Unsheathing The Double-Edged Sword Of Black Hat 2009 In Vegas

What I'm about to teach you could land you in jail and destroy your life and family if you choose to use it for nefarious purposes. These words and others like them have been repeated many times in the nearly 50 security classes being given during the training portion of <a href="http://www.blackhat.com">Black Hat</a>, now onto its fourth day in Las Vegas. The "classrooms" here at Caesar's Palace are filled with everyone from self-proclaimed hackers (their badges say so) to digital forensics s

David Berlind, Chief Content Officer, UBM TechWeb

July 28, 2009

7 Min Read

"What I'm about to teach you could land you in jail and destroy your life and family if you choose to use it for nefarious purposes." These words and others like them have been repeated many times in the nearly 50 security classes being given during the training portion of Black Hat, now onto its fourth day in Las Vegas. The "classrooms" here at Caesar's Palace are filled with everyone from self-proclaimed hackers (their badges say so) to digital forensics specialists from the US government's most secretive agencies (their badges say nothing). There's even a male registered nurse/CISSP here (hmmmm).Such is the double-edged sword that has always typified what many consider to be the world's most important security confab (disclosure: Black Hat is produced by TechWeb, the parent to the InformationWeek Business Technology Network which includes both InformationWeek and the security site DarkReading.com). At the same time that the world's most renowned digital security researchers are here sharing their exploits with their disciples for ethical purposes, everyone is painfully aware of how most of the content can also be put to use for unethical ambitions as well.

For the last couple of days, I've been poking my head in and out of the various sessions that are still underway and I what I can tell you is that most of what I'm bearing witness to would be incredibly enlightening to any digital security pro looking to harden their systems and networks. But given the vulnerabilities being discussed and the dangers they pose to every day computing on the Web, it's quite frightening as well. Not only that; I've been routinely warned by those in the know to stay off any of the networks in the building so long as this crowd is around (thankfully, I have a Verizon Wireless MiFi card).

As something of a power user, I usually fancy myself as running my systems more securely than the average person. But am I any more secure? If there's one thing I've learned since arriving here on Sunday, it's that many of the knobs and levers associated with securing online computing are completely out of my reach. Yes, there's plenty that we as end users can do to batten down our hatches and practices. For example, not clicking through those dialogs saying that some site's digital certificate has expired (Guilty, but c'mon who hasn't done that and what's the alternative?). But, short of going completely off the grid (the thought has definitely occurred to me in the last 24 hours), there's a whole host of other things where, to put it bluntly, your only real hope of not getting compromised could be the dumb luck of not being in the wrong place (online) at the wrong time.

Have you been to a coffee shop that runs an an open WiFi hotspot? Suppose the published SSID of that hotspot is "CoffeeShop." What prevents me from spoofing that hotspot (giving my access point the same SSID) and what prevents you from logging onto my access point versus the authentic one. Once you're on my network, you're toast. Think you can take solace in the venerated SSL protocol (the "HTTPS" or "secure" version of the Web)? Come to Black Hat and you might be thinking again.

It's behind the closed doors of the Black Hat training sessions that have been running since Saturday that attendees have been learning how things are not nearly secure as popularly thought to be, and what if anything can be done about it. I say anything because not even Web site operators are in full control of the situation. For example, there are many ways (think coffee shop) a hacker can put him or herself in between you and the Web sites you're browsing. Once there's a man in the middle (MITM), the actual Web site you might be trying to visit is no longer in control (nor are you). And then there are all the Web browsers and how they're many foibles are ripe for the picking.

How many people have been trained to look for a padlock to ensure that the information they're about to pass across the Web is secure. How many end-users do you know that might get fooled by a Web site that uses a padlock as its favicon (the little icon that appears to the left of a browser's URL field)? I know plenty. Are they really that sensitive to where the padlock appears? The various browsers didn't always support favicons in this way. But now that they do, the door for men in the middle to socially engineer end-users is wide open and what happens next may not be pretty.

