I’m not going to write about everything I did during my Black Hat experience, but I will try and at least mention most of the sessions. It started off with a mildly interesting keynote address. Then I went to a 25-minute briefing called “Detecting Deep Fakes with Mice.” (Briefings vary between 25 and 50 minute sessions.) It talked about how much time and processing goes into making a deep fake puppet of someone (like a politician: upwards of 17 hours of video footage was needed to make a deep fake of Obama). They also talked about how they were using mice that could distinguish sounds to detect when a human-sounding voice was fake by training them to listen for certain characteristics.
The next briefing was a 50-minute presentation called “The Most Secure Browser? Pwning Chrome from 2016 to 2019.” As a lawyer, I chose this because I use Chrome on almost a daily basis and I thought it would be neat to get an idea of some of its vulnerabilities. While I understood the words coming out of the presenter’s mouth, it was like listening to a foreign language because I had no clue what they were talking about. The majority of the slides in the presentation were lines of code. I made a note to myself going forward to try and avoid the ones that looked like they were going to be mostly code.
Despite the hit and miss nature of the three morning sessions, things picked up for me in the afternoon when I attended some briefings that were more up my alley. The first was called “Cyber Insurance 101 for CISOs.” The presenter was a cyber insurance broker who described what some cyber insurance policies offer these days. He specifically mentioned that they provide their insureds with a breach coach and legal counsel to help guide them through incidents. It was nice to hear them mention some of the roles that I can fill when these incidents occur.
After that I attended a briefing on Mitre ATT&CK. While I was not familiar with it, I chose it because it seemed to deal with assessing risk and, as I learned, it turns out it does. Mitre ATT&CK is an online database full of different hackers/organizations with their known techniques, tactics, and practices. Following that I was back in another briefing with a senior vice president over underwriting at Chubb talking about how insurance and cyber security interact. It was great to hear about what an underwriter looks at when they decide whether to take the risk and issue a cyber policy. They basically do a high level risk assessment and have other subject matter experts take a deep dive into the analysis.
Finally, I attended a briefing that dealt with an exploit of the Trezor hardware wallet for cryptocurrency. This was of particular interest since I own this product. This researcher found a way to use electromagnetism to hack the device without altering the physical appearance of it. This would allow someone to access the cryptocurrency stored on the device and even get the required seed words without the owner knowing they had been breached. The good thing about this (and most of the breaches/exploits discussed at Black Hat) is that they already told the company that makes Trezor and the exploit has been successfully patched.