February 10, 2010, 3:00 PM — The Black Hat Briefings came to the Washington, DC area (Arlington, VA) last week, drawing roughly a thousand representatives of the black-hat and white-hat communities together to learn how to attack and defend our systems. With a keynote by Greg Schaffer of the Department of Homeland Security and three tracks of briefings that covered everything from "the big picture" to tricks you can play with Metasploit, this hackerfest took on the global perspective on hacking while simultaneously drilling down to the nitty-gritty of various attack methods.
Some of the more interesting take-homes from this conference:

1) Many of us are missing the boat when it comes to securing our enterprises. We fail to realize that some of the oldest exploits are still very much in use (exploiting default passwords, for example), while we also fail to grasp that many of the tools we rely on routinely may be completely unable to deal with the more virulent threats we face today.

2) The Russian and Chinese hacker communities are far better organized and more capable than many of us might like to believe. If I hadn't recently read "Inside Cyber Security", it would have been shocking to hear what those who have penetrated these communities have to say. I also learned the basic difference in focus between these hacker communities: the Chinese are primarily going after military secrets and commercial know-how, with money falling behind nationalism as a major theme. The Russians, on the other hand, are primarily focused on money. In both cases, corrupt and/or indifferent governments are not cracking down as most of us would wish they would. These hacker communities provide cover for other activities and are easily recruited into nefarious campaigns to harm or discredit opposing regimes.

3) I also learned that ISPs are decidedly NOT all the same when it comes to how they police their customers. Some take down sites that don't follow the rules; others just look the other way. GoDaddy, for example, has a zero-tolerance spam policy that it takes very seriously. This means that they "whack" domains found to be spewing spam or malware as needed, even though the site owners may sue them for it. None of these suits has been successful to date, but that doesn't mean there aren't costs associated with the defense, and I, for one, fully appreciate companies like GoDaddy that refuse to be part of the problem.
Spam is even more prevalent than I ever imagined. According to one speaker, 98% of it never reaches our systems. Where is it all coming from? A big registrar might process 5,000 newly registered domains in a single morning, and many spam and malware sites, when they are blocked or suspended, simply pick up and move to another domain. Even so, 90% or so of spam and malware sites are not malicious by design, only infected: legitimate sites that have been compromised.