Security showdown in Vegas

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6540219.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com 
July 10, 2001, 5:35 p.m. PT 

Las Vegas plays host to two separate security conferences this
week--one for people who guard computer systems, another for those who
break into them.

System administrators and hackers, CIOs and script kiddies will all
gather in the desert to trade information, swap stories and take each
other's measure.

At the Black Hat Briefings security conference Wednesday and Thursday
at Caesar's Palace, security experts will teach network administrators
and information-technology managers how to protect their critical
systems.

Starting Friday, hackers will emerge at Def Con, with many from the
underground culture coming out into the hot Las Vegas sun to trade
code, learn new tricks and, in some cases, finally meet in real life.

"They are very different conferences," said Scott Culp,
security-program manager for Microsoft, who plans to attend Black Hat
but not Def Con. "Def Con is very focused on attacking systems, while
Black Hat is focused on defending them."

Computer security is an area of intense interest among governments,
corporations and consumers worldwide. Break-ins often amount to little
more than pranks but also can result in systems being taken out of
commission and information being stolen or corrupted.

In recent weeks, hackers have gained access to computer systems at a
financial services company, a news site in the United Arab Emirates
and a corporation that controls the distribution of 75 percent of
California's power. Meanwhile, a CIA official warned Congress that in
the next decade Russia and China may have computer-based tools that
could do long-lasting harm to the U.S. economy.

Last month, online financial services provider S1 suffered an
electronic break-in in which an unknown attacker exploited a security
flaw to access one of the company's servers. In the California attack,
which also occurred last month, an inexperienced intruder took control
of two servers that were supposed to be protected by a firewall.

And in May, online vandals launched a denial-of-service attack on the
Whitehouse.gov Web address, much like the assaults that crippled Yahoo
and other major Web sites a year earlier.

Much attention--from both attackers and defenders--also has gone to a
security hole in Microsoft's flagship Web server software that the
company has called a "serious vulnerability." Just last week, a
Japanese hacker surreptitiously posted a program that could exploit
that hole in the Internet Information Service software and give remote
attackers complete control of vulnerable servers.

Microsoft tests the wind yearly at Black Hat to see what security
threats system administrators are most worried about, Culp said. Last
year, the major worries were the virulent spread of worms through
e-mail and the high cost of properly managing security.

In response to hearing such worries at Black Hat and other
conferences, Microsoft focused more heavily on getting the bugs out of
its own programs, announcing its "war on hostile code" in April.

Don't expect any panacea for the high-tech world's security woes,
however.

"If you're looking for a killer technology that has radically altered
the security landscape in the past year, it's not there," Culp said.
"Security is about banging out incremental improvement every day."

The flip side of the security coin shows up at Def Con. While the past
few years of media frenzy surrounding hackers has caused the crowds to
swell at the conference, actual hackers still do show up, said Jay
Beale, security team director for Linux software maker MandrakeSoft.

"Def Con just mirrors the population of hackers in general," he said.
"The bulk are just script kiddies, but there is some small portion
that really know what they are doing."

With its "capture the flag" contest, where teams of attackers try to
crack a handful of servers set up for the tourney, Def Con is a big
game for some. Others barely attend the conference, meeting in rooms
behind closed doors to swap information and finally chat in real life.

Though there are two distinct conferences, the attendees have a lot in
common. Some system administrators come early to Black Hat to attend
seminars including "Ultimate Hacking," a two-day course that teaches
them to hack their own systems, the idea being that knowing your own
weaknesses is the best defense.

Others officially attend Black Hat on behalf of their company, then
stay on to meet the other side at Def Con.

In the end, the worst thing about the conferences may be that security
and hacking have become too popular, Beale said. "The only complaint I
have is that there are too many people who know about it at this
point."




ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.