Hacking Vegas at Black Hat and DEF CON: One Geek's Experience

Since 1993 Las Vegas has been descended upon each July by an underground society that is--even by Las Vegas standards--conspicuously dressed, unpredictable and in some cases downright scary. They speak English only part of the time, tend to mistrust outsiders, and many of their habits and leisure activities are of questionable legality. Not surprisingly, their public events are always well-attended.

You may think the Furry Lil' Sith Lord is talking about a Gambino summit. He's actually talking about hackers.

DEF CON, which began as a relatively small get-together for members of the IS underground, has grown in recent years to become the world's largest and most publicized annual gathering of the diverse groups that comprise Information Systems Security. But despite its growth and more-or-less-mainstream success (measured in numbers and news articles), DEF CON is first and foremost for hackers.

The term "hacker" carries a lot of baggage, and, popular belief to the contrary, many people who call themselves hackers don't break into other people's systems. (Okay, maybe occasionally the systems of people they know, but not anybody who'd mind.) Whether one defines hackers as "computer criminals" or as "those who push computers, networks and even society beyond their creators' imagined limits", the term still has connotations of not-quite-strict legality and nonconformance taken to extremes.

So a few years ago DEF CON's creator, the Dark Tangent (aka Jeff Moss), decided it might be useful to precede DEF CON with an event more friendly to corporate and other "button-down" info-sec types. With the help of some corporate sponsorship he created Black Hat Briefings.

Black Hat has grown even more quickly (and much more profitably) than DEF CON; the two-day event takes place right before DEF CON, also in Las Vegas, and again every few months or so in Amsterdam, Singapore and Hong Kong (sequentially, not simultaneously).

Whereas DEF CON's registration fee is only $50, Black Hat costs $1,095. Also, while DEF CON has taken place for several years at (taken over, actually) the Alexis Park Hotel, Black Hat is held at the exponentially more lavish Caesar's Palace.

Darth Elmo had the good fortune to attend both this year. Unlike many Black Hat attendees he went with somewhat more of an underground perspective, or at least a non-corporate one. And unlike many DEF CON attendees, Darth can remember where he was, what he saw and what he drank for most of the time he was there. Here, then, are one geek's observations and opinions on these two fine events.

Black Hat Briefings

Of the two, as befits an expensive commercial event, Black Hat was way better organized and executed. Coffee and bagels ran out too quickly during the pseudo-complimentary breakfasts (complimentary to anybody who'd paid upwards of $1,095 to be there in the first place), but other than that things went smoothly and appeared to be consistent with the published schedule.

And the content itself? Several of the sessions Darth Elmo attended and all three keynotes (one the first morning and one during each of the two lunch banquets) were outstanding. A number of the other talks he attended were less technical and/or original than he'd hoped, though they were probably useful to newcomers to the field. But a few simply didn't deliver as promised; in Darth Elmo's keenly insightful opinion several of the talks he attended in the "Very Technical" track weren't very technical at all.

For example, one session on Automated Penetration Testing (i.e., automating the process of conducting security audits) had plenty of slides with lengthy lists of bullet-points, but absolutely no screenshots or code examples. Worse, it was delivered in a near-monotone. Being both boring and over-general is not the way to a geek's heart.

(Ironically, this particular session got some attention in the press since the system it described could, in theory, be used by anybody to perform a comprehensive penetration test of even complex networks and systems. Darth supposes this could revolutionize the pastime of Script Kiddie-ing, which is a scary thought. But his own suspicion is that the presenter's product, which it turns out the talk was really about, will be an extremely comprehensive but not earth-shattering security scanner; Nessus On Steroids, if you will. But Darth digresses.)

On the other hand, Darth Elmo also sat in on some excellent stuff. The opening keynote by author James Bamford on his experiences researching and writing about the ultra-secretive National Security Agency provided Black Hat with an auspicious start. Mr. Bamford gave a fascinating glimpse into the absurdity which ensues when a government agency needlessly tries to withhold non-sensitive and unclassified information from law-abiding taxpayers.

Jose Nazario gave a chilling but coherent, plausible and technical description of the imminent onset of Internet worms which will not only replicate themselves (what sets worms apart from viruses: a worm spreads on its own across the network, whereas a virus depends on a host program to propagate) but will also adaptively mutate themselves in ways that make them both more dangerous and more difficult to identify and neutralize. This lecture came out of research Jose is conducting in his pursuit of a PhD in Biochemistry.

Jay Beale, primary developer of the Bastille Linux system-hardening package, gave an excellent talk on securing the Domain Name System (DNS) and BIND (the most widely deployed DNS server). Jay's talk included both the fundamentals of good DNS security and also specific techniques for and examples of applying them to BIND. He also discussed djbdns, an alternative to BIND.
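To make the "fundamentals" concrete, here is an added example of what a hardened BIND configuration looks like. It is not taken from Jay's slides; the directives (version, allow-transfer, allow-recursion, recursion) are genuine BIND 8/9 named.conf options, but the addresses, zone name and ACL names are made up for illustration, and each option is shown with the permissive default it replaces:

```conf
// Added example named.conf fragment (not from Jay Beale's talk).
// Option names are real BIND 8/9 directives; the addresses, zone and
// ACL names are illustrative.

acl "secondaries" { 192.0.2.2; 198.51.100.2; };   // hosts that slave our zones
acl "campus"      { 10.0.0.0/8; 127.0.0.1; };      // hosts allowed to recurse

options {
    directory "/var/named";

    // Default: BIND answers a "version.bind CHAOS TXT" query with its exact
    // version string, handing an attacker a free fingerprint. Hide it.
    version "none";

    // Default: anyone may pull a full zone transfer (AXFR), i.e. a complete
    // map of your hosts. Allow it only for the secondaries that need it.
    allow-transfer { "secondaries"; };

    // Default: recursion is on for the whole Internet, which makes the
    // server an open resolver that third parties can use and poison.
    // A purely authoritative server should instead say: recursion no;
    allow-recursion { "campus"; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
    // A per-zone allow-transfer overrides the global one; keep it as tight.
    allow-transfer { "secondaries"; };
};
```

Two checks worth running from a host outside the ACLs after reloading: `dig @ns1.example.com version.bind chaos txt` should no longer return the version, and `dig @ns1.example.com example.com axfr` should be refused. Run the daemon itself as an unprivileged user in a chroot (`named -u named -t /var/named`) so that a BIND bug does not hand out root. djbdns sidesteps part of this by design: its authoritative server (tinydns) and its cache (dnscache) are separate programs, so an authoritative server cannot be an open resolver by accident.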

Hacker-journalist Richard Thieme gave an extremely subtle and deep lunchtime keynote address on reality constructs and how they must adapt as the realities of computer security evolve. He used war in space as a metaphor. For example, consider the general who described high-velocity debris and even paint chips as a major threat to a spacecraft's structural integrity. Since technology has already advanced to the point where plasma/energy-shielding is possible, the general must change his understanding of the reality of threat-models in space. This sort of adaptation is necessary at a number of levels for all of us who deal with the rapidly-evolving world of info-sec.

Thursday's lunchtime keynote by Bruce Schneier was less heady but no less worthwhile. Bruce spoke largely off the top of his head on a range of current topics in cryptography and network security, but focused mainly on the need to rely less on prevention and more on monitoring and prosecution in dealing with computer crime.

In the real world, argues Schneier, we've so far had much more success using criminal justice as a means of deterring and containing crime than we've had with prevention. Similarly, in info-sec we need to pay more attention to intrusion-detection systems and rely less on firewalls. We also should spend more energy on catching and prosecuting computer criminals than on covering up the fallout of their actions.

Some of the afternoon sessions also stood out. Dr. Ian Goldberg of Zero Knowledge Systems gave an extremely technical talk on his successful cryptanalysis (i.e., cracking wide open) of the Wired Equivalent Privacy (WEP) standard, work done with Nikita Borisov and David Wagner at Berkeley. WEP is what 802.11 wireless devices use to provide security that is allegedly equivalent to that of a cabled network. Descriptions of proofs and formulas that shattered both WEP's confidentiality (its 24-bit initialization vector guarantees that RC4 keystreams get reused) and its integrity (its CRC-32 checksum lets an attacker alter an encrypted packet undetected) were interspersed with gleeful exclamations of "The attacker succeeds!", making for a convincing and humorous presentation.
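The two flaws behind "The attacker succeeds!", as an added example that is not Goldberg's code or slides: the RC4 and WEP framing below follow the published design (per-frame key = 24-bit IV || shared key, payload = data || CRC-32 ICV, ciphertext = payload XOR keystream, frame = IV || ciphertext), while the key, IVs and messages are constructed sample data and the little-endian packing of the ICV is a choice made for the demo that the attacks do not depend on.

```python
"""WEP keystream reuse and CRC-32 bit flipping, as a self-contained demo.
Added example; the sample key, IVs and messages are constructed."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext (packed LE here)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(shared_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP frame body: IV (in the clear) || RC4_{IV||key}(data || ICV)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, frame: bytes):
    """Return (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + shared_key, len(ct)))
    data, tag = body[:-4], body[-4:]
    return data, tag == icv(data)


# Weakness 1: the IV is only 24 bits and is sent in the clear, so on a busy
# network the same IV (hence the same keystream) recurs within hours. One
# frame with a known plaintext (a predictable protocol header will do) gives
# the keystream for that IV; every other frame under that IV then falls
# without the shared key ever being recovered.
def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Keystream = ciphertext XOR (known plaintext || its ICV)."""
    return xor(frame[3:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt a frame that reused the IV the keystream was recovered under."""
    ct = frame[3:]
    if len(keystream) < len(ct):
        raise ValueError("recovered keystream is shorter than the target frame")
    return xor(ct, keystream)[:-4]


# Weakness 2: CRC-32 is linear, crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0),
# so flipping chosen plaintext bits through the ciphertext only needs the
# encrypted ICV patched by a value that depends on the flip mask alone.
def forge_flip(frame: bytes, delta: bytes) -> bytes:
    """Return a frame whose plaintext is the original XOR `delta`, ICV still valid."""
    iv, ct = frame[:3], frame[3:]
    n = len(ct) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole data field")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
    patched_tag = xor(ct[n:], struct.pack("<I", icv_delta))
    return iv + xor(ct[:n], delta) + patched_tag


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"             # constructed 40-bit shared key
    iv = b"\x00\x00\x01"
    f1 = wep_encrypt(key, iv, b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(key, iv, b"password=hunter2")
    ks = recover_keystream(f1, b"GET /index.html HTTP/1.0")
    print("IV reuse:", decrypt_with_keystream(f2, ks))
    orig, wanted = b"amount=0100 to=alice", b"amount=9999 to=alice"
    f3 = wep_encrypt(key, b"\x0a\x0b\x0c", orig)
    print("bit flip:", wep_decrypt(key, forge_flip(f3, xor(orig, wanted))))
```

The point of the second half is that the receiver's integrity check passes on the forged frame; the same edit applied without patching the ICV is rejected, so the flaw is specifically that CRC-32 is a linear checksum rather than a keyed MAC. Nothing here recovers the shared key; that came later with the Fluhrer-Mantin-Shamir key-scheduling attack, which is a separate result.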

Walter Gary Sharp, a geek-lawyer, held forth on the Legal Implications of Network Defense. Darth Elmo came away from this with the distinct impression that, at least in a general sense, the legal profession is starting to get a clue about how to deal with computer crime. Most of Sharp's examples alluded to non-electronic precedents, and one of Darth's pet rants for the last decade or so has been that cyberspace isn't really that different from meatspace. (Ask anybody who does this stuff for a living: the more of our real-world experience and common sense we apply to the electronic world, the better the whole thing works.)

Jericho gave an extremely iconoclastic and entertaining talk on why his Attrition group had stopped operating their mirror-site of defaced web pages, including a detailed background and history of the mirror.

Defacement mirrors are problematic on the one hand because they tend to glorify hacks whose sole point is macho posturing. (Something like, "Gr33tz to my kr3w! This sysadmin is so lame I hax0r3d his site in like 5 min. bekase he had his C: drive shaired hah hah hah!," etc. If only they all could be as S00p3r 3l33+ as Darth Elmo!). In fact, it's not uncommon for particularly self-esteem-impaired script-kiddies to register a domain-name, set up a phony web site, and then deface it themselves just for the honor of being mirrored.

On the other hand, mirrors also help security administrators and ordinary users alike see tangible results of bad security practices; in that respect they provide a sort of web-security barometer.

The last session our intrepid correspondent attended was an outstanding two-hour talk by the Honeynet Project, led by Lance Spitzner. If you're not familiar with him, Lance is the prolific author of useful hardening-procedures and white papers (his Solaris Hardening paper is required reading for Sun geeks), and a very personable guy besides.

Actually, the Honeynet show resembled a rap performance more than a seminar per se, as it featured a large number of Honeynet team-members (including Jay Beale, Fred Heidt and Marty Roesch), who alternated with Lance in relating the Honeynet story. And a compelling story it is.

A honeypot is a system with no production role that is deliberately left vulnerable, either to soak up attackers' time and energy that would otherwise go to one's "real" (important) systems or to record what they do once they get in; since nobody has a legitimate reason to talk to it, any traffic it receives is suspect by definition. A honeynet is a whole network built for this purpose. The Honeynet Project's goal is to amass as much data and intelligence on current hacking/intrusion techniques as possible.

Darth Elmo's furry lil' opinion is that standalone honeypots are generally a waste of time for system administrators interested in protecting crucial systems. Such people should instead concentrate on securing those crucial systems, monitoring their logs, keeping their software and OSes up-to-date, etc. And anybody who does deploy one should treat it as a hostile host from day one: keep it off the production network and make sure that, once compromised, it can't be used as a staging point for attacks on the real systems or on somebody else's.

But as a research project he finds the Honeynet Project fascinating. It seems to Darth that Lance et al. are providing the Internet community with an immediately useful body of data that will help greatly in the construction of sane and reality-based threat models (i.e., in helping us identify real vs. unlikely threats to system/network security).