Black Hat USA 2024, BSidesLV, And DEFCON 32: Your Hacker Summer Camp Guide

Cybersecurity heats up in August, when the BSides, Black Hat and DEF CON conferences make Las Vegas the hacking epicenter of the world for about a week. This trifecta of cybersecurity conferences forms what the industry affectionately calls “Hacker Summer Camp.”


While each conference has its own unique chaotic charm, expect security throughlines to include navel-gazing over the CrowdStrike fiasco, updates on election security, social-media disinformation campaigns and, of course, today’s Taylor Swift of cyber topics: the promise and perils of artificial intelligence.

To help you not break a sweat trying to plot and plan for the blast furnace that is Las Vegas in August, SC Media reporters humbly offer a cheat sheet on major themes and on the sessions that interest us and that we expect to make news. And it goes without saying, SC Media and its sister media brand Security Weekly will also be breaking a sweat on show floors for you, covering each conference with live video reports and hourly news updates on SC Media’s website and our social channels.

First up is BSides Las Vegas 2024, a nonprofit two-day event held at the Tuscany Suites and Casino that kicks off on Tuesday, Aug. 6. BSidesLV has become a worthy and affordable alternative to Black Hat and DEF CON for your Hacker Summer Camp attention.

Black Hat USA 2024 is the main draw among the three shows, with last year’s confab drawing 19,750 in-person attendees to the show’s home at Mandalay Bay Convention Center. Running from Aug. 3 to Aug. 8, the first part of Black Hat focuses on training, with the main conference events on Aug. 7 and 8. Big names taking the center stage at the event are Ann Johnson, corporate VP of Microsoft; Sherrod DeGrippo, director of threat intelligence strategy at Microsoft; Danny Jenkins, CEO and co-founder of ThreatLocker; Jen Easterly, CISA director; and Harry Coker Jr., National Cyber Director in the White House Office of the National Cyber Director.

DEF CON 32, running from Aug. 8-11, is arguably the most technical and dynamic of the three, and it has hands-down the best attendee (hackable) electronic badges of any cybersecurity conference, period! This year DEF CON will be held at the Las Vegas Convention Center, a big departure from its recent Caesars Forum home. The theme is Engage, which organizers say is a nod to Cory Doctorow’s clarion call to action against the “ensh*ttification” of the internet.

BSides Las Vegas 2024: What to expect

We don’t have time to list all the talks worth attending, and short of human cloning, we’re physically not going to be able to attend them all. But here, in alphabetical order, are the five most interesting-sounding talks at BSides LV 2024. – Paul Wagenseil


Hacking Things That Think

We recently saw a conference talk that showed how to cajole large-language-model AIs into doing things they shouldn’t, such as explaining how to build a bomb or disclosing their training data. Each successful attack involved social engineering, of a machine rather than a human. Matthew Canham expands upon this topic by presenting the Cognitive Attack Taxonomy, a catalog of “over 350 cognitive vulnerabilities, exploits, and TTPs which have been applied to humans, AI, and non-human biological entities.” Awesome.

Insert coin: Hacking arcades for fun

We are so old that we remember running out of quarters and having to ride our BMX bike home from the arcade instead of playing more “Galaga,” “Joust,” “Q*bert” or “Tempest.” Boo! But Argentinian hacker Ignacio Navarro will show us vulnerabilities that he found in a cashless arcade-payment system used around the world, even in Las Vegas. Let’s hope it’s not fixed yet.

Microsoft f***ed it up

There’s no mention of the CrowdStrike meltdown in this talk description, but you can bet it’ll come up. Presenter kindnessispunk promises to “get into the details of how Microsoft’s C-Suite failures — and not that of Microsoft Security Humans — led to Chinese hackers reading the email of the Secretary of State.”

Wars and Rumors of Wars – What are the implications for Domestic Critical Infrastructure?

It’s a bummer of a topic, but the Volt Typhoon compromises made it clear that a foreign power (cough, China!) has been pre-positioning itself inside American critical infrastructure networks, apparently to launch disruptive attacks in the event of war. I Am the Cavalry’s Beau Woods and Lastwall CEO Karl Holmqvist lead this two-hour talk on how bad the situation is, how much worse it could get, what’s being done about it, and how the cybersecurity community can help.

