‍

Hacker Summer Camp 2021 adopted a hybrid format this year, as the restrictions imposed by the ongoing coronavirus epidemic meant that the majority of participants to Black Hat and DEF CON tuned in online rather than turning up in Las Vegas.

CATCH UP Black Hat 2021: Zero-days, ransoms, supply chains, oh my!

Tools, techniques, and (hybrid) procedures

‍

Security researchers made up for the lack of audience interaction by showing that – like the athletes competing at this month’s Olympics and Paralympics – they could go faster, higher, and stronger together.

Still catching up on the proceedings?

‍

Attacking Let’s Encrypt

‍

At Black Hat, researchers from the Fraunhofer Institute for Secure Information Technology showed how the security controls introduced with Let’s Encrypt’s multi-perspective validation feature might be abused.

Circumventing these controls, which were introduced in February 2020 in response to earlier attacks, makes it possible for attackers to get digital certificates for web domains they do now own, offering a springboard for phishing attacks or other scams.

By introducing packet loss or latency to connections to some of the nameservers, an attacker could force the system to rely on a nameserver of their choice – downgrading the security offered by multiperspective validation.

The work shows that domain validation, though it enjoys advantages because it is low cost and lends itself to automation, is not yet secure and needs to be refined in order to become more effective as a barrier to fraud.

‍