
Securing Computers
Black Hat and Defcon, the twin security conferences (one for corporate security officers, one for hackers), bring together an odd amalgam of people interested in computer security each August in Las Vegas. The back-to-back conferences are the only places where you can find a mix of federal agents, big-company security experts and free-wheeling hackers. These potential enemies find it valuable to gather on neutral ground to deal with a shared problem: helping security technology catch up with fast-spreading communications technology in the era of the internet.
A case in point: Dan Kaminsky, the top penetration tester at IOActive, described at the conference how he found a bug that could have disabled the entire internet. Kaminsky found that the internet's phone book, the Domain Name System (DNS), could be compromised. Specifically, he discovered that an attacker could feed a DNS server forged answers, so that the addresses it cached for web sites pointed at fake sites and users were silently redirected to them. More than a thousand people listened as Kaminsky explained how large the implications of the bug were. Not only would it compromise web sites, it also undermined every technology that depends on DNS servers giving accurate answers. That includes email, forgotten-password routines and the issuance of certificates for secure web sites.
While Kaminsky discovered the flaw earlier this year, he kept it secret and worked with dozens of security vendors and software companies to come up with patches so that users and internet service providers could protect their machines. It was only at Black Hat, the corporate-focused event of the twin conferences, that Kaminsky told all. It was his ninth talk, and the gravity of this basic security flaw surprised no one.
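The race Kaminsky exploited, as an added toy model that is not code from this article or from Kaminsky's own work: a resolver is made to look up a fresh random name under the victim zone, the attacker floods forged replies guessing the 16-bit DNS transaction ID, and a single accepted forgery carries an authority record that re-points the whole zone. The fix the coordinated patches shipped, randomizing the UDP source port each query leaves from, is modelled as a second 16-bit value the attacker must also guess. The zone and host names, the fixed port value, the assumed 16 bits of port entropy and the guesses-per-round budget are all assumptions of the model.

```python
"""Toy model of the DNS cache-poisoning race Kaminsky described.

Constructed illustration, not real DNS code and not Kaminsky's own tooling.
A forged UDP reply is accepted by a resolver only if it matches the
outstanding query's 16-bit transaction ID and arrives at the port the query
left from. Before the 2008 patches many resolvers sent every query from one
fixed port, so the attacker had to guess 16 bits; randomizing the source
port adds roughly another 16 bits. Names and port values are placeholders.
"""
import random

TXID_BITS = 16   # width of the DNS transaction ID
PORT_BITS = 16   # source-port entropy once randomized (assumed: full 16 bits)
FIXED_PORT = 53  # assumed fixed source port of an unpatched resolver


def expected_forgeries(randomize_port: bool) -> int:
    """Average number of forged replies before one matches.

    Guesses are independent draws from a uniform space, so on average the
    attacker has to cover half of the (txid x port) combinations.
    """
    bits = TXID_BITS + (PORT_BITS if randomize_port else 0)
    return 2 ** (bits - 1)


def simulate_attack(randomize_port, guesses_per_round, max_rounds, seed=1):
    """Run the race and return (poisoned, rounds_used).

    Each round the attacker makes the resolver look up a fresh random name
    under the victim zone (so there is no cache TTL to wait out), then fires
    `guesses_per_round` forged replies before the genuine answer arrives.
    One accepted forgery carries an authority record for the whole zone.
    """
    rng = random.Random(seed)
    cache = {}  # zone -> name server the resolver now trusts
    for rnd in range(1, max_rounds + 1):
        # The resolver's choices for this query; invisible to the attacker.
        txid = rng.getrandbits(TXID_BITS)
        port = rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
        for _ in range(guesses_per_round):
            g_txid = rng.getrandbits(TXID_BITS)
            g_port = rng.getrandbits(PORT_BITS) if randomize_port else FIXED_PORT
            if (g_txid, g_port) == (txid, port):
                # Forged reply accepted: "example.com NS ns.attacker" plus its
                # glue is now cached for the zone, not just for this one name.
                cache["example.com"] = "ns.attacker.invalid"
                return True, rnd
    return False, max_rounds


if __name__ == "__main__":
    for randomized in (False, True):
        print("source port randomized:", randomized)
        print("  expected forgeries needed:", expected_forgeries(randomized))
        ok, rounds = simulate_attack(randomized, guesses_per_round=200,
                                     max_rounds=5000)
        print("  poisoned within budget:", ok, "after", rounds, "rounds")
```

With a fixed port the toy attacker lands a forgery within a few hundred rounds; with the port randomized the same budget almost never succeeds, which is exactly why the patches bought time even though they did not change the protocol.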
"We're so dependent on technology and it's so half-baked and jury-rigged," said Jeff Moss, the founder of the conferences. "You poke any bit and it comes tumbling down. Automobiles aren't like that. We put engineering thought into buildings and airplanes. But technology is really shaky."
Joe Gersch, vice president of engineering at Secure64, said that the Kaminsky bug was a big wake-up call for the security community to shift to a more secure address system, DNSSEC, which adds digital signatures to DNS records so that a resolver can verify an answer instead of simply trusting whichever reply arrives first. He said that it takes a sensational news event such as the Kaminsky bug to make the world realize how important security remains. Too often, it remains an afterthought when it comes to information technology budgets.
Just as the show kicked off, there was a grim reminder that security is an everyday concern. A laptop with the sensitive information of 33,000 job applicants was stolen from the company that operates the "fast pass" security pre-screening authorization at San Francisco International Airport. The theft was serious enough that the Transportation Security Administration temporarily suspended new enrollments in Clear, the program that allows people to skip long security lines at airports.
But the attendees who make it to Black Hat and Defcon (which has a cash-only policy and appeals more to fringe hackers) are typically aware of the risks that society faces if it doesn't pay attention to security technology. The question at hand is whether companies and countries can afford to invest in security technology at a pace that will allow them to keep up with all of the cyber criminals in the world. This year's Black Hat drew 4,500 attendees while Defcon drew 8,000. Both were up from last year.
Besides the Kaminsky bug, there were a lot of other headline-grabbing vulnerabilities that were the subject of talks. Security researchers Nathan Hamiel and Shawn Moyer said that it was all too easy to subvert the security measures of social networking sites such as Facebook and MySpace. They showed how they could make someone befriend a total stranger, who could then gain access to the web pages of a user's inner circle of friends.
Meanwhile, Oliver Friedrichs found that a lot of scammers were "typo squatting," or registering slightly misspelled versions of the presidential candidates' domain names. The former Symantec research director said that there are 47 typo sites that hope to siphon off legitimate traffic from www.barackobama.com. There are more than 160 possible ways to misspell the candidate's site, such as www.narackobama.com. Each time someone visits one of the typo sites, scammers have a chance to rip off a user who might make an unwitting donation to the bogus site.
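How a defender (or a squatter) enumerates those misspellings, as an added example that is not Friedrichs' methodology or his list of 47 sites: the script below generates candidates for four common slips (a dropped letter, two letters swapped, a letter typed twice, and a neighbouring key hit instead of the right one on a US QWERTY keyboard). The neighbour table is a simplification of the real layout, and the four classes are a subset of the slips behind the "more than 160" figure, so the count it produces is smaller.

```python
"""Enumerate typo-squat candidates for a domain, one class per kind of slip.

Constructed example, not Friedrichs' list. Covers omission, transposition,
repetition and adjacent-key substitution on a US QWERTY layout; the
neighbour table below is a simplification (letters only).
"""

# Keys adjacent to each letter on a US QWERTY keyboard (letters only).
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg",
    "y": "tugh", "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}


def typo_candidates(domain):
    """Map each candidate domain to the kind of typo that produces it.

    Only the first label is mutated; the rest of the name is kept as typed.
    A candidate reachable by several slips is tagged with the first one found.
    """
    label, dot, rest = domain.lower().partition(".")
    cands = {}

    def add(variant, kind):
        if variant and variant != label:
            cands.setdefault(variant, kind)

    for i in range(len(label)):                      # dropped letter
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                  # adjacent letters swapped
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(len(label)):                      # letter typed twice
        add(label[:i + 1] + label[i] + label[i + 1:], "repetition")
    for i, ch in enumerate(label):                   # neighbouring key hit
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            add(label[:i] + nb + label[i + 1:], "substitution")
    return {variant + dot + rest: kind for variant, kind in cands.items()}


def count_by_kind(candidates):
    """Tally how many candidates each typo class contributed."""
    counts = {}
    for kind in candidates.values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    cands = typo_candidates("barackobama.com")
    print(len(cands), "candidates:", count_by_kind(cands))
    print("narackobama.com ->", cands.get("narackobama.com"))
```

The output list is the input to the real work, which the script deliberately does not do offline: checking WHOIS or DNS for each candidate to see which ones are already registered by someone other than the campaign, and registering the rest defensively.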
Both the social networking and typo squatting scams take advantage of an increasingly common problem, Hamiel said: the combination of social engineering (tricking someone into doing something) with technological tricks.
"You never really feel that good about security after you leave a conference like this," said Linton Wells, principal deputy assistant secretary of defense. "You go back and think of all of the work you have to do."
But the researchers remember that every vulnerability is also an opportunity to come up with a novel security technology, Moss said. Microsoft announced two security initiatives at the show aimed at fighting back against hackers. It will release an Exploitability Index that tells customers how likely it is that a given vulnerability will be exploited, and so how much risk they incur if they don't protect themselves against it. It also launched the Microsoft Active Protections Program, in which it warns security vendors ahead of upcoming announcements about vulnerabilities in Windows software. The early warning lets those vendors update their protection software before Microsoft announces the vulnerabilities publicly. Mike Reavey, group manager of the Microsoft Security Response Center, said that both initiatives are part of the company's six-year-old "trustworthy computing" initiative.
Reavey noted that there are 60 percent fewer infections cleaned off machines with Windows Vista, compared with those with Windows XP Service Pack 2. But he added, "Customer pain is still there. The attacks are evolving. We see more attacks with social engineering (such as tricking people out of their passwords) and more targeting of business and personal information coming online."
While big companies such as Microsoft are dedicating enormous resources to security, there are still plenty of places where startups can contribute. Debix, for instance, has released an identity theft protection service for just $24 a year. It uses a combination of voice recognition and telephone alerts to warn a user every time someone tries to open a new credit card account in his or her name. If the user says that he or she did not open the account in question, Debix cancels the transaction and immediately launches a fraud investigation while the criminal's trail is still hot.
David Scott Lewis, the hacker who was the original inspiration for the 1983 film "War Games," said that he believes that the responses to cyber threats will have to become increasingly automated. Those responses, driven by artificial intelligence technology, will be able to detect attacks based on behavioral analysis, not by the simple matching of one threat's digital signature to one stored in a database.
"That's going to be the way that we can keep up with bad guys in the future," he said.
Dean Takahashi is a writer for VentureBeat at http://venturebeat.com and covers Silicon Valley for Innovation.

Copyright © 2012 | Innovation America