Hacker Conferences Highlight Security Threats

LAS VEGAS -- This year's Black Hat Briefings and Def Con hacker conferences may have appeared more professional than in previous years, with an increased number of security professionals and government officials in attendance. But one thing the back-to-back events didn't produce, observers say, is a picture of an organized and mature hacker underground.

That's not necessarily seen as a good thing. The lack of maturity and organization may actually make less-capable hackers more dangerous to companies, according to many of the security analysts who were among the 5000 attendees at the two conferences last week. Through their reckless probing and compromising of systems, "script kiddies" and Web page defacers may unwittingly be doing the bidding of highly skilled cybercriminals, say the analysts.

"The fact that script kiddies will blindly launch scripts against large IP [Internet protocol] blocks without any thought as to who they are attacking makes them dangerous, especially for those administrators who do not take security seriously," says Mandy Andress, president of ArcSec Technologies.

Amateurs Stock Up on Ammo

Andress says she didn't see any significant new details about vulnerabilities or methods of attacking systems while attending the Black Hat conference. But there was "enough information for the script kiddies to make them just a bit more dangerous," she adds.

Although the hackers who attended the conferences represent a cross section of the hacking community, security officials say they're more concerned about those who weren't there. "The more sophisticated exploits that the pros use are not being talked about at Def Con or Black Hat," says Chris Klaus, founder and chief technology officer at Internet Security Systems. "A hacker conference is probably the last place [they] want to be seen."

"There are others who shun the spotlight yet firmly believe in their agenda to undermine and disrupt e-commerce and commercial use of the Internet," says Gerald Freese, director of intelligence at Vigilinx, a security firm that specializes in threat intelligence. "These are the veterans. These are the ones that we fear the most."

Increasingly, those veterans are overseas, says Klaus, whose company offers managed security services. Many hackers in the United States lack the economic motivation to commit real crimes, he says. But that motivation is higher in Russia and other countries where economic conditions are much worse, Klaus adds.

But while attending the Black Hat conference is like "going to a graffiti convention expecting to see those who design spray cans," many hackers actually are providing a public service, says John Pescatore, an analyst at Gartner.

"Before the vandal hackers became so prevalent, [software vendors] would take months before releasing a security patch--if they were even aware of the security bugs in their products," Pescatore says.