified as spam, opportunistic and targeted attacks, and impersonation detections.”

44) Black Hat 2019: 5G Security Flaw Allows MiTM, Targeted Attacks (Threat Post) via Tara Seals

“…many of the security protocols and algorithms for 5G are being ported from the previous 4G standard, which researchers have found can still allow device fingerprinting for targeted attacks as well as the possibility of man-in-the-middle (MiTM) offensives.”

45) Critical RCE Bug Found Lurking in Avaya VoIP Phones (Threat Post) via Tara Seals

46) Ransomware Sees Triple-Digit Spike in Corporate Detections (Threat Post) via Tara Seals

“This year we have noticed ransomware making more headlines than ever before as a resurgence in ransomware turned its sights to large, ill-prepared public and private organizations with easy-to-exploit vulnerabilities such as cities, non-profits and educational institutions.”

47) Researchers Bypass Apple FaceID Using Biometrics ‘Achilles Heel’ (Threat Post) via Lindsey O’Donnell

48) Hackers Can Break Into an iPhone Just by Sending a Text (Wired) via Lily Hay Newman

“At the Black Hat security conference in Las Vegas on Wednesday, Google Project Zero researcher Natalie Silvanovich is presenting multiple so-called “interaction-less” bugs in Apple’s iOS iMessage client that could be exploited to gain control of a user’s device.”

49) Apple Opens up Hacker-friendly iPhone to Researchers at Black Hat (CNET) via Alfred Ng

50) How Apple Pay Buttons Can Make Websites Less Safe (Wired) via Lily Hay Newman

“But at the Black Hat security conference in Las Vegas on Thursday, one researcher is presenting findings that this integration inadvertently introduces vulnerabilities that could expose the host website to attack.”

51) Apple Upgrades Bug Bounty Program: Adds Macs, $1M Reward (Threat Post) via Lindsey O’Donnell

52) Apple Expands Bug Bounty Program, Opens it to all Researchers, Raises Rewards (Help Net Security) via Zeljka Zorz

53) Apple’s $1 Million Bug Bounty Comes Under Fire  (Infosecurity Magazine) via Dan Raywood

54) Black Hat: LeapFrog Tablet Flaws Let Attackers Track, Message Kids (Threat Post) via Lindsey O’Donnell

55) Security Vulnerabilities Are Increasingly Putting Kids at Risk

(Threat Post) via Lindsey O’Donnell

56) Black Hat 2019: Ethical Hackers Must Protect Digital Human Rights (Threat Post) via Lindsey O’Donnell

“Security has long focused on protecting company data and providing cyber-defense for governments, and ignoring a broader issue: Those utilizing the endpoint devices, some of whom may be a target of human rights violations. Society has a responsibility to recognize the importance of protecting these individuals’ rights as well, argued Bruce Schneier, fellow at the Harvard Kennedy School, Eva Galperin, director of cybersecurity at Electronic Frontier Foundation, and Camille Francois, chief innovation officer at Graphika.”

57) WhatsApp Hack Attack Can Change Your Messages (Forbes) via Davey Winder

58) Whatsapp Flaw Could Allow Hackers to Alter and Manipulate Messages (The Telegraph) via Margi Murphy and Hannah Boland

59) Why North Korea is a Different Kind of Cyberthreat (Fifth Domain) Andrew Eversden

60) How Uncertainty in the Cyber Domain Changes war (Fifth Domain) Andrew Eversden

“The origins of attacks in the cyber domain, particularly those of advanced persistent threats like nation-state actors, aren’t easy to pinpoint, making a decision to respond to a cyberattack with kinetic means, like missiles and bombs, more risky.”

>>> Also see: 5 Fundamentals for Mitigating the Risk of Laterally Spreading Malware

Observations from Black Hat 2019

61) What is Black Hat and why is it so important? (ZDNet) via Dan Patterson

62) Black Hat 2019: The Craziest, Most Terrifying Things We Saw (PC Magazine) via Neil Rubenking and Max Eddy

63) Analyzing the Black Hat USA 2019 Business Hall (Swagida) via Kelly Shortridge

“Exactly like last year, 46% of the vendors in the Business Hall are startups backed by venture capital (VC) firms. Private companies represent only 13% of total vendors this year (vs. 17% last year), and there are far more acquired companies (“M&A” within the chart) this year (8% vs. 5% in 2018).”

64) Looking for Answers at Black Hat 2019: 5 Important Cybersecurity Issues (CSO Online) via Jon Oltsik

“As Black Hat 2019 begins, the cybersecurity topics top of mind include network security platforms, threat detection/response services, new cloud security strategies, and clarification around security analytics.”

65) Live Blog: Black Hat USA 2019 Cybersecurity Conference (MSSP Alert) via Joe Panettieri

66) Photo Gallery: Black Hat USA 2019 (Help Net Security)

67) Photo Gallery: Black Hat USA 2019, Part Two (Help Net Security)

>>> Also see: What the Top 25% of Cybersecurity Pros do Differently in Strategy, Risk and Communication

Select Announcements Made at Black Hat 2019

68) Morphisec Announces 2019 Women in Cybersecurity Scholarship Winners (PRWeb)

“Scholarships awarded to three female students to encourage young women poised to enter the cybersecurity field globally.”

69) Secureworks® Extends Red Cloak™ TDR with Managed Services to Help More Companies Leverage the Power of Its Cloud-Native Software (Secureworks)

70) 20 Hot New Cybersecurity Products Unleashed At Black Hat Las Vegas 2019 (CRN) via Michael Novinson

71) AttackSurfaceMapper Automates the Reconnaissance Process (Help Net Security) via Zeljka Zorz

“AttackSurfaceMapper, a new open source OSINT tool created by Andreas Georgiou and Jacob Wilkin, security consultants at Trustwave SpiderLabs, automates the process of collecting data that can help pentesters find a way into targets’ systems and networks.”

72) Microsoft Names Top Security Researchers, Zero-day Contributors (ZDNet) via Catalin Cimpanu

73) NSA’s Reverse-engineering Malware Tool, Ghidra, to get New Features to Save Time, Boost Accuracy (CyberScoop) via Shannon Vavra

* * *

Do you have a link you think should be added? Tweet us up @BricataInc.

If you enjoyed this post, you might also like:
Four-Time CEO Says Corporate Culture is the Most Important Defense in Cybersecurity

*** This is a Security Bloggers Network syndicated blog from Bricata authored by Bricata. Read the original post at:

Cloud Capabilities Poll