By Frank Hayes
August 28, 2006
Hoax hacks. Rigged demos of make-believe security holes. Those, it
appears, are the real big news that came out of the Black Hat USA
security conference earlier this month. Two of the
headline-grabbingest claims by independent security researchers at the
show have since turned out to be bogus.
One, a reportedly easy-to-exploit security problem in a Cisco firewall
appliance, isn't reproducible. The other, an allegedly
even-easier-to-exploit hole in Apple's Wi-Fi drivers, didn't actually
involve attacking Apple's products after all.
So much for one of IT's last great myths: the honest hacker.
Hey, I still believe honest hackers exist. More than a dozen security
problems were showcased by Black Hatters this year. Some have already
been fixed; some have hardware and software vendors hard at work
correcting very real issues.
Lots of the people who turned up those problems gained their security
expertise the old-fashioned way: by hacking into systems they weren't
supposed to be anywhere near. They've since cleaned up, dressed up and
hung out their shingles as security researchers. But we know at heart
they're still hackers.
And that's been highly valuable to us, especially since IT product
vendors aren't always, um, completely candid about security issues.
These hackers compete to build credibility by finding security holes
and telling us about them. It's in their interest to be honest players
in this free market for information about IT vulnerabilities. That's
how they build business.
Vendors don't much like it -- security holes make them look bad. And
it's a pain for us to learn that our production systems are at risk.
But the real bad guys already know about these flaws. We're just
finding out what we need to know to protect ourselves -- at least when
the hackers keep it honest.
Now we're learning that some of them have all the reliability of the
phoniest vendor dog-and-pony show.
Consider Hendrik Scholz, the guy who said at Black Hat that he found a
"really easy to do" technique for bypassing Cisco's firewall
appliances. His claim consisted of a single slide he tacked onto the
end of his talk (it wasn't in the version of Scholz's presentation
that Black Hat attendees received).
But in interviews, Scholz admitted that an attack would require
insider knowledge and pre-existing control of a device inside the
firewall. No wonder Cisco can't reproduce a successful real-world
Or consider SecureWorks researcher David Maynor and hacker Jon "Johnny
Cache" Ellch, who worked the press like champs with a Black Hat
demonstration of hacking into a wireless-equipped Apple MacBook in 60
seconds. It generated plenty of "Mac hack" publicity.
But SecureWorks has now distanced itself from its employee's published
claims that he can hack Mac Wi-Fi. Turns out the Black Hat demo was on
third-party Wi-Fi products that Maynor won't identify. He's never
shown an attack on Apple's built-in wireless hardware and software --
not even privately to Apple. And Maynor has acknowledged that he
demoed on the Mac because he thought Mac users were smug about
security -- and because of the headlines a Mac attack would generate.
True enough: A drive-by cheap shot at Cisco or Apple is sure to score
headlines. Never mind the collateral damage to the credibility of
other security researchers or to the trust of their potential
customers in corporate IT.
IT people don't need more dog-and-pony shows. We've been cleaning up
the mess from those for years.
We need security research we can trust. And the stuff Black Hatters
are selling just got harder to buy.
But even if we now have to view these researchers with the same
jaundiced eye we once reserved for our most shameless vendors, they're
still worth our attention. We may believe them less, but we haven't
got much choice.
After all, when it comes to uncovering security holes, if you can't
trust hackers, who can you trust? w
Frank Hayes, Computerworld's senior news columnist, has covered IT for
more than 20 years. Contact him at frank_hayes (at) computerworld.com.
HITBSecConf2006 - Malaysia
The largest network security event in Asia
32 internationally renowned speakers
7 tracks of hands-on technical training sessions.
Register now: http://conference.hitb.org/hitbsecconf2006kl/