Black Hat 2023 UK - A Dive into the World of Cybersecurity

For decades, those curious about the future of cybersecurity have turned to Black Hat, the event where the brightest minds in the industry converge. Held at the prestigious ExCel London venue, over 3,600 experts gather for four days to discuss the latest trends, threats, and solutions that make our field so captivating. For us, it's the prime opportunity to learn from professionals in business, academia, and leaders from both the public and private sectors

Next, Ollie Whitehouse, the CTO of the UK National Cyber Security Centre (NCSC), addressed the audience. He provided insights into certain challenges he personally faced. Some of his one-liners will always stick with us: “How do we build something we can trust on something we can’t trust?”, “Hollywood is Hollyfact”, and “Cybersecurity shouldn’t be an extra premium cost for SaaS”.

Several talks stood out to us, including one on an exploit where millions of patient records were vulnerable, a method to steal autofill passwords, and a case demonstrating how internet traffic can leak through a VPN client.

The latter talk was delivered by Mathy Vanhoef, a professor at KU Leuven. In a highly accessible manner, he explained two potential attacks to leak network traffic sent by a VPN client. A ‘rogue’ WIFI network can exploit these vulnerabilities to make the victim's IP packets leak readable text outside the VPN tunnel. The adversary achieves this by manipulating the victim's routing table. Our attacks are independent of the VPN protocol used, meaning they apply to protocols such as IPsec, OpenVPN, and WireGuard.

In between, there was ample time for networking in the Business Hall or exploring demos in Arsenal. And because one cannot be serious all the time, we headed to the Tower Bridge in the evening for some relaxation!

When we checked in on our first day, we not only received a backpack with a few stickers but also a stamp card. At certain booths, you could collect stamps, hoping to win a prize. Spoiler alert: we returned home empty-handed. Many speakers discussed APSEC, which stands for Applied Security. We learned that everyone wants to protect systems, networks, and programs from digital attacks and ensure the confidentiality, integrity, and availability of your data.

In the Business Hall, they organized a lockpicking contest, where you had to pick locks of varying difficulty. The more you could open, the greater your chance of winning a prize. Did we mention we returned home empty-handed? Additionally, there was a large inflatable pool filled with Lego blocks, where you had fifteen minutes to create the most original design possible. Again, prizes were at stake - and the rest is history.

Fortunately, there were plenty of interesting talks, including a presentation on data breaches on a TLD scale. We learned that deleted domains can still be used to send emails, potentially exposing sensitive information. Lemmings to the rescue! This was developed by SIDN to alert former owners of deleted domains when their domain is likely still in use for sending email.

We also discovered how ChatGPT-4 could be used to write code, how a million ASUS routers are vulnerable due to using ASUS DDNS, and how DHCP DNS Dynamic Updates are armed. Incredibly fascinating topics, which we can undoubtedly apply in our daily jobs.

If it wasn't clear already: Black Hat is crucial for anyone involved in cybersecurity. It is the ideal platform for collaboration, knowledge exchange, and learning new skills. Our eyes were already open, but after this conference, they are even more so. We are ready to double down on cybersecurity!