Black Hat: Do Companies Have the DNA to Thwart Hacks?

LAS VEGAS—Do businesses and other organizations have the right stuff to fight off hacks and other attacks against their computer systems? Speakers at Black Hat, a security convention, debated those issues and more Thursday at sessions that sounded better suited for a war college than a casino conference center.

Some highlights:

  • Companies need to respond faster when attacked by hackers, said Kevin Mandia, president of Mandiant, a consultancy based in Alexandria, Va., and a former special agent who conducted investigations for the U.S. Air Force. Mandia said his clients take too long going through logs to analyze causes, although that is partly because hackers are clever at hiding their tracks. For example, hackers name malicious files after Windows files to make them harder to find.

  • Dave Thomas, deputy assistant director of the FBI’s Cyber Division, said companies should follow a strategy championed by Air Force fighter pilot Col. John Boyd when they confront hackers: the OODA Loop. The acronym stands for Observe, Orient, Decide and Act against one’s enemy. A man in the audience who identified himself as chief technology officer of nCircle, a San Francisco-based security vendor, told Thomas that model doesn’t work so well for companies. “Their objective is to run their businesses … not to catch the crook,” he pointed out. Thomas said companies should get together with local law enforcement so the two groups can “educate each other.”

  • Companies faced with zero-day exploits–flaws in their systems for which the vendor has no patches–can use patches from third parties, at least temporarily, said Alexander Sotirov, a researcher from Determina of Redwood, City, Calif. Determina and other third parties can make patches more quickly than Microsoft, he said, because they target just the flaw, without worrying much about compatibility with other software. But these patches may be a poor choice when the flaw is so serious that Microsoft has to rearchitect part of the application to fix it, Sotirov added.

  • There was little agreement over who should be told about security flaws, and when the telling should occur. Publicizing flaws makes vendors look bad and may put customers at the mercy of hackers, a panel concluded. But vendors can also be slow to fix flaws, which endangers customers as well.

  • Attacks on Web applications are growing, and everybody should worry about those, warned Billy Hoffman, the lead researcher at SPI Dynamics of Atlanta. MySpace and Yahoo were both attacked by Web worms this year, and such attacks will become more dangerous as hackers learn how to exploit the software in which Web applications are written. Two Web programming languages–JavaScript and Ajax–have big security holes. Hoffman advises companies to use only trusted code and stick to good practices, such as enforcing security from the server and not the PC.

    More from Black Hat: Ajax Vulnerabilities Could Pose Serious Risks.”