Black Hat Europe 2023: Former Uber CSO Weighs if Being a CISO is Worth the Risk

A former Uber CSO, convicted last year, said the personal liability CISOs carry for their organization's security has many security pros rethinking whether to follow that career path.

December 8, 2023

Black Hat Europe 2023 highlights
  • Black Hat Europe 2023 wrapped up on Thursday this week.
  • Researchers presented some interesting cybersecurity findings at the year’s final Black Hat cybersecurity event as keynote speakers shared valuable insights into the cybersecurity industry from a technical and professional standpoint.
  • Check out the important takeaways from Black Hat Europe 2023.

Hundreds of cybersecurity professionals converged in London this week for Black Hat Europe 2023, which concluded on Thursday, December 7, 2023. The European edition of the renowned Black Hat Briefings series of annual conferences may not attract as many eyeballs as the one held in the United States in the summer every year.

Still, it serves as a great venue where attendees can soak in all things cybersecurity before heading into the next calendar year. As Black Hat concludes its final event of the year in Europe, not counting the full-day virtual event Cybersecurity Outlook 2024, let us look at some of the important takeaways from the conference.

Black Hat 2023 Takeaways

1. The keynotes

Black Hat Europe 2023 featured Ollie Whitehouse, CTO of the U.K. National Cyber Security Centre, part of the U.K.’s intelligence agency Government Communications Headquarters (GCHQ), as a keynote speaker alongside Joe Sullivan, CEO of Ukraine Friends.

At Black Hat USA 2023, Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Victor Zhora, deputy chairman and chief digital transformation officer of the State Service of Special Communication and Information Protection of Ukraine, took the stage as keynote speakers.

Whitehouse’s message? Don’t be afraid to adopt an approach that stumps attackers. In today’s asymmetric cybersecurity landscape, don’t be afraid to do the unexpected so that threat actors feel the repercussions of carrying out an attack.

To do that, organizations need to drive down the cost of shoring up cyber defenses. One of the most essential factors in eliminating or reducing those costs, Whitehouse said, is that cybersecurity vendors need to remove upcharges, whether on on-premises or software-as-a-service products and services, and increase transparency on vulnerability disclosures and more.

He also urged software vendors to stop treating security as a premium. Speaking with Infosecurity Magazine, Whitehouse said, “I said that seatbelts are not a premium feature, and we should no longer tolerate vendors who sell them as such.”

On phishing, which is one of the most common initial access methods employed by attackers, Whitehouse said, “I don’t have the answer to resolving this huge and hard problem, but I wanted to insist on that in front of the hundreds of cybersecurity professionals who came from around the world. They, collectively, have the answers.”

Thoughts of a convicted cybersecurity leader

The biggest takeaway from the Federal Trade Commission’s (FTC) case against former Facebook and Uber CSO and current Ukraine Friends CEO Joe Sullivan is the need for transparency on cybersecurity. Sullivan was, after all, convicted not because a data breach happened at Uber, which compromised the data of 50 million people, but for hiding it and obstructing the FTC’s investigation.

Sullivan’s conviction, which is being appealed, was followed by a relatively lenient sentence of three years’ probation, 200 hours of community service, and a $50,000 fine, instead of the 15 months in prison prosecutors had demanded.

Sullivan’s keynote at Black Hat Europe 2023 recounted his experience of the case and how it changed his perception of what a security executive’s role constitutes. Sullivan said that CISOs’ personal liability for an organization’s safety has many security professionals rethinking the risk of following that career path.

Discouragement from pursuing security leadership roles can also come from the Securities and Exchange Commission’s (SEC) allegations that SolarWinds and its CISO Tim Brown misled investors about the company’s cybersecurity practices.

“The government, the FTC in my case, felt that my company wasn’t sufficiently transparent, and they sought to hold me personally accountable for that, even though it wasn’t my job to be the communicator of our security posture or answer any of their questions. In fact, I hadn’t seen a lot of the documents. And so, their case was about me being held personally responsible for the company’s approach to communication. Tim Brown’s case is the exact same thing,” Sullivan said.

