It’s that time of the year, where like the last several years, we would have landed and would be checking into either the Mandalay Bay or the iconic Luxor next door in all the anticipation of a week full of some badass hacking, technical conversations and loads of fun! Alas, the pandemic has had other plans, so this year as well, we will be at Black Hat virtually.
Kloudle is one of the virtual sponsors at Black Hat USA this year. We have setup a booth for your folks to come hang out at, see what we are building in the cloud security monitoring and auto remediation space, see a demo of the product, talk to us about your cloud security problems and grab some swag on the way out!
This year the conference is running from July 31 to August 5 and is both in person and virtual. Black Hat started with several virtual training programs running from July 31st to August 3rd with the in-person (and virtual) briefings scheduled on August 4th and 5th. It’s a fun conference to begin with and the endless post training and evening parties add a whole different charm to how we experience the conference.
There are over a 100 talks at the briefings running in parallel across multiple physical rooms and as virtual talks. This is a problem every year that I experience where it is difficult to attend all the talks that I would want to. This year as well, focusing our interests to Cloud & Platform Security, we have curated a list of talks that we would not want to miss at Black Hat! If you are like us breaking, monitoring and securing the cloud gives you the adrenaline rush, this list is for you!
This is going to be an interesting talk especially given that the attack vector is an implementation of DNS. DNS as a Service via services like Route53 in AWS are attacker favorites but going by the description that the talk has it appears that Shir Tamari and Ami Luttwak were able to setup rogue DNS servers and capture lookup requests coming over the Internet. It will be interesting to see what the exact attack was and what the mitigations would like for organisations. DNS is often overlooked when securing infra and this could be one of those talks that creates more discussion around DNS implementation security.
A lot of assumptions are going to be broken in this talk. Cross account vulnerabilities in cloud providers can exist because the permission model and access is controlled and implemented by policies either via the ones that you have written or managed policies provided by the cloud platform.
From the description, it appears that the researchers, Shir Tamari and Ami Luttwak found policy mis-configurations that caused the AWS API to interact with services and resources across accounts simply because the policy was implemented insecurely. The talk will also highlight a very important observation that I have made in the past about how it is difficult to track vulnerabilities in the cloud especially when there is no CVE or are not tracked by organisations like NIST which results in customers remaining vulnerable simply because the vulnerable version of the policy receives a version update (the policy itself is not overwritten but an updated version is provided) and the onus of using the latest and greatest secure version of the policy lies with the customer. Can’t wait to see this one.
This one is heavy on architecture and design but will be an excellent insight into how enterprises who are gradually moving to the cloud but need access to a lot of their Data Centre resources face unique challenges and how custom engineering a solution with both cloud and data centre resources is the key while the transition is occurring. Michael and the folks at Square will talk about how they constructed a workload identity in AWS Lambda to bridge the absence of trusted authentication to exist in both the environments.
Lots of learning through this talk, especially for folks in security engineering who may be in the same phase of transformation as the good folks at Square.
James Kettle never disappoints with the whacky research he produces in the web security space. This one is no different. Building on his research into desync attacks, this time focussing on HTTP/2, James promises to showcase weaknesses in implementation and RFC imperfections of HTTP/2 across AWS Load Balancer, WAF’s and other tech stacks out there.
James uses a lot of real world examples and shows how the weaknesses that he uncovers can actually be used to perform wide scale attacks and exploitation. This one’s going to be houseful and I’m secretly glad this is virtual only!
Kloudle will also be running an on-demand virtual sponsor session titled “Master Multi Cloud Security with Visibility and Automated Response” on Wednesday, August 4 at 8:00 AM. Stop by our virtual booth on Swapcard and talk to us about what challenges you face with the security of your cloud. We have some awesome swag to give away and there’s a chance you could take home an Apple watch too!
Come see what we are doing at Kloudle!
