A
Hello everyone, this is Tom Nguyen. I'm here with a Risky Business News sponsor interview. Today I have with me James Pope of Corelight. G'day James. How are you?
B
Good. Nice to meet you.
A
James is the director of Technical Enablement at Corelight, among other titles. And you were telling me, James, that you have recently been at Black Hat Singapore, where you were part of a team that spun up the network there and then also did security monitoring. And it seems like you've got a few interesting stories to tell from that. So can we start with, like, what's the process? How do you end up being involved? And, like, what do you do? And then what did you see?
B
Yeah, so I have a kind of a dual role there. Right. So I am the SOC lead for the Black Hat NOC, and then I'm also Corelight's Technical Marketing Engineering and Technical Enablement director there. And so I oversee a team of super smart people. So for Black Hat, we get there early and we work with all of our partners, and they're truly partners. Right. None of these organizations are pay to play. At Black Hat, we select the right technology to help us solve a problem, whether it be Palo Alto Networks, Cisco, Arista or Corelight. So we stand up this network, we make it available, we make it function the way it's supposed to, segmented, and then we turn around and monitor that network. So Corelight's job is network monitoring.
A
And.
B
And we have a lot of very smart people coming from our labs, our research team, our TME team, and our sales engineers who rotate in and work shifts, and we actually monitor all the traffic in that network, looking for anything. Attacks against registration, our backbone, classroom to classroom, illegal stuff and interesting findings.
A
Yeah, it seemed like an interesting network in that in theory at least, you have a whole population of people who should have good security practices. Yet at the same time, do you get tipped off on what classrooms are going to be doing and what kind of attacks you might expect to see legitimately, if you know what I mean. Or is it just we've got to try and sort out the wheat from the chaff on the fly?
B
It's both. I mean, we know what the classrooms are, we know who the trainers are, we even know what their curriculum is. And we actually do a lot of stuff around AI/ML baselining: these are the number of sources this attack is coming from to the same type of destinations. Does that match the curriculum of the class? Would that be expected behavior? Would you promote this as a, we call it a Black Hat Positive. A Black Hat Positive is something where it is clearly a detection that is good. It's not a false positive, it's a very good detection that matched on something. But at Black Hat we let it go because you might be in that classroom learning it. You could be a presenter on stage presenting it. You could be doing a demo on the floor and you don't want us breaking and stopping any of that. So yeah, we definitely know what's in the classrooms. But there's definitely some wheat and chaff in there too. Right. There's definitely people who are on gen Wi-Fi and doing something else.
A
Something else like what?
B
So whether it's a person knowingly, probably not knowingly, or an application or a misconfiguration. So one example was at Asia: there was this weather app, and it's 5 million downloads of this weather app. So it wasn't like it was three people who had access to this, and it was posting their GPS location pretty consistently, pretty often. So you could follow them around the conference center, see exactly where they're at. But that's happening not just at Black Hat, but that's happening everywhere they go, every network they're on, their GPS location, because an application was misconfigured in one spot and is sending out credentials.
A
So it was tied to their like user ID or something like that as well.
B
Yeah, yeah. Location and then information about them.
A
That doesn't sound ideal but we also.
B
Like, weirdly enough, our industry, and this is probably true for IT and it's true for me frankly, we like to host our own things. I don't know if it's because we don't want to pay to host it. Maybe it's because we don't trust the things that we're sending, having some SaaS application that we're sending it to. Maybe it's just convenience, to prove that we can. But we run into often a ton of self-hosted things that are misconfigured. We're sending things in clear text, whether it's some NAS system, or this last Asia show we had somebody's GitLab, their internal GitLab from their house, and their API keys or credentials, everything going to their repository of their code just sitting there in the clear. Or another one, there was a no-code SOAR that has the word AI around it, and SOAR applications are super interesting from my vantage point. Those are keys to a lot of kingdoms in a lot of organizations. That's the credentials to do the block on the firewall or stop an agent, host isolation or other. And yeah, just having these things sitting out there in the clear. Or shoot, there was one, SMB over the Internet in 2025. And unfortunately, the SMB over the Internet, Tom, was somebody sending security findings from their job. And they definitely did work for governments and financial organizations. And there were API keys and access. Like, if we couldn't have validated what it was, it almost felt honeypot-ish. Right. Like it was everything that you shouldn't be doing in 2025.
A
Yeah, right. I find it a really interesting dynamic that you have people who are at least notionally security savvy. I'm assuming it's just difficult for people to actually lock down every single thing all the time. Otherwise, like, it would be better.
B
I tell people, like, oh, do you join that network? Black Hat's a very dirty and untrusted network. And I'm like, yeah, I join it every single time. And after I join it, I go look at my own data, right? I go see what data is coming in and out of my phone and in and out of my laptop. What am I leaking out? And people are like, oh, that's a nice luxury to have. And that's a true statement. But Zeek is free. You can just run Zeek at your house. You can Wireshark, you can tcpdump. You have the ability to look at these things yourself. It doesn't take a magic giant enterprise. Obviously, that makes it easier in deploying and accessing. But you can tcpdump right now on your laptop and see if anything's in the clear.
A
Yeah, yeah. So Zeek is the product that Corelight maintains. And I guess you sell services around Zeek, right? So there is, to be clear, there's an element of self-promotion. But that's exactly what I was wondering, because I was thinking if I was in that situation, I could record everything to PCAP or whatever. But I was thinking, like, what would I do next? Would it be Wireshark? I don't think that seems a practical way to actually look at all your own traffic. But you're saying that something like Zeek, some sort of network monitoring system, would pull out: here's the small percentage of stuff that you actually have to worry about.
B
Yeah, I mean, we have the luxury of dropping a sensor and getting all that data sent to our Investigator cloud tool. That brings a lot of that out. But yeah, I mean, pcapping and then pulling metadata from that and trying to get answers from it. So if I was an organization, I definitely would look at my VPN, because every conference we go to we find people with VPNs that are set up incorrectly. A, just misconfiguration, but B, sometimes just split tunneling. You have people who are set up at your organization to VPN to this destination, and you get to a conference or some restaurant Wi-Fi and the subnet matches your split tunnel, and you are now routing everything through the clear. Very sensitive things that shouldn't be routed through the clear. So I mean, at the end of the day, just go look, is I guess what I'm trying to say. There's no real excuse for an organization to not look.
A
Right? Right. So there's an excuse for a person, but not for an organization.
B
And as people, we would expect the weather app, we have to not be sending our GPS locations out and adding that to our risk profile. But from a corporate enterprise, is your SASE product sending out proxy information about every URL you're going to? You might not know that unless you go look.
A
Yeah. So what are the other kind of surprising things you find at a network like Black Hat?
B
Yeah, there's a lot of applications that will have something misconfigured, like they'll do everything right, but then there's one part wrong. An example again: in Asia we had a giant hardware manufacturer based out of APAC, and logging in, everything seemed okay except for one part. There's like a post of an employee doing something in this employee portal, and that put their credentials right there in the clear. And so we have disclosures. So we send out disclosures to these companies and organizations and let them know of the things that we're seeing, in hopes that they'll actually listen and try to improve it. Right. We're not sending out big bounties asking for money. We're sending out, hey, you really should try to fix this so it improves it for your users. But yeah, things like applications where when they uploaded an avatar, their little icon avatar, that turned into basic auth through the clear. I wouldn't really expect a user to know or check, and maybe even some organizations. But yeah, we gotta start looking, because you can do everything right, certificate, set it all right for login, and then have one piece that maybe the developer just didn't want to use certificates during that process and then it never got applied before it got shipped. I couldn't tell you the exact reason why each one of these have this vulnerability or issue in it, but there's more than there should be.
A
So this all makes me think about things like public Wi-Fi networks, where I guess the conventional wisdom nowadays is that it's all okay because everything's encrypted. But perhaps if you're looking at a network like Black Hat, maybe everything isn't.
B
Okay, yeah. I mean, A, there's a lot of insights you can get on encrypted traffic, a lot of inferences of things that you can do. But B, yeah, I mean, 2025, when I started this, you'd be like, yeah, everything should be encrypted. It shouldn't have a need for it. But there's surprisingly a lot. And every giant enterprise I've ever been in, I did threat hunting for three-plus years, I got that statement every time: everything's encrypted, there's probably not a lot you're going to find in here. Every single time, find stuff. Enterprise is still sitting 60/40% encrypted, unencrypted. And you think cloud, cloud should be more secure. Right? We move to the cloud. That's not been my experience. Every time I see somebody's inside their cloud hard perimeter, once inside of it, it is somehow worse than their on-prem. They don't go back through and actually validate things. You got a giant VPC that's open, everything's in clear. Yeah, that's not the case. There's plenty of, plenty of misconfigurations and things that should be improved that are not.
A
So you get involved in Black Hats around the planet, I presume. Like, how does a Black Hat network differ from a regular run-of-the-mill one? I would have thought that it's both a perfect place for a SOC to sit in terms of being interesting, but also somewhat non-representative.
B
Yeah, both are true. Right. I do Black Hat Asia, Black Hat Europe and Black Hat USA. So around the world. And I've definitely hunted in a lot of organizations in their environments, and they're definitely different. Black Hat does have more encryption than a typical organization, because it is mostly your host to the Internet, which has a higher chance of having more encryption than you on-prem with all of these on-prem devices. Now there are some organizations that are all cloud-first and have just SASE products connecting, and so it depends on the org, but there's plenty that have on-prem databases, application systems, internal tool systems, CMSes, and in those organizations there's a lot of stuff inside of those that is definitely not as encrypted as you would think it would be.
A
So one thing I was wondering about is, the different Black Hats in different parts of the world, do they have, like, a different character, or are hackers everywhere all the same?
B
Yeah. I mean, there is some commonality between hackers, but APAC, Asia, typically has more encryption than anywhere else. One time when pressed, asking some people, they said they didn't trust their government, which I thought was an interesting comment. And there's a lot of different governments of APAC coming to a central place. Right. And so that's always interesting. And there's a lot more in Europe and Asia, definitely more in Asia, like side-loaded APKs for Android things. And that definitely increases the amount of detections and weirdness. Fewer iOS devices, more Android devices, and a lot more side-loaded APKs.
A
Yeah. And so is there a particular story that you like in your time that is like, it seems just like a fascinating network to be sitting on top of and having a look at?
B
Yeah. A lot of times people come infected to the conference. Probably one to three people come infected, and we try to do what we can.
A
One in three.
B
One, two, three. Sorry.
A
Oh, one, two, three.
B
A range of one to three people come infected, and we try to do our best to locate them and let them know. And one show we had a device pop on the Internet and immediately start connecting to all the bad things ever known in the entire world. I mean, it was like every detection was firing off on this thing. And we did some quick, who is this? Where are they? And it turned out they were on stage presenting at that moment. And so they told me, and I run down there and I'm waiting for them to, you know, when you're done presenting, people come up to you and they start talking about your presentation and how it went and asking you questions. So there's this line, and I wait in this line, and I get up to them at the end and I say, hey, I'm from the Black Hat NOC. You weren't by chance presenting on malware or on some, like, sandbox that you were detonating? And they said, no, I'm the CTO of Org. I said, okay, then we should have a conversation over here. And I brought him over to the side and I said, hey, I don't like to make definitive statements, but I'm pretty sure your laptop's compromised. And they did not like that. And they said something to the effect of, but I have [insert EDR agent here] on my machine, so therefore that can't happen. And I don't know the context. I said, for all I know, it did get alerted on, and that thing's firing off too, and nobody's looking at it. But if you'd like to, I'm happy to share all the logs with you and work with your IT team on what we saw. And later their IT team did reach out. I gave them all the logs and they said thank you. So just trying to help tools and applications improve and get better, and trying to help people. Right. People come infected, we're going to try to let you know, and, you know, hopefully he got that remediated and it wasn't a big deal.
A
I guess there's quite a long history of North Korean actors targeting security researchers in particular, and successfully too. So I suppose it's not a surprise that you might come across people at a conference who've been targeted, and I guess that's just the nature of the business. Well, James, thanks a lot for a fascinating discussion. I've learned many things. James Pope, director of Technical Enablement at Corelight. Thank you.
B
Thanks, Doug.
Risky Bulletin: Sponsored Episode Summary
Title: What Really Goes Down on Blackhat Wi-Fi Networks
Release Date: May 11, 2025
In this sponsored episode of Risky Bulletin, host Tom Nguyen engages in an insightful conversation with James Pope, Director of Technical Enablement at Corelight. The discussion delves into the intricate dynamics of Wi-Fi networks at Black Hat conferences, shedding light on the security challenges and vulnerabilities encountered in such high-stakes environments.
Establishing and Monitoring the Network
James Pope elaborates on his dual role at Black Hat Singapore, where he serves as both the SOC lead for the Network Operations Center (NOC) and the Director of Technical Enablement at Corelight. He explains how Corelight works with technology partners such as Palo Alto Networks, Cisco and Arista, alongside its own sensors, to establish a secure and segmented network for the event.
“[We] select the right technology to help us solve a problem, whether it be Palo Alto Networks, Cisco, Arista or Corelight.”
[00:48]
Corelight’s primary responsibility involves network monitoring, leveraging a team of experts from various departments to oversee all traffic within the Black Hat network. Their goal is to identify and mitigate any malicious activities or security threats in real-time.
Understanding Expected vs. Anomalous Behavior
James discusses the balance between recognizing legitimate activities aligned with conference sessions and identifying potential threats. Corelight employs AI and machine learning baselining to discern patterns that match the curriculum and expected behaviors within the classrooms.
“At Black Hat we let [Black Hat Positive alerts] go because you might be in that classroom learning it. You could be a presenter on stage presenting it. You could be doing a demo on the floor and you don’t want us breaking and stopping any of that.”
[02:18]
This approach ensures that essential educational activities are not disrupted while still maintaining vigilance against genuine security risks.
Instances of Data Leakage and Mismanagement
Despite the ostensibly security-savvy audience, James highlights several instances where sensitive data was sent in the clear. One notable example involved a weather application with five million downloads that continuously leaked GPS locations, enabling real-time tracking of users within the conference center.
“An application was misconfigured in one spot is sending out credentials.”
[03:13]
Additionally, Corelight has observed numerous cases of self-hosted services being improperly configured, leading to the exposure of sensitive information such as API keys and credentials in plain text. These oversights pose significant security threats, not only at Black Hat but across various networks globally.
The Reality Behind Encrypted Networks
James discusses the misconception that all corporate environments maintain robust encryption practices. Despite widespread claims of encrypted communications, a substantial portion of network traffic remains unencrypted, leaving organizations vulnerable to data breaches.
“Everything’s encrypted. There’s probably not a lot you’re going to find in here every single time. Find stuff. Enterprise is still sitting 60, 40% encrypted, unencrypted.”
[06:32]
He emphasizes the importance of organizations actively monitoring and validating their encryption protocols to ensure comprehensive security.
Regional Differences in Security Practices
The conversation shifts to the variations in security practices observed at Black Hat conferences around the world. James notes that Black Hat Asia tends to see more encrypted traffic than the other shows; when he once asked attendees about it, they attributed this to distrust of their governments.
“APAC Asia typically has more encryption than anywhere else. There’s a lot more in Asia, like side loaded APKs for Android things. And that definitely increases the amount of detections and weirdness.”
[12:21]
Furthermore, he points out the prevalence of Android devices and side-loaded applications in the APAC region, contributing to a higher detection rate of anomalies and security incidents.
Real-World Examples of Network Compromises
James shares compelling stories from his experience monitoring Black Hat networks. One such incident involved a presenter’s laptop that triggered numerous security alerts, indicating a likely compromise. Despite initial pushback from the presenter, Corelight handed its logs to the organization’s IT team so the issue could be investigated and remediated.
“So there’s this line and I wait in this line and I get up to them at the end and I say, hey, I’m from the Black Hat NOC. You weren’t by chance presenting on malware or on some like sandbox that you were detonating? And they said, no, I’m the CTO of Org.”
[13:07]
This incident underscores the constant threat of security breaches, even among participants who are presumed to be security-conscious.
The episode concludes with James emphasizing the need for continuous monitoring and proactive security measures. He advocates for organizations to use freely available tools, such as Zeek, to analyze their own network traffic and identify cleartext exposures and misconfigurations before someone else does.
“There’s no real excuse for an organization to not look.”
[07:08]
James encourages both individuals and organizations to take ownership of their security practices, leveraging technology to safeguard against increasingly sophisticated threats.
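The advice above ("just go look") is easy to state and rarely acted on, so here is an added example of what "looking" can mean in practice. It is not code from the episode or from Corelight. It assumes you already run Zeek (or any tool that writes a tab-separated http.log with a `#fields` header, as Zeek's default ASCII writer does) against your own laptop's or home network's traffic, and it scans that log for the three kinds of cleartext exposure the episode describes: HTTP basic auth credentials, GPS coordinates in a query string, and logins posted over plain HTTP. The sample log records, hostnames, and the `LOCATION_PARAMS` and `LOGIN_PATHS` heuristics are constructed for this example.

```python
"""Flag cleartext exposure in Zeek-style http.log records (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed sample log: a trimmed http.log carrying only the columns this
# check needs. Field names match Zeek's http.log; the records are invented.
# Zeek writes "-" for an unset field and, by default, masks the password
# field of a basic-auth request as "<hidden>" while still logging the username.
SAMPLE_HTTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tmethod\thost\turi\tusername\tpassword
#types\ttime\tstring\taddr\taddr\tport\tstring\tstring\tstring\tstring\tstring
1746900000.1\tC1\t10.0.0.5\t203.0.113.10\t80\tGET\tweather.example\t/api/locate?lat=1.29&lon=103.85\t-\t-
1746900001.2\tC2\t10.0.0.7\t203.0.113.20\t80\tGET\tgitlab.example\t/api/v4/projects\tdev\t<hidden>
1746900002.3\tC3\t10.0.0.9\t203.0.113.30\t8080\tPOST\tportal.example\t/employee/login\t-\t-
1746900003.4\tC4\t10.0.0.5\t203.0.113.40\t80\tPOST\tcdn.example\t/avatar/upload\t-\t-
"""

# Heuristics (assumptions for this example, not Zeek defaults): query keys that
# carry coordinates, and URI paths that usually receive a credential.
LOCATION_PARAMS = re.compile(r"[?&](lat|latitude|lon|lng|longitude)=", re.IGNORECASE)
LOGIN_PATHS = re.compile(r"/(login|signin|auth|session)s?\b", re.IGNORECASE)


@dataclass
class Finding:
    uid: str      # Zeek connection id, so the finding can be joined to conn.log
    client: str   # id.orig_h: the device that leaked
    host: str     # HTTP Host header the request went to
    reason: str


def parse_zeek_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record of a Zeek ASCII log, keyed by its #fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):          # #separator, #types, #close, ...
            continue
        if not fields:
            raise ValueError("record seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def find_cleartext_exposure(log_text: str) -> List[Finding]:
    """Return one Finding per exposure. Everything in http.log was unencrypted on
    the wire: Zeek's HTTP analyzer only sees plaintext HTTP, so a populated
    username means an Authorization: Basic header crossed the network in the clear."""
    findings: List[Finding] = []
    for rec in parse_zeek_log(log_text):
        uid, client, host, uri = rec["uid"], rec["id.orig_h"], rec["host"], rec["uri"]
        if rec.get("username", "-") != "-":
            findings.append(Finding(uid, client, host, "basic auth credentials in cleartext"))
        if LOCATION_PARAMS.search(uri):
            findings.append(Finding(uid, client, host, "GPS coordinates in cleartext query string"))
        if rec["method"] == "POST" and LOGIN_PATHS.search(uri):
            findings.append(Finding(uid, client, host, "cleartext POST to a login-style endpoint"))
    return findings


def summarize_by_client(log_text: str) -> Dict[str, int]:
    """Count findings per leaking device; on your own network this is the list of
    hosts (or phones) to go and fix."""
    counts: Dict[str, int] = {}
    for f in find_cleartext_exposure(log_text):
        counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_cleartext_exposure(SAMPLE_HTTP_LOG):
        print(f"{f.uid}\t{f.client} -> {f.host}\t{f.reason}")
    print(summarize_by_client(SAMPLE_HTTP_LOG))
```

Run it against a real http.log by replacing `SAMPLE_HTTP_LOG` with the file's contents; the `uid` in each finding joins back to conn.log, and with `HTTP::default_capture_password` left at its default the password itself never lands on disk, which is the right trade-off for a check you run on your own traffic. The avatar-upload record is deliberately not flagged: the episode's point that a single unencrypted endpoint can carry credentials shows up in the log only if Zeek actually observes the auth header, so this kind of script finds what is visible, not everything that is wrong.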
Final Thoughts
This episode of Risky Bulletin offers an in-depth exploration of the complexities surrounding network security at high-profile conferences like Black Hat. James Pope’s insights reveal the delicate balance between facilitating educational activities and maintaining stringent security protocols. The discussions highlight the pervasive challenges of encryption mismanagement, regional variations in security practices, and the ever-present risk of network compromises. For cybersecurity professionals and enthusiasts alike, the episode serves as a compelling reminder of the importance of vigilance and proactive measures in safeguarding digital environments.