Previewing Black Hat Europe 2023 in London: 16 Hot Sessions

•
December 4, 2023    

Winter in London features Hyde Park’s Winter Wonderland, Christmas lights galore, and for those who love cybersecurity, the return of Black Hat Europe.

See Also: Fog of War | How the Ukraine Conflict Transformed the Cyber Threat Landscape

The four-day conference at the ExCel conference center in London Docklands features two days of training followed by two days of keynotes and research presentations.

The more than 40 keynotes, briefings and panel presentations promise to touch on everything from kernel exploits, quantum cryptography and the mass pwning of routers, to tracking nation-state attackers, dissecting iOS zero-days and training generative AI to attack.

Here’s a preview of just some of the hot-looking sessions:

Day 1: Wednesday, Dec. 6

• Industrializing Cyber Defense in an Asymmetric World – 9:00 a.m.: How can defenders create an industrialized approach to cybersecurity that better stands up against attackers who know no legal, moral or ethical rules? Ollie Whitehouse, who recent joined Britain’s National Cyber Security Center as its CTO, details his vision for a better cyber defense tomorrow.





• Millions of Patient Records at Risk: The Perils of Legacy Protocols – 10:20 a.m.: A massive quantity of patients’ medical images, stored in the industry standard DICOM format – for Digital Imaging and Communications in Medicine – are sitting on internet-exposed endpoints ripe for exfiltration or alteration by hackers, warn researchers from Aplite GmbH. To help, they’ll detail “practical recommendations for medical institutions, healthcare providers and medical engineers to mitigate these security issues and safeguard patients’ data.”




• LogoFAIL: Security Implications of Image Parsing During System Boot – 10:20 a.m.: Customizing the logo displayed by a Windows system when it boots might sound like harmless fun, but a team of researchers from firmware supply chain security platform Binarly discovered that many of the image parsers now built into UEFI firmware have flaws that attackers could subvert to execute arbitrary code on a system before Secure Boot even activates. Count device vendors Intel, Acer and Lenovo among the concerned, as the full extent of the problem remains unclear (see: LogoFAIL Bootup Flaw Puts Hundreds of Devices at Risk).





• The Magnetic Pull of Mutable Protection: Worked Examples in Cryptographic Agility – 11:20 a.m.: Four top security researchers promise to demystify what organizations need to do now to begin transitioning to post-quantum secure methodologies by helping them to answer this question: “How do you go about fully understanding what cryptography you have, how it is used and if it’s good or bad?”
  
  
  
• Something Rotten in the State of Data Centers – 1:30 p.m.: Researchers from Trellix detail critical vulnerabilities they’ve discovered in two widely used types of data center appliances. Some are in a DDI solution – which combines DNS, DHCP and IP address management, or IPAM – while the others exist in a kernel-based virtual machine. The researchers say the flaws are a reminder that data centers are not inherently more secure than any other type of computing environment.





• Through the Looking Glass: How Open-Source Projects See Vulnerability Disclosure – 2:30 p.m.: Marta Rybczyńska, who’s part of the Eclipse open-source software development community, will share lessons learned for avoiding misunderstandings and communication problems for researchers when reporting flaws to open-source project teams, as well as what project teams can do to not just improve the quality of reports received but their developers’ ability to rapidly respond to them.




• TsuKing: Coordinating DNS Resolvers and Queries Into Potent DoS Amplifiers – 2:30 p.m.: Researchers from Beijing’s Tsinghua University will detail “TsuKing,” a DNS amplification attack they’ve discovered that can be used to chain together vulnerable DNS resolvers to create massive denial of service attacks. They say more than 1 million open DNS resolvers suffer from the vulnerabilities, and fixes from multiple vendors are in progress.





• Security Through Transparency: Scaling Your Customer Trust Program – 3:20 p.m.: Ayoub Fandi, a staff field security engineer with GitLab, will detail how to use such tactics as using public-facing wikis and security Q&A databases to improve cybersecurity communications with customers and prospects.





• Locknote: Conclusions and Key Takeaways from Day 1 – 4:20 p.m.: Black Hat’s creator and founder, Jeff Moss, will take to the stage joined by fellow security experts Daniel Cuthbert and Saša Zdjelar, who both serve on the Black Hat submission review board, to recap takeaways from the day’s presentations and how practitioners might employ them.

Day 2: Thursday, Dec. 7

• My Lessons From the Uber Case – 9:00 a.m.: Joe Sullivan, Uber’s former CSO, recaps lessons he thinks all cybersecurity professionals should learn from the federal case against him, which resulted in two felony convictions. Sullivan was sentenced to probation.




• My Invisible Adversary: Burnout – 10:20 a.m.: Google’s “Response Whisperer” Johan Berggren and “Chaos Specialist” Matt Linton promise to share lessons learned from the technology giant’s efforts to not just keep the members of its on-call security team sane but to give them a health work/life balance.





• Old Code Dies Hard: Finding New Vulnerabilities in Old Third-Party Software Components and the Importance of Having SBoM for IoT/OT Devices – 11:20 a.m.: For device manufacturers, the guiding principle of “security via obscurity” too often reigns, warn researchers from Forescout Technologies. They’ll detail 20 serious flaws they discovered in the open-source and internal code running on a widely used wireless gateway device, as well as how multiple commercial tools for building a software bill of materials failed to detect the open-source components running on the devices.





• Sweet QuaDreams or Nightmare Before Christmas? Dissecting an iOS 0-Day – 1:30 p.m.: “What does a modern, top-tier, iOS spyware implant look like? What is the state-of-the-art in mobile threats? And what is the likelihood of you or your employees being targeted by such an attack?” Researchers Christine Fossaceca from Microsoft and Bill Marczak from Citizen Lab will detail a zero-click exploit – known as both “KingsPawn” and “EndOfDays” – used by QuaDream, a commercial spyware vendor that competes with NSO Group.




• Kidnapping Without Hostages: Virtual Kidnapping and the Dark Road Ahead: 2:30 p.m.: Virtual kidnapping involves attackers knocking a victim offline – using technical or social engineering means – then demanding a ransom from their relatives. Attackers are continuing to refine their tactics using generative AI, warn two researchers from Trend Micro, who will analyze tools and tactics used in actual cases of virtual kidnapping, as well as potential red flags and defenses.





• 1 Million ASUS Routers Under Control: Exploiting ASUS DDNS to MITM Admin Credentials – 2:30 p.m.: Researchers from Japan’s National Institute of Information and Communications Technology detail a critical flaw they discovered – and reported to the vendor – in 1 million in-use Asus routers that can be used to steal admin credentials for the devices via a man-in-the-middle attack.






• Locknote: Conclusions and Key Takeaways from Day 2 – 4:20 p.m.: This daily wrap-up will feature takeaways from the conference and how these trends will affect information security as we know it, analyzed by Black Hat founder Jeff Moss, joined by conference review board members and speakers.

The above list isn’t meant to be exhaustive but rather to give a flavor of the many superb-looking briefings happening at Black Hat Europe 2023. Hope to see you there.