We removed passwords, now what?

Passwords are dying! Everyone’s going passwordless! Great — right? Well, getting rid of passwords does make account recovery just a leeeeetle bit tougher (i.e., sometimes a lot tougher). HYPR’s Aldo Salas looks at “the challenges encountered for account recovery and identity verification that are now present as we remove more and more passwords every time.”


Black Hat USA 2024: What to look for

Besides the pre-written keynotes and pre-approved presentations, the conversation at Black Hat this year will likely be dominated by talk of CrowdStrike’s botched update, which caused massive service outages around the world.


While the outage wasn’t due to any malware or exploit, the entire situation will raise questions about the role of security platforms in the overall IT landscape and whether IT execs will decide to sacrifice some security protections in order to maximize uptime.

We expect many of the panel sessions, fireside chats, and Q&As at the event to touch on, if not focus on, what the massive global outage will mean for the security industry and those who work in it going forward.

Also likely to dominate coverage will be talk of election hacking. With a number of countries already having held major elections, things will only pick up this fall when the hotly contested presidential election takes place in the U.S.

Then there are the ubiquitous talks on the role AI will play in the information security field. Researchers have been looking at how AI platforms can be used on both the offensive and defensive sides to make attacks and defenses more effective.

Supply chain attacks are no doubt going to be a hot topic. With the memories of SolarWinds and Snowflake fresh in the minds of security professionals, supply chain security will come up throughout the week’s festivities. We already have research showing that attackers are increasingly targeting technology service providers and developers, aiming for a compromise that can be used to conduct further attacks on client companies.

Outside of the big newsmakers, a number of topics are of particular interest to this reporter.

Firmware-level attacks are particularly nasty infections because of the persistence they offer threat actors and the difficulty administrators have in permanently removing them from systems.

Such attacks are not easy to pull off (they usually require the attacker to already have root access to the target system), but with researchers uncovering new techniques on a regular basis, firmware is a fascinating area to follow.

Finally, there’s the oft-overlooked field of network layer security. Though servers and end-user devices are often considered the most vulnerable components of IT infrastructure, attackers are increasingly exploiting the network appliances that get overlooked when it comes to maintenance and patch deployment. – Shaun Nichols


DEF CON 32: New venue, same spirit

This year DEF CON 32 will host 104 talks, 29 workshops and 32 hacker villages, with names such as Aerospace, Voting and Hardware Hacking/Soldering Skills Village. One village of note will be the Artificial Intelligence Cyber Challenge (AIxCC). Created by DARPA, this village is an effort to have DEF CON attendees compete for a $4 million prize (to be awarded at DEF CON 2025). This year AIxCC enters its semifinal phase, in which competitors work with DARPA to create “AI systems capable of addressing vital cybersecurity issues, such as the security of critical infrastructure and software supply chains.”


Moving to talks, we’ll be paying close attention to sessions such as “Kicking in the Door to the Cloud: Exploiting Cloud Provider Vulnerabilities for Initial Access” where Datadog researchers detail how bugs in Amazon Web Services allowed them to access protected cloud environments.

Another talk, “Outlook Unleashing RCE Chaos: CVE-2024-30103 & CVE-2024-38021” by Morphisec, will go deep into a zero-click Outlook bug that Morphisec researchers discovered and that Microsoft patched in June.

Jeff “The Dark Tangent” Moss will MC the event, joined by cybersecurity big shots such as Paul Nakasone, retired U.S. Army general who served as the commander of U.S. Cyber Command, and Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging technology at the National Security Council and the White House.

Private sector speakers include Peiter “Mudge” Zatko, renowned hacker, former leader of the L0pht hacker collective and former head of security at Twitter (now X); HD Moore, creator of the Metasploit Project; and Harriet Farlow, CEO at Mileva Security Labs and known for her research in adversarial machine learning techniques. – Tom Spring


See you in Las Vegas where SC Media and Security Weekly staff will be on-site all week for BSides, Black Hat and DEF CON. Follow us for the latest news and analysis from all three shows.
