
Guess we’ll have to get secure with insecurity

For those who are net challenged, all we can do is be cautious and skeptical

The annual Black Hat, DefCon events…you can almost smell the cyber napalm in the morning.

While there are a lot of good things about Las Vegas (business-friendly policies), it’s a logical location for a hacking, malware, cyber penetration convention. After all, it was founded on a fundamental human frailty … personal greed, beating the odds.

HINT: It’s impossible to beat the odds!

Unfortunately, you also can’t beat the odds when it comes to protecting personal, corporate and government secrets.

Malicious, pain-in-the-behind bad-guy hacking and hacktivism win more often than the good guys do.

It’s why no one with half a brain uses any of the ATM machines when the nearly 9,000 “attendees” are in town. They’re hacked just for the heckovit!

It was here that Aruba wanted to demonstrate the strength of their cryptographic technology and wireless technology by provisioning the two events.

Now that takes … well, you know!

Conference Fun

Seems like everyone took a whack at them, generating:

– 670 rogue attacks

– 191 AP flood attacks

– 489 AP spoofing

– 1,659 hotspot attacks

– 1,700 Block ACK attacks

Yeah, there was a lot of fun ‘n games; but a lot of serious business was discussed and I gotta’ tell you, the future isn’t all that bright.

The “noise” highlight of the two conferences was McAfee’s report of a five-year global study.

Their report (Operation Shady Rat) is available on their Web site but they focused on the cyber-espionage activities against 70 targets – sensitive government, business and private organizations.

The bottom line was they had all been penetrated/ripped off; but the real news was how long they had gone unnoticed – some for months, but many for a year or more.

Dmitri Alperovitch, of McAfee Labs, noted that pretty much anyone with data worth stealing had been compromised and that was just the tip of the iceberg.

McAfee’s five-year study uncovered cyber penetrations everywhere, even in the most aggressively protected organizations. The countries and areas not shown? Those folks either haven’t uncovered the malicious, vicious work or they swept the attacks under the rug. Complex programming produces a lot of the openings for hackers, hacktivists and cybercriminals, but users who bypass organization program/network security pose the best opportunities for getting inside.

The conclusion was that companies (and folks) could be divided into two categories: those that know they’ve been compromised and those that don’t yet know.

Us? Ignorance is bliss.

The security folks weren’t ignorant of the problem though and didn’t mince words in the sessions about management’s poor response to all the bad things that can happen when security sucks.

Instead of beefing up security staffs (the shows were hunting grounds for new employees), organizations were buying hack insurance.

Why protect company information and secrets when you can pass the buck?

While Anonymous has scored some impressive penetrations in company, government and law enforcement organizations, one of the panels didn’t give them much credit except for showing folks how their network security sucked.

The DefCon and Black Hat sessions brought forward industry leaders and lots of discussions including concern over Net neutrality, privacy, and cyberwar activities/concerns. Mudge noted that added layers of security not only add to the complexity but increase the attack surface. Robert Clark of the U.S. Army Cyber Command, who packed his session, said governments need to monitor/seize data and user rights.

Bad Kids at Play

People who hack/secure for a living didn’t think much of Anonymous or LulzSec, equating their self-righteous activities to a bunch of kids sneaking into a school to smash and steal stuff.

Releasing private, personal, secret documents may be cool; but increasingly, personal information about people is being outed ruining reputations and putting folks in danger.

The professional hackers/hacktivists didn’t condone that type of reckless activity, since the whole objective of the two shows was to point out weaknesses in the systems and get people to correct them.

When that doesn’t happen, they let everyone know how they can get inside the organization.

Or, if the organization is doing really bad stuff, dig it up and expose it to the world.

Sounds reasonable to us.

A lot of the speakers, like Peiter Zatko or “Mudge,” were seasoned hackers who went legit, working for businesses and organizations to improve programming/network quality and beef up security.

Zatko noted that because today’s systems are so complex, they’re breeding grounds for malicious coders.

A recent IBM report showed that for every 1,000 lines of code, one to five bugs were introduced, providing open doors for kids who are really good at hacking and crooks who are really “inspired.”

Back in the good old days of the two events, it was only natural that most of the discussions centered on the big target in the room — Microsoft Windows.

With “everyone” using the OS, it was fun/easy for hackers, crackers and attackers to beat the living c__p out of Microsoft without even trying.

But that has slowly changed because Microsoft:

– is investing a lot in security technology

– improved the quality of their programming/development

– has been more responsive when problems have been uncovered

Or…it’s just no fun kicking the old dog anymore.

Then too, some folks see Windows as irrelevant in the brave new “post PC World.”

The rogues have turned their attention on Jobs’ Apple. The disorganized Anonymous said Mac OS X and other OSes were their big focus for the coming year.

It wasn’t a big issue when IT departments kept Macs at a safe distance.

Office Apples

But now that companies have “bent” their policies, and are allowing people to BYOD (bring your own device), security holes are becoming a major problem.

We knew that Apple increasing their market share wasn’t something that would lead to any good.

We will always have hackers – good and bad – who are better, smarter, faster than the generations that try to protect the Net/users. Like this 10-year-old who attended the two events, every new generation is wired differently and digging around stuff just to uncover problems, issues, opportunities is natural to them. Little things like security are minor inconveniences, not locks on the doors.

The issue seems to be that the more secure the OS and your device, the less convenient it is to use; and you’ve gotta’ admit Apple’s devices are easy to use.

DefConers and BlackHatters like to point out that one of the reasons hackers, hacktivists and cybercriminals succeed so well is that folks just turn off the security features to make their stuff easier to use.

Crud…we wanted it both ways!

One of the highlights of the two events – beside hacking ATMs and rubbing shoulders with the CIA, FBI, DEA, etc. – is the annual Pwnie awards.

Every year, companies, hackers, discoveries are “honored” for their inability to protect their content, for the bugs/holes they uncovered, their deeds (good and bad). The conclusion from this year’s DefCon, Black Hat Conference was that there will be even more awards presented next year and the malicious, vicious attacks will be bigger and more profuse.

Individuals, companies as well as malware discoverers and breakers are honored with a garish gold My Little Pony prize each year.

Prize Winners

Gates had a matching collection of them and he passed them on to Ballmer who also has an unbroken record.

Sony got theirs, so did a lot of individuals who weren’t able to attend because they were doing hard time.

Then there are the folks who wanted to bask in the spotlight, but outing themselves to the crowd just didn’t seem really “prudent.”

Jobs won’t send anyone next year, period.

Other than a few people getting job offers, others getting ticked because they were one-upped by a **** little 10-year-old no less; Black Hat and DefCon are two conferences you can bet will be around for years.

While attention is being focused on the bad guys/gals and the havoc they cause, the security industry still isn’t doing a good job of protecting computer users from themselves and the hostile world around them.

Yes, law-enforcement agencies around the globe are tracking down and arresting more malicious folks and cybercriminals.

While some of the hacking community has a strong sense of social responsibility, there are more who think nothing of hacking, defacing, exposing an organization and individuals because they feel they’ve been wronged.

Many get carried away with their own “power” and hurting people because the Net gives them invisibility; and bragging about their exploits is a big ego booster. But there are a lot of ethical hackers out there who get a real rush out of finding a firewall hole or software bug that gives them entrance into an organization’s database so the weaknesses can be corrected.

For the rest of us who are system/net challenged, all we can do is be cautious, skeptical, alert.

The hackers can be a pain in the behind, but the really bad guys? If it looks/sounds too good to be true…it probably is!