Black Hat: Do Companies Have the DNA to Thwart Hacks?

By Deborah Gage

Computer security experts debate whether businesses possess the mind-set--never mind the resources--to combat zero-day exploits, Web worms and other attacks.

LAS VEGAS—Do businesses and other organizations have the right stuff to fight off hacks and other attacks against their computer systems? Speakers at Black Hat, a security convention, debated those issues and more Thursday at sessions that sounded better suited for a war college than a casino conference center. Some highlights:
  • Companies need to respond faster when attacked by hackers, said Kevin Mandia, president of Mandiant, a consultancy based in Alexandria, Va., and a former special agent who conducted investigations for the U.S. Air Force. Mandia said his clients take too long going through logs to analyze causes, although that is partly because hackers are clever at hiding their tracks. For example, hackers name malicious files after Windows files to make them harder to find.
  • Dave Thomas, deputy assistant director of the FBI's Cyber Division, said companies should follow a strategy championed by Air Force fighter pilot Col. John Boyd when they confront hackers: the OODA Loop. The acronym stands for Observe, Orient, Decide and Act against one's enemy. A man in the audience who identified himself as chief technology officer of nCircle, a San Francisco-based security vendor, told Thomas that model doesn't work so well for companies. "Their objective is to run their businesses … not to catch the crook," he pointed out. Thomas said companies should get together with local law enforcement so the two groups can "educate each other."
  • Companies faced with zero-day exploits--flaws in their systems for which the vendor has no patches--can use patches from third parties, at least temporarily, said Alexander Sotirov, a researcher from Determina of Redwood City, Calif. Determina and other third parties can make patches more quickly than Microsoft, he said, because they target just the flaw, without worrying much about compatibility with other software. But these patches may be a poor choice when the flaw is so serious that Microsoft has to rearchitect part of the application to fix it, Sotirov added.
  • There was little agreement over who should be told about security flaws, and when the telling should occur. Publicizing flaws makes vendors look bad and may put customers at the mercy of hackers, a panel concluded. But vendors can also be slow to fix flaws, which endangers customers as well.
  • Attacks on Web applications are growing, and everybody should worry about those, warned Billy Hoffman, the lead researcher at SPI Dynamics of Atlanta. MySpace and Yahoo were both attacked by Web worms this year, and such attacks will become more dangerous as hackers learn how to exploit the software in which Web applications are written. Two Web programming languages--JavaScript and Ajax--have big security holes. Hoffman advises companies to use only trusted code and stick to good practices, such as enforcing security from the server and not the PC.


    This article was originally published on 2006-08-04
    Senior Writer
    Based in Silicon Valley, Debbie was a founding member of Ziff Davis Media's Sm@rt Partner, where she developed investigative projects and wrote a column on start-ups. She has covered the high-tech industry since 1994 and has also worked for Minnesota Public Radio, covering state politics. She has written freelance op-ed pieces on public education for the San Jose Mercury News, and has also won several national awards for her work co-producing a documentary. She has a B.A. from Minnesota State University.
