[ISN] Hacking Black Hat

From: InfoSec News (alerts@private)
Date: Tue Sep 05 2006 - 23:07:37 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003000

By Ira Winkler
September 05, 2006
Computerworld

I had some issues with last week's Computerworld.com column from Frank
Hayes on "quack hackers" -- specifically, with his apparent belief in
hackers as some generally noble breed. I believe I first met Hayes
when he covered my presentation at the Black Hat conference back in
1997 or so, where I'm sure he also gained exposure to some of the
less-than-honest "honest hackers." I also believe that he has enough
exposure to see through the stereotypes that are out there.

The hacker stereotype is that of a socially inept genius spending all
his free time in isolation in front of his computer -- driven by
never-ending curiosity, striving to understand the intricacies of
computer systems and breaking through social and technical barriers to
overcome adversity and make the only true advancements in computer
security. Again, that's the stereotype.

I have to admit that the socially inept aspect appears to be accurate
(see "So, what's wrong with being an introvert?"). The rest of it,
including the genius part, is more hype than fact. True, there are
some genuine geniuses in the so-called hacker community, but those
people are few and far between. Just as there are a few people who
scrawl graffiti who demonstrate true artistic talent, there are a few
hackers who demonstrate genuine technical ability. And just as a great
many graffiti vandals mistakenly claim to share the talent of those
rare artists, there are many, many people who meddle with computers
and like to think that describing themselves as hackers puts them in
the same category as the few brilliant hackers out there.

I'll grant that there may have been a justification of sorts for
hackers to infiltrate systems, once upon a time. The original hackers
may have had to intrude on computer systems because there were few
available, and information about how to work the computers was even
more sparse. They had to access the telecommunications networks to get
into computers so that they had any access to one. By the 1990s
though, computer intrusions were wholly unnecessary; computers were
and are readily available, as is reasonably thorough documentation.

As systems and documentation became more widely available, the
emphasis on actual technical prowess diminished, and we saw the rise
of hacking scripts. Those prewritten tools allowed any inept person to
take over a system that was ineptly protected -- hence the derisive
term "script kiddie" for a person who cares more about attacking a
system than learning about it.

The widespread hacks that we see these days -- the ones that can be
reliably traced -- are generally the result of someone wanting to be
considered "l33t" rather than a display of technical prowess.  
Essentially, it's criminal activity that results from too much free
time, again not unlike graffiti. There are many highly technical
people out there who make tremendous discoveries and help improve
security products, but they aren't hackers in the current sense. They
do it for the challenge, not for social recognition.

Of course, havoc-wreaking crackers have been perpetrating hoaxes long
before Black Hat was around, creating rumors that have become myths.  
Many self-anointed hackers discover and report vulnerabilities that
have been long since corrected. Then there was the hacker who garnered
a great deal of media attention by claiming to organize a vigilante
campaign against online child pornographers; that soon turned out to
be a hoax.

Then came the incident that should have permanently shut the door on
the "honest hacker" shtick: the 1999 uproar when Cult of the Dead Cow,
a particularly high-profile group of hackers, passed out CDs of the
newly released version of the Back Orifice hacking tool at DefCon.  
Those CDs were "somehow" infected with the Chernobyl virus. Cult of
the Dead Cow spokespeople claimed it was an accident, but do you
really believe that some of the most security-savvy hackers around
happened to not notice an infection from such a widespread,
high-profile virus?

The Black Hat conferences were designed to be a professional-grade
DefCon event, one dedicated to security professionals even as the
original show continued its evolution into an event for the script
kiddies and professionals trying to fit into the hacker community.  
Black Hat, with its premium entrance fee, was intended to attract
computer professionals who wanted in-depth technical knowledge about
trends and techniques. From a business perspective, it was a brilliant
expansion of the DefCon brand -- the very name, Black Hat, was both
selling point and stigma. (As a matter of fact, I had a falling out
with my employer at the time for being the first keynote speaker at
the event.)

The fee made the audience much more select, and while many of the
sessions were repeated at DefCon the following weekend, it seemed to
fill a void somewhere between the professional conferences that were
weak in technical depth, and the Usenix security conferences that
seemed to attract mainly academics and researchers.

Years later, much of the press that comes out of Black Hat is related
to the release of newly discovered vulnerabilities. Black Hat seems to
have some of the most stringent submission guidelines around -- after
all, it is prestigious to be a speaker at the event, and guidelines
work to weed out the speakers who would waste attendees' time. But
there is also a strong bias towards releasing new hacks -- so new that
would-be reviewers don't get the opportunity to verify researchers'
claims. It makes sense in some ways, but when it goes wrong ... well,
we just saw what happens when it goes wrong.

This year's events were the direct result of Black Hat review
policies. I know several people who are (or at least were) reviewers
for Black Hat, and I know that they have the technical skill to verify
hacks. Frankly, given past hacker antics, faking vulnerabilities for
the sake of getting attention at Black Hat was inevitable. Considering
the trouble last year's Michael Lynn presentation caused, one would
think there'd be a serious push to verify what researchers were
presenting at this year's conference. Obviously, one would be wrong.

Genuine security researchers would not wait to reveal vulnerabilities
at Black Hat. They would contact the vendor responsibly as soon as
they discover the problem to have it corrected. On the other hand,
hackers looking to make waves understand the effect of announcing
vulnerabilities at Black Hat in front of all the media, who naturally
write up the announcements themselves as news. Sadly, the upshot is
that the event itself is now less prestigious, as Hayes observes.

Unfortunately, the Black Hat conference's review process for
evaluating new hacks doesn't seem to match the stringency of its
paperwork requirements for nonhacking sessions. With such a flaw in
the system, faked Black Hat demos are all but inevitable. Maybe we
should give these would-be hackers credit: They might not have hacked
Apple or Cisco, but they did hack Black Hat.