He went on to suggest that investigators may not have a complete understanding of what it’s like in the proverbial trenches of cybersecurity within a company.

But there’s a silver lining, Sullivan says. He foresees regulatory changes outlining how organizations should approach cybersecurity, which could help reverse the disincentive now attached to security leadership roles. This includes the SEC’s new transparency requirements.

“I think the SEC is trying to change the incentives through sticks rather than carrots. But that’s the tool that they have, which is better than nothing.”

“We have to figure out how to keep our hand in the technical stuff, but we also have to learn how to become real executives,” Sullivan continued. “The world’s changing right now, and we’ve got to get on with it, or we’re going to be left behind.”


2. Indirect prompt injection through large language models

Security researchers from Cornell University have demonstrated an indirect injection attack in which images and sounds are used to inject prompts and instructions into multi-modal large language models (LLMs).

Researchers showed in the paper, Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs, that when a manipulated audio clip or image is fed to an LLM chatbot, it can steer the LLM’s response according to the hidden prompt injected by the attacker.

The image below demonstrates an indirect injection attack where a manipulated image input into PandaGPT forces the tool to output a phishing message.

Demonstration of indirect injection attack with PandaGPT LLM

Source: Cornell University’s Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs

The method achieved similar results with an audio file on PandaGPT.

Researchers also altered LLaVA’s responses to be more sinister, in this case advising users on how to burn down a house.

Demonstration of indirect injection attack with LLaVA LLM

Source: Cornell University’s Abusing Images and Sounds for Indirect Instruction Injection in Multi-Modal LLMs

For an attack using this method to work, an adversary must manipulate a user into submitting the altered image or audio file while conversing with an LLM chatbot.

3. Mobile security issue, but password manager vendors aren’t listening

An assistant professor at the International Institute of Information Technology (IIIT) discovered and shared findings that lay bare the risk of using password managers with WebView on Android devices. Password managers can leak credentials stored on the device when their built-in autofill function is used inside a WebView embedded in a malicious app.

Assistant professor Ankit Gangwal and his students, Abhijeet Srivastava and Shubham Singh, found that the top 10 password managers could leak usernames and passwords through this security issue, dubbed AutoSpill.

However, password manager vendors are offloading responsibility onto Google, except for 1Password, which promised to fix the problem. “The moment we discovered this thing, we documented everything. We have shared it with the affected password managers and the Google team,” Gangwal told Dark Reading.

“They said this is not our responsibility; this is a problem with Android. We try to argue with them again and again. We invested a lot of time in communication and explained the problem to them. Everything they just outright denied.”

Still, as long as users avoid installing malicious apps and/or using password managers with WebView, they will be safe from AutoSpill.

Black Hat Europe 2023 will be followed by the one-day Cybersecurity Outlook 2024 virtual event, which can help organizations prepare for the threats expected in 2024. Later, Black Hat Spring Trainings will be held in March 2024 in Washington, D.C., followed by Black Hat Asia in April 2024 in Singapore.

What was your biggest takeaway from Black Hat Europe 2023? Share with us on LinkedIn, X, or Facebook. We’d love to hear from you!

Image source: Shutterstock

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis

An earnest copywriter at heart, Sumeet is what you'd call a jack of all trades, rather techs. A self-proclaimed 'half-engineer', he dropped out of Computer Engineering to answer his creative calling pertaining to all things digital. He now writes what techies engineer. As a technology editor and writer for News and Feature articles on Spiceworks (formerly Toolbox), Sumeet covers a broad range of topics from cybersecurity, cloud, AI, emerging tech innovation, hardware, semiconductors, et al. Sumeet compounds his geopolitical interests with cartophilia and antiquarianism, not to mention the economics of current world affairs. He bleeds Blue for Chelsea and Team India! To share quotes or your inputs for stories, please get in touch on sumeet_wadhwani@swzd.com