- Email: [email protected]
DefCon Recruiting JamFest
COSEv19no6.qxd
9/11/00
9:43 AM
Page 493
Computers & Security, Vol. 19, No. 6
with others in the underground”, says Rica. He would know. One of his clients hired a well-known hacker to do penetration testing and later found the hacker’s exploits inside his company’s system splashed across a cover story in underground hacker magazine 2600. Off the record, some computer-security managers expressed sympathy for Mitnick. Others suggested that convicted hackers be given a second chance in a limited arena until they prove themselves trustworthy and loyal. “You can bring someone in for a part of a project or to do only certain parts of the audit. You don’t have to give them the keys to the kingdom”, says Jim Williams, the director of business development at computer-services and consulting firm S3 Networks. For his part, Williams will not hire criminals and openly briefs customers on the background of his security consultants.And he looks to hire people with security clearances and backgrounds at big corporations or in the government. He’s not alone: @stake, Foundstone, and PricewaterhouseCoopers all prize candidates with clearances and Fortune 500 pedigrees. The presence of such individuals, in most cases, represents a clear sign of the integrity of the company. That’s bad news for the Kevin Mitnicks of the world. That said, hackers clearly have an important contribution to make. “Do you want to hire someone who went to school for four years in car security, or do you want to hire the person who is an expert at stealing the car?” asks Mitnick.The answer is both. But just be careful who has the keys and who’s left alone in the parking garage with the Ferraris.
DefCon Recruiting JamFest The mercury soared as high as 118 degrees, and still the number of people decked out all in black at the Alexis Park Hotel remained a constant, at about two thirds of the more than 5000 who showed up. The attraction was the eighth annual DefCon, a gathering of computer hackers and information security professionals. While there are many other hacker meetings that take place around the country, there is only one DefCon, and it is considered the height of the hacker social season.
In its own way, DefCon is not unlike the annual summer rendezvous held by the fur-trapping mountain men of the Old West. Then again the mountain men didn’t have chat rooms. DefCon is the place for people who typically interact exclusively on the chat channels of Internet Relay Chat get together in real life, to compete in hacking wargames, learn new skills and party. What often strikes people unfamiliar with the world of hacking as unusual is that the event takes place at all, let alone out in the open. Computer hacking, while more often associated in the public mind with illegal activity than as a legitimate intellectual pursuit, is typically carried out in a far-from-illegal manner. Yet hackers as a group tend only to come to public attention in the aftermath of a notorious criminal incident, say a virus outbreak or a denial of service attack. But corporate America was not averse to showings its face at this year’s DefCon. Dell Computer donated equipment for the event’s wireless network, while employees from Symantec gave a presentation on a new security system. But in a twist, officials with several federal agencies, including the CIA, the Department of Defense and the National Security Agency, were in attendance and on stage.Their attendance is not new. Being so open about it is.The overwhelming message from these officials to the hacker community: “Come work for us”. “If you are extremely talented, and you are wondering what you’d like to do for the rest of your life, join us, and help us educate our people”, said Arthur Money, an assistant secretary of defence during a presentation called The Fed Panel, which included representatives from the Federal Computer Incident Response Capability and the US Air Force. Money’s presentation was complete with a uniformed Naval officer waiting in the back of the room to accept applications.“I like to get out and listen to very smart people who can teach me things that I don’t know”, says one federal intelligence officer who asked that his name and agency affiliation not be used. One key lure may be the opportunity to play with the advanced ‘toys’ referred to by some of the feds at the convention. “I know hackers who love to play with
493
COSEv19no6.qxd
9/11/00
9:43 AM
Page 494
Security Views/Dr. BIll Hancock
cool toys and that’s a given”, says Jeff Moss, the event’s main organizer, who also goes by the hacker handle Dark Tangent. “When I jumped jobs in the past it was to work with cool people and interesting stuff. I would take a $20 000 pay cut to be with an interesting group of people doing cool stuff.” Should the government be wary of hiring hackers? Probably not, at least not as long as they don’t have a conviction record, Moss says. He knows a thing or two about hiring hackers. He himself worked for Secure Computing until October 1999, when he devoted himself full time to putting on DefCon. “When I was at Secure Computing, we admitted that yes, we hire hackers, but we don’t hire computer criminals. We wanted smart, old-school hackers who knew what they were doing.” The heavy federal presence made the traditional ‘Spot the Fed’ contest almost pointless.The idea behind the contest has always been to ‘out’ a federal officer who may be quietly lurking at the convention.A suspected