Security UPDATE, Web exclusive, August 27, 2003

Windows & .NET Magazine Security UPDATE--August 27, 2003

1. In Focus: BlackHat Briefings Reflect Industry Changes

by guest columnist Mark Burnett, mb@xato.net

The security industry evolves constantly, and this year's BlackHat Briefings in Las Vegas (July 28 through 31) reflects the changes. The BlackHat Briefings is a security conference that addresses the technical and legal concerns security professionals face and focuses on the newest emerging threats and risks. "We are seeing a shift towards the policy and legal issues," said conference administrator Ping Look. "We are also seeing more awareness and participation from the higher education sector, [among] those attending and [among] those speaking."

The briefings consisted of 10 tracks, among them a new track dedicated to policy, law, and society. The new track included such sessions as "Criminal Copyright Infringement and Warez Trading" and "Introduction to Corporate Information Security Law." Also new this year was a series of panels discussing IT security trends, including the handling of security vulnerabilities.

As usual, BlackHat was full of presentations detailing the newest, constantly evolving threats, many of which target authentication systems and core networking infrastructure. Kevin Mitnick, author of "The Art of Deception" (John Wiley & Sons, 2002), said, "It's always going to be a cat and mouse game; there are constantly new security technologies but people are still getting past them."

The number of threats has increased, but for IT and security professionals, the recommendations are still basically the same: Keep up with OS patches, use strong passwords, configure your firewall properly, and educate users. "The challenge is education," said Vincent Weafer, senior director of Symantec Security Response. "How do you create awareness across the organization?" Weafer added that corporate security spreads beyond the corporate networks: "Home security impacts corporate security; we need to do a better job reaching home users." Weafer emphasized Symantec's change in strategy toward consolidation to deal with the increasing number of security threats: "It is driving changes inside the corporation, forcing [everyone involved] to bring standalone systems together."

The conference topics expanded beyond technical threats to address related issues, including cyberterrorism, attacks on anonymity systems, and the legal concerns involved in vulnerability research and disclosure. "There is more interest in these issues," said Jennifer Granick of the Center for Internet and Society at Stanford Law School. "These issues are starting to matter to more people in their day-to-day lives."

Granick's presentation, "The Law of 'Sploits," tackled the US Digital Millennium Copyright Act (DMCA) and its effect on researching and publishing security vulnerabilities. In her presentation, she addressed the problem with which we all struggle: "The same information that allows more widespread exploitation of vulnerabilities is required to correct those vulnerabilities." According to Granick, "The law is grappling with these issues; the law recognizes that [releasing security vulnerability information] is important but also recognizes there is potential harm."

Despite the expanding coverage of topics at BlackHat, some things never change: Security researcher David Litchfield of Next Generation Security Software (NGSSoftware) released his usual 0-day exploits; Tim Mullen, CIO and chief software architect for AnchorIS.com, released his new Terminal Services password brute-force tool, TSGrinder; and Simple Nomad released two new anonymity tools, Ncrypt and Ncovert.

BlackHat produces five briefing and training events [http://www.blackhat.com/html/bh-link/briefings.html] each year, and attendance at the Las Vegas event has grown from the 110 people who attended the first conference in 1997 to more than 1700 this year.