Black Hat attendees are surprisingly lax about encryption

LAS VEGAS—At a conference dedicated to information security, you might expect its attendees to be on their best information security behavior. You would be wrong.

At the Network Operations Center of the Black Hat USA conference here, run by Black Hat’s parent firm, UBM, with contributions from security companies such as Cisco Systems, RSA Security, Gigamon, and Palo Alto Networks, a large amount of e-mail and Web traffic has been traveling through the conference Wi-Fi network unencrypted, wide open to eavesdropping by anyone on the same network.

Unencrypted connections can also lead to spear-phishing attacks. And if sites accept usernames and passwords over those connections, their users risk immediate compromise of those accounts and any others at which they’ve used the same password—a bad habit that hasn’t vanished here or anywhere else.

There might be nothing better than highlighting security professionals’ unprotected personal communications at a conference full of hackers to reveal just how lax we still are about encryption. Black Hat’s NOC operators are doing just that.

Postcard-secure e-mail

My NOC guides, RSA security-engineering senior manager Percy Tucker and Cisco senior manager for business development Jessica Bair, had an operator display a PDF of an invoice on one of the dozens of NOC screens, set up in a room on the second floor of the Mandalay Bay convention center here.

It’s a common type of email attachment, and its sender had used an unencrypted mail connection, allowing anybody to read (and copy) the full content of the message. The five-figure bill contained more than enough personal details “to do a spear-phishing attack,” Tucker said.

Bair said Black Hat NOC technicians log every packet of data sent over its network, in case they need to trace an attack at the conference back to an attendee. Black Hat visitors traditionally have gone to great lengths to trick other attendees into weakening their security, including setting up honeypot hot spots in unusual places: “We’ve had access points be put in on potted plants; we’ve had access points on drones,” Bair said.

The invoice email had plenty of encryption-free company: 28 percent of e-mail sent over the Black Hat Wi-Fi network Wednesday was unencrypted, Tucker said, though that figure could have been inflated by conference classes demonstrating the dangers of unencrypted messaging.

Even so, at a security conference, one might expect a much lower percentage of unencrypted communications. (At the RSA Conference in April, Tucker said, network operators logged an even higher rate of unencrypted mail sent over Wi-Fi: 33 percent.)

In the consumer mail market overall, encryption in transit has become a nearly universal default: 90 percent of messages going from users of Google’s Gmail to people using other mail services were protected by TLS (Transport Layer Security) encryption, according to Google’s latest stats.

That’s a significant jump from the end of 2013, when only 27 percent of messages from other services reached Gmail users encrypted.

Two things helped facilitate the jump. First Edward Snowden made the tech industry aware of the National Security Agency’s bulk collection of unencrypted traffic. Then Google—which for years was the only major Web mail service to support TLS—began shaming mail providers neglecting to support it by adding a red open-padlock icon in messages sent to correspondents using them.

At 2016’s Google I/O conference, security manager Stephan Somogyi reported that 45 days after the addition of that warning in March of 2016, the percentage of TLS-encrypted mail had risen 20 percent.

At Black Hat, Tucker mused about a different sort of persuasion: redirecting people using encryption-starved e-mail providers to a captive-portal page warning them of their risks.

HTTP, not HTTPS

Black Hat opened with a keynote speech by Google’s engineering director, Parisa Tabriz, who emphasized the importance of encrypting the connections between sites and browsers. Without encryption, she said, neither the site nor the visitor can have any confidence in the security and privacy of a connection.

Tabriz’s talk noted how Google has worked since 2014 to push the adoption of HTTPS encryption, executing a patient strategy built around ratcheting up Chrome’s warnings about the absence of site encryption. That’s helped drive the share of encrypted traffic to Chrome for Android from 29 percent in March of 2015 to 77 percent today, she said, though that still leaves such high-profile holdouts as Fox News and ESPN.

The data on display at the Black Hat NOC a little after noon Wednesday painted a much darker picture: Only 20.93 percent of the total Internet traffic on Black Hat Wi-Fi was HTTPS, versus 58.44 percent for unencrypted HTTP.
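As an added illustration that is not part of the article and not the NOC's own tooling, the following shows how a network monitor could classify captured sessions and arrive at figures like the unencrypted-e-mail share and the HTTPS/HTTP split reported above. The SMTP transcripts, the first-bytes of each Web flow and the byte counts are constructed samples; the rule that a mail session only counts as encrypted if STARTTLS was accepted before MAIL FROM is the check a practitioner would apply, not something the NOC described.

```python
# Added example (not from the article): how a NOC might classify captured
# sessions as encrypted or not, and compute traffic shares like those reported.
# All transcripts, byte strings and sizes below are constructed samples.

def smtp_session_encrypted(transcript):
    """A captured SMTP session ("C: " client / "S: " server lines) counts as
    encrypted only if STARTTLS was issued and the server answered 220 before
    any MAIL FROM. A refused STARTTLS (e.g. 454) followed by MAIL FROM is
    plaintext: envelope and body then cross the wire in the clear."""
    lines = transcript.splitlines()
    for i, line in enumerate(lines):
        if line.upper().startswith("C: MAIL FROM"):
            return False
        if line.upper().strip() == "C: STARTTLS":
            reply = next((l for l in lines[i + 1:] if l.startswith("S: ")), "")
            return reply.startswith("S: 220")
    return False

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

def classify_web(first_bytes):
    """Classify a Web flow by its first client bytes, not by port: a TLS record
    starts with content type 0x16 (handshake) and version major 0x03; plain
    HTTP starts with a method token. Anything else is 'other'."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "https"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "other"

def shares_by_bytes(flows):
    """flows: iterable of (label, byte_count). Return {label: percent of bytes}."""
    total = sum(n for _, n in flows)
    out = {}
    for label, n in flows:
        out[label] = out.get(label, 0) + n
    return {k: round(100.0 * v / total, 2) for k, v in out.items()}

# Constructed samples: one invoice sent in the clear, one properly upgraded,
# one where STARTTLS was refused and the client carried on in plaintext.
SMTP_PLAIN = "S: 220 mx ESMTP\nC: EHLO laptop\nS: 250 mx\nC: MAIL FROM:<ap@example.test>\nC: RCPT TO:<billing@example.test>\nC: DATA"
SMTP_TLS = "S: 220 mx ESMTP\nC: EHLO laptop\nS: 250-mx\nS: 250 STARTTLS\nC: STARTTLS\nS: 220 Go ahead"
SMTP_REFUSED = "S: 220 mx ESMTP\nC: EHLO laptop\nS: 250 mx\nC: STARTTLS\nS: 454 TLS unavailable\nC: MAIL FROM:<ap@example.test>"

WEB_FLOWS = [  # (first client bytes, byte count) -- constructed
    (b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03", 2093),   # TLS ClientHello
    (b"GET /news/index.html HTTP/1.1\r\nHost: example.test", 5844),
    (b"\x00\x00\x00\x10", 2063),                                # something else
]
```

Feeding `WEB_FLOWS` through `classify_web` and `shares_by_bytes` yields a 20.93 percent HTTPS versus 58.44 percent HTTP split on the constructed sizes; the same classification over real reassembled sessions is what a dashboard like the NOC's would display.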

Security experts intent on improving those stats might take a page from Tabriz, publishing the names of the unencrypted sites most visited by hackers at Black Hat. Alas, Bair and Tucker did not answer an e-mail asking for a list of them.

Correction, August 10 at 1:40 p.m. PST: A previous version of this story mischaracterized the organizational structure of the Black Hat NOC. It is run by UBM.