Security pros working hard to stay ahead of hackers
- By William Jackson
- Aug 02, 2006
LAS VEGAS'The Black Hat Briefings manages to stay two to three years ahead of the popular curve in identifying trends in IT vulnerabilities, threats and countermeasures, according to conference founder and organizer Jeff Moss.
Researchers will demonstrate 25 new tools and 15 new exploits during the two-day gathering this week at Caesar's Palace.
'Highlights include new root kit tools, new VOIP exploits, a dozen high-level feds, exciting zero-day [exploits] and some secret golden eggs,' Moss said.
'There are a couple of big-picture trends this year,' he added. Five years ago, Black Hat began offering classes in reverse engineering of software, the process of taking apart existing code to see what makes it tick or not tick. 'Last year we were offering six reverse-engineering courses,' Moss said, and it is a major theme again in this year's conference and training sessions.
Last year's conference featured the first talks on hardware hacking, the process of looking inside hardware devices to evaluate embedded code.
'This year, the number of people submitting talks about hardware hacking dramatically increased,' Moss said. 'It's evolving very quickly' among advanced security professionals, he added.
Reverse engineering is a sometimes-touchy area that often involves taking apart someone else's copyrighted work. It is useful in identifying and classifying malicious code and finding vulnerabilities. It also is generally prohibited by the Digital Millennium Copyright Act, although there is a specific exemption for security research.
'Everybody is working under that exception,' Moss said. 'But nobody really knows what it means.'
The limits and restrictions imposed by copyright law have not yet been worked out in court, but so far this has not had a chilling effect on the development of research tools. The field has advanced past the level of the shade tree mechanic, and tools for reverse engineering now are being produced by organizations with research budgets, Moss said.
Web application security has also emerged in the last two years as an area of interest. A new generation of Web application software development is proving to be a rich source of vulnerabilities.
'Everybody is making the same mistakes they were making 10 years ago, but now they get to make them on Web applications,' Moss said.
The problem is not that software development processes have not improved in the last decade, Moss said. 'In traditional software development there have been a lot of strides.'
It is a matter of complexity. 'The complexity of the systems is beyond what a single developer can understand,' he said. Web apps also are at the cutting edge of technology, a frontier where time-to-market with new products often outweighs the need to build in better reliability and security.
An emerging area of interest at the briefings in the last couple of years has been IT forensics
, the process of capturing, preserving and analyzing data for criminal investigations. Forensics has been around for a while, but in the past the tools were intended to serve the needs of police and focused on shutting down and impounding servers for evidence. This is disruptive and counterproductive for organizations that have been the victims of cyberintrusions.
'The only buyers were law enforcement,' Moss said. 'All of the tools were developed for law enforcement programs, which were useless for companies for incident response.'
Investigators and developers are looking now at less disruptive tools and techniques for securing data as evidence. An entire track on forensics is being offered at this year's briefings.
The Black Hat Briefings is the lead-in to the DefCon hackerfest held each year in Las Vegas, providing IT professionals with a firsthand look at what the hacker community is up to. Black Hat now is a division of CMP Media LLC, and, although there are more suits and less orange hair at Black Hat than at DefCon, it still is not what you would call buttoned-down. Black Hat is a venue where security professionals have an opportunity to mix with and learn from some of the people who give them headaches the rest of the year. More than 3,000 people are expected to attend this year's briefings.
William Jackson is a Maryland-based freelance writer.