fed, sometimes spotted by his or her more conservative dress, is quizzed by about his or her profession, and if they work for a federal or other government agency, they’re asked to produce a badge or official identification. Of course it’s all meant in good fun. The prizes? An ‘I Spotted the Fed’T-shirt for the spotter, and an ‘I Was the Fed’T-shirt for the spottee. For the past two years, hackers attending DefCon have looked forward most of all to the annual visit from the Cult of the Dead Cow (cDc), a hacker troupe with a 16-year history, known for its collection of interesting personalities and superior skills. DefCon has recently been the place where cDc releases its latest and most controversial software tools. At DefCon 6 in 1998, the group released Back Orifice, a network administration tool that would allow a user to remotely manage a Windows-based computer. It was also useful for some of the malicious hackers who used it — by sneaking a copy into a computer — as a way of monitoring the activity on a target computer without the knowledge of the computer’s owner. Computer security firms rushed to find ways to counteract the misuse of the program, many declaring it a Trojan horse. Then last year, at DefCon 7, cDc
494
released a new version of the program, Back Orifice 2000, which was smaller, faster and more powerful than the original. So what did cDc have for the crowd at DefCon this year? A big show that included, among other things, a mock human sacrifice, but almost nothing else.“We’re not a software company, so people shouldn’t be expecting a new tool every year”, says a member of cDc who goes by the name of Tweety Fish. (“I wanted a name so ridiculous that if I ever got arrested, a judge would laugh it out of court”, he says of the name.) Yet cDc, having recently released a software tool called NDNames, continues to be a thorn in the side of software giant Microsoft. The program takes advantage of an apparent weakness in the Windows operating system by blocking a computer’s ability to get a unique identifying name on a network, thereby interfering with its ability to talk to other machines on the network. The group told Microsoft about the weakness, and patch has been issued, but only for Windows 2000. Microsoft said in a security bulletin that the weakness lies not in Windows, but in the NetBIOS protocol. Another vulnerability was revealed at the conference in Lotus Notes, a Internet server platform sold by Lotus Development, a unit of IBM, by Chris Goggans, of Security Designs International, who used to go by his hacker handle Erik Bloodaxe and the Trust Factory, a Netherlands-based computer security firm. Essentially, the weakness could, Goggans says, in the most extreme cases, allow an attacker to usurp the identification information of a Notes user, gaining access to that server. Lotus has suggested ways to fend off such an attack, but Goggans says that while this is a good start, they still don’t cover all the ways it could be carried out. No word yet if Lotus plans to recruit at DefCon 9.
Hacker Target: Mobile Phones Mobile phones have become the focus of attacks by virus writers and hackers, according to Russian antivirus firm Kaspersky Lab. The Moscow-based company said that in the past few months, mobile phones and their users have had increasing attention paid to
9/11/00
9:43 AM
Page 493
Computers & Security, Vol. 19, No. 6
with others in the underground”, says Rica. He would know. One of his clients hired a well-known hacker to do penetration testing and later found the hacker’s exploits inside his company’s system splashed across a cover story in underground hacker magazine 2600. Off the record, some computer-security managers expressed sympathy for Mitnick. Others suggested that convicted hackers be given a second chance in a limited arena until they prove themselves trustworthy and loyal. “You can bring someone in for a part of a project or to do only certain parts of the audit. You don’t have to give them the keys to the kingdom”, says Jim Williams, the director of business development at computer-services and consulting firm S3 Networks. For his part, Williams will not hire criminals and openly briefs customers on the background of his security consultants.And he looks to hire people with security clearances and backgrounds at big corporations or in the government. He’s not alone: @stake, Foundstone, and PricewaterhouseCoopers all prize candidates with clearances and Fortune 500 pedigrees. The presence of such individuals, in most cases, represents a clear sign of the integrity of the company. That’s bad news for the Kevin Mitnicks of the world. That said, hackers clearly have an important contribution to make. “Do you want to hire someone who went to school for four years in car security, or do you want to hire the person who is an expert at stealing the car?” asks Mitnick.The answer is both. But just be careful who has the keys and who’s left alone in the parking garage with the Ferraris.
DefCon Recruiting JamFest The mercury soared as high as 118 degrees, and still the number of people decked out all in black at the Alexis Park Hotel remained a constant, at about two thirds of the more than 5000 who showed up. The attraction was the eighth annual DefCon, a gathering of computer hackers and information security professionals. While there are many other hacker meetings that take place around the country, there is only one DefCon, and it is considered the height of the hacker social season.
