Posted August 9, 2019
The 22nd annual Black Hat USA Conference was held this week in Las Vegas. Black Hat is one of the most important cybersecurity events, bringing together researchers, developers and hackers from around the world for a week of training sessions and briefings. As such, it is often the stage for major announcements that affect security professionals as well as the general public.
This year's Black Hat did not disappoint, and contained significant new developments that will interest both macOS and iOS users.
Read on for our round-up of Black Hat 2019 …
macOS bug bounty
As rumored earlier this week, Apple announced a long-awaited bug bounty program.
Listeners of The Checklist podcast will recall the controversy that arose earlier this year when a young security researcher discovered a serious keychain vulnerability and delayed submitting the details to Apple in response to the lack of a macOS bounty program.
For many third-party security researchers, this is a welcome (albeit overdue) move by Apple.
Larger payouts, iPhones for hackers and more
Krstić also announced some other important changes in the way Apple will approach the security community in the future.
For one thing, the payouts for the company's existing bug bounty program will be significantly increased. Previously, Apple had come under fire from many who considered the sums the tech giant was willing to pay for exploits relatively modest (especially when compared with Microsoft, Google or even the black market). In the future, Apple will pay security researchers who report their findings as much as $1 million for the most serious classes of vulnerability.
Another important change is that the bug bounty program, which starts this fall, will be open to all security researchers. Previously, Apple's iOS bug bounty program was invitation-only. By widening the field and making security research a little more democratic, Apple hopes to improve the security of its users in the face of increasingly common attacks targeting its platforms.
The third big piece of news from Apple was that the company would soon start offering "dev device" iPhones: developer-friendly versions of its mobile devices that allow security researchers to take a closer look at the operating system in order to conduct thorough research and testing. While this initiative may not be as "open to everyone" as the bug bounty program, it will certainly help increase the number of researchers and developers working to make iOS as secure as possible.
Underscoring the need to engage more with the security community were a couple of briefings that revealed significant issues affecting Apple products.
Google Project Zero's Natalie Silvanovich revealed several vulnerabilities in iMessage that could potentially allow a malicious actor to access files or even execute code on a target device. Apple has released patches, so it's probably a good time to update your device if you haven't done so in a while!
Joshua Maddux gave a talk highlighting the difficulty of building software that "plays well" with other applications, showing how Apple Pay can be integrated into some websites in such a way that they become vulnerable. Less an error in Apple's own design than in the way its products are sometimes (poorly) implemented by third parties, it still shows how difficult it is to anticipate every eventuality and account for every variable, and why it's so important to have as much help as possible in the battle for web security.
Notes from the keynote
Also worth mentioning was the conference's keynote by Dino Dai Zovi, the Head of Mobile Security at Square (as well as an expert on Mac security).
Dai Zovi's talk covered a lot of ground, but one theme that really hit home with us was his emphasis on changing the culture of cybersecurity to one of positivity, engagement and open communication as the best way to serve the needs of organizations.
It's definitely something we at SecureMac can get behind!