Business Daily from THE HINDU group of publications, Monday, Aug 27, 2007
eWorld - Security Musings
Educating hackers and defenders
Significant was Black Hat’s shift of focus this year: from the previous years’ obsession with Internet viruses, emphasis moved to application security.
R.K. Raghavan

In a world where cyberspace dominates our lives, ‘hacking’ has come close to acquiring an aura about it. The word now stands for ‘daring’ and ‘adventure’, qualities that were once associated only with the warriors of ancient history. The activity may now be banned by law, with a penalty imposed on those who indulge in it. Nevertheless, hacking is no longer looked upon as a wholly unethical enterprise. This is why we frequently hear of forums where it is discussed with the rigour that goes with an academic discipline. As I wrote at about the same time last year (Hackers show the way, eWorld, August 21, 2006), the Black Hat security conference and the DefCon that follows it are two annual events in Las Vegas, where how to defend yourself against hacking and how to hack a computer system are discussed with equal passion. It is perhaps not far-fetched to compare gambling with hacking, because there is a certain recklessness associated with both that one has come to admire!

Wide spectrum of people
The two conferences are held amid great fanfare, and attract a wide spectrum of people: academics, cyber security professionals, law enforcement, the media, and a cross-section of freelancers who simply enjoy being there, some with honourable and a few with not so honourable intentions. Yet there is a subtle difference between the two. Black Hat is considered the tamer of the pair, while DefCon is sometimes referred to as the bawdier crowd, almost “an underworld hacking convention”. There is also an element of controversy each time the conferences are held, which keeps them in the media’s eye. This time it came in the form of a reporter from NBC (the well-known US TV network) who sneaked in to record moments of the occasion. She was not an accredited member of the press corps that normally attends on invitation; she had turned down the invitation and wanted to do some clandestine recording. She was found out and unceremoniously eased out as a penalty for her indiscretion. The crowds at the conferences are getting bigger and bigger. At the conferences just concluded, there were more than 4,000 at Black Hat and nearly 7,000 at DefCon, with nearly 50 countries represented. Naturally, there is a scramble for sponsorship, and Black Hat itself has been bought outright by CMP Media, a large US technology media company.

iPhone in focus
Technology giants such as Microsoft and Apple look forward to the event, because it is an opportunity to have their products tested, particularly for vulnerabilities. It may be recalled that last time the focus was on Microsoft’s Vista operating system, which was considered to have many holes. This year it was Apple’s iPhone that garnered attention. A close second were social networking sites such as Facebook, and the increasingly popular Internet telephony and the vulnerability of the software it runs on. The conferences were held against the backdrop of two major occurrences: the attacks on government and private systems in Estonia (see my column A loud wake-up call, July 2, 2007) and the breach at TJX, the company that owns the T.J. Maxx and Marshalls stores, which exposed some 45 million credit and debit card numbers to fraud. These two incidents naturally figured in the discussions at the conferences, for the lessons drawn from them.

Emphasis on security, intranets
Significant was Black Hat’s shift of focus this year. From the previous years’ obsession with Internet viruses, emphasis moved to application security. To be specific, the weaker features of proprietary business systems received a lot of attention on the agenda, and attacks on specific software applications that cause consternation to the ordinary user were discussed at length. According to Billy Hoffman of SPI Dynamics’ SPI Labs, AJAX-based applications have been found to carry far too many holes, underlining the need for greater care on the part of those who write the code. Hoffman believes that the security issues here have not received the scrutiny they deserve.

A major theme was the growing danger to the intranets of major corporations. It is well known that these firms are obsessive about their exposure to the Internet, and at the same time smug about the security of their intranets. They do not appreciate that techniques such as cross-site request forgery (CSRF) threaten their internal systems too: an employee’s browser, logged in to an intranet application, can be made by a malicious external page to send requests to that application without the employee knowing. Two leading researchers, Jeremiah Grossman and Robert "RSnake" Hansen, were categorical in their presentation that intruders adept at CSRF could easily lift passwords and browser history data from ill-protected intranets. A review and a re-architecture of internal URLs are definitely indicated if major corporations are to protect themselves. This is advice that can hardly be ignored in these tumultuous times, when not a day passes without a security breach. Grossman and Hansen point to phishing as an example of how end-users can be fooled into visiting a Web site that carries a CSRF trick. Danger also lurks in cross-site scripting (XSS). CSRF and XSS are among the techniques used to siphon money out of online banking sessions. The two presenters suggested that public-facing Web sites should on no account be allowed access to intranets.
Keeping public-facing sites and intranets apart is an effective way to ward off potential intruders.

Charlie Miller of Independent Security Evaluators, who shot to fame recently with his exposé of the frailties of iPhone security (see Is the iPhone secure, July 30, 2007), was at Black Hat to carry on from where he left off last month in his attempt to prove that the new gadget had too many holes for the comfort of its user. He catalogued numerous old programs and libraries, long since patched on other operating systems, that Apple was installing by default. He shared with the audience a number of techniques for breaking into iPhones. In his view, there are a number of tools available that make hacking into Apple-based systems extremely simple. We need to await Apple’s response to Miller’s claims before passing judgment on how secure the iPhone is, although many doubts have been raised since the wonder gadget was released to the public some weeks ago.

Image manipulation techniques
An interesting sidelight was a presentation on image manipulation techniques used by al Qaeda. Neal Krawetz of Hacker Factor focused on video appearances of the organisation’s number two, al Zawahiri, to show how details of the setting were being introduced after the original footage was shot. For instance, in one video Zawahiri appeared as if he were in a TV studio, which invited ridicule that the US could not get him even though he was freely visiting a prominent public place for the recording. Intensive image analysis, however, clearly showed that the studio setting and the pictures in view were added after the recording. This presentation may not have been strictly relevant to hacking and the issues associated with it in cyberspace. Nevertheless, it reinforced the belief that there are no limits to human ingenuity, a quality that comes in handy to notorious hackers.

Writing for the second time on the Las Vegas conferences, I wonder whether we have similar events in India. If there are none, I am not sure whether we should encourage those who would like to float them in our country. This is an interesting thought that I would like to leave for the readers to mull over.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.