Adobe attends Black Hat in Las Vegas each year and this year was no exception. The Adobe security team as well as several security champions from Adobe’s product teams attended Black Hat and a few stayed on for DEF CON too. What follows is the experiences and takeaways of Rajat and Karthik security researchers on ASSET, from Black Hat and DEF CON 2014.
Security is often characterized as a dichotomy between “breaking” and “building”. Presentations at Black Hat and DEF CON are no exception – focused on these categories as a result of the approach that hackers take towards their research. For example, Charlie Miller and Chris Valasek’s, “A Survey of Remote Automotive Attack Surfaces” was a memorable talk in the breaking-security category, where they disassembled the onboard computers in over twenty commercial cars and analyzed ways to remotely control them. It was refreshing to take a step back and observe that security scrutiny can be brought to bear on all engineering design, not just software design.
In the building-security category, we appreciated the format of the various roundtables at Black Hat because they mirrored many of the themes of security conversations across Adobe. For example we found the roundtable discussions on API Security and Continuous Integration and Deployment to be valuable lessons for our researchers and security champions. At DEF CON, we came across DemonSaw, a new tool that lets you securely share files in a peer-to-peer network without requiring cloud storage. We found it to be an impressive implementation of cryptography fundamentals to meet security and privacy.
We noticed the gradual shift in focus of the talks from last year, in that more hackers are going after hosted services and mobile/embedded applications. This gave Adobe security champions the opportunity to see how hackers adapt to changes in the industry and to get an attacker’s perspective on compromising applications that may be similar to our own. Often times security champions had to strike a balance between talks that apply to their day-to-day work, like Alex Stamos’ Building Safe Systems at Scale and talks that were interesting given the impact to the industry, for example the talk about BadUSB. We also saw the recurring theme that each year the security community finds more serious vulnerabilities than the last, as a result of new products and platforms flooding the market. It was a reminder that with the universal growth of technology there’s a need for deeper investment in security.
Adobe-hosted event at the Cosmopolitan’s Chandelier Bar on August 7th.
Black Hat and DEF CON offer much more than the presentations and trainings. The Black Hat Arsenal showcased cutting-edge security research, with prototypes of packet-capturing drones and tools that harvest information from various embedded devices. Most of the tools on display were open-source and it was great to see research shared in the security community. The Vendor Expo was an expansive mix of large companies promoting their product suites, along with newcomers exploring niche problems such as log mining, threat intelligence, and biometric security. No DEF CON conference is complete without a Capture the Flag (CTF) event, which is a place for professionals–or hobbyists–to build their skills and compete with each other in solving real-world challenges related to forensics and Web exploitation – this year’s competition was won by PPP.
It was evident that Black Hat and DEF CON have steadily grown in popularity. For the first time at Black Hat we were standing in line to enter briefings. The size and scale of these events keep increasing, which is a testament to the expanding influence of security in technology and business. Despite the growth, the atmosphere at Black Hat and DEF CON remains collegial. Meeting and talking with people about the challenges we all face always makes for a valuable learning experience.
Karthik Raman, Security Researcher
Rajat Shah, Security Researcher