Feds seek help in fending off cybercrimes


Thirteen years after the Defense Department established the first computer emergency response team, and three years after formation of the National Infrastructure Protection Center, white hats still are outgunned in the battle against cybercrime.

'There is a tremendous shortage of trained investigators and analysts and a lack of forensic standards,' Gregory S. Miles, a principal with Jawz Inc. of Toronto, told an audience at the July Black Hat Briefings in Las Vegas.

The situation is not likely to get better any time soon, said retired FBI agent William Tafoya, now a professor of criminal justice at Governors State University in University Park, Ill.

'The attackers always have the advantage,' Tafoya said. 'The best we can work for is to catch up as fast as we can.'

Despite its disadvantage, the government is doing what it can to level the playing field.

'One of the reasons I am standing here today is to enlist your help for law enforcement,' said Kevin Manson, a senior instructor in financial fraud at the Federal Law Enforcement Training Center at Quantico, Va.

Manson solicited the audience of several thousand hackers, security experts and systems administrators to become instructors. He and Tafoya urged greater cooperation with law enforcement.

'The business community continues to hesitate to report intrusions,' Tafoya said.

Deputy users

Private-sector cooperation is particularly valuable because citizens can do things that the police can only legally do with search warrants, Manson said. That includes probing the source of an intrusion or other attack. Private individuals can turn the results of such searches over to police, so long as the police did not request the unofficial probe.

One thing that keeps the good guys at a disadvantage in protecting systems is that examining code for security flaws is tedious and time-consuming. The black-hat hacker only needs to find one vulnerability in a piece of software to break in. The white hat who is trying to protect a system has to find them all.

'You can see why black hats are usually more relaxed,' said HalVar Flake, a reverse engineer for the consulting company Black Hat Inc. of San Jose, Calif.

Copyright laws complicate the quest for security. Reverse engineering, recreating a design by analyzing the final product, can find flaws but can also be construed as a copyright violation. The discoverer of a flaw might become liable if it were exploited.

Risky business

Although security testing is exempted, any useful information uncovered belongs to the copyright holder, making such security efforts a commercially risky venture, Flake said.

Analyzing code for flaws is necessary because software can be so complex. Errors that leave an operating system or application vulnerable to buffer overruns are common.

'Buffer-overrun bugs can be very subtle and are not going to go away,' Flake said.

Although many security experts fault vendors for producing buggy software, Flake said it is unrealistic to expect error-free products. Analyzing software for flaws is a tough job, but not as hard as writing error-free code, he said.

'It's always better to be the guy analyzing the code than the guy writing it,' he said.
