
Black Hat grows up

August 2nd, 2010 admin

THE PRESENTATIONS at Black Hat might make headlines, but what is important is what the show tells us about the overall state of the IT security industry.

In the years I’ve been covering the show, it has evolved from a motley crew of phreaks, hackers, crackers and security wonks to something that feels more and more like other IT security industry conferences. Black Hat means business now, and the smart IT companies are moving in.

Purists will tell you that Black Hat went to the dogs in 2005, when founder Jeff Moss, known as The Dark Tangent, sold the show to CMP Media. While it’s true that the briefings have suffered, in some ways it’s a sign that the hacking industry is getting old.

I nearly choked on my lunch at the Wednesday press conference when renowned hacker Dan Kaminsky turned up in a suit for possibly the second most historic press conference of his life.

I’m ashamed to say I gave him a little ribbing about it, as did others, but in fact it’s a very positive sign. And he wasn’t alone. Moxie Marlinspike was wearing a collar, and a lot of otherwise non-conformists were looking surprisingly dapper.

I was told afterwards that the venture capitalists behind Kaminsky’s new company Recursion Ventures had taken him shopping and enrolled him in a gym. I’m not sure how true that is, but he’s looking good and achieving some great things. DNSSec is something to be very proud of.

“You need the research and the breaking, but it can’t stop there,” said Kaminsky. “You have to work on a fix, get it out there, and then occasionally put on a suit.”

The hacking industry is growing up. The early pioneers are now working out which side they want to go on, and all the gradations in between.

It used to be the dream of every script kiddie that they’d discover a great hack and then be hired by the National Security Agency or a security firm, and spend the rest of their life hacking around in the company of glamorous nymphomaniac spies.

Shows like Chuck perpetuate the myth, but instead the hacking community has got smart.

Just as criminals have realised that malware is much more useful for profit rather than bragging rights, the hacker industry is coming to the conclusion that there’s a better life to be had at solving problems than being sarky.

But this is a two-way street. Companies that used to hoard information like politicians go after directorships are now talking to each other, and shared information offers the best shot at providing long-term security. As many have acknowledged, the criminal hackers have been winning the security wars.

Cisco’s chief security officer John Stewart summed it up perfectly. “We all get together, and there aren’t many venues in which we get to do this,” he said.

“On the first-principles effort, we’re largely very interested in the same thing: keeping what we use on a day-to-day basis safe enough for us to use. Research is turning into a profit model.”

For a conference that used to play ‘Spot the Fed’, the idea that a Department of Homeland Security director – even if it was a very poor keynote speech – and an ex-head of the NSA would be giving presentations is a sign of real change.

Now the US Department of Defense is actively recruiting at the show, and all the major security firms are keeping an eye out for hot new talent as well.

Black Hat has lost its hacker edge in the process, though. The critics are right; it’s a corporate affair now. But this is no bad thing. That corporates and government are willing to talk to the experts, rather than engaging in mindless enforcement, can be seen as progress.

This was also the biggest show in Black Hat history. The lunch area hosts over 5,000 people and a second room had to be opened up. That’s a lot of very dedicated people, albeit with plenty of hangers on. However, the overspill of enthusiasts doesn’t stop there.

The Bsides conference, running concurrently with Black Hat, is seen by some as a sideshow, but in fact it’s more a collection of the companies that weren’t big enough to make it onto the main stage. Big doesn’t necessarily mean smart, and the Bsides show looks very interesting.

But Defcon has picked up Black Hat’s mantle. Moss made a very smart move in not selling this conference along with Black Hat and, if companies and enthusiasts want to see what’s really cutting edge, they should head over to that show. µ


Black Hat: Gang uses high-tech in low-tech crime

July 30th, 2010 admin

WRITING BAD CHEQUES is back with a criminal gang, thought to be operating out of Russia, using technology to revive this old form of fraud.

The criminals broke into three cheque archiving image sites, which are used to store pictures of all cheques that pass through retailers. The gang downloaded 200,000 examples and used the account numbers, sort codes and signatures to write cheques drawn on over 1,200 legitimate accounts.

A team at Atlanta-based security firm SecureWorks uncovered the fraud, which is thought to have netted the gang at least million (£5.75 million). The company is working with the FBI, but none of the gang have been arrested so far.

Counterfeit cheque writing is a very old form of fraud, but the gang had put a high-tech twist on it, explained Michael Cote, CEO of SecureWorks.

The image sites involved have been notified, but others are no doubt being targeted, he warned.

The gang sent the bogus cheques to money mules around the world using overnight shipping paid for with stolen credit cards. SecureWorks said that six mules had been contacted, all of whom denied sending money to the gang.

The fraud involved 3,285 cheques against 1,280 accounts since June 2009. Most were for less than ,000 (£1,920) in an attempt to evade anti-fraud measures. µ


Black Hat: How to make ATMs spew money

July 29th, 2010 admin

A USB STICK holding some standard keys purchased on the Internet was able to override an ATM’s firmware and cause it to spew fake million dollar bills at Black Hat 2010.

Security researcher Barnaby Jack demonstrated that attack and another on the conference’s first day. Most ATMs run Windows CE or a cut-down version of Windows XP, but Jack used a cloned version of the machines’ firmware to carry out the attacks.

In the second attack Jack used the ATM’s remote update capability to upload code that not only caused it to empty itself but also recorded the cards used and their PINs.

However, both of these hacks have now been countered by the vendors and, in the case of the second hack, firmware updates now require a digital signature before they can be installed on ATMs.
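The fix the paragraph describes, a signature check that gates every firmware install, as an added illustration that is not code from the article or from any ATM vendor. It assumes a vendor public key pinned in the ATM, Ed25519 as the signature scheme, and a hypothetical `InstallFirmware` entry point; the firmware bytes and keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// FirmwareImage is a hypothetical update package: the firmware bytes plus a
// detached signature produced by the vendor's offline signing key.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("firmware rejected: signature does not verify")

// SignFirmware stands in for the vendor's build pipeline (assumed, not the article's).
func SignFirmware(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// InstallFirmware models the mitigation: an update is accepted only if its
// signature verifies under the pinned vendor key. It returns the payload that
// would be flashed, or an error with nothing installed.
func InstallFirmware(trusted ed25519.PublicKey, img FirmwareImage) ([]byte, error) {
	if len(img.Signature) != ed25519.SignatureSize || !ed25519.Verify(trusted, img.Payload, img.Signature) {
		return nil, ErrBadSignature
	}
	return img.Payload, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	genuine := SignFirmware(priv, []byte("ATM-FW v2.1 (constructed sample image)"))
	if fw, err := InstallFirmware(pub, genuine); err == nil {
		fmt.Printf("installed %d bytes of signed firmware\n", len(fw))
	}
	// Modified image: the bytes changed after signing, so the signature no longer matches.
	tampered := genuine
	tampered.Payload = bytes.Replace(genuine.Payload, []byte("v2.1"), []byte("v2.X"), 1)
	_, err := InstallFirmware(pub, tampered)
	fmt.Println("tampered image:", err)
	// Image signed with a key the ATM does not trust (the cloned-firmware case).
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	_, err = InstallFirmware(pub, SignFirmware(rogue, genuine.Payload))
	fmt.Println("unknown signer:", err)
}
```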

Jack, the head of research at cybersecurity consultancy IOActive, said, “Every ATM I’ve looked at I’ve found a game-over vulnerability that allows me to get cash. So far I’ve looked at four and running four for four at the moment.”

Jack was due to give his presentation at last year’s Black Hat conference but was stopped by legal action because fixes for the problems weren’t available. µ
