Hackers' Delight: Security Holes Abound at DefCon

Now in its eighth year, Def Con has grown from a small private party to a large hacker social event featuring workshops on exploitable vulnerabilities, defence strategies and the latest technology and tools for the security community. It attracts hackers from around the world whose refined skills bedevil network administrators everywhere.

This year's event also drew officials from the U.S. Central Investigation Agency, the National Security Agency and the U.S. Department of Defence, making the annual game of "spot the fed" an easy exercise. During the opening session, Arthur Money, CIO at the Pentagon, gamely thanked audience members for withholding attacks against the Pentagon's systems during the Y2k transition and appealed to attendees to use their talents on behalf of the U.S. government.

"More hackers are getting their lunch money from the feds as they work with security companies and the [government]," said Tweetyfish, a member of the hacking group Cult of the Dead Cow. "All the cool stuff happening on the Internet now, and the cool stuff happening in security, is being built by hackers."

One of the most anticipated events was the annual presentation by the Cult of the Dead Cow, which released the Back Orifice hacking tool at Def Con in 1998 and announced an updated version of the Trojan horse program that targets Windows NT systems at last year's conference. This year, members of the group offered information on a type of denial-of-service attack that can disable NetBIOS services on Windows machines.

The NetBIOS protocol flaw was described by a member of the Cult of the Dead Cow known as Sir Dystic, who developed a tool called NBName that he said can exploit the hole by rejecting all name-registration requests received by servers on TCP/IP networks. NBName can disable entire LANs and prevent machines from rejoining them, according to Sir Dystic, who said nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines. "It should be impossible for everyone to figure out what is going on," he added.

However, Microsoft last week posted an advisory on its Web site saying that the company is aware of the potential NetBIOS vulnerability. The company said a patch addressing the problem on Windows 2000 systems can be downloaded now, while others for the various versions of Windows NT 4.0 are due "to be released shortly." Microsoft added that external attacks shouldn't be possible "if normal security practices have been followed" by companies.

During their Def Con presentation, members of the Cult of the Dead Cow, whose tools potentially could be used to both attack and defend corporate networks, also appealed to so-called script kiddies to stop vandalising Web sites - after which they were attacked by two teen-agers armed with Silly String.

Other well-attended sessions included a workshop on Web application security led by a hacker named D-Krypt. Attendees were warned about the ability of the JavaScript programming language to capture Internet cookies that often store detailed information about Web browsing activities of users.

D-Krypt noted that the ability to seize the cookies creates the potential for attackers to impersonate users in online transactions such as stock trades. JavaScript also allows crackers to change item prices and other input variables in Web-based shopping cart applications, he said.

To avoid these kinds of attacks, D-Krypt advised, application developers should store cookies in secondary domains and use tools that strip out JavaScript code executed on the browser or from message boards and chat rooms.
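The altered-price problem D-Krypt describes comes down to a server trusting values the browser sends back. The following is an added example, not code from the talk or the article: a server-side check that reprices a submitted cart from its own catalogue and records any field that was tampered with. The catalogue, SKUs and the `priceCart` function are hypothetical.

```javascript
// Added illustration: hypothetical catalogue and function names.
// Prices are integer cents and are held only on the server.
const CATALOGUE = new Map([
  ["SKU-100", { name: "Modem", priceCents: 4999 }],
  ["SKU-200", { name: "Ethernet card", priceCents: 2500 }],
]);
const MAX_QTY = 100;

// Reprice a cart submitted by the browser. A price sent by the client is
// used only to detect tampering, never to compute the total.
function priceCart(submittedItems) {
  const lines = [];
  const findings = [];
  let totalCents = 0;
  if (!Array.isArray(submittedItems)) {
    return { ok: false, totalCents, lines, findings: ["cart is not a list"] };
  }
  for (const item of submittedItems) {
    const sku = typeof item?.sku === "string" ? item.sku : "";
    const entry = CATALOGUE.get(sku);
    if (!entry) {
      findings.push(`unknown sku: ${JSON.stringify(item?.sku)}`);
      continue;
    }
    const qty = item.qty;
    if (!Number.isInteger(qty) || qty < 1 || qty > MAX_QTY) {
      findings.push(`${sku}: invalid quantity ${JSON.stringify(qty)}`);
      continue;
    }
    if ("priceCents" in item && item.priceCents !== entry.priceCents) {
      findings.push(`${sku}: client price differs from catalogue`);
    }
    const lineCents = entry.priceCents * qty; // server-side price only
    lines.push({ sku, qty, unitCents: entry.priceCents, lineCents });
    totalCents += lineCents;
  }
  return { ok: findings.length === 0, totalCents, lines, findings };
}

// Constructed sample: a form post whose price and quantity fields were edited.
const tampered = [
  { sku: "SKU-100", qty: 2, priceCents: 1 },
  { sku: "SKU-200", qty: -3, priceCents: 2500 },
];
console.log(priceCart(tampered));
```

An order whose result has `ok: false` can be rejected or logged for review; either way the charged total never depends on a client-supplied price.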

More advice was offered by a hacker named Daremoe, who reviewed techniques that crackers use to profile systems - including ping sweeps, port scanning and analysis with a tool called Nmap. These tools can profile host systems and provide enough access to give potential attackers a general map of firewalls and other network defences, he said.

While inexperienced script kiddies typically target systems with obvious vulnerabilities, Daremoe noted that more experienced crackers will map specific hosts and create a vulnerability matrix that profiles their applications. The profile can then be compared against a database of known vulnerabilities to see which exploits could be used to access information and gain entry. "Protect against profiling," Daremoe said. "What other people know about you can hurt you, and you need to take network mapping seriously."

Daremoe suggested several defensive strategies to prevent network mapping, including setting up controls at firewalls to manage access requests based on the Internet Control Message Protocol, removing the ability of NetBIOS traffic to pass into a network and using registry keys to limit remote access. He also suggested deploying intrusion-detection technology and so-called "honey pots," which set up apparent vulnerabilities to lure in would-be crackers.

In addition, Daremoe encouraged hackers to simply learn from network profiling and move on instead of exploiting the vulnerabilities they discover. And he strongly cautioned against trying to map government or military networks. "They will come looking for you," he warned.

In another session, respected cryptographer Bruce Schneier cautioned the audience to be alert to flaws in biometrics systems, which authenticate users by scanning their fingerprints or other identifying characteristics. The systems can be highly useful if they include a human observer who can witness users confirming their identities via fingerprints, Schneier said.

But he added that biometrics technology has the potential for "terrific failure modes" because the potential for fraudulent use of such systems is high. "It's very easy for me to capture your digital finger and inject it into the stream," said Schneier, founder of Counterpane Internet Security in San Jose, where he is chief technical officer.

Ann Harrison

PC World