GOOD, BAD & TECHIES
August 3, 2007 - 9:00 pm
Call it a case of good nerds doing bad things. Or maybe it's bad nerds doing good things.
Either way the 4,000 guys and gals at the Black Hat USA conference in Las Vegas are breaking into computers and cell phones now to prevent criminals from hacking in later.
And with more Americans putting their personal and professional lives online and in digital form, corporate security pros and government cyber cops are paying closer attention than ever to the goings-on during Black Hat events.
"You don't have to worry about a car thief coming from New Zealand and trying to steal your car," said Mikko Hypponen, a researcher who recently identified a computer worm that used news headlines as bait to trick people into exposing digital data. "But you do have to worry about a hacker from New Zealand getting into your computer."
The conference is a collaboration of techies with corporate, government, university and underground connections who gather to swap tips and stories about security lapses in everything from Web browsers to social networking sites like MySpace and even iPhones. It ran from Saturday through Thursday at Caesars Palace. A related event called Defcon runs today through Sunday at the Riviera.
An estimated 100 million Americans, roughly a third of the nation's population, have had their personal information compromised, according to the Privacy Rights Clearinghouse. Computer security breaches hurt companies, too. A study by the Ponemon Institute said a single compromised record can cost a company $182. The institute studied 31 incidents for a 2006 report and found cases that cost companies anywhere from less than $1 million to $22 million.
Although Black Hat sponsors include corporate giants like Microsoft, Cisco and Google and federal agents mingle freely with attendees, tension can still mount when people distrust each other's motives.
One source of constant friction is the issue of disclosure. It rears up whenever somebody identifies a security flaw in a product or system. The debate centers on whether the person who found the flaw should give the software or system operators time to fix the defect before going public with the details.
Some say immediate public disclosure puts people at risk by making it easier for bad guys to exploit flaws. Others say disclosure, or the threat of disclosure, provides motivation for companies or the government to move quickly to improve security.
Charles Miller was among the first to identify a security flaw in iPhones, the highly touted cell phone and Internet devices with sleek touch screen key pads and price tags of more than $500.
But even though Apple sold as many as 500,000 iPhones the weekend the devices went on sale, Miller said company officials weren't interested in talking to him about a flaw that gave hackers a chance to break into and hijack the phones.
"If you could control a lot of these iPhones you could make them all dial a certain phone number all at once," said Miller, describing a type of action called a denial of service attack that occurs when hackers make a computer server or switchboard crash by bombarding it with incoming data.
Miller said he offered to detail the flaw and suggest a fix but Apple wasn't interested. He also said he planned to disclose the flaw Thursday during an already scheduled talk at Black Hat. Miller said Apple asked him to postpone the disclosure. He refused and Apple devised a patch to cover the flaw in time for the conference.
"They wanted a free pass to take as long as they wanted," Miller said, adding that Apple's patch covered the flaw he exploited but didn't add new layers of security to the iPhone to address the root of the problem. "My motive is getting people's devices protected sooner rather than later. Their interest is making money."
Apple did not return a call for comment.
Leaders of other companies take a more genial approach to criticism. Company officials from Mozilla, makers of the open-source Web browser Firefox, offer bounties to people who identify flaws. Web browsers are the programs people use to access the Internet. They transmit everything from personal financial information to clues about users' personal tastes, habits and interests.
The complexity of browser software and intimacy of the information it transmits makes security a constant issue. Browsers need features that prevent hacking by expert criminals but are easy for everyday users to operate.
"Ninety-nine percent of the sites you go to aren't going to do anything awful to you. But it is hard to know that ahead of time," said Mike Shaver, director of ecosystem development for Mozilla.
Mozilla officials prefer when critics give the firm's workers a chance to fix a problem before going public. But they don't try to influence the disclosure decision or withhold the bounty, said Mozilla's Window Snyder, who goes by the title chief security something-or-other.
"It is a real pain in the butt when somebody reveals a vulnerability without giving us the time to fix it," Snyder told an audience during a seminar at the conference.
Later, Shaver said software makers are responsible for making secure products even if they don't like the way a problem is disclosed.
"One of the most important things here is hearing what other people think about security," Shaver said. "That is exactly the type of feedback we are looking for."
The conference also focused on security measures that come from common sense as opposed to technology.
Some of the most blatant of these lapses occur when people use social networking sites like MySpace or Facebook.
"A lot of people are tempted to put personal information out there," said conference speaker Stephen Patton. "They don't ever realize how publicly available that information is."
Patton said young people don't always think about the implications of posting class schedules, planned activities or personal details that could be used by stalkers.
Criminals can also use the information to perform social engineering, a process of collecting information about a person or place and leveraging it to get more information that can be used to commit a crime.
"It is almost like talking to strangers without realizing you are doing it," Patton said.
David Mortman, chief security officer in residence for Echelon One of Columbus, Ohio, said at its core Black Hat is essentially nerds doing what they do best to improve technology for everyone.
COMPUTER MEDIA PLAYERS VULNERABLE
Media players in personal computers have serious vulnerabilities that could allow online criminals to attach malicious code and infect computers without the user's knowledge, a researcher said Thursday.
As a result, audio and video downloads can be turned into digital weapons that hackers could use to hijack or corrupt computers, said David Thiel, senior security consultant with San Francisco-based researcher Isec Partners.
Thiel, who exposed the flaws on relatively obscure open-source media players during a presentation at the Black Hat hacker conference, said he has found several flaws in popular commercial players. But he declined to provide their brand names because, he says, he is still disclosing the exploits to the companies so they can issue fixes.
He isn't aware of any current attacks using the vulnerabilities he's discovered but said they're hard to track.
"The actual potential for attack is reasonably severe because nobody cares about actually playing videos from YouTube or playing music on Web pages -- you can't get music to stop playing at you," he said. "Because this stuff is launched automatically, I think the impact could be significant."
THE ASSOCIATED PRESS