[ISN] Las Vegas Hosts Computer Security Events

From: InfoSec News (alerts@private)
Date: Wed Aug 02 2006 - 02:19:49 PDT


http://www.phillyburbs.com/pb-dyn/news/95-08012006-691988.html

By DAN GOODIN
The Associated Press
8/2/2006 

The middle-aged G-men who wear crisp suits and consort with teenage 
hackers sporting purple hair can make the two conferences that will 
converge in Las Vegas this week look like a scene from a science-fiction 
movie.

In fact, the gatherings are the most important in the world of computer 
security, drawing a "who's who" list of leaders from companies such as 
Microsoft Corp. and Cisco Systems Inc., government agencies including the 
FBI and underground groups that act as a neighborhood watch for the 
Internet.

The motley band of researchers, federal agents and cyberhobbyists come to 
learn how to fortify networks against the latest attacks, share research 
on new vulnerabilities and recruit people in a field where competition for 
talent is growing increasingly fierce.

Laced with an abundance of raucous parties and high-tech pranks, the 
five-day event is equal parts boot camp, hard-core technical forum and 
carnival of bacchanal proportions.

"This is a circus with many rings," said Richard Thieme, whose book 
"Islands in the Clickstream" explores the effect computers and other 
machines have on society and individuals. "There's a constant exchanging 
of energy and information, morning, noon and night, and that's what is so 
powerfully attractive to hackers and anyone who wants to learn."

Black Hat, which runs Wednesday and Thursday, is more the university:  In 
its 10th year, it is a corporate-driven event, with an admission fee as 
high as $2,500.

By contrast, Defcon is the fraternity party. Held every year since 1993, 
the Friday-Sunday show thrives on chaos, loud parties and a crowd that's 
decidedly more anti-establishment.

True to the insatiable curiosity at the heart of the hacker ethos, the 
events keep participants on their toes, lest they fall victim to high-tech 
pranks of fellow attendees.

In past years, pay phones have been said to disappear off hotel walls and 
hotel TV billing systems and wireless computer networks have been 
penetrated, allowing those with the technical know-how to one-up their 
fellow attendees.

Bo Holland, the founder of several startups that work with large financial 
services companies, said he was cruising the floor of last year's Defcon 
when he came upon an automated teller machine that had a skull and 
crossbones and the conference logo displayed on its monitor.  Upon closer 
inspection, he noticed someone had attached alligator clips to the cable 
on the ATM's backside and run a wire into the ceiling.

"I lost a real sense of security," said Holland, who had long assumed ATM 
networks were invulnerable. "I came away with a real appreciation for the 
powers these hackers had developed."

Other pranks have included dye that, in different years, has turned hotel 
pools purple, orange and blue. A large "wall of sheep" displays names and 
partial passwords sniffed from unsecured computers that connected to 
wireless networks.

A few years ago someone disguised a wireless network to look like the one 
officially sanctioned by Defcon. When unwitting attendees connected to the 
rogue network, their Web pages were appended with vulgar images.

"An awful lot of what you will see is people gleefully poking holes in 
things," said Jon Callas, a longtime attendee and chief technology officer 
of encryption software maker PGP Corp. "It's a cross between a computer 
security conference and a punk rock concert."

Although some of the events clearly cross the line into illegality and 
good taste - past pranks have included pouring cement into toilets, 
setting off smoke bombs and stealing hotel satellite dishes - the 
conferences have been known to expose weaknesses in products made by some 
of the world's most powerful companies.

At last year's Black Hat, Cisco Systems Inc. tried to stop researcher 
Michael Lynn from speaking about a vulnerability that he said could let 
hackers virtually shut down the Internet.

Cisco managed to get pages documenting the flaw torn out of all 2,000 
conference binders, but ultimately the biggest maker of Internet routing 
and switching equipment was unable to squelch Lynn's talk.

The tension between hacker activism and corporate interests may generate 
more friction this year as two researchers demonstrate ways to hijack some 
of the most popular brands of laptop computers by exploiting a flaw in 
their wireless connections.

A third researcher plans to demonstrate software that can drop 
undetectable programs for snooping into computers running Windows Vista, 
the next generation of Microsoft's operating system.

But there are signs that technology companies may be getting more 
comfortable discussing the security of their flagship products.  
Microsoft scheduled a day of talks for Thursday on new approaches to 
hardening its products; it also wants feedback from participants.

And a Cisco executive is scheduled to sit in on a panel that includes 
people who have criticized the company in the past.

Adam Laurie, chief security officer of Thebunker.com, a U.K.-based site 
for storing sensitive information, said past conferences are partly to 
thank for the growing willingness of Microsoft and Cisco to disclose 
potential weaknesses in their key products.

"We are having this stuff forced upon us, and you can't choose not to have 
it," said Laurie, who goes by "Major Malfunction." "If they don't do it 
properly, that puts me at risk."

-=-

On the Net:

http://www.blackhat.com 
http://www.defcon.org





This archive was generated by hypermail 2.1.3 : Wed Aug 02 2006 - 02:28:58 PDT