In its own way, DefCon is not unlike the annual summer rendezvous held by the fur-trapping mountain men of the Old West. Then again the mountain men didn’t have chat rooms. DefCon is the place for people who typically interact exclusively on the chat channels of Internet Relay Chat get together in real life, to compete in hacking wargames, learn new skills and party. What often strikes people unfamiliar with the world of hacking as unusual is that the event takes place at all, let alone out in the open. Computer hacking, while more often associated in the public mind with illegal activity than as a legitimate intellectual pursuit, is typically carried out in a far-from-illegal manner. Yet hackers as a group tend only to come to public attention in the aftermath of a notorious criminal incident, say a virus outbreak or a denial of service attack. But corporate America was not averse to showings its face at this year’s DefCon. Dell Computer donated equipment for the event’s wireless network, while employees from Symantec gave a presentation on a new security system. But in a twist, officials with several federal agencies, including the CIA, the Department of Defense and the National Security Agency, were in attendance and on stage.Their attendance is not new. Being so open about it is.The overwhelming message from these officials to the hacker community: “Come work for us”. “If you are extremely talented, and you are wondering what you’d like to do for the rest of your life, join us, and help us educate our people”, said Arthur Money, an assistant secretary of defence during a presentation called The Fed Panel, which included representatives from the Federal Computer Incident Response Capability and the US Air Force. Money’s presentation was complete with a uniformed Naval officer waiting in the back of the room to accept applications.“I like to get out and listen to very smart people who can teach me things that I don’t know”, says one federal intelligence officer who asked that his name and agency affiliation not be used. One key lure may be the opportunity to play with the advanced ‘toys’ referred to by some of the feds at the convention. “I know hackers who love to play with
493
COSEv19no6.qxd
9/11/00
9:43 AM
Page 494
Security Views/Dr. BIll Hancock
cool toys and that’s a given”, says Jeff Moss, the event’s main organizer, who also goes by the hacker handle Dark Tangent. “When I jumped jobs in the past it was to work with cool people and interesting stuff. I would take a $20 000 pay cut to be with an interesting group of people doing cool stuff.” Should the government be wary of hiring hackers? Probably not, at least not as long as they don’t have a conviction record, Moss says. He knows a thing or two about hiring hackers. He himself worked for Secure Computing until October 1999, when he devoted himself full time to putting on DefCon. “When I was at Secure Computing, we admitted that yes, we hire hackers, but we don’t hire computer criminals. We wanted smart, old-school hackers who knew what they were doing.” The heavy federal presence made the traditional ‘Spot the Fed’ contest almost pointless.The idea behind the contest has always been to ‘out’ a federal officer who may be quietly lurking at the convention.A suspected fed, sometimes spotted by his or her more conservative dress, is quizzed by about his or her profession, and if they work for a federal or other government agency, they’re asked to produce a badge or official identification. Of course it’s all meant in good fun. The prizes? An ‘I Spotted the Fed’T-shirt for the spotter, and an ‘I Was the Fed’T-shirt for the spottee. For the past two years, hackers attending DefCon have looked forward most of all to the annual visit from the Cult of the Dead Cow (cDc), a hacker troupe with a 16-year history, known for its collection of interesting personalities and superior skills. DefCon has recently been the place where cDc releases its latest and most controversial software tools. At DefCon 6 in 1998, the group released Back Orifice, a network administration tool that would allow a user to remotely manage a Windows-based computer. It was also useful for some of the malicious hackers who used it — by sneaking a copy into a computer — as a way of monitoring the activity on a target computer without the knowledge of the computer’s owner. Computer security firms rushed to find ways to counteract the misuse of the program, many declaring it a Trojan horse. Then last year, at DefCon 7, cDc
494
released a new version of the program, Back Orifice 2000, which was smaller, faster and more powerful than the original. So what did cDc have for the crowd at DefCon this year? A big show that included, among other things, a mock human sacrifice, but almost nothing else.“We’re not a software company, so people shouldn’t be expecting a new tool every year”, says a member of cDc who goes by the name of Tweety Fish. (“I wanted a name so ridiculous that if I ever got arrested, a judge would laugh it out of court”, he says of the name.) Yet cDc, having recently released a software tool called NDNames, continues to be a thorn in the side of software giant Microsoft. The program takes advantage of an apparent weakness in the Windows operating system by blocking a computer’s ability to get a unique identifying name on a network, thereby interfering with its ability to talk to other machines on the network. The group told Microsoft about the weakness, and patch has been issued, but only for Windows 2000. Microsoft said in a security bulletin that the weakness lies not in Windows, but in the NetBIOS protocol. Another vulnerability was revealed at the conference in Lotus Notes, a Internet server platform sold by Lotus Development, a unit of IBM, by Chris Goggans, of Security Designs International, who used to go by his hacker handle Erik Bloodaxe and the Trust Factory, a Netherlands-based computer security firm. Essentially, the weakness could, Goggans says, in the most extreme cases, allow an attacker to usurp the identification information of a Notes user, gaining access to that server. Lotus has suggested ways to fend off such an attack, but Goggans says that while this is a good start, they still don’t cover all the ways it could be carried out. No word yet if Lotus plans to recruit at DefCon 9.
Hacker Target: Mobile Phones Mobile phones have become the focus of attacks by virus writers and hackers, according to Russian antivirus firm Kaspersky Lab. The Moscow-based company said that in the past few months, mobile phones and their users have had increasing attention paid to