Hoax hacks. Rigged demos of make-believe security holes. Those, it appears, are the real big news that came out of the Black Hat USA security conference earlier this month. Two of the headline-grabbingest claims by independent security researchers at the show have since turned out to be bogus.
One, a reportedly easy-to-exploit security problem in a Cisco firewall appliance, isn't reproducible. The other, an allegedly even-easier-to-exploit hole in Apple's Wi-Fi drivers, didn't actually involve attacking Apple's products after all.
So much for one of IT's last great myths: the honest hacker.
Hey, I still believe honest hackers exist. More than a dozen security problems were showcased by Black Hatters this year. Some have already been fixed; some have hardware and software vendors hard at work correcting very real issues.
Lots of the people who turned up those problems gained their security expertise the old-fashioned way: by hacking into systems they weren't supposed to be anywhere near. They've since cleaned up, dressed up and hung out their shingles as security researchers. But we know at heart they're still hackers.
And that's been highly valuable to us, especially since IT product vendors aren't always, um, completely candid about security issues. These hackers compete to build credibility by finding security holes and telling us about them. It's in their interest to be honest players in this free market for information about IT vulnerabilities. That's how they build business.
Vendors don't much like it -- security holes make them look bad. And it's a pain for us to learn that our production systems are at risk. But the real bad guys already know about these flaws. We're just finding out what we need to know to protect ourselves -- at least when the hackers keep it honest.
Now we're learning that some of them have all the reliability of the phoniest vendor dog-and-pony show.
Consider Hendrik Scholz, the guy who said at Black Hat that he found a "really easy to do" technique for bypassing Cisco's firewall appliances. His claim consisted of a single slide he tacked onto the end of his talk (it wasn't in the version of Scholz's presentation that Black Hat attendees received).
But in interviews, Scholz admitted that an attack would require insider knowledge and pre-existing control of a device inside the firewall. No wonder Cisco can't reproduce a successful real-world attack.
Or consider SecureWorks researcher David Maynor and hacker Jon "Johnny Cache" Ellch, who worked the press like champs with a Black Hat demonstration of hacking into a wireless-equipped Apple MacBook in 60 seconds. It generated plenty of "Mac hack" publicity.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts