August 17, 1998
Black Hat: We have seen the enemy and they are ... being interviewed on CNN
One of the oldest guidelines for establishing strong corporate
information security is proper risk assessment. Without it, a company
can spend an exorbitant amount of money on technology to defend its
network against adversaries who never warranted the expense.
The InfoWorld Security Team recently journeyed to the infamous DefCon annual hackers conference (http://www.defcon.org),
taking place amidst the shimmering heat and jingling slot machines of
Las Vegas. This year's sixth iteration was accompanied for the second
time by a peripheral event of a different sort: The Black Hat Briefings
(http://www.blackhat.com).
Promoted by Secure Computing's Jeff Moss, who founded the original
DefCon gathering, Black Hat is dedicated to training IT professionals
who may not otherwise get the nod to attend the more notorious DefCon.
The Black Hat concept is a worthy one at first glance: Gather hackers
and their corporate adversaries into one room so both sides can properly size
each other up. In this environment, the potential for real-world risk
assessment and for quantifying security threats is greater: There are few
forums in which one can get up close and personal with renowned members
of the hacking community whom you hear so much about but can't
quite put a face to. The experience is truly fascinating, but the
conclusions drawn from this meeting of the minds may surprise
security-minded networking folk who stay up late at night worrying
about omnipotent hackers stalking them over the
wires.
The threat is real
It turns out most of the big names in hacking happen to be human. While
hackers such as Mudge, Dildog, and Hobbit are undeniably dedicated
tinkerers and provocative thinkers, they exhibit typical human
frailties that suggest the threat may be somewhat overestimated. For
the most part, this is an eccentric and egotistical bunch, quick to
play insider/outsider with their knowledge and skills. They rely
heavily on creating the perception of omnipotence with all things
digital, projecting an undeservedly fearsome reputation.
In many ways, it's hard to take some of these individuals seriously
when they're spreading gloom about inherent vulnerabilities in
low-level operating system code one moment and hyping their latest
Microsoft exploit program in front of CNN's klieg lights the next.
We're all for the release of such utilities into the public domain
(assuming proper protocols are followed), but it still rubs us the
wrong way when we see such tools blatantly pushed into the public's
face on national television. The release of Cult of the Dead Cow's new
Windows 95/Windows 98 exploit, Back Orifice, is a primary example of
this phenomenon. (See http://www.cultdeadcow.com and the related links on their homepage to CNN, MSNBC, and others.)
The Back Orifice software is being tested in our labs and will be
detailed in next week's column, but it appears to take advantage of the
numerous insecure aspects of the Windows 95/Windows 98 API set.
Although the theatrics of hacker groups sometimes mask their important
work, the hyped threat is as much noise as substance. Listening to the
cacophony coming out of major media outlets, one can easily get the
impression that hackers are the enemy of network administrators
everywhere. As their trade gains more exposure and legitimacy in the
mainstream, this viewpoint will no doubt continue to be blown out of
proportion.
Ironically, these folks are doing more than any vendor to further the
goals of secure computing, performing valuable functions for the IT
community by pointing out unforgivable design flaws in so-called
"secure" products. Understanding the hackers who attend Black Hat and
DefCon -- who are fueled by ego and motivated by curiosity -- is a key
to putting the threats into perspective. Who do you trust to tell the
truth about product security -- hackers or vendors? Let us know at security_watch@infoworld.com.

Test Center Support Manager Stuart McClure and Technology Analyst
Joel Scambray have managed information security in academic, corporate,
and government environments for the past nine years.
Copyright © 1998 InfoWorld Media Group Inc.