Black Hat 2021: my preferred talks

Last week, I attended Black Hat 2021. It was a hybrid conference, i.e., both on-site and virtual. As a consequence, there were only four concurrent “physical’ talks at any moment. The number of attendees was far lower than in 2019. I attended the physical ones exclusively with a focus on hacking.

I enjoyed the most the two following talks

Breaking the Isolation: Cross-Account AWS Vulnerabilities by Shir Tamari and Ami Luttwak
They explored the AWS cross services such as CloudTrail or the Serverless Repository. Such services allow to store some data in the same location for several services or read data from the same location for several services. They discovered that the security policy configuration did not define the referenced accounts. Thus, it was possible to use CloudTrail to store files in an S3 bucket that you did not control.
AWS has fixed the issue. Unfortunately, it is up to the customer to update the policies correspondingly; else, the holes are still present.
Fixing a Memory Forensics Blind Spot: Linux Kernel Tracing by Andrew Case and Golden Richard
The ePBF is a programming language that makes access to the Linux kernel tracing easy. The tracing system is mighty. It allows to read registers, hook subsystem calls, etc. From the userland!! Powerful but nasty.
They presented some extensions of their open-source tools to list the hooked calls and other stealthy operations.
I was not aware of ePBF. It opened my eyes and scared me. An earlier talk With Friends Like eBPF, Who Needs Enemies? The authors presented a rootkit based on ePBF. Unfortunately, I did not attend this talk. Would I have known ePBF, I would have attended it. It seems that there were three other ePBF-based talks at DefCon 2021.

In the coming weeks, I will listen to some virtual talks and report the ones I enjoyed.

Law 7 – You Are the Weakest Link

laws7This post is the seventh post in a series of ten posts. The previous post explored the sixth law: Security is not stronger than its weakest link.  Although often neglected, the seventh law is fundamental.  It states that human users are often the weakest element of the security.

Humans are the weakest link for many reasons.  Often, they do not understand security or have an ill perceived perception of it.  For instance, security is often seen as an obstacle.  Therefore, users will circumvent it when security is an obstruction to the fulfillment of their task and will not apply security policies and procedures.  They do not believe that they are a worthwhile target for cyber-attacks.

Humans are the weakest link because they do not grasp the full impact of their security-related decisions.  How many people ignore the security warnings of their browser?  How many people understand the security consequences and constraints of Bring Your Own Device (BYOD) or Bring Your Own Cloud (BYOC)?  Employees put their company at risk by bad decisions.

Humans are the weakest link because they have intrinsic limitations.  Human memory is often feeble thus we end up with weak passwords or complex passwords written on a post-it.  Humans do not handle complexity correctly.  Unfortunately, security is too complex.

Humans are the weakest link because they can be easily deceived.  Social engineers use social interaction to influence people and convince them to perform actions that they are not expected to do, or to share information that they are not supposed to disclose.   For instance, phishing is an efficient contamination vector.

How can we mitigate the human risk?

  • Where possible, make decisions on behalf of the end user; as the end users are not necessarily able to make rational decisions on security issues, the designer should make the decisions when possible. Whenever the user has to decide, the consequences of his decision should be made clear to him to guide his decision.
  • Define secure defaults; the default value should always be set to that for the highest or, at least, an acceptable security level. User friendliness should not drive the default value, but rather security should.
  • Educate your employees; the best answer to social engineering is enabling employees to identify an ongoing social engineering attack. This detection is only possible by educating the employees about this kind of attack.  Training employees increases their security awareness and thus raises their engagement.
  • Train your security staff; the landscape of security threats and defense tools is changing quickly. Skilled attackers will use the latest exploits.  Therefore, it is imperative that the security personnel be aware of the latest techniques.  Operational security staff should have a significant part of their work time dedicated to continuous training.

Interestingly, with the current progress of Artificial Intelligence and Big Data analytics, will the new generation of security tools partly compensate this weakness?

If you find this post interesting, you may also be interested in my second book “Ten Laws for Security” that will be available end of this month.   Chapter 8 explores in details this law. The book will be available for instance at Springer or Amazon.

Shared Responsibilities on the Cloud

Microsoft recently published a paper titled “Shared Responsibilities For Cloud Computing.” The aim is to explain that when migrating to the cloud not everything relies on the lapses of the cloud provider to reach a secure deployment. This reality is too often forgotten by cloud customers. Too often, when assessing the security of systems, I hear the statement, but cloud provider X is Y-compliant. Unfortunately, even if this declaration is true, it is only valid for the parts that the cloud provider believes are under its responsibility.

The golden nugget of this document is this figure. It graphically highlights the distribution of responsibilities. Unfortunately, I think there is a missing row: Security of the Application executing in the cloud. If the application is poorly written and riddled with vulnerabilities, then game over. In the case, of SaaS, this security is the responsibility of the SaaS provider. For the other cases, it is the responsibility of the entity who designed the service/application.

The explanations in the core of the document are not extremely useful as many elements are advertising for Microsoft Azure (it is fair as it is a Microsoft document).

The document can be used to increase the awareness of the mandatory distribution and sharing of responsibilities.

Some notes on the Content Protection Summit 2015

These motes are personal and reflect the key points that raised my interest. They do not report the already known issues, already approved best practices and security guidelines.

The  conference was held on 7th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors. CPS is becoming the annual event in content protection. The event was as interesting as last year.

A special focus has been placed on cyber security rather than purely content protection.

Welcome remarks (ROSE M.)

The end of EU safe harbor is an issue.

CDSA: A focus on the right things at the right time (by ATKINSON R.)

A set of work streams for 2016 with nothing innovative. Some focus on training and education. A second focus on opportunity versus piracy.

IP security the creative perspective (by McNELIS B.)

An attack against YouTube that does not have in place a strong enough position against piracy. Google does not play the game despite it could (for instance, there is no porn on YouTube, proving the efficiency of curation). The difference between Apple and Google is the intent.

Creators do usually not want to bother about content protection. They want to communicate directly with consumers. The moderator explained that indie filmmakers are far more concerned as piracy may be more impacting their revenue stream. The middle class of creators is disappearing.

The BMG / Cox communication legal decision is a good promising sign.

Breakthrough in watermark (by OAKES G.)

NNSS (Nihil Nove Sub Sole, i.e., nothing new under the sun)

The move to digital pre-release screeners: DVD R.I.P. (panel with ANDERSON A., TANG E., PRIMACHENKO D.)


  • Nobody any more uses exclusively DVD at home, they use additional media. The user experience of DVD is bad (dixit Fox).
  • E-screener is more eco-friendly than DVD distribution.
  • Less liability due to no need to dispose of the physical support.
  • Higher quality is possible.
  • According to Fox, on-line screeners are intrinsically more secure than DVD screeners.


  • The challenge is the multiplicity of platforms to serve. Anthony pleads for 2FA.
  • Some guild members want to build a library.
  • Connectivity is still an issue for many members.

Suspicious behavior monitoring is a key security feature.

The global state of information security (by FRANK W.)

Feedback on the PcW annual survey of 40 questions.

  • Former employees are still the most cited sources. Third party related risk is rising.
  • Theft of employee and customer records raised this year.
  • 26% of increase of security budget over 2014.
  • ISO27001 is the most used framework. 94% of companies use a security framework.
  • Top Cyber threats: vulnerabilities, social engineering and zero-day vulnerabilities.
  • Data traversal becomes a visible issue with leaks via Dropbox, Google Drive…)

Would you rather be red and blue, or black and blue (by SLOSS J.)

A highlight on high-profile attacks. A plea for having an in-house red team (attack team)

He advocates the stance of assuming that you’re already penetrated. This requires:

  • War game exercises
  • Central security monitoring
  • Live site penetration test (not really new)

Secrets to build an incident response team (panel with RICKELTYON C., CATHCART H., SLOSS J.)

An Incident Response Team is now mandatory together with real-time continuous monitoring.

Personalize the risk by making personal what the consequences of a breach would be.

Hiring experts for a red team or IRT is tough.

Vulnerability scanning penetration testing (panel with EVERTS A., JOHNSON C., MEACHAM D., MONTECILLO M.)


Best practice for sending and receiving content (by MORAN T.)


  • Consumer grade cloud services: Dropbox, etc
  • Production. Media deal, signiant, mediafly, etc
    • Usually isolated system within a company
    • Owned by production rather than IT
  • Enterprise: Aspera
    • Owned by IT

Cooperation between IT and production staff is key.

Don’t tolerate shadow IT. Manage it

Monitor the progress of Network Function Virtual (NFV)and Software Defined Network (SDN) as they may be the next paradigms

Production in the cloud (panel with BUSSINGER B., DIEHL E., O’CONNOR M., PARKER C.)

CDSA reported about this panel at

Production security compliance (panel with CANNING J., CHANDRA A., PEARSON J., ZEZZA L.)

It is all about education. The most challenging targets are the creatives

New Regency tried on a production of a TV show to provide all creatives with the computer, tablet, and phone. They also allocated a full-time IT guy.

Cloud Security: a Metaphor

Last year, at the annual SMPTE Technical Conference, I presented a paper “Is the Future of Content Protection Cloud(y)?”  I explained that the trust model of public cloud was theoretically inherently weaker than the trust model of private cloud or private data center.  The audience argued that at the opposite, the security of public cloud may be better than the security of most private implementations.  As usual in security, the answer is never Manichean.

Metaphors are often good tools to introduce complex concepts.  Analogy with the real world helps to build proper mental models.  The pizza as a service metaphor that explains the IaaS, PaaS and SaaS is a good example.  In preparation of the panel on cloud security at the next Content Protection Summit, I was looking for a metaphor to illustrate the difference between the two trust models.  I may have found one.

On one side, when using a private cloud (or a private data center), we can likened the trust model to your residential house.  You control whom you invite into your home and what your guests are allowed to do.   You are the only person (with your family) to have the keys.  Furthermore, you may have planted a high hedge to enforce some privacy so that your neighbors cannot easily eavesdrop.


On the other side, the trust model of the public cloud is like a hotel.  You book a room at the hotel.  The concierge decides who enters the hotel and what the hosts are allowed to do.  The concierge provides you with the key to your room.  Nevertheless, the concierge has a passkey (or can generate a duplicate of this key).  You have to trust the concierge as you have to trust your cloud provider.


The metaphor of the hotel can be extended to different aspects of security.  You are responsible for the access to your room.  If you do not lock the room, a thief may enter easily regardless of the vigilance of the hotel staff.  Similarly, if your cloud application is not secured, hackers will penetrate irrespective of the security of your cloud provider.  The hotel may provide a vault in your room.  Nevertheless, the hotel manager has access to its key.  Once more, you will have to trust the concierge.  The same situation occurs when your cloud provider manages the encryption keys of your data at rest.  The hotel is a good illustration of the risks associated to multi-tenancy.  If you forget valuable assets in your room when leaving the hotel, the next visitor of the room may get them.  Similarly, if you do not clean the RAM and the temporary files before leaving your cloud applications, the next user of the server may retrieve them.  This is not just a theoretical attack.  Multi-tenancy may enable it.  Clean your space behind you, the cloud provider will not do it on your behalf.  The person in the room next to your room may eavesdrop your conversation.  You do not control who is in the contiguous rooms.  Similarly, in the public cloud, if another user is co-located on the same server than your application, this service may extract information from your space.  Several attacks based on side channels have been demonstrated recently on co-located server.  They enabled the exfiltration or detection of sensitive data such as secret keys.  Adjacent hotel rooms have sometimes connecting doors.  They are locked.  Nevertheless, they are potential weaknesses.  A good thief may intrude your room without passing through the common corridor.  Similarly, an hypervisor may have some weaknesses or even trapdoors.  The detection of colocation is a hot topic that interests the academic community (and of course, the hacking community).  My blog will follow carefully these new attacks.

Back to the question whether the public cloud is more secure than the private cloud, the previous metaphor helps to answer.  Let us look more carefully at the house of the first figure.   Let us imagine that the house is as the following illustration.


The windows are wide open.  The door is not shut.  Furthermore, the door has cracks and a weak lock.  Evidently, the owner does not care about security.  Yes, in that case, the owner’s assets would be more secure in the room of a hotel than in his house.  If your security team cannot secure properly your private cloud (lack of money, lack of time, or lack of expertise), then you would be better on a public cloud.

If the house is like the one of the next image, then it is another story.


The windows have armored grids to protect their access.  The steal door is reinforced.  The lock requires a strong password and is protected against physical attacks.  Cameras monitor the access to the house.  The owner of this house cares about security.  In that case, the owner’s assets would be less secure in the room of a hotel than in his house.  If your security team is well trained and has sufficient resources (time, fund), then you may be better in your private cloud.