Sidebar: Judging by the number of highly technical women in attendance here at Black Hat (percentage-wise, it's significantly higher than many other IT events I've been to), perhaps it's time to show some respect by coming up with a less chauvinistic description for a man in the middle attack than "man in the middle." The next person to steal your identity could easily be a woman (hopefully, not one of the ones here) and, in fact, one thing I learned is that it's often the allure of supposedly female user-generated content that successfully puts a hacker in the middle (HITM?)

In one class, a researcher with a talent for executing MITM attacks spoke of how he was able to glean the credentials of 117 email accounts, 16 credit card numbers, and 7 PayPal logins in less than a day. It's apparently not big news. At least not yet. Tomorrow, after the four days of training has concluded and the now infamous Black Hat briefings begin, he is among several researchers who are expected to drop various security bombshells that will surely spur security specialists everywhere into immediate action.

But in the same breath that he spoke of his successful exploits, he also made sure to speak of how the sensitive data was automatically discarded after his research was complete. But herein lies the double-edged sword of ethical responsibility that gets unsheathed every time a Black Hat conference takes place (the next one is scheduled for January 2010 in Washington, D.C.). The information that researchers are sharing and the networking with other like-minded individuals is so critical to the attendees that not even Caesars Palace's nude sun-bathing area (which Black Hat's conference area in the hotel overlooks) is enough to distract them from their studies or the socializing that happens during lunch and the coffee breaks.

One can only hope that long after these students have completed their coursework and sat through Wednesday and Thursday's briefings that they'll remain equally undistracted by the dark side of digital security as well.

David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com and will be reporting, podcasting and tweeting from Black Hat over the next couple of days. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at [email protected] and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing and his hope that the stock market can't get much worse. Also, if you're an out-of-work IT professional or someone involved in the business of compliance, he wants to hear from you.

Twitter: (@dberlind) My Facebook Page  (Facebook should have a namespace like Twitter, FriendFeed, and the others) Flickr (davidberlind) YouTube (TechWebTV) FriendFeed (davidberlind) Del.icio.us (dberlind ) Me on LinkedIn (LinkedIn should have a namespace as well) Plaxo (davidberlind) Disqus (DavidBerlind) Google Profile (David.Berlind)

Read more about:

20092009

About the Author(s)

David Berlind

David Berlind

Chief Content Officer, UBM TechWeb

See more from David Berlind
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

thumbnail
Cyber Resilience
‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure
byShane Snider
May 6, 2024
3 Min Read
Ambassador-at-Large Nathaniel Fick at the RSA Conference 2024 in San Francisco.
Cyber Resilience
Questions for the Bureau for Cyberspace and Digital PolicyQuestions for the Bureau for Cyberspace and Digital Policy
byJoao-Pierre S. Ruth
May 16, 2024
5 Min Read
Business person draws a creative business project
IT Leadership
Why CIOs Are Under Pressure to InnovateWhy CIOs Are Under Pressure to Innovate
byLisa Morgan
May 15, 2024
8 Min Read
DNA (deoxyribonucleic acid) strand, illustration.
Data Management
DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?DNA is an Ancient Form of Data Storage. Is it Also a Radical New Alternative?
byRichard Pallardy
May 7, 2024
15 Min Read
Business innovative solution and creative concept as a paper boat tied to a light bulb
IT Leadership
9 Ways to Ensure Continuous Innovation9 Ways to Ensure Continuous Innovation
byLisa Morgan
Apr 2, 2024
9 Slides
Webinars
More Webinars
White Papers
More White Papers
Live Events
More Live Events
Reports
More Reports
May 2, 2024
While there are plentiful options in cyber resiliency and business continuity tools and platforms, there isn’t one that can knock out everything from sudden cloud outages to prolonged ransomware attacks in a single punch. What can you do to keep the company on its feet no matter what is thrown at it? Find out in this new virtual event.
Reserve Your Seat Now