AUGUST 25, 2004

School for Hackers
Security consultants join with hackers to learn how to be the first to find Web server flaws.

Victor R. Garza, special to PC World
Monday, August 02, 2004

LAS VEGAS--A presentation on how to be the first to exploit new flaws in Web server software was deemed "just as cool for white hats as for black hats" attending the Defcon 12 conference here over the weekend.


The session offered new tools, as well as insight into the mindset of the so-called black hat, or malicious hacker, community, said one enthusiastic attendee, who works for a security consulting company that secures Web servers for the financial sector. The two presenters, German security consultants "FX" and Halvar Flake, spoke about exploiting newly found holes, a practice known as zero-day Web-based vulnerability exploitation.

Hacking Advice

Finding vulnerabilities to exploit is real work, the presenters said. The large, packed crowd listened to them talk about "making script kiddies into real hackers," referring to novice hacker wannabes who simply use other hackers' tools to deface Web sites.

The pair outlined the procedural steps of drilling down and finding Web server weaknesses--effectively offering tips to those who want to do so, but also providing knowledgeable warning to those who guard against such action.

"You've got to like assembly language, because you'll be spending lots of time with it, and it'll make your head hurt," Flake said, referring to the detailed functionality of the low-level programming language. They also advised would-be hackers that they need to know the programming language better than the programmer of the Web site they want to crack.

FX and Flake also humorously offered opposing views on which programming or scripting language is better suited to automate the process of disabling a Web server.

FX advised attendees to "become a C language lawyer so you can find ambiguities in the code," likening familiarity with programming code to an attorney's understanding of the intricacies of the law.

Armed for Defense

The presentation was not really intended to make script kiddies into malicious hackers, but rather to tell "people how not to be a script kiddie and instead do useful work," Flake said after his talk. Wannabe hackers should do something useful with their time, he added, saying he hoped they would realize the intellectual challenge of understanding the underlying Web technologies and "see that it's exciting taking things apart instead of just defacing Web pages."

"A lot of kids will realize that [finding Web-based vulnerabilities] is hard work, and do something else," Flake added.

The security consultant in the audience said she appreciated the presenters' emphasis that finding Web-server bugs to take advantage of is a time-consuming and difficult process--but noted that offering such a challenge only makes the exercise more attractive for the tenacious. The session may be "dropping script kiddies, but helping those that are interested in robbing the bank," she added.

Still, the insight she gained will make her job easier, she said. The detailed presentation provided useful programming tools as well as knowledge to help her anticipate and replicate a black-hat hacker's tactics--"to be a black hat so I can attack a bank's Web site and save them millions, if not billions of dollars," she said.
