Inside Black Hat's big tent

It was founded in 1997 as a way of getting 'skilled programmers' together with security pros in the government and commercial sectors to better understand IT vulnerabilities, attack vectors and best practices. In less than a decade, the Black Hat Briefings have grown in importance to the point where no one thinks twice when an FBI official gives the keynote address to an audience that includes some of the world's smartest computer hackers.At this month's Black Hat Briefings in Las Vegas, that FBI official was Dan Larkin, unit chief of the FBI's Internet Crime Complaint Center, who was looking for help in fighting cybercrime.Everything was on the table at the Black Hat Briefings, from security holes in popular voice over IP and Really Simple Syndication technologies, to the growing threat of spyware (see sidebar for Black Hat coverage available at GCN.com). With the security community crammed shoulder-to-shoulder at Caesar's Palace, a few de- velopments stood out.For a decade federal law enforcement officials have been preaching the gospel of private-sector cooperation. The need has long been obvious, but Larkin told the gathering of computer security experts and hackers that the government is getting serious about the effort.'Critical information about terrorism and other cybercrimes we are working on often resides with you folks, and will come to you first,' Larkin said at the opening of the Black Hat Briefings.But gaining the trust of the private sector has been difficult, in part because of government's failures to follow through in using the data it collects and accommodating the private sector's needs.An academic study on the use of the Internet to investigate organized crime, commissioned by the FBI in 1999, identified two channels of funding used by al-Qaeda in planning the Sept. 11, 2001, attacks. When the FBI saw the results of that study, a light went on in the bureau.'We need to go after these partnerships more aggressively,' the FBI's Larkin said.The stakes in the game of cat and mouse between law enforcement and cybercriminals are getting higher.'Spam and cybercrime are really about the money,' Larkin said. 'It's not just the script kiddies any more. There are people making a lot of money out there.'Security experts have noted the commercialization of malicious code for several years, as a sophisticated black market in malware has changed the goal of hacking from bragging rights to financial gain. Unreported vulnerabilities are auctioned off in this online marketplace and exploits are packaged into retail toolkits that can be used to snare potentially val- uable information.Finjan Inc. of Santa Clara, Calif., reported in a quarterly study of threat trends that new exploits are focusing on active content used on Web sites. Finjan's Malicious Code Research Center found vulnerabilities in Microsoft's Internet Explorer and Vista operating system being offered to the highest bidder through the Full Disclosure e-mailing list. The list is hosted and sponsored by Secunia, a Danish security company that monitors vulnerabilities and reverse engineers software.According to the list's guidelines, 'any information pertaining to vulnerabilities is acceptable,' including announcements of exploits, code and tools.The center also found a Web Attacker toolkit offered on a Russian Web site for about $300. The kit, which lets the user create a malicious Web site that infects browsers with drive-by installations, even comes with an update subscription for $20.Thus the FBI's interest in working with the private sector. Larkin now heads up the ICCC's Cyber Initiative Resource Fusion Unit, which is coordinating a number of initiatives targeting specific areas of crime.Operation ReLEAF (Retail and Law Enforcement Against Fraud) started in 2003, helped gather private-sector data that could spot emerging fraud schemes. The Slam Spam initiative has assembled two teams of analysts, funded by industry and staffed by law enforcement, to respond to spam problems. It's a model for the new Digital Phishnet program, which aims to tackle phishing scams.The Defense Department issued a challenge to coders in an effort to get help in computer forensics and data analysis. Contestants will compete to uncover and recover digital data that's been hidden or damaged.'They will be dealing with all of the things we encounter to obfuscate data,' said James Christy, director of the Cyber Crime Institute of the Defense Cyber Crime Center, in announcing the Challenge at the Black Hat Briefings. One of the center's primary jobs is to provide forensics services for criminal investigations.'We're trying to stimulate some research into tools and processes for data recovery,' Christy said. 'We in law enforcement don't have much money for R&D.'A panel of 10 current and former federal IT security officials discussed the challenge the government faces in securing its IT systems. So far, they said, agencies are scrambling just to keep up with threats.Robert Lentz, director of information assurance in the Office of the Secretary of Defense, described DOD's departmentwide information assurance platform as the most sophisticated in the world, but not quite good enough.'We're spending about $2.2 billion a year building this platform now, and that probably still isn't enough to keep up with the threat,' he said.Being in a defensive posture means that it will always be difficult to catch up with the attackers, Christy said.'We'll always be behind the power curve,' he said. 'The bad guys are coming at us at light speed. It could be a lethal engagement.'The challenge issued by DC3 will be to extract data that's either hidden or sitting on damaged media such as floppies, CDs and DVDs. The challenge will include steganography, password cracking and image analysis.The contest is open to teams of up to four U.S. citizens living in the United States. They can register online at www.dc3. mil/challenge. Teams will have to submit a copy of each proprietary tool used to recover data, but will retain rights to those tools. Registration began Aug. 1 and challenges will be sent to teams on Sept. 1. Results must be submitted by Dec. 1.The good news from the war on spyware is that there seems to be less support for organizations that engage in the questionable behavior of installing adware on the computers of unsuspecting users.'We're starting to see more of a distinction between what is and is not spyware,' said Ari Schwartz, deputy director of the Center for Democracy and Technology. That distinction has resulted in enforcement of existing laws against spyware distributors at both the state and federal levels.But the bad news is that as the gray hats are weeded out, the real bad guys are left with the field to themselves. 'We're seeing a lot more cases of keystroke loggers,' Schwartz said. 'There is no question that all of this has to do with money.'Schwartz moderated a panel discussing the threat of spyware during the Black Hat Briefings. The CDT coordinates the Anti-Spyware Coalition industry group. In the past year the coalition has grown to 40 companies, including Internet, hardware and software heavyweights such as America Online, Dell Corp. and Microsoft Corp., as well as public interest groups such as the Samuelson Law, Technology and Public Policy Clinic at the University of California, Berkeley School of Law.There have been calls for anti-spyware legislation, but it has been difficult to say just what spyware was. That question has been answered in large part by applying existing laws on fraud and deception rather than by crafting new legislation.Federal laws brought to bear against spyware in the past year include the Federal Trade Commission Act, the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act; along with a number of state fraud laws.According to the Center for Democracy and Technology, FTC has initiated six spyware cases, resulting in orders for $6.2 million in forfeitures; the Justice Department has prosecuted 11 criminal cases, resulting in $307,100 in fines and forfeitures, and sentences of up to five years probation; and the states of New York and Washington have secured judgments totaling more than $8 million. Additional cases are pending.What's left are the unequivocal bad guys who are using tools such as keyloggers to steal passwords, account information and other valuable data. Those threats are not likely to disappear soon.'It seems like it's going to exist for the foreseeable future, because so much of it exists underground,' Schwartz said. 'It's going to take a long time to clean that up.'