While the black hat community over in Las Vegas are learning about the bad things that can be done, I am sitting at my relatively safe desk in Hammersmith not at all envious of the events in Nevada.
In conversation with ScanSafe's Spencer Parker the other day, he claimed that the first thing he would do when returning from the annual Black Hat conference would be to give his laptop a deep clean.
Not that he (I suspect), or even I, am suggesting that the attendees of the conference are a bunch of hackers intent on learning new tricks; more that with so much hacking knowledge and ability in one place, surrounded by money, the dangers are far too obvious to point out.
As I said, I unfortunately did not get to join in with the festivities, but the stories coming out about the exposure of vulnerabilities are particularly interesting, and I believe that the right to publicise an exploit can often have positive effects. See my recent blog on Aviv Raff's month of Twitter bugs for an appraisal of how raising awareness of vulnerabilities can often be the best medicine for getting a company to fix them.
What really caught my attention from Black Hat this week was a report that Microsoft was effectively ‘strong-armed' into releasing out-of-band patches this week after it discovered that a flaw in Internet Explorer was going to be demonstrated at the conference.
A commentary I received from Shavlik about the details of the patches recommended ‘installing the Internet Explorer patch as soon as possible as it helps protect against a flaw being demonstrated at Black Hat tomorrow (Wednesday) that might allow an attacker to bypass the killbits that were set to protect a machine against unsafe ActiveX controls'.
Meanwhile Andrew Clarke, senior vice president, international at Lumension, said: “Microsoft has really had its arm bent behind its back on this one. The pressure of the researchers signalling that they intended to reveal the way to bypass a critical security mechanism in Internet Explorer at the Black Hat Conference yesterday has forced it to break its scheduled patch cycle.
“If you consider that this is only the third time in two years that Microsoft has officially released an out-of-band patch, and on the other occasions there were active exploits in the wild, you can grasp just how important it is that IT users ensure this update is applied.”
Another flaw that was exposed this week was on the Apple iPhone, which would allow an attacker to take over the phone so that the victim would not be able to make phone calls or send text messages, and any WiFi or Bluetooth capability would be disabled.
UK network operator O2 has since said that it will release a software patch to address the security flaw. An O2 spokesperson told BBC News the patch would be available on Saturday through iTunes. The spokesperson said: “We will be communicating to customers both through the website and proactively. We always recommend our customers update their iPhone with the latest software and this is no different.”
So as systems, programs, applications and PCs have vulnerabilities, they need to be fixed; that is part of security, I guess. But is the stand-and-deliver tactic of fixing them the best way forward?
After all, I cannot help feeling that if this had been any company other than Microsoft, one which may not have had the capability and manpower to issue a patch at such short notice, the vulnerability could have been detailed at Black Hat and a major exploit would have been a hit all over the world.
Speaking of hacking, today saw the latest stage in an eventful year for Gary McKinnon. He was hoping to have the High Court rule against his extradition to the United States on spying and hacking charges relating to NASA and the US Navy; instead that was overturned, meaning that McKinnon may not have many options left to him.
Following the announcement there was an unusual mix of responses on the micro-blogging site Twitter, with some users claiming that they could not believe the ruling, and some others claiming that he should not have done it in the first place. Another user claimed that ‘Gary McKinnon deserves everything he gets. You can't hack a government's computers and then whine about it when they get angry'.
This has been a week that has seen hacking rise to the surface, and it is likely to stay there. I suspect that the McKinnon case will continue on in the coming months (with rumours that the European Court of Human Rights will be his next stop), and that a new approach to publicising and patching vulnerabilities has been demonstrated. What happens next is anyone's guess, but the advice to patch and keep systems up to date could not be more apparent.