Hackers' Delight: Security Holes Abound at DefCon

Now in its eighth year, Def Con has grown from a small private party to a large hacker social event featuring workshops on exploitable vulnerabilities, defence strategies and the latest technology and tools for the security community. It attracts hackers from around the world whose refined skills bedevil network administrators everywhere.

This year's event also drew officials from the U.S. Central Investigation Agency, the National Security Agency and the U.S. Department of Defence, making the annual game of "spot the fed" an easy exercise. During the opening session, Arthur Money, CIO at the Pentagon, gamely thanked audience members for withholding attacks against the Pentagon's systems during the Y2k transition and appealed to attendees to use their talents on behalf of the U.S. government.

"More hackers are getting their lunch money from the feds as they work with security companies and the [government]," said Tweetyfish, a member of the hacking group Cult of the Dead Cow. "All the cool stuff happening on the Internet now, and the cool stuff happening in security, is being built by hackers."

One of the most anticipated events was the annual presentation by the Cult of the Dead Cow, which released the Back Orifice hacking tool at Def Con in 1998 and announced an updated version of the Trojan horse program that targets Windows NT systems at last year's conference. This year, members of the group offered information on a type of denial-of-service attack that can disable NetBIOS services on Windows machines.

The NetBIOS protocol flaw was described by a member of the Cult of the Dead Cow known as Sir Dystic, who developed a tool called NBName that he said can exploit the hole by rejecting all name-registration requests received by servers on TCP/IP networks. NBName can disable entire LANs and prevent machines from rejoining them, according to Sir Dystic, who said nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines. "It should be impossible for everyone to figure out what is going on," he added.

However, Microsoft last week posted an advisory on its Web site saying that the company is aware of the potential NetBIOS vulnerability. The company said a patch addressing the problem on Windows 2000 systems can be downloaded now, while others for the various versions of Windows NT 4.0 are due "to be released shortly." Microsoft added that external attacks shouldn't be possible "if normal security practices have been followed" by companies.

Members of the Cult of the Dead Cow, whose tools potentially could be used to both attack and defend corporate networks, also appealed to so-called script kiddies to stop vandalising Web sites during their Def Con presentation - after which they were attacked by two teen-agers armed with Silly String.

Other well-attended sessions included a workshop on Web application security led by a hacker named D-Krypt. Attendees were warned about the ability of the JavaScript programming language to capture Internet cookies that often store detailed information about Web browsing activities of users.

D-Krypt noted that the ability to seize the cookies creates the potential for attackers to impersonate users in online transactions such as stock trades. JavaScript also allows crackers to change item prices and other input variables in Web-based shopping cart applications, he said.

To avoid these kinds of attacks, D-Krypt advised, application developers should store cookies in secondary domains and use tools that strip out JavaScript code executed on the browser or from message boards and chat rooms.

More advice was offered by a hacker named Daremoe, who reviewed techniques that crackers use to profile systems - including ping sweeps, port scanning and analysis with a tool called Nmap. These tools can profile host systems and provide enough access to give potential attackers a general map of firewalls and other network defences, he said.

While inexperienced script kiddies typically target systems with obvious vulnerabilities, Daremoe noted that more experienced crackers will map specific hosts and create a vulnerability matrix that profiles their applications. The profile can then be compared against a database of known vulnerabilities to see which exploits could be used to access information and gain entry. "Protect against profiling," Daremoe said. "What other people know about you can hurt you, and you need to take network mapping seriously."

Daremoe suggested several defensive strategies to prevent network mapping, including setting up controls at firewalls to manage access requests based on the Internet Control Message Protocol, removing the ability of NetBIOS traffic to pass into a network and using registry keys to limit remote access. He also suggested deploying intrusion-detection technology and so-called "honey pots," which set up apparent vulnerabilities to lure in would-be crackers.

In addition, Daremoe encouraged hackers to simply learn from network profiling and move on instead of exploiting the vulnerabilities they discover. And he strongly cautioned against trying to map government or military networks. "They will come looking for you," he warned.

In another session, respected cryptographer Bruce Schneier cautioned the audience to be alert to flaws in biometrics systems, which authenticate users by scanning their fingerprints or other identifying characteristics. The systems can be highly useful if they include a human observer who can witness users confirming their identities via fingerprints, Schneier said.

But he added that biometrics technology has the potential for "terrific failure modes" because the potential for fraudulent use of such systems is high. "It's very easy for me to capture your digital finger and inject it into the stream," said Schneier, founder of Counterpane Internet Security in San Jose, where he is chief technical officer.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ann Harrison

PC World
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?