Hackers' Delight: Security Holes Abound at DefCon

Now in its eighth year, Def Con has grown from a small private party to a large hacker social event featuring workshops on exploitable vulnerabilities, defence strategies and the latest technology and tools for the security community. It attracts hackers from around the world whose refined skills bedevil network administrators everywhere.

This year's event also drew officials from the U.S. Central Investigation Agency, the National Security Agency and the U.S. Department of Defence, making the annual game of "spot the fed" an easy exercise. During the opening session, Arthur Money, CIO at the Pentagon, gamely thanked audience members for withholding attacks against the Pentagon's systems during the Y2k transition and appealed to attendees to use their talents on behalf of the U.S. government.

"More hackers are getting their lunch money from the feds as they work with security companies and the [government]," said Tweetyfish, a member of the hacking group Cult of the Dead Cow. "All the cool stuff happening on the Internet now, and the cool stuff happening in security, is being built by hackers."

One of the most anticipated events was the annual presentation by the Cult of the Dead Cow, which released the Back Orifice hacking tool at Def Con in 1998 and announced an updated version of the Trojan horse program that targets Windows NT systems at last year's conference. This year, members of the group offered information on a type of denial-of-service attack that can disable NetBIOS services on Windows machines.

The NetBIOS protocol flaw was described by a member of the Cult of the Dead Cow known as Sir Dystic, who developed a tool called NBName that he said can exploit the hole by rejecting all name-registration requests received by servers on TCP/IP networks. NBName can disable entire LANs and prevent machines from rejoining them, according to Sir Dystic, who said nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines. "It should be impossible for everyone to figure out what is going on," he added.

However, Microsoft last week posted an advisory on its Web site saying that the company is aware of the potential NetBIOS vulnerability. The company said a patch addressing the problem on Windows 2000 systems can be downloaded now, while others for the various versions of Windows NT 4.0 are due "to be released shortly." Microsoft added that external attacks shouldn't be possible "if normal security practices have been followed" by companies.

Members of the Cult of the Dead Cow, whose tools potentially could be used to both attack and defend corporate networks, also appealed to so-called script kiddies to stop vandalising Web sites during their Def Con presentation - after which they were attacked by two teen-agers armed with Silly String.

Other well-attended sessions included a workshop on Web application security led by a hacker named D-Krypt. Attendees were warned about the ability of the JavaScript programming language to capture Internet cookies that often store detailed information about Web browsing activities of users.

D-Krypt noted that the ability to seize the cookies creates the potential for attackers to impersonate users in online transactions such as stock trades. JavaScript also allows crackers to change item prices and other input variables in Web-based shopping cart applications, he said.

To avoid these kinds of attacks, D-Krypt advised, application developers should store cookies in secondary domains and use tools that strip out JavaScript code executed on the browser or from message boards and chat rooms.

More advice was offered by a hacker named Daremoe, who reviewed techniques that crackers use to profile systems - including ping sweeps, port scanning and analysis with a tool called Nmap. These tools can profile host systems and provide enough access to give potential attackers a general map of firewalls and other network defences, he said.

While inexperienced script kiddies typically target systems with obvious vulnerabilities, Daremoe noted that more experienced crackers will map specific hosts and create a vulnerability matrix that profiles their applications. The profile can then be compared against a database of known vulnerabilities to see which exploits could be used to access information and gain entry. "Protect against profiling," Daremoe said. "What other people know about you can hurt you, and you need to take network mapping seriously."

Daremoe suggested several defensive strategies to prevent network mapping, including setting up controls at firewalls to manage access requests based on the Internet Control Message Protocol, removing the ability of NetBIOS traffic to pass into a network and using registry keys to limit remote access. He also suggested deploying intrusion-detection technology and so-called "honey pots," which set up apparent vulnerabilities to lure in would-be crackers.

In addition, Daremoe encouraged hackers to simply learn from network profiling and move on instead of exploiting the vulnerabilities they discover. And he strongly cautioned against trying to map government or military networks. "They will come looking for you," he warned.

In another session, respected cryptographer Bruce Schneier cautioned the audience to be alert to flaws in biometrics systems, which authenticate users by scanning their fingerprints or other identifying characteristics. The systems can be highly useful if they include a human observer who can witness users confirming their identities via fingerprints, Schneier said.

But he added that biometrics technology has the potential for "terrific failure modes" because the potential for fraudulent use of such systems is high. "It's very easy for me to capture your digital finger and inject it into the stream," said Schneier, founder of Counterpane Internet Security in San Jose, where he is chief technical officer.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ann Harrison

PC World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?