FRAMINGHAM (08/01/2000) - Unsuspecting attendees logging on to the wireless network at the Def Con hackers convention here last weekend immediately found themselves targets in the event's annual "capture the flag" hacking competition. One visitor found his machine pinged within 10 seconds and had several of his Windows utilities disabled within minutes - but that was all part of the fun.
Now in its eighth year, Def Con has grown from a small private party to a large hacker social event featuring workshops on exploitable vulnerabilities, defense strategies and the latest technology and tools for the security community. It attracts hackers from around the world whose refined skills bedevil network administrators everywhere.
This year's event also drew officials from the U.S. Central Investigation Agency, the National Security Agency and the U.S. Department of Defense, making the annual game of "spot the fed" an easy exercise. During the opening session, Arthur Money, CIO at the Pentagon, gamely thanked audience members for withholding attacks against the Pentagon's systems during the Y2k transition and appealed to attendees to use their talents on behalf of the U.S. government.
"More hackers are getting their lunch money from the feds as they work with security companies and the [government]," said Tweetyfish, a member of the hacking group Cult of the Dead Cow. "All the cool stuff happening on the Internet now, and the cool stuff happening in security, is being built by hackers."
One of the most anticipated events was the annual presentation by the Cult of the Dead Cow, which released the Back Orifice hacking tool at Def Con in 1998 and announced an updated version of the Trojan horse program that targets Windows NT systems at last year's conference. This year, members of the group offered information on a type of denial-of-service attack that can disable NetBIOS services on Windows machines.
The NetBIOS protocol flaw was described by a member of the Cult of the Dead Cow known as Sir Dystic, who developed a tool called NBName that he said can exploit the hole by rejecting all name-registration requests received by servers on TCP/IP networks. NBName can disable entire LANs and prevent machines from rejoining them, according to Sir Dystic, who said nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines. "It should be impossible for everyone to figure out what is going on," he added.
However, Microsoft last week posted an advisory on its Web site saying that the company is aware of the potential NetBIOS vulnerability. The company said a patch addressing the problem on Windows 2000 systems can be downloaded now, while others for the various versions of Windows NT 4.0 are due "to be released shortly." Microsoft added that external attacks shouldn't be possible "if normal security practices have been followed" by companies.
Members of the Cult of the Dead Cow, whose tools potentially could be used to both attack and defend corporate networks, also appealed to so-called script kiddies to stop vandalizing Web sites during their Def Con presentation - after which they were attacked by two teen-agers armed with Silly String.
D-Krypt noted that the ability to seize the cookies creates the potential for attackers to impersonate users in online transactions such as stock trades.
More advice was offered by a hacker named Daremoe, who reviewed techniques that crackers use to profile systems - including ping sweeps, port scanning and analysis with a tool called Nmap. These tools can profile host systems and provide enough access to give potential attackers a general map of firewalls and other network defenses, he said.
While inexperienced script kiddies typically target systems with obvious vulnerabilities, Daremoe noted that more experienced crackers will map specific hosts and create a vulnerability matrix that profiles their applications. The profile can then be compared against a database of known vulnerabilities to see which exploits could be used to access information and gain entry. "Protect against profiling," Daremoe said. "What other people know about you can hurt you, and you need to take network mapping seriously."
Daremoe suggested several defensive strategies to prevent network mapping, including setting up controls at firewalls to manage access requests based on the Internet Control Message Protocol, removing the ability of NetBIOS traffic to pass into a network and using registry keys to limit remote access. He also suggested deploying intrusion-detection technology and so-called "honey pots," which set up apparent vulnerabilities to lure in would-be crackers.
In addition, Daremoe encouraged hackers to simply learn from network profiling and move on instead of exploiting the vulnerabilities they discover. And he strongly cautioned against trying to map government or military networks. "They will come looking for you," he warned.
In another session, respected cryptographer Bruce Schneier cautioned the audience to be alert to flaws in biometrics systems, which authenticate users by scanning their fingerprints or other identifying characteristics. The systems can be highly useful if they include a human observer who can witness users confirming their identities via fingerprints, Schneier said.
But he added that biometrics technology has the potential for "terrific failure modes" because the potential for fraudulent use of such systems is high. "It's very easy for me to capture your digital finger and inject it into the stream," said Schneier, founder of Counterpane Internet Security Inc. in San Jose, where he is chief technical officer.