Reporter’s Notebook: In the most entertaining presentation that I have ever attended at
a technical conference, the infamous hacker Johnny Long explained to a
capacity Black Hat audience how Hollywood has accurately portrayed hacking.
Long took humorous excerpts from various Hollywood films that
portrayed hacking and asked the audience whether each was “l33t”
(pronounced “leet”) or lame.
“Leet” (sometimes spelled 1337 or l33t) means “elite” or “cool,” and Long had the enthralled
over-capacity audience shouting out “leet” or “lame” after each excerpt. The
same leet or lame measure could well be an accurate gauge for the entire
Black Hat 2006 conference itself.
You would typically not expect an FBI agent to be so humorous while publicly
addressing an audience.
Yet FBI Unit Chief Dan Larkin made several attempts at humor during his opening Black Hat keynote.
Part of Larkin’s purpose in presenting at Black Hat was to encourage security
professionals to work with the FBI. Larkin recounted that the FBI’s
application form includes the question, “Do you support the overthrow of the U.S. government by force, subversion or violence?”
The question is meant to be answered true or false. Larkin
noted that one applicant asked whether it was multiple choice.
Very leet.
On the second day of the conference there was a great deal of talk about
cross-site scripting, cross-site request forgery, and JavaScript- and AJAX-related attack vectors and vulnerabilities.
Considering the rapid rise and
adoption of AJAX- and XML-based technologies for enhancing user experience
and creating content mashups, you would think that security for those types
of applications would have been front and center from their inception.
Apparently that’s not necessarily the case.
Have you ever heard of RSS being used as a delivery system for malicious attacks? I certainly hadn’t until I attended a Black Hat session that exposed the very serious risks.
Alex Stamos, principal partner at iSEC Partners, in his presentation titled
“Breaking AJAX Web Applications,” laid the blame for AJAX insecurities
squarely on the shoulders of Web developers.
“You can’t leave security to Web developers,” Stamos said. “They’re just
kids in a sandbox.”
When I was at the Interop conference
earlier this year, I heard vendor after vendor talking about the benefits of
some form of network admission control (NAC) methodology.
Typically the
only negative comments I heard were from one vendor or another
disparaging the NAC approach that their competitor was taking.
Then along comes Black Hat and suddenly NAC doesn’t look as good to me as it
once did.
In a 60-minute session, Ofir Arkin, CTO of security
research firm Insightix, convinced me that DHCP-based approaches to NAC (as opposed
to 802.1X-based ones) are far from infallible.
Again, very leet.
And of course I knew about H.D. Moore’s Metasploit Framework before attending Black
Hat.
Yet seeing the master of Metasploit himself detail and demo the
innovation in the upcoming Metasploit 3 was a
surreal treat.
Moore commanded the stage like a technical rock star, racing
through exploit details and wowing the audience with licks against IDS
vendors whom he accused of being lame.
So how does Hollywood’s representation of hacking stack up against the real
thing?
Apparently, it stacks up quite well, according to Long. That is
if Google is to be regarded as an authority on what is real and what isn’t.
Long, who looks like he belongs in a Hollywood film, is perhaps best
known for his online encyclopedia of Google hacks (Johnny.ihackstuff.com) and as co-author of the book Google Hacking for Penetration Testers.
Though Long’s presentation was certainly entertaining, perhaps the
most extraordinary aspect of it was his social conscience.
Both at the
beginning and end of his presentation he made sure to note that the proceeds
of all purchases made via his site from Amazon would be donated to various
charities benefiting orphans and widows in Uganda.
A hacker with a social
conscience. Now how leet is that?
So was Black Hat USA 2006 leet or lame? It’s almost a rhetorical question.
With vulnerabilities and potential attack vectors detailed for VoIP, RFID, AJAX, NAC, RSS and Vista, among other technologies, it would be very lame to call Black Hat 2006 anything but leet.