[ISN] Security showdown in Vegas

From: InfoSec News (isnat_private)
Date: Thu Jul 12 2001 - 02:57:19 PDT

By Robert Lemos
Special to CNET News.com
July 10, 2001, 5:35 p.m. PT

Las Vegas plays host to two separate security conferences this
week--one for people who guard computer systems, another for those who
break into them.

System administrators and hackers, CIOs and script kiddies will all
gather in the desert to trade information, swap stories and take each
other's measure.

At the Black Hat Briefings security conference Wednesday and Thursday
at Caesar's Palace, security experts will teach network administrators
and information-technology managers how to protect their critical

Starting Friday, hackers will emerge at Def Con, with many from the
underground culture coming out into the hot Las Vegas sun to trade
code, learn new tricks and, in some cases, finally meet in real life.

"They are very different conferences," said Scott Culp,
security-program manager for Microsoft, who plans to attend Black Hat
but not Def Con. "Def Con is very focused on attacking systems, while
Black Hat is focused on defending them."

Computer security is an area of intense interest among governments,
corporations and consumers worldwide. Break-ins often amount to little
more than pranks but also can result in systems being taken out of
commission and information being stolen or corrupted.

In recent weeks, hackers have gained access to computer systems at a
financial services company, a news site in the United Arab Emirates
and a corporation that controls the distribution of 75 percent of
California's power. Meanwhile, a CIA official warned Congress that in
the next decade Russia and China may have computer-based tools that
could do long-lasting harm to the U.S. economy.

Last month, online financial services provider S1 suffered an
electronic break-in in which an unknown attacker exploited a security
flaw to access one of the company's servers. In the California attack,
which also occurred last month, an inexperienced intruder took control
of two servers that were supposed to be protected by a firewall.

And in May, online vandals launched a denial-of-service attack on the
Whitehouse.gov Web address, much like the assaults that crippled Yahoo
and other major Web sites a year earlier.

Much attention--from both attackers and defenders--also has gone to a
security hole in Microsoft's flagship Web server software that the
company has called a "serious vulnerability." Just last week, a
Japanese hacker surreptitiously posted a program that could exploit
that hole in the Internet Information Service software and give remote
attackers complete control of vulnerable servers.

Microsoft tests the wind yearly at Black Hat to see what security
threats system administrators are most worried about, Culp said. Last
year, the major worries were the virulent spread of worms through
e-mail and the high cost of properly managing security.

In response to hearing such worries at Black Hat and other
conferences, Microsoft focused more heavily on getting the bugs out of
its own programs, announcing its "war on hostile code" in April.

Don't expect any panacea for the high-tech world's security woes,
"If you're looking for a killer technology that has radically altered
the security landscape in the past year, it's not there," Culp said.
"Security is about banging out incremental improvement every day."

The flip side of the security coin shows up at Def Con. While the past
few years of media frenzy surrounding hackers has caused the crowds to
swell at the conference, actual hackers still do show up, said Jay
Beale, security team director for Linux software maker MandrakeSoft.

"Def Con just mirrors the population of hackers in general," he said.
"The bulk are just script kiddies, but there is some small portion
that really know what they are doing."

With its "capture the flag" contest, where teams of attackers try to
crack a handful of servers set up for the tourney, Def Con is a big
game for some. Others barely attend the conference, meeting in rooms
behind closed doors to swap information and finally chat in real life.

Though there are two distinct conferences, the attendees have a lot in
common. Some system administrators come early to Black Hat to attend
seminars including "Ultimate Hacking," a two-day course that teaches
them to hack their own systems, the idea being that knowing your own
weaknesses is the best defense.

Others officially attend Black Hat on behalf of their company, then
stay on to meet the other side at Def Con.

In the end, the worst thing about the conferences may be that security
and hacking have become too popular, Beale said. "The only complaint I
have is that there are too many people who know about it at this

ISN is hosted by SecurityFocus.com
To unsubscribe email isn-unsubscribeat_private

This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 03:28:31 PDT