The Black Hat and Defcon security conferences both kick off in Las Vegas this week, and cyberthreats and security leaks seem as pervasive as ever. But security-minded corporations contend they’re making progress on dealing with multifaceted computer crime threats.
Microsoft said today that it has a trio of new programs and tools aimed at helping the security community to better protect against online threats. We’ll see how well the security community greets these and other announcements coming at the shows. The experience of attending the Black Hat conference at the swanky Caesar’s Palace convention hall is far different from the wild and woolly Defcon at the earthy Riviera Hotel. Law enforcement and big corporations favor Black Hat, while hackers with nicknames prefer Defcon.
Speakers at both shows typically wear black T-shirts and talk about their hacking exploits that embarrass the big firms. Once in a while, law enforcers will arrest an attendee at Defcon. But more often, they mingle uneasily with the crowd in an attempt to better understand the enemy.
This year, the topics will include the Obama administration’s efforts to deal with cybersecurity. Jeff Moss, the one-time hacker (a.k.a. Dark Tangent) who founded both the Black Hat and Defcon shows, is now an advisor to the administration on cybersecurity matters on the Homeland Security Advisory Council. Other matters will likely include the latest on the security of iPhones, the safety of the air traffic control system, parking meters and the security of cloud computing systems — Internet-based servers such as those run by Google — where we’re all preparing to store our personal data.
Last year, security seemed like a big joke, and there were threats everywhere. The industry had successfully come together to deal with a major threat: a flaw in the Domain Name System (DNS), a fundamental underpinning of the Internet. Dan Kaminsky, a security researcher, found that hackers could poison the cache of the DNS resolvers that translate web site names into the addresses Internet traffic is sent to, redirecting users to the wrong locations. He pulled together an industry-wide team that patched the flaw.
That effort was a success, but it was emblematic of the patchwork quilt of security that holds the Internet together. Last year, researchers showed how easy it was to penetrate the security of social networks such as MySpace that rely on user-generated content. One of my most popular stories from last year had the headline, “Excuse me while I turn off your pacemaker.” Yep, a researcher had figured out how to hack pacemakers via wireless controls. Another big controversy from last year ensued when three MIT students sought to show how they hacked Boston’s subway token system — only to be sued by the transit authority.
Last year, Microsoft created several initiatives such as the Microsoft Exploitability Index that warned of the likelihood that certain flaws in software would be exploited. This year, it says that the index was 99 percent accurate in assessing 140 different threats in the past year. Tools like this are helping the industry come together and form more sophisticated defences, said Andrew Cushman, Microsoft senior director at the Microsoft Security Response Center.
In addition, there are now 47 global partners that have joined the Microsoft Active Protections Program introduced last year. Those partners are alerted ahead of the time when Microsoft publicly discloses vulnerabilities. Thanks to that program, one partner, Sourcefire, says it can now do in two hours what it once took eight hours to do: create software that detects a particular exploit identified in the latest reports.
By sharing data earlier, the industry can decrease the risks of attacks and narrow the window of time in which companies and consumers are vulnerable, Cushman said.
Asked if we’re better off, Cushman said, “It’s undeniable that the types of threats have evolved.” But companies are likely better off if they move fast to adopt recommended practices.
This year, Microsoft is providing a Microsoft Security Update Guide, which helps customers better assess their risks on a strategic and micro level. Microsoft is also letting out more information to help managers figure out security costs and to deconstruct attacks related to Microsoft Office.
Somehow, with all of the advances, cybercrime continues to snowball. Identity theft is still rampant, organized criminals have made cybercrime into a big business, botnets have attacked U.S. government sites, and the theft of Twitter’s innermost secrets has shed some light on the consequences of poor security (in Twitter’s case, an employee’s weak password).
At Defcon, the sideshows are always entertaining. A couple of years ago, a CNBC reporter tried to film the event undercover and got booted out. Last year, a group of French reporters thought it would be fun to steal the passwords of other reporters in the press room at Black Hat. (Luckily, I wasn’t among them). You can watch live “penetration testing” in action where teams compete in a Capture the Flag security game. And you can attend lockpicking workshops that draw frowns from the attending Feds.
One of the lessons I’ve learned is to avoid getting on unsecured WiFi networks of any kind at the conferences. Anyone who does will usually find their personal data displayed on Defcon’s Wall of Sheep.
Yes, when I go to Black Hat and Defcon, I feel like one of the corporate lambs walking into the lion’s den. It’s one of the shows where what happens in Vegas gets broadcast all over the world. And you can always count on coming home from the show a tad more paranoid and less trusting.