[ISN] Toorcon 2004 Brings Hackers to Sunny San Diego

InfoSec News isn at c4i.org
Fri Oct 1 06:12:55 EDT 2004


By Humphrey Cheung 
September 30, 2004 

Defcon isn't the only hacker convention for people living on the West
Coast. Toorcon, a computer security conference in its sixth year,
provides a viable alternative to people who want to learn more about
computer security.

Toorcon was held Friday September 24 to Sunday September 26 at the
Manchester Grand Hyatt in sunny San Diego, California. With over 300
people in attendance, it provided a sizable yet still intimate arena
to learn about the secrets of computer security.

From the informative seminars to the interesting vendor area, we will
give you a glimpse into what Toorcon 2004 was like. You may just want
to attend next year.

Deep Knowledge Seminars

About 20 people ponied up $300 to $500 (depending on when they
registered) to attend the Deep Knowledge Seminars held on the Friday
night just before the main Toorcon session. These talks were 75
minutes long and were very informative.

One interesting seminar, Mobile Cyber Warfare Training, given by Scott
Kennedy of SAIC, talked about training IT staff against cyber attack.  
SAIC conducts "Red versus Blue" training, where IT staff, called the
Blue Team, must defend a network against a fictional group of Hackers
called the Red Team.

All the hardware necessary for the exercise is kept in a small rack
that is easily transportable for on-site training. Training costs
around $20,000 for a group of fifteen.

Red versus Blue training is important because everyday network
administrators don't usually get to practice against an insanely
knowledgeable and determined foe. SAIC officials acting as the hacker
Red Team throw everything at the hapless Blue Team. In the battle,
some innovative solutions surface.

What is the craziest defense that Scott Kennedy has seen? In order to
stop kernel exploits, one team actually deleted the OS kernel on their
Sun box, which worked very well until they needed to reboot the
machine. Servers don't boot too well when the kernel is missing.

We all know that website defacements happen frequently. Hackers break
into a webserver and change the index.html file so that the website
displays some crazy and usually profane stuff. This is very
embarrassing for the IT staff and for the attacked company.

One administrator, in an act of simple genius, copied the index.html
file to another folder and then ran a cron/scheduled tasks job to
overwrite the original index.html file every second. While this
doesn't stop the attack, it does keep the defaced page from staying
up for long. Even if the attackers change the index.html file, the
next second the offending file will be overwritten with the correct
copy.

Some administrators go even further by burning the file to a CD and
then having it copied to the Apache folder every second. Since the CD
is read-only, the attacker cannot deface the golden copy on the CD
along with the live one.
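The restore-from-a-golden-copy trick described above, written out as an
added example (this is not code from the article or from SAIC). The
script keeps a served index.html in sync with a copy held on read-only
media; it compares the two before writing so that the web server's file
is not rewritten every second unnecessarily, and it writes through a
temporary file and a rename so readers never see a half-written page.
All paths are assumptions for the demo: the "cdrom" and "htdocs"
directories are created under a temporary directory so the script runs
offline, standing in for a mounted CD and the Apache document root.

```shell
#!/bin/sh
# Added example, not from the original article. Restores a web page from a
# golden copy on read-only media whenever the live copy has been altered.

# restore_if_tampered GOLDEN LIVE
# Compares the live file byte-for-byte with the golden copy and, only if they
# differ or the live file is missing, rewrites it from the golden copy.
# Prints "restored" or "ok" and returns 0; returns 1 if the golden copy itself
# is unreadable, so a caller can raise an alarm instead of looping silently.
restore_if_tampered() {
    golden=$1
    live=$2
    [ -r "$golden" ] || return 1
    if cmp -s "$golden" "$live"; then
        echo ok
    else
        # cat (not cp) so the new file gets a normal mode even though the
        # golden copy is read-only; rename makes the swap atomic for readers.
        cat "$golden" > "$live.tmp" && mv -f "$live.tmp" "$live"
        logger -t defacement-guard "restored $live from $golden" 2>/dev/null || true
        echo restored
    fi
    return 0
}

# watch_loop GOLDEN LIVE
# cron cannot schedule anything finer than once a minute, so a per-second
# check has to be a loop started once (e.g. from an init script or cron's
# @reboot) rather than a cron entry. Not run in the demo below.
watch_loop() {
    while :; do
        restore_if_tampered "$1" "$2" >/dev/null
        sleep 1
    done
}

# --- demo setup (constructed, stands in for /mnt/cdrom and the DocumentRoot) ---
WORK=$(mktemp -d)
GOLDEN="$WORK/cdrom/index.html"   # the read-only CD copy
LIVE="$WORK/htdocs/index.html"    # the file Apache actually serves
mkdir -p "$WORK/cdrom" "$WORK/htdocs"
printf '<html><body>Welcome</body></html>\n' > "$GOLDEN"
chmod 444 "$GOLDEN"               # mimic read-only media
restore_if_tampered "$GOLDEN" "$LIVE" >/dev/null   # initial population

# Simulate a defacement, then let the guard run twice.
printf '<html><body>OWNED</body></html>\n' > "$LIVE"
restore_if_tampered "$GOLDEN" "$LIVE"   # prints: restored
restore_if_tampered "$GOLDEN" "$LIVE"   # prints: ok
```

The caveat a practitioner should keep in mind: this only shortens how long
a defaced page is visible. An attacker who can already write to the
document root can usually also kill the loop, edit the script, or change
the server configuration to serve a different file, and a read-only golden
copy does nothing about the hole that let them in. Treat the restore as a
stopgap and the "restored" log line as the alert that triggers incident
response.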

