Wednesday, August 13, 2008

Defcon – "And this is very illegal! So the following material is for educational use only."

I’m not a hacker, but I live with them. I took the pilgrimage to Defcon, attended by many of the world's best-known security experts, and felt much like the kid reporter in the movie “Almost Famous.” Among other (sometimes bewildering) presentations, Defcon showcases demonstrations of the latest discovered weaknesses in computer systems.

The big brew-haha this year was “The Anatomy of a Subway Hack” of the Boston T that got blocked. A federal judge ordered three college students to cancel a Sunday presentation where they planned to show security flaws in the automated fare system used by Boston's subway. I wouldn’t have thought this was any different than the presentation the SecureState team gave where we released various new tools, including SA Exploiter. However I guess when one of your slides proclaims: "And this is very illegal! So the following material is for educational use only," it draws attention to you.

At SecureState, we believe everyone (most especially those organizations trying to protect themselves) should have access to all information available. The belief is if you hide the findings (zero-day exploits) it’s not going to stop the bad guys who have the time and incentive to find the vulnerabilities themselves. It just keeps the good guys on the forefront.

Many organizations without the resources to properly research the latest and greatest vulnerabilities use penetrations tests to get the results of the research with the ability to see how it affects them specifically. Penetration tests are the foundation of security since you don’t know what you don’t know. Thus, keeping security problems secret, or the “Security through obscurity” idea, doesn’t protect the businesses relying on those systems.

In short, our goal at SecureState is to make security better. We don’t look to disclose things that can hurt people. That’s especially true if there is nothing they can do about it. Releasing exploits and tools gives researchers and ethical hackers the opportunity to learn from the experience we have, gives organizations a better idea about the attacks that are possible, and the steps they need to take to prevent them. The bottom line is that while there are risks, the public good is better served by having knowledge freely available. Besides, H4CK3RS are people too.


Anthony Lai said...

Dear all,

I have found Dave has used a tool to scan an executable and show which line of assembly code could trigger the virus signature detection, in addition, it suggests possible correction. Anyone could let me know that tool's name and its download link?

Anthony Lai, Hong Kong

Anthony Lai said...

Releasing vulnerability and exploit is always an art between vendor and finder. Vendors always keep their flaws in low profile and, unless, they are confident of fixing it immediately and have adequate resources/people.

I attended DefCon twice and the value is how hacker (good guys) to think of possible exploits (creativity), trying to mapping out every possible attack routes.

However, we also need to take care of public impact and national security. The issue is exploits in critical infrastructure could be causing lives loss. As professional, we should follow VSR (Vulnerability Summary Report) and its follow-up process with vendor/system owner before publicly announcing it.

For the colleges' presentation, I am not sure whether they follow the vulnerability disclosure process. However, I need to emphasize a point that if the vendors/system owners avoid testing and are fear to know vulnerabilites, it does not mean you are safe.

Just a simple slogan: Test it, deal with it and correct it.