School for Hackers

LAS VEGAS--A presentation on how to be the first to exploit new flaws in Web server software was deemed "just as cool for white hats as for black hats" attending the Defcon 12 conference here over the weekend.

The session offered new tools, as well as insight into the mindset of the so-called black hat, or malicious hacker, community, said one enthusiastic attendee, who works for a security consulting company that secures Web servers for the financial sector. The two presenters, German security consultants "FX" and Halvar Flake, spoke about taking advantage of new-found holes, known as zero-day Web-based vulnerability exploitation.

Hacking Advice

Finding vulnerabilities to exploit is real work, the presenters said. The large, packed crowd listened to them talk about "making script kiddies into real hackers," referring to novice hacker wannabes who simply use other hackers' tools to deface Web sites.

The pair outlined the procedural steps of drilling down and finding Web server weaknesses--effectively offering tips to those who want to do so, but also providing knowledgeable warning to those who guard against such action.

"You've got to like assembly language, because you'll be spending lots of time with it, and it'll make your head hurt," Flake said, referring to the detailed functionality of the low-level programming language. They also advised would-be hackers that they need to know the programming language better than the programmer of the Web site they want to crack.

FX and Flake also humorously offered opposing views on which programming or scripting language is better suited to automate the process of disabling a Web server.

FX advised attendees to "become a C language lawyer so you can find ambiguities in the code," likening familiarity with programming code to an attorney's understanding of the intricacies of the law.

Armed for Defense

The presentation was not really intended to make script kiddies into malicious hackers, but rather to tell "people how not to be a script kiddie and instead do useful work," Flake said after his talk. Wannabe hackers should do something useful with their time, he added, saying he hoped they would realize the intellectual challenge of understanding the underlying Web technologies and "see that it's exciting taking things apart instead of just defacing Web pages."

"A lot of kids will realize that [finding Web-based vulnerabilities] is hard work, and do something else," Flake added.

The security consultant in the audience said she appreciated the presenters' emphasis that finding Web-server bugs to take advantage of is a time-consuming and difficult process--but noted that offering such a challenge only makes the exercise more attractive for the tenacious. The session may be "dropping script kiddies, but helping those that are interested in robbing the bank," she added.

Still, the insight she gained will makes her job easier, she said. The detailed presentation provided useful programming tools as well as knowledge to help her anticipate and replicate a black-hat hacker's tactics--"to be a black hat so I can attack a bank's Web site and save them millions, if not billions of dollars," she said.