Black Hat USA and DefCon: Finding Security Risks in All the Things

In years past, the security of payment systems was a primary topic as attackers demonstrated how to hack ATM systems as well as point of sale terminals. That topic will be discussed at this year’s Black Hat event as well. Two talks will focus on breaking payment systems, including one from security firm Rapid7 on how to hack next-generation ATMs.

There is also a session from NCR security researchers Nir Valtman and Patrick Watson on breaking payment points of interaction (POI), including how to bypass EMV (chip and PIN).

Among the big highlights of the Black Hat 2015 event was a session in which security researchers Charlie Miller and Chris Valasek detailed flaws they found in a Jeep that led to the recall of 1.4 million vehicles. The two car hackers are back again this year, with even more research into how cars, and specifically the CAN (Controller Area Network) message bus, can be attacked.

“In this talk, we discuss how physical, safety critical systems react to injected CAN messages and how these systems are often resilient to this type of manipulation,” the talk abstract states. “We will outline new methods of CAN message injection which can bypass many of these restrictions and demonstrate the results on the braking, steering, and acceleration systems of an automobile.”

Cyber Grand Challenge to Take Place at DefCon

DefCon 24, which runs Aug. 4-7 at Las Vegas’ Bally’s and Paris hotels, will also provide all manner of interesting security talks and challenges. Among the big events is the U.S. government’s Defense Advanced Research Projects Agency (DARPA) Cyber Grand Challenge (CGC), in which seven autonomous computing systems will compete in what is being billed as the world’s first all-machine hacking tournament.

DARPA isn’t the only U.S. government agency represented at this year’s DefCon. Terrell McSweeny, commissioner of the Federal Trade Commission, will speak about how the FTC wants to improve consumer privacy and how security professionals can help.

A talk that federal officials are likely to have an interest in is one from security researcher Sebastian Westerhold, who is set to detail critical flaws in the Traffic Collision Avoidance System (TCAS) used in modern aviation.

Security researcher Chris Rock, meanwhile, is looking to give an even more intriguing talk this year than the one he gave last year. At DefCon 23, Rock gave one of the more interesting talks—on how to forge birth and death certificates. This year, he is back but this time his talk isn’t about life and death, but rather about how to overthrow a government, using digital tools.

“Chris will walk you through a cyber regime change from start to finish on a real country and show you how to architect a coup achieving the same result as a traditional mercenary operation without any blood spilt,” the session abstract states.

Looking forward to the massive volume of threat information coming this week is somewhat overwhelming, as it would seem that no stone of our digital world has been left unturned in the search for vulnerabilities.

While anxiety over security risks is understandable, soliciting fear is not what Black Hat and DefCon are all about. The simple truth is that there is no such thing as security by obscurity and by bringing issues to light in internet of things (IoT) and internet protocols and everything in between, fixes can be made, infrastructure can be hardened and the world might just become safer as a result.

Originally published on eWeek

Quiz: What do you know about cybersecurity in 2016?