Light Dark
August 2, 2016 By Douglas Bonderud 2 min read

Who hacks the hackers? As it turns out, just about anyone.

According to CSO Online, the official app for this year’s Black Hat conference contained a number of serious social flaws — worrisome enough that organizers stripped out specific functions before the app went live.

Thankfully, the nearly two-decade old event, which bills itself as “the most technical and relevant global information security event in the world,” had the foresight to disclose the app for testing before a public rollout. Here’s a look at where this Black Hat app went off the rails.

Of Lies and Logins

After some hands-on time with the Black Hat app, researchers from Lookout had some serious concerns about its social functionality.

It all started with the sign-up process, which allowed users to build a profile, browse sessions and send messages to other attendees. The problem: With no verification for email addresses, users could either create entirely fake profiles or sign up using the name of someone else at the conference.

Black Hat App: A Troll’s Playground

For those interested in simply trolling the event, it was possible to enter nonsense email address details and create fake profiles with the photo and corporate details of their choice. Since corporate email addresses often follow a set pattern, there was also potential for impersonation. People could sign up as an attendee who works for a competitor, use their real email address and then send messages to other users or make offensive comments on posts in a conferencewide activity feed.

It gets worse. If users discovered someone else had registered their name and email address, it was possible to ask for a password reset. The problem: This reset didn’t end the session of other users logged in to the same account, meaning that so long as impostors didn’t manually sign out, they retained access to all features and data enjoyed by the legitimate account owner, without that owner’s knowledge.

As a result of this disclosure, the app was pulled; better to release a truncated piece of software than a significant security risk at a conference designed to address these exact types of security issues.

Hats Off to Black Hat

Black Hat continues to do good work in the security community, especially when it comes to tapping the pulse of emergent issues.

As noted by The Wall Street Journal, the conference received 50 proposals this year for talks related to the Internet of Things (IoT). While it only had space for 13, the trend is obvious: A bigger attack surface makes for a more appealing target.

Black Hat has been right before. In 1997, attacking Windows was a key conference focus; a decade later, cracking iPhones was the big draw. This year, there’s talk about proof-of-concept attacks on network-connected vehicles moving at significant speed, unlike last year’s 5 mph maximum.

Nothing Is Safe

But here’s the takeaway, and it’s inherent in the Black Hat ethos itself: Nothing is safe. No device, no app and no data is immune from potential misuse or compromise. Even an application specifically designed for a high-level security conference contained a number of glaring and potentially devastating flaws. Thankfully, organizers practiced what they preach and used critical feedback to pull the plug on social security risks.

Heading to Black Hat this year? Enjoy Vegas and learn more about advanced threats — but for the sake of corporate safety, maybe give the official app a pass.

 |  |  |  | 
Douglas Bonderud
Freelance Writer

More from

November 21, 2024

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

November 20, 2024

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature