
Five key takeaways from Black Hat Asia 2016

Here is what we learned at Asia's biggest computer security conference in Singapore


Here is what we learned at Asia's biggest computer security conference, Black Hat Asia 2016 in Singapore:

Disincentivising Hacking

In his talk, Dino Dai Zovi explained that hacking, like any other human action, requires a motive. If the reasons why hackers attack a particular target are well understood, disincentivising an attack could have a very profound impact. Viewing attack and defense strategies through the lens of economics can often be beneficial in such a case. The traditional approach is to raise the cost for the attacker as much as possible to make attacks difficult, but that approach also results in high costs for the defender and in scaling problems. You could instead focus on a more scalable approach that reduces the reward from a successful attack.

Enterprise iOS apps open new attack vectors

One of the most important aspects of iOS's security policy is that the App Store acts as a gatekeeper for all code on devices running iOS. The Apple Developer Enterprise Program is, however, an exception to that policy. It allows enterprises to bypass this validation process and create their own iOS apps, which they can deploy directly to devices. The certificates owned by enterprises can easily be misused to create malicious apps for use by anybody from state actors to cyber criminals.

Google reCAPTCHA has been broken

Security researchers Iasonas Polakis and Suphannee Sivakorn have managed to perform a low-cost attack using deep learning technology that could solve over 70% of all image reCAPTCHA challenges, taking under twenty seconds per challenge. The same attack could achieve an accuracy of over 83% when used to solve the Facebook image captcha.

Knowing what IoT devices are out there is important

The Internet of Things is the new buzzword in the tech world, and the number of IoT devices and their adoption is only increasing. This poses a unique threat in terms of security because all of these devices are unique and run on software created just for that device. It is not like mobile, where the ecosystem is mainly divided between iOS, Android, Windows, and BlackBerry. We are far away from knowing the threats that will emerge from this new ecosystem because we haven't even analyzed what types of devices are out there and what kind of software and wireless technology they utilize.

Car hacking is more accessible now

Controller Area Network (CAN) is the most widely used protocol for networking in automobiles. If an attacker can gain access to CAN, it will give him or her the ability to change system operation, perform diagnostics and disable the system. Security research in this field used to be a lot more expensive, but thanks to CANtact, an open source hardware CAN bus tool by Eric Evenchick that costs 60 US Dollars, there is a lot more research going into making safer cars.
