Unsheathing The Double-Edged Sword Of Black Hat 2009 In Vegas
"What I'm about to teach you could land you in jail and destroy your life and family if you choose to use it for nefarious purposes." These words and others like them have been repeated many times in the nearly 50 security classes being given during the training portion of Black Hat, now onto its fourth day in Las Vegas. The "classrooms" here at Caesar's Palace are filled with everyone from self-proclaimed hackers (their badges say so) to digital forensics s
"What I'm about to teach you could land you in jail and destroy your life and family if you choose to use it for nefarious purposes." These words and others like them have been repeated many times in the nearly 50 security classes being given during the training portion of Black Hat, now onto its fourth day in Las Vegas. The "classrooms" here at Caesar's Palace are filled with everyone from self-proclaimed hackers (their badges say so) to digital forensics specialists from the US government's most secretive agencies (their badges say nothing). There's even a male registered nurse/CISSP here (hmmmm).Such is the double-edged sword that has always typified what many consider to be the world's most important security confab (disclosure: Black Hat is produced by TechWeb, the parent to the InformationWeek Business Technology Network which includes both InformationWeek and the security site DarkReading.com). At the same time that the world's most renowned digital security researchers are here sharing their exploits with their disciples for ethical purposes, everyone is painfully aware of how most of the content can also be put to use for unethical ambitions as well.
For the last couple of days, I've been poking my head in and out of the various sessions that are still underway and I what I can tell you is that most of what I'm bearing witness to would be incredibly enlightening to any digital security pro looking to harden their systems and networks. But given the vulnerabilities being discussed and the dangers they pose to every day computing on the Web, it's quite frightening as well. Not only that; I've been routinely warned by those in the know to stay off any of the networks in the building so long as this crowd is around (thankfully, I have a Verizon Wireless MiFi card).
As something of a power user, I usually fancy myself as running my systems more securely than the average person. But am I any more secure? If there's one thing I've learned since arriving here on Sunday, it's that many of the knobs and levers associated with securing online computing are completely out of my reach. Yes, there's plenty that we as end users can do to batten down our hatches and practices. For example, not clicking through those dialogs saying that some site's digital certificate has expired (Guilty, but c'mon who hasn't done that and what's the alternative?). But, short of going completely off the grid (the thought has definitely occurred to me in the last 24 hours), there's a whole host of other things where, to put it bluntly, your only real hope of not getting compromised could be the dumb luck of not being in the wrong place (online) at the wrong time.
Have you been to a coffee shop that runs an an open WiFi hotspot? Suppose the published SSID of that hotspot is "CoffeeShop." What prevents me from spoofing that hotspot (giving my access point the same SSID) and what prevents you from logging onto my access point versus the authentic one. Once you're on my network, you're toast. Think you can take solace in the venerated SSL protocol (the "HTTPS" or "secure" version of the Web)? Come to Black Hat and you might be thinking again.
It's behind the closed doors of the Black Hat training sessions that have been running since Saturday that attendees have been learning how things are not nearly secure as popularly thought to be, and what if anything can be done about it. I say anything because not even Web site operators are in full control of the situation. For example, there are many ways (think coffee shop) a hacker can put him or herself in between you and the Web sites you're browsing. Once there's a man in the middle (MITM), the actual Web site you might be trying to visit is no longer in control (nor are you). And then there are all the Web browsers and how they're many foibles are ripe for the picking.
How many people have been trained to look for a padlock to ensure that the information they're about to pass across the Web is secure. How many end-users do you know that might get fooled by a Web site that uses a padlock as its favicon (the little icon that appears to the left of a browser's URL field)? I know plenty. Are they really that sensitive to where the padlock appears? The various browsers didn't always support favicons in this way. But now that they do, the door for men in the middle to socially engineer end-users is wide open and what happens next may not be pretty.
Sidebar: Judging by the number of highly technical women in attendance here at Black Hat (percentage-wise, it's significantly higher than many other IT events I've been to), perhaps it's time to show some respect by coming up with a less chauvinistic description for a man in the middle attack than "man in the middle." The next person to steal your identity could easily be a woman (hopefully, not one of the ones here) and, in fact, one thing I learned is that it's often the allure of supposedly female user-generated content that successfully puts a hacker in the middle (HITM?)
In one class, a researcher with a talent for executing MITM attacks spoke of how he was able to glean the credentials of 117 email accounts, 16 credit card numbers, and 7 PayPal logins in less than a day. It's apparently not big news. At least not yet. Tomorrow, after the four days of training has concluded and the now infamous Black Hat briefings begin, he is among several researchers who are expected to drop various security bombshells that will surely spur security specialists everywhere into immediate action.
But in the same breath that he spoke of his successful exploits, he also made sure to speak of how the sensitive data was automatically discarded after his research was complete. But herein lies the double-edged sword of ethical responsibility that gets unsheathed every time a Black Hat conference takes place (the next one is scheduled for January 2010 in Washington, D.C.). The information that researchers are sharing and the networking with other like-minded individuals is so critical to the attendees that not even Caesars Palace's nude sun-bathing area (which Black Hat's conference area in the hotel overlooks) is enough to distract them from their studies or the socializing that happens during lunch and the coffee breaks.
One can only hope that long after these students have completed their coursework and sat through Wednesday and Thursday's briefings that they'll remain equally undistracted by the dark side of digital security as well.
David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com and will be reporting, podcasting and tweeting from Black Hat over the next couple of days. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at email@example.com and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing and his hope that the stock market can't get much worse. Also, if you're an out-of-work IT professional or someone involved in the business of compliance, he wants to hear from you.
Server Market SplitsvilleJust because the server market's in the doldrums doesn't mean innovation has ceased. Far from it -- server technology is enjoying the biggest renaissance since the dawn of x86 systems. But the primary driver is now service providers, not enterprises.
InformationWeek Tech Digest, Nov. 10, 2014Just 30% of respondents to our new survey say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?