Black Hat 2018: What to Expect

As summer heats up, security researchers, government spooks, and industry elites head to Las Vegas for the Black Hat conference, followed immediately by its more storied progenitor, DefCon.

It's a week-long celebration of all things infosec, where researchers try to one-up each other with presentations on the latest, scariest vulnerabilities. After dark, it's glitzy parties with people casually tossing around phrases like "we swept the room for listening devices and found three!" Amidst all this bedlam will be your humble PCMag reporters Max Eddy and Neil Rubenking, clinging tightly to paper umbrella drinks as security secrets are whispered in their ears.

Black Hat is known for its showmanship as much as its research. Previous years have seen hacked Linux rifles, ATMs spewing $100 bills, insecure satellite phones, and high-tech "smart" cars driven off the road by researchers.

Here's what we're looking forward to in Black Hat's 21st year, and keep an eye on SecurityWatch for the latest from Black Hat 2018.

Google in the Spotlight

This year's keynote will be delivered by Parisa Tabriz, director of engineering at Google. Tabriz's talk will focus on embracing new ideas for security even when working at an enormous scale, and will surely touch on her work with the Chrome browser.

Car Hacking Is Back (Kind of)

After their headline-grabbing attack that literally drove a Jeep off the road, Charlie Miller and Chris Valasek said they had turned in their car-hacking keys for good. That is, until they got involved in self-driving vehicles. A talk on the dangers of autonomous cars headed by the kings of automotive attacks is sure to grab attention.

Hacking Humans

There's a common (if dismissive) joke among security professionals that says, "the biggest vulnerability in any system is between the chair and the computer." People are just as easily tricked as computers (perhaps more easily), and social engineering is certain to be a major topic. That's especially true as more and more organizations face the embarrassment of succumbing to phishing attacks. No one wants to be the Democratic National Committee circa 2016, and have their infighting and risotto recipes sprayed across the web.

Encryption and VPNs

Speaking from experience, VPNs are a hot commodity in the security industry. Global unrest and the desire to access free streaming video online has driven the popularity of this once sleepy and overlooked security tool. Given their recent popularity and the opaqueness of the companies involved, expect hackers to focus on VPN services.

Likewise, encryption is the technology that makes everything work online, from keeping secrets secret to verifying the identity of individuals. It's a powerful tool and also an exciting target. Researchers at the convention are sure to present work on how to pick apart, weaken, or otherwise circumvent encryption. We don't expect anything as groundbreaking as the SHA-1 hash collision, but a talk about a side-channel attack to steal encryption keys from routers sounds exciting.

Breaking (or Using) Blockchain

Cryptocurrencies are the darlings of the online underworld as well as tech investors. Their monetary value and digital existence make them easy targets for hackers, which is the subject of a few sessions this year. But it's the use of the underlying blockchain technology as a means to store information and establish trust online that may yield the most interesting research. Some sessions will focus on how to attack the foundations of crypto, for nefarious ends.

Hack the Vote

Russian attempts to influence the 2016 US election are a matter of fact, according to US intelligence and law enforcement agencies. It is the single biggest information security story since the Snowden leaks, and it's still going on. While we didn't see too much on the subject last year, election hacking and vulnerable voting machines are perennial topics at Black Hat, so expect them this year, too. One notable session looks at how to use the existing social graph to unmask Russian Twitter bots.

Two-Factor Authentication: Godsend or Curse?

Google recently squashed phishing with the use of physical two-factor devices, and introduced its own line of security keys at its NEXT conference. But every solution to a security problem is a new opportunity for a researcher to show off. We're sure to see some attacks on 2FA systems.

Hacking in the 21st Century

Black Hat and DefCon are the biggest events of the year for security professionals and hobby hackers, so it's also a time to look at the community as a whole. Although efforts have been made to make information security and conferences more friendly to women, people of color, disabled people, and other groups often marginalized in the tech biz, these events are where the rubber meets the road. There will be more than a few meetups of different groups and sessions addressing how to make infosec more welcoming. Several sessions address issues of depression and PTSD in the hacking community, a subject not often discussed.

How to Hack a Power Plant (or a Water Treatment Plant, or Factory, or Power Grid)

Most hackers are just out to make a quick buck, but some attackers (and nation state actors) have their eyes on bigger prizes: infrastructure. Previous years have seen sessions on how to destroy a factory with bubbles and tactics on how to take down the confusing, bespoke systems that make up most industrial complexes.

About Our Expert

Neil J. Rubenking

Principal Writer, Security

My Experience

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way, I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s, I turned my focus to security and the growing antivirus industry. After years of working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.

The Technology I Use

Much of the testing I do, particularly testing with real-world ransomware, is just plain dangerous. To perform such tests safely, I sequester them inside virtual machines managed by VMWare Workstation. For cross-platform testing, I use a MacBook Air, a Google Pixel 4, and a 6th-generation iPad.

I rely on my Delphi coding skills to create and maintain small applications. These include programs to check whether an antivirus correctly handled the malware it detected, launch dangerous URLs and record the security program’s reaction, and analyze the malware that I collect for use in testing. I also wrote a tiny browser and text editor for use in testing security apps that have predefined reactions for known products.

I do my writing and research on a Dell OptiPlex desktop, relying on Microsoft Word (my fingers know all the shortcuts). Many of my articles include charts and analysis; Excel is my go-to for those. When work hours end, though, I escape the bounds of Microsoft and Windows. There’s an iPhone in my pocket, I relax with my oversized iPad, and my Kindle Oasis is always loaded with the best science fiction and fantasy.

Read the latest from Neil J. Rubenking

Read full bio