School for Hackers
Security consultants join with hackers to learn how to be the first to find Web server flaws.
Victor R. Garza, special to PC World
Monday, August 02, 2004
LAS VEGAS--A presentation on how to be the first
to exploit new flaws in Web server software was deemed "just as cool
for white hats as for black hats" attending the Defcon 12 conference
here over the weekend.
The session offered new tools, as well as
insight into the mindset of the so-called black hat, or malicious
hacker, community, said one enthusiastic attendee, who works for a
security consulting company that secures Web servers for the financial
sector. The two presenters, German security consultants "FX" and Halvar
Flake, spoke about taking advantage of new-found holes, known as
zero-day Web-based vulnerability exploitation.
Finding vulnerabilities to exploit is real work,
the presenters said. The large, packed crowd listened to them talk
about "making script kiddies into real hackers," referring to novice
hacker wannabes who simply use other hackers' tools to deface Web sites.
The pair outlined the procedural steps of
drilling down and finding Web server weaknesses--effectively offering
tips to those who want to do so, but also providing knowledgeable
warning to those who guard against such action.
"You've got to like assembly language, because
you'll be spending lots of time with it, and it'll make your head
hurt," Flake said, referring to the detailed functionality of the
low-level programming language. They also advised would-be hackers that
they need to know the programming language better than the programmer
of the Web site they want to crack.
FX and Flake also humorously offered opposing
views on which programming or scripting language is better suited to
automate the process of disabling a Web server.
FX advised attendees to "become a C language
lawyer so you can find ambiguities in the code," likening familiarity
with programming code to an attorney's understanding of the intricacies
of the law.
Armed for Defense
The presentation was not really intended to make
script kiddies into malicious hackers, but rather to tell "people how
not to be a script kiddie and instead do useful work," Flake said after
his talk. Wannabe hackers should do something useful with their time,
he added, saying he hoped they would realize the intellectual challenge
of understanding the underlying Web technologies and "see that it's
exciting taking things apart instead of just defacing Web pages."
"A lot of kids will realize that [finding Web-based vulnerabilities] is hard work, and do something else," Flake added.
The security consultant in the audience said she
appreciated the presenters' emphasis that finding Web-server bugs to
take advantage of is a time-consuming and difficult process--but noted
that offering such a challenge only makes the exercise more attractive
for the tenacious. The session may be "dropping script kiddies, but
helping those that are interested in robbing the bank," she added.
Still, the insight she gained will makes her job
easier, she said. The detailed presentation provided useful programming
tools as well as knowledge to help her anticipate and replicate a
black-hat hacker's tactics--"to be a black hat so I can attack a bank's
Web site and save them millions, if not billions of dollars," she said.
Printer Friendly Version