Security Manager's Visit to Def Con Is an Eye-Opener

Mathias gets a glimpse into a growing and technically formidable hacker community at Las Vegas confab

If you're in any way involved in information security, you owe it to yourself to make a trip to Def Con. The ninth annual conference was held in Las Vegas during the insanely hot month of July. Originally advertised as "the largest underground Internet security gathering on the planet," it has through the years transformed itself into a much more commercial event. However, the conference still retains its underground, hacker look and feel.

I came to see and better understand the kind of people who may very well try to hack into my firm's systems. The experience is one I'd strongly recommend every security manager have at least once.


Internet Control Message Protocol (ICMP): An extension to IP that includes controls, error data and messaging information. Hackers may use ICMP to gain information about a host machine. For example, different operating systems respond in distinctive ways to specifically crafted ICMP packets. By examining the characteristics of return packets, a hacker may be able to determine the operating system used to generate them.


The 1998 Digital Millennium Copyright Act is worth a read, particularly if your job involves protecting intellectual property. Many sites offer opinions and explanations of the law, but you can read the actual text and
decide for yourself at this Cornell University Web page.

The Black Hat Briefings security conferences and training sessions are offered in Europe, Asia and the U.S. Check out Black Hat Inc.'s Web site for presentations from the most recent conference.

The Hackers On Planet Earth and SummerCon conferences are primarily for serious hackers, but they're also a good source of technical information.

The conference was divided into several areas. In one area, desks and tables were set up in what looked like a call center. Here, one could find hard-core hackers (many with tattoos, piercings, purple hair or Goth wardrobes) who had set up their computers and connected into the private Def Con network to participate in an online "capture the flag" contest. Participants attempted to hack into one another's systems while protecting their own machines from being hacked.

In another area, vendors were selling T-shirts, computer hardware, software, books and telephony equipment. And in yet another dark, smoke-filled area, a DJ or an occasional live band played techno and other music. Still other areas of the hotel were dedicated to lectures ranging from more general newbie hacker topics to hard-core "Ÿberhaxor" technical discussions.

Meanwhile, TV crews ran around trying to get someone to agree to an interview. But most attendees didn't want to be interviewed for fear that if they said the wrong thing, they'd get hacked. It's happened before.

Def Con is full of antics and traditions. One example is the scavenger hunt. The organizers pass around a list of items, and whoever collects the most items wins. This year, they listed a pay phone as one of the items. Believe it or not, someone actually unbolted a public pay phone from its hinges, but he got caught and was arrested.

Another favorite event is called "spot the fed." The game - which goes on throughout the conference - involves identifying a person who looks like a federal agent or government official, like a CIA or National Security Agency employee, and identifying that person in a public forum, such as in one of the lectures. If the identified person is indeed a fed, then the spotter and the official receive T-shirts emblazoned with "I spotted a fed" and "I am the fed," respectively.

For security managers, Def Con is a valuable event for many reasons. First, it gives you the chance to meet the enemy. Many of the people attending Def Con don't maliciously hack into other peoples' systems. But some do, and this is a good place to learn about them.

The first Def Con in 1993 attracted about 150 people. This year, there were well over 4,000. I guarantee that some of those individuals were criminals who had gained unauthorized access to computer systems for some sort of gain. If the increases in attendance are any indicator, the shear number of such criminals has increased dramatically.

The technical sessions are another attraction. Def Con's lectures are designed for hackers, and many discuss how to attack and compromise a system. But this year, more lecturers focused not just on exploiting vulnerabilities, but on how to close them as well.

For example, in a lecture on securing Cisco routers, the speaker presented ways to block different denial-of-service attacks, then went into detail as to how to further protect your network by using simple access-control lists. There is a simple command, "no IP-directed broadcast," that you can use to prevent smurf attacks. To prevent TCP SYN flood attacks, the speaker suggested using the TCP intercept capabilities of the router.

Another discussion demonstrated the use of the Internet Control Message Protocol (ICMP) to identify the operating system that a target computer is running. In the past, many tools used TCP to accomplish this task, so systems administrators protected their systems against the use of TCP. The key, however, is to ensure that you allow only the proper ICMP packets into the network. For example, if you're using ICMP with the ping utility to ensure system availability, then you should only allow ICMP packets related to ping. Most firewalls allow for this configuration.

There were also a few forums related to how to trace an attack back to its source. Although the discussions and methodologies were interesting, the bottom line is that there is still no surefire way to trace hackers without full cooperation from the upstream Internet service providers.

Another interesting discussion was a legal topic related to the Digital Millennium Copyright Act, passed by Congress in 1998, which governs the implications of the modification of code. One provision makes it illegal to "manufacture, sell or distribute code-cracking devices used to illegally copy software." In fact, it was under this provision that Russian programmer Dmitry Sklyarov was arrested at the conference this year for developing software that lets users break the copyright protection in Adobe Systems Inc.'s eBook Reader. It's interesting that this controversial law apparently excludes law enforcement, intelligence and other government organizations from its provisions.

Perhaps the most interesting part of the conference for me was observing the attendees. Many of them were capable of performing kernel rewrites on the fly and other programming feats with such speed that they put most seasoned IT professionals to shame.

There was some serious talent at the conference - talent that I would have liked to hire. But then, no one would give me their real names. I also realize that with all that talent out there, I could face some formidable adversaries. I'll have a lot of work to do to keep up.

Note: Problems with my HushMail account have left me unable to receive reader e-mails. If you have comments or didn't receive a response from me recently, please contact me at my new address:
This week' journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at or go to the Security Manager's Journal forums.


Copyright © 2001 IDG Communications, Inc.

Shop Tech Products at Amazon