Now, if you are rich enough to afford to book an entire floor of the hotel for your usage, and put some access control to filter who can enter this level, then you mitigate the risks inherent to multi-tenancy as you will have no neighbors.  Similarly, if you take the option to have the servers of the public cloud uniquely dedicated to your own applications, then you are in a similar situation.

This house versus hotel metaphor is an interesting metaphor to introduce the trust model of private cloud versus the trust model of public cloud.  I believe that it may be a good educational tool.  Can we extend it even more?  Your opinion is welcome.

A cautionary note is mandatory: a metaphor has always limitation and should never be pushed too far.


The illustrations are from my son Chadi.

CANS 2015 submissions

The 14th International Conference on Cryptology and Network Security (CANS 2015) will be at Marrakech in December.  The submission deadline is 19 june 2015.  The topics of interest are rather broad:

  • Access Control for Networks
  • Adware, Malware, and Spyware
  • Anonymity & Pseudonymity
  • Authentication, Identification
  • Cloud Security
  • Cryptographic Algorithms & Protocols
  • Denial of Service Protection
  • Embedded System Security
  • Identity & Trust Management
  • Internet Security
  • Key Management
  • Mobile Code Security
  • Multicast Security
  • Network Security
  • Peer-to-Peer Security
  • Security Architectures
  • Security in Social Networks
  • Sensor Network Security
  • Virtual Private Networks
  • Wireless and Mobile Security

The accepted papers will be published in Springer LNCS.  It is an IACR event.

Some notes on Content Protection Summit 2014

The conference was held on 9th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe.  Traditional Content Protection is not anymore sufficient.  It has to be extended to IT cyber threats.  The SPE issue was cited very often.

The conference did not disclose surprisingly new information and technology.  Nevertheless, the event is a good occasion to share knowledge and basic best practices.  The following part will highlight interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that the cyberwar is a reality.  It is performed by government funded teams or hacktivists,  It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PcW)

The cyber world becomes more dangerous.  The state seems to degrade.  Some interesting figures from PcW’s annual report:

  • In 2014, the U.S. government notified 3,000 U..S. companies that they had been attacked
  • There was 48% more reported incidents in 2014.  Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff.  The most interesting advices were:

  • Log must be switched on.   This is essential in a cloud environment where low-cost plans may not have the logging feature available.  It is worthwhile to pay for it.  It is mandatory to learn and analyze when an incident occurs.
  • Have a response team available beforehand.  You will not have to time to look for and organize it when the incident will occur or will be detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Attack (APT)

This script will self destruct in 2 hours (panel)

The script is of high value, especially when the actual shooting was not started, or that the decision was not yet taken.  Nevertheless, it needs to be convenient.   Typical challenge for a confidential sensitive document that needs controlled distribution.  Warner announced that sometimes they even used 3-factor authentication.  Creative people may have hard feeling about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiven than feature movie in case of leakage (excepted perhaps for the opening and closing episodes).  The biggest coming challenge is the request of international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people.  The end of the session was a playdoyer for copyright.  The arguments were similar to the ones in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

According to me, the most interesting session.  They presented real use cases.

Elisha explained how she drastically reduced the online piracy against ABS-CBN (the Philippines Netflix).   She performed different steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the RANK to get the official sites as the first links in Google and bring pirate sites back to farther pages.
  3. Use investigators to collect proofs to enable shutdown sites
  4. Lawsuits with high fines.  The arrested webmaster are interviewed to learn all their techniques and tricks,

Jane explored the methods to have good brands advertising on pirate sites.   80% of the revenues of streaming cyberlockers are coming from advertisement.  Among them, 22% are coming from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt-in. Brands should be worried to place their advertisement in such sites as they are sometimes also hosting malwares.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical rationales why much piracy went from Sweden (Kazaa, The Pirate Bay…)  He asked that there should be a transactional VOD release window concurrent with Theatrical and Home windows.   The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European.   It was more his opinion.

What’s the forecast for securing the cloud? (panel)

According to me, the worst session.   No serious discussion on actual security of the cloud.   No discussion of hybrid clouds.  No precise definition of cloud (even no mention of NIST definition).  It seemed even to me that there was a consensus that implementations in cloud would be more secure than today’s implementations.

The topic is far more complex than the simplified vision drawn during the panel.