Good hackers meet to seek ways to stop the bad hackers

Hundreds of hackers on the side of good -- or ethical hackers -- gathered at the 14th Hacker Halted global conference, held for the first time in Miami, to talk about strategies to thwart cyber terrorists.

Ethical hackers understand how to hack a system in order to better protect against attacks, or to know where the vulnerabilities are in a program.

"A good defense is a good offense," said Sean Arries, a security engineer at Terremark Worldwide. "If you understand your opponent and you understand how the attacker is going to attack you, then it makes it a lot easier for you to defend yourself."

Arries gave a cautionary presentation detailing how hackers can take advantage of a vulnerability in Windows Vista and Windows Server 2008 _ a gateway for hackers that Microsoft hasn't yet patched.

Arries did a scan of 43,000 domains and found 110 of those sites were vulnerable to that exploit.

"Now 110 is quite a lot, because that becomes a staging process for an attacker to launch against other sites and internal networks," he added.

Bloggers have been writing about this flaw for two weeks, so it wasn't exactly news to the audience. But while going through slides filled with programming code, he warned attendees that hackers will likely launch a worm to take advantage of this flaw any day now.

"We are in a scramble state to secure our clients and customers and secure ourselves internally before this worm shows up -- and it will be coming," Arries said in an interview afterward.

Not everyone who comes to events like this is a good guy, so to speak. Talk to anyone at that conference and they believe at least some "black hat" hackers were among them in anonymity -- or more likely, programmers who work in a morally gray area.

"The same techniques that you learn to protect a system are the same things people look at to break into systems," said Howard A. Schmidt, president of the Information Security Forum. "You have the good guys trying to out-thwart the bad guys, and the bad guys going to learn from the good guys. "

In the world of hacker conferences, Hacker Halted is pretty tame compared to the DefCon and Black Hat conferences in Las Vegas.

"That's where you get more of the black hat subculture to learn what's going on and extract information that maybe you should or shouldn't be privy to," said Solutient technical trainer Ernie Campbell, who flew in from Cleveland to attend.

Malicious hackers are usually grouped into subsets.

There are the "script kiddies," a derogatory term given to hackers who use programs to cause trouble because they don't have the skills to write their own code. There's also the typical movie stereotype of pale guys pounding down energy drinks in a basement full of computer screens as they wreak havoc.

"That certainly exists, but it is a small, small subculture," said Erik Laykin, managing director of Duff & Phelps in Los Angeles and honorary chairman of the Electronic Commerce Council, which organized the conference.

The hackers that Laykin and other investigators focus on are the criminal hackers -- many working out of the country -- who keep coming up with ways to steal financial information.

And while these criminals work 24/7, it's a constant job of playing catch up for the ethical hacker who is trying to stay on top of the latest exploits. And as people become more attached to mobile devices, cellphones will be the target down the road.

But it could be worse than that.

"Defibrillators that are implanted in people's chests today have electronic remote sensors so they can be reprogrammed using wireless technology. That's an early technology that's potentially susceptible to hacking," Laykin said.

"Now if I can hack a computer, why can't I hack somebody's defibrillator or pacemaker? Scary stuff."
___

(c) 2009, The Miami Herald.
Visit The Miami Herald Web edition on the World Wide Web at http://www.herald.com
Distributed by McClatchy-Tribune Information Services.