10 Must-See Talks at Black Hat and DEF CON

Last summer, the two biggest hacker conventions happened remotely, and we lost the usual in-person interactions at the back-to-back events in Las Vegas. This year Black Hat and DEF CON have returned with a hybrid format, which should be appealing no matter what your comfort level with pandemic protocols. 

It’s been a tumultuous year in cybersecurity, which makes all of the presentations a little more interesting. Here are 10 of the talks I won’t miss and don’t think you should either (and they’re all streaming, so you can view them whether or not you’re in Las Vegas). 

1. The ripple effect: Building a diverse security research team

This is a non-technical talk about an all-white, all-male security research team that saw an issue with the unconscious bias that kept them stagnant and how they addressed it by building a more diverse staff. They’re open-sourcing some of the HR tools they built to create a more inclusive environment and add voices they didn’t previously have on their research team. 

For Kenna’s part, we believe that everyone plays a role in accelerating diversity, inclusion, and collaboration.

2. Zero – The funniest number in cryptography

Bugs found in four cryptographic signature schemes? Yeah, this one is definitely a technical talk. It revolves around the equation that for all x, x*0 = 0 and the power of the number zero. It is the key to the bugs these researchers found in BLS signatures. This looks like a fascinating talk on how “splitting zero” earned a bug bounty of $35,000. 

3. Bypassing Windows Hello for business and pleasure

Just this week, a federal judge ordered one of the rioters at the U.S. Capitol to unlock his laptop, which the FBI had seized. After he claimed he couldn’t remember his password, the government compelled him to use his biometrics to unlock the device using the Windows Hello feature. This talk introduces new research on bypassing the automatic login and it looks like one of the must-see talks of the week. 

4. Whoops, I accidentally helped start the offensive intel branch of a foreign intel service

It’s not quite “Honey, I Shrunk the Kids.” A former NSA employee will explain a cybersecurity job that turned out to be too good to be true. This is one story of more than a dozen former U.S. intelligence operatives that were recruited to work on the United Arab Emirates’ surveillance program, called Project Raven. As it turns out, the project eventually targeted Americans and these recruits were too naive to see the warning signs.

5. Diving into spooler: Discovering LPE and RCE vulnerabilities in Windows Printer

This is the talk that launched PrintNightmare and became a major headache for Windows Administrators earlier this month. We actually made it our Vuln of the Month here at Kenna. The researchers bypassed a patch issued by Microsoft, and when Microsoft updated with a new one, the researchers immediately exploited it again. 

6. Bring your own print driver vulnerability

Similar to the Black Hat talk, this DEF CON presentation explores how 2021 is the year of printer vulnerabilities. Researchers here will release a zero-day exploit to show how a print driver can gain access to a fully patched system. 

7. Between two servers—A Q&A with Sec. Mayorkas and Dark Tangent

Department of Homeland Security Secretary Alejandro Mayorkas will be front and center taking questions, including some submitted by viewers. If it stays on topic — DHS has a purview far beyond cybersecurity — this will be interesting to get some commentary on the government’s role in critical infrastructure. 

8. DHS rebooting critical infrastructure protection

This is a panel discussion about some of those critical infrastructure attacks, like the one on Colonial Pipeline, and includes CISOs and Eric Goldstein, the Executive Assistant Director for Cybersecurity for DHS’s Cybersecurity and Infrastructure Security Agency (CISA). With the recent ransomware attacks, it will be interesting to see if they have a vision for the future. 

9. No key? No PIN? No combo? No problem! P0wning ATMs for fun and profit

A live demo of unknown ATM hacks? This could easily be the best talk of the week. An executive from Zoom became a “licensed ATM operator” and will show several vulnerabilities that can gain access to ATMs. No word on whether that means door prizes of cash for anyone who sees this talk live.

10. UFOs: Misinformation, disinformation, and the basic truth

Richard Thieme might be worth the price of admission to DEF CON on his own, especially considering some of the talks he’s given in the past. His address at DEF CON 21 (in 2013), has more than 17,000 views on YouTube. He helped research a book titled “UFOs and Government: A Historical Inquiry,” and returns to DEF CON this year in light of new sightings, particularly Naval footage.