Merritt Group Blog

Merritt’s Security Team Takes On Black Hat!


Earlier this month, the Merritt Security team traveled to Las Vegas for one of the hottest industry shows of the year – Black Hat. This year’s show had more attendees than ever, with an estimated 9,000 people from 91 countries! We always enjoy observing how diverse the attendee base is, and that is apparent from the apparel, which ranges from suits to “I Heart Hacking” t-shirts.

Now that we’ve recovered (for the most part), here are some of the big themes we took away from the show. Keynote speaker Jeff Moss stated repeatedly, “this is our time,” and he couldn’t be more right.


  • Incident Response – what happens next?: Sessions by Bruce Schneier and other industry experts were overflowing with attendees this year. According to Schneier, “the days of letting the industry take care of incident response are quickly coming to an end.” He was referring to the possibility of government regulation taking over incident response and data protection in the private sector. This was a scary and highly debated premise among attendees.
  • Healthcare avoided the limelight: At last year’s Black Hat, medical device security was buzzing around the show, with presentations from the late Barnaby Jack and other researchers addressing critical vulnerabilities in medical devices. This year, healthcare sessions were a bit more under the radar, but that doesn’t mean they don’t deserve attention. The trustworthiness of USB devices was also called into question by German security researchers Karsten Nohl and Jakob Lell of SR Labs, who presented on the potential threats when medical devices charge their batteries over USB.
  • POS system security: With major breaches like Target and Neiman Marcus flooding the news in early 2014, it was no shock that point of sale (POS) system security played a huge role at Black Hat this year. Presentations from the likes of Nir Valtman and Lucas Zaichkowsky shed light on the weaknesses of POS systems and how attackers use them to harvest customers’ card data and personal information. Zaichkowsky’s presentation featured a live demo showing what sensitive data passes through both magstripe and EMV chip readers, tracing it from the peripheral all the way through the electronic payments infrastructure.

Our favorite breaking vulnerabilities:

  • Watch your car! Prior to Black Hat, videos were floating around showing a hacker controlling a car from a remote location, sparking worry among the public and automobile manufacturers. At the show, Charlie Miller from Twitter and Chris Valasek from IOActive unveiled an analysis of automobile network data and identified a list of 20 specific models most significantly at risk. A malicious attacker who gains a foothold through a remote vulnerability could do anything from enabling a microphone for eavesdropping, to turning the steering wheel, to disabling the brakes.
  • Airport X-ray scanners: Billy Rios from IOActive identified issues with two devices approved for use by the Transportation Security Administration (TSA) and called for device manufacturers to make significant improvements to prevent access to the underlying software. These vulnerabilities could be exploited locally to gain access to, and manipulate, critical functions.

Overall, it was another successful year filled with new and familiar faces, groundbreaking hacking skills, and a little bit of crazy. We look forward to seeing you next year!
