I was lucky enough to represent The Cyber Hut as an analyst at the Blackhat EMEA event in London this week at the ExCel.
This four-day security extravaganza tours the world, and I attended the keynote and briefing sessions on the 6th and 7th. Clearly this is a broader security conference, but as always the role of identity and access management appears in more ways than before, and often in slightly less obvious ways. Some highlights for me included:
Team Work to Counteract Adversarial Asymmetric Advantage
Ollie Whitehouse, the recently appointed CTO at the UK’s National Cyber Security Centre, opened the Wednesday session with what was essentially a keynote call to arms for industry. As we face adversarial pressure from a range of both nation-state and highly motivated, financially driven cyber criminals, the public and private sectors must work more closely to improve standards and to share threat intelligence, architectural best practice and research ideas. Only then can defenders gain the upper hand against adversaries who hold an asymmetric advantage, unconstrained by the legal and moral groundings defenders find themselves on.
Legacy Protocols and the Importance of Data Integrity
The next talk on Wednesday morning that caught my eye was “Millions of Patient Records at Risk…”, a topic that surely makes the blood of many patients and healthcare practitioners alike run cold. The focus was on the DICOM and PACS image processing and storage protocols used to manage the handling of things like MRI scans. The talk discussed research highlighting that the backend services used to process this information are not only sometimes internet facing, but also have limited access control enforcement, often allowing remote updates using relatively simple-to-craft payloads. This touches on a topic that The Cyber Hut has seen emerge in different areas over the past 12 months: the importance of data integrity. We tackled this in episode 32 of The Week in Identity podcast, where we discussed how the ability to detect (or better, prevent) unauthorized changes to things like profile data or personal records is becoming ever more important.
Password Managers on Mobile: Another Reason to Ditch the Password
Later on Wednesday, Ankit Gangwal gave a talk on AutoSpill: A Zero Effort Credential Stealing mechanism used against mobile password managers. We all hate passwords. Application owners and service providers hate having to store passwords. We now have a range of strong MFA and passwordless authentication standards such as FIDO2, WebAuthn and, more recently, Passkeys. Yet password managers on both desktop and mobile provide a solid countermeasure against password reuse and poor password generation. In his talk, Ankit showed how the Android API, in conjunction with some malicious code, can essentially allow apps outside the scope of the one requesting specific usernames and passwords to gain access to the values. Yet another driver, if we need one, to ditch shared-secret-based authentication entirely.
Attacking AI with Images and Sound
It wouldn’t be a contemporary security conference without reference to AI and LLMs (Large Language Models). A novel approach to attacking multi-modal LLMs with an indirect prompt injection was discussed by the research team at Cornell Tech. Multi-modal models accept images and sound as well as text as inputs, before releasing the output solely as text. Maliciously manipulating the input images with embedded nudges and content can ultimately get the model to consume this data and replay it back to the requester. It is a difficult-to-detect approach which can have far-reaching consequences. Could this be leveraged for impersonation attacks during identity proofing?
When the Physical Door Becomes a Digital Entry Point
The final briefing I attended on Wednesday was a discussion taking a look at physical access control entry systems based on OSDP (Open Supervised Device Protocol). These door systems use an integrated circuit physical access card as a form of possession factor, the typical “something I have”. Clearly these cards can be stolen and, if not tied to a biometric or PIN overlay, can be used by an impersonator. However, this talk focused on the backend interactions of the OSDP-based system and how these can be attacked to create a denial of service on the card reader, as well as to allow an adversary to move laterally via serial comms and ultimately gain access to the central processing service on the internal IP network.
Is the CISO Role Becoming Too Difficult?
Day 2 saw former Uber CISO Joe Sullivan give the morning keynote, where he provided a detailed and thought-provoking talk on the trial he went through. The talk detailed the process of setting up and managing complex bug bounty programmes and the nuance this can create with respect to hunter payment and non-disclosure agreements. Sullivan raised the question of whether the CISO role is becoming too difficult to recruit for, with the liability of a breach and the bad publicity it can generate becoming potentially too off-putting even for the most capable and resilient security leaders. He articulated the need to get the correct cyber security view into the regulation and legal discussions that are taking place across our industry, as is already happening for technologies such as digital currency and AI.
Router Credential Theft and Man in the Middle
The final talk on day 2 that gave me food for thought was a discussion of an exploit against ASUS routers and the dynamic DNS process used to register their host name. ASUS routers are a popular selection for home use in both EMEA and North America. The talk highlighted how a combination of a mobile administration app and unsecured backend DNS services can be manipulated to create malicious DNS entries pointing towards spoofed sites that look like the local administration page of a home router. These malicious sites are then used to capture the admin credentials for the router, allowing takeover. The DNS service was accepting new entries for routers without performing any real authentication or authorization, allowing a simple-to-craft record carrying the malicious IP to be submitted.