Concisely summarizing my thoughts is not exactly my strong suit, especially when I’m about to run out the door. Normally, I opt not to write because I’d rather write something impactful and grammatically correct, which means I don’t get it done. See? Look! I’m already off on another tangent.
OK. The Black Hat briefings are done and here are my main takeaways from everything I tried to soak in:
Day One: It’s all about people
I have long argued that cyber security is a human issue, not a technical issue, and continue to do so. There were three sessions I hit on Day One that really drove this home. In “Exploiting Curiosity and Context,” Zinaida Benenson presented her research on using spearphishing to get people to click on malicious links. Even though most people were aware that clicking could be dangerous, they were curious, so they clicked anyway. What was telling is that after her Black Hat talk abstract was published, she herself fell victim to two spearphishing attacks.
Elie Bursztein presented “Does Dropping USB Drives in Parking Lots and Other Places Really Work?” later in the day. And [spoiler alert!] sadly, it does. And yeah, curiosity was a big motivator for people to pick up a USB drive off the ground and pop it into their computers. His best quote was something along the lines of, “You wouldn’t eat food off the ground; it could make you sick. So why would you pick up a USB off the ground?” The second half of his talk was about his project to make his own USB sticks, which you can read about on his site.
Could some of these show up on the ground at the next 1NTERRUPT? I’m not saying…
The final presentation I attended was “Watching Commodity Malware Get Sold to a Targeted Actor” by Israel Barak, which was nothing short of fascinating. He explored the business of selling bots (compromised computers) by walking through one of the black market sites that deals in them. The level of professionalism, the maturity of the market, and the volume of bots for sale were a mind-blowing, sobering reminder of what we in the security community are up against. It also drove home the point that everybody needs to realize that they are a target, regardless of how worthless they think their information is.
Look, people are not going to change millennia of psychological evolution to fall in line with technology. Our innate curiosity is a double-edged sword. While it has motivated us to explore, invent, and re-create, it’s also what gets us to click on a link we know we shouldn’t. We are also motivated by self-interest and will often take the path of least resistance. I would argue that’s an evolutionary advantage too (think of hunting back when we lived in caves), but one that can have negative side effects in our connected society. If we want to be effective defenders and truly make a difference, we have to work with humans at the human level and realize that technology is just a tool that, when applied appropriately, can help us, but it’s not the solution.
The Day Two wrap up will follow soon.