Cloud Security Under Scrutiny
At Black Hat USA 2024, cloud security was a major focus. Aqua Security researchers presented a class of flaws they call Shadow Resources, affecting the S3 buckets that AWS services such as CloudFormation create automatically on a user's behalf. Those bucket names follow a predictable, per-account pattern, and S3 bucket names are unique across every AWS account, so an attacker who learns the pattern can create the bucket in a region the victim has not used yet. When the victim later enables the service in that region, the service writes its files into the attacker-controlled bucket and may read back whatever the attacker planted there, which Aqua showed could lead to data leakage, remote code execution, and full account takeover.
Amazon fixed the affected services after being notified. Separately, Symantec warned that attackers increasingly use legitimate cloud services such as Google Drive and Microsoft OneDrive for command and control and data exfiltration, because that traffic blends in with normal business use. The tactic is not new, but it is hard to block without also blocking the tools staff rely on. Taken together, the two findings show how much of an organization's attack surface now lives in the cloud services it depends on.
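The Shadow Resource pattern above comes down to a race on a global namespace: whoever creates a predictably named bucket first owns it. The following is an added example, not Aqua's research code or AWS tooling, of the defensive check a practitioner would run. It assumes (as Aqua's description implies, but the page does not state) that the 12-character hash in CloudFormation's `cf-templates-<hash>-<region>` bucket name is constant across regions for one account, so one observed bucket name reveals the names the service will use everywhere else. The S3 probe is abstracted behind a `probe(bucket, expected_owner)` callable returning the HTTP status of a HeadBucket call that sets the real `ExpectedBucketOwner` parameter; a constructed in-memory namespace stands in for S3 so the example runs offline.

```python
# Added example: hunting for "shadow" S3 buckets that an attacker may have
# pre-created in regions you have not used yet. Not Aqua's or AWS's code.
import re
from typing import Callable, Iterable

# Name the CloudFormation console uses for template uploads in each region.
# Assumption for this example: <hash> is the same in every region of one account.
CF_TEMPLATE_RE = re.compile(r"^cf-templates-([0-9a-z]{12})-([a-z]{2}-[a-z]+-\d)$")


def derive_regional_names(known_bucket: str, regions: Iterable[str]) -> list[str]:
    """From one observed cf-templates bucket, list the name the service would
    pick in every region in `regions`. Raises if the name does not match."""
    m = CF_TEMPLATE_RE.match(known_bucket)
    if m is None:
        raise ValueError(f"not a CloudFormation template bucket: {known_bucket!r}")
    account_hash = m.group(1)
    return [f"cf-templates-{account_hash}-{region}" for region in regions]


# probe(bucket, expected_owner) -> HTTP status of HeadBucket with
# x-amz-expected-bucket-owner set. With boto3 (needs s3:ListBucket) that is:
#     def probe(bucket, owner):
#         try:
#             s3.head_bucket(Bucket=bucket, ExpectedBucketOwner=owner)
#             return 200
#         except botocore.exceptions.ClientError as e:
#             return int(e.response["ResponseMetadata"]["HTTPStatusCode"])
Probe = Callable[[str, str], int]


def classify(bucket: str, account_id: str, probe: Probe) -> str:
    """'owned'     : exists and belongs to account_id
       'unclaimed' : name is free -> create it yourself before the service does
       'shadow'    : exists but belongs to someone else -> the service would
                     write your files there and read back theirs"""
    status = probe(bucket, account_id)
    if status == 200:
        return "owned"
    if status == 404:
        return "unclaimed"
    if status == 403:
        return "shadow"
    raise RuntimeError(f"unexpected HeadBucket status {status} for {bucket}")


def find_shadow_buckets(known_bucket: str, regions: Iterable[str],
                        account_id: str, probe: Probe) -> dict[str, str]:
    """Map every derived regional bucket name to its classification."""
    return {b: classify(b, account_id, probe)
            for b in derive_regional_names(known_bucket, regions)}


# --- constructed stand-in for S3 so the example runs without AWS credentials ---
# Simulated global namespace: bucket name -> owning account id.
FAKE_NAMESPACE = {
    "cf-templates-1a2b3c4d5e6f-us-east-1": "111111111111",  # ours
    "cf-templates-1a2b3c4d5e6f-eu-west-1": "999999999999",  # attacker's claim
}


def fake_probe(bucket: str, expected_owner: str) -> int:
    owner = FAKE_NAMESPACE.get(bucket)
    if owner is None:
        return 404
    return 200 if owner == expected_owner else 403


if __name__ == "__main__":
    report = find_shadow_buckets("cf-templates-1a2b3c4d5e6f-us-east-1",
                                 ["us-east-1", "eu-west-1", "ap-south-1"],
                                 "111111111111", fake_probe)
    for name, verdict in report.items():
        print(f"{verdict:9s} {name}")
```

Any bucket reported as `shadow` must be investigated, and `unclaimed` names are worth creating yourself so the race cannot be lost later. The IAM-level fix AWS recommends is to add an `aws:ResourceAccount` condition to the policies of roles that write to such buckets, so that writes to a bucket owned by any other account are denied regardless of its name.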
CrowdStrike Meltdown Emphasizes Cyber-Resilience
The July 2024 CrowdStrike outage, in which a faulty Falcon sensor content update crashed Windows hosts worldwide, was on everyone's mind. Hans de Vries of the European Union Agency for Cybersecurity (ENISA) stressed that organizations must be ready for trouble arriving through their suppliers, whether a malicious supply chain compromise or a vendor's bad update; such incidents are the real test of whether a CISO's resilience plan works. Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA), made the case for secure by design, building security into products rather than bolting it on afterwards, and pointed to threat activity from states such as China and North Korea.
Patching is No Panacea
Updating systems is not foolproof, as SafeBreach researcher Alon Leviev showed. His Windows Downdate attack turns Windows Update against itself: by manipulating the update process he could roll back components such as the kernel, system DLLs, and the hypervisor to older, vulnerable versions while Windows Update still reports the machine as fully up to date, so the downgrade is invisible to patch management. The lesson is that "patched" means little unless the integrity of the update mechanism itself is verified.
AI Infrastructure Vulnerabilities
AI infrastructure drew attention too. Wiz researchers showed how they breached AI-as-a-service platforms, including Hugging Face, by uploading a malicious model: PyTorch checkpoints are pickle files, and loading a pickle executes whatever code it names, so a crafted model gave them code execution inside the provider's inference infrastructure. From there they could reach other customers' private models and datasets, underlining that model files must be treated as untrusted code and that tenants must be strictly isolated.
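To make the malicious-model mechanism concrete, here is an added example, written for this page and not Wiz's exploit or Hugging Face's code. It builds a "model" in memory whose pickle `__reduce__` hook runs `exec` when loaded, exactly the way a booby-trapped `.bin` checkpoint would, and shows the default loader executing it beside a restricted unpickler that refuses every global not on an allow-list. The payload is deliberately harmless (it sets an environment variable named `WIZ_DEMO_PICKLE_RAN`, a name chosen for this example), and the benign checkpoint is a constructed `OrderedDict` standing in for a real state dict.

```python
# Added example: a pickle-serialized model is untrusted code. Not Wiz's code.
import collections
import io
import os
import pickle

MARKER = "WIZ_DEMO_PICKLE_RAN"  # hypothetical env var set by the demo payload


class FakeWeights:
    """Poses as a model object. Pickle serializes it as "call this callable
    with these args", so the unpickler runs exec() before any model code."""

    def __reduce__(self):
        payload = f"import os; os.environ[{MARKER!r}] = '1'"  # harmless stand-in
        return (exec, (payload,))


def build_malicious_model() -> bytes:
    """Bytes a legacy PyTorch checkpoint loader would accept as a model."""
    return pickle.dumps(FakeWeights(), protocol=4)


def build_benign_state_dict() -> bytes:
    """Constructed state dict: what an honest checkpoint roughly looks like."""
    return pickle.dumps(collections.OrderedDict(layer_weight=[0.1, 0.2]), protocol=4)


def load_unsafe(blob: bytes):
    """What pickle.load and the legacy torch.load path do: trust the file."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a checkpoint may reference. Anything else
    (builtins.exec, os.system, subprocess.Popen, ...) is refused before the
    object is constructed, so the payload never runs."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def load_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


if __name__ == "__main__":
    blob = build_malicious_model()
    os.environ.pop(MARKER, None)
    load_unsafe(blob)
    print("unsafe load ran the payload:", os.environ.get(MARKER) == "1")
    try:
        load_safe(blob)
    except pickle.UnpicklingError as err:
        print("safe load refused:", err)
    print("benign checkpoint:", dict(load_safe(build_benign_state_dict())))
```

An allow-list unpickler is a stopgap: real checkpoints reference many more globals, and every entry widens the attack surface. The more robust fix, which Hugging Face itself promotes, is to distribute weights in the safetensors format, which stores tensors without pickle and therefore cannot carry code.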
Regulatory and Liability Concerns
The growing legal exposure of senior security officials was another theme, with the SEC's case against SolarWinds and its CISO, Tim Brown, as the reference point. Sessions covered strategies for reducing personal and corporate risk, demonstrating compliance, and keeping the trust of boards and regulators as disclosure rules tighten.