Defcon: A Veritable Hack Fest 
By Michelle Delio

09:00 AM Aug. 05, 2002 PT
LAS VEGAS -- If the quantity of hacking that happens at a computer security conference is any measure of the conference's quality, then Defcon X was a winner.

A gaggle of computers was happily hacked into at the annual Capture the Flag contest, as teams battled to secure their own computers while breaking into other teams' machines. Conference attendees were also taught how to hack their way into printers, video game consoles, handheld devices and other hardware, and how to exploit newly discovered security holes in systems such as Mac OS X and Microsoft's .Net.

An attempt to hack the entire city of Las Vegas was conducted with a very loosely organized WarDrive contest. Two dozen teams in cars cruised the streets of the city on Saturday afternoon, scoring points for each unprotected wireless network that they could locate and tap into.

Shortly after the conference started Defcon's online discussion forums were taken offline. A note posted later tersely explained that the forums were down because someone attending the convention had exploited a bug in the forums' vBulletin software, reportedly replacing the lively discussions on Defcon events and parties with an obscene image.

"They did it from the (convention), and we are aware of who did it. We would prefer them to contact us so we can deal with it rather than federal agents," read the statement that was posted on the scrubbed-clean forum site.

But Defcon seemed to be lacking something more than its forums this year -– many felt the mood was more universally somber than it has ever been at this annual event billed as the "computer underground's biggest party."

Particularly evident in the standing-room-only crowds at presentations on anti-hacking legislation and privacy issues was a pervasive feeling that corporations and governments are using technology to get a little too personal with both hackers and the general populace.

People were also concerned that openly sharing information could result in arrest, citing strict U.S. laws recently passed which define hacking as an act of terrorism.

"Last year I was here selling CDs of hacking tools," said a vendor who declined to be identified. "This year I'm selling nothing but T-shirts. I decided I don't want to chance spending 20 years to life in Uncle Sam's Sleep-Away Camp for Bad Boys."

The serious mood was also evident at Black Hat Briefings, a three-day training session for computer security professionals that precedes Defcon. Although they are separate events, both are held in Las Vegas during the same week, and for most people, the two conferences blur together.

But legal concerns didn't stop some demonstrators from detailing exactly how to hack into systems and hardware.

At Black Hat, Aaron Higbee of Foundstone and Chris Davis from RedSiren Technologies revealed ways to worm into a network through virtually any device that can be connected to that network, including a customized attack video game console.

Higbee and Davis demonstrated how a Sega Dreamcast console running special Linux software could be covertly connected to an out-of-the-way network port, and then used to move data onto and off of the network.

"My first thought was, 'Uh, right -- if I see a game box hooked into my network, I'd know right away there's a problem and pull its plug," Ken Shapiro, a systems administrator, said after the presentation.

"Then I started thinking how small those consoles are and how easy it would be to hide one under a desk. For $100 and some customizing, you really could have a nasty little toy."

A new "hackback" method that could be used to neutralize a worm-infested computer was also discussed at Black Hat when Timothy Mullen, chief information officer of AnchorIS, showed security experts how to temporarily deactivate infected computers that are attempting to infect other systems.

Mullen noted that hackbacks -- tampering with a computer without its owner's permission in order to stop it from damaging other systems -- are probably banned under U.S. law, but said he would like to see the law changed.

And many of the systems experts agreed that the long-term survival of worms such as Nimda and Code Red prove that self-replicating malicious code cannot be stopped simply through polite attempts to notify the owner of the infected machine.

Insecure software was, not surprisingly, the focus of many presentations, and attendees at both conferences were divided on how to best deal with it.

Richard Schaeffer, deputy director of the National Security Agency, and Presidential Cybersecurity czar Richard Clarke spoke at Black Hat and Defcon. Both men agreed that the current level of software security is "terrible," as Clarke put it.

But both Schaeffer and Clarke also strongly requested that security experts act with discretion when they discover holes in software, delaying public disclosure until companies have time to release patches.

Others firmly believe that swift, open disclosure of discovered flaws serves users better than trusting the software companies to quickly deal with and publicly admit responsibility for security issues discovered in their products.

At Black Hat, security experts and hackers in favor of speedy and full disclosure announced the formation of a new volunteer-staffed "open-source" security information service that will offer news on discovered vulnerabilities, malicious hack attacks and security tools.

The Internetworked Security Information Service will combine information from various security news sites and mailing lists, and will host a new open-source software vulnerability database and the new "VulnDiscuss" forum, a discussion group where people can openly share information about security issues.

Conference organizers said that videos and transcripts of all this year's Defcon and Black Hat Briefings presentations will be available on the Web within the next several weeks.

© WiredNews