Tuesday, August 03, 2004

Security: Final Report on Blackhat/Defcon Conference

As Chair of my company's Security Committee, I am often called on to provide consulting advice to other companies. Security is a complex area, so I try to keep it simple. (1) Do you have a security policy? (2) Does it actually protect sensitive data? (3) Is your security policy enforced? There is always a significant amount of discomfort around answering (or not answering) these questions. On the lighter side (or frightening side, depending on your point of view), the goings on at the world's most notorious security conference are always interesting.

Blackhat/Defcon: The final report
Monday August 02, 2004 (01:00 AM GMT) By: Joe Barr

DEFCON 12, LAS VEGAS, NEVADA -- The week-long Defcon 12 and Blackhat Briefings ended Sunday. Taking center stage in our final report are Google, a video history of bulletin board systems, a healthy dose of "lessons not learned" by our federal bureaucracy, anarchy, and the threat of physical violence. If you missed the earlier reports from these security conferences, you might want to read these: Blackhat Briefings: Forget the borders, guard the goodies, Blackhat Briefings: Hacker Court 2004, Blackhat Briefings: It's the stupidity, stupid, and DefCon 12: Opening Day.

Google hacking

Johnny Long -- whose day job is as a researcher at CSC -- gave his presentation on Google hacking at both shows. He raced through more than 130 slides, each showing another twist in the game of learning passwords, credit card numbers, and other personal data using nothing but the Google search engine. I was impressed by what I saw. Others? Well, not so much. "O'Reilly has a book out on the subject," I was told by someone who was clearly implying a talk on the subject didn't deserve to be done at Defcon.

The one constant in Google hacking seems to be that there are some real idiots out there who can be harvested using these techniques. Most of them are designed to find default installation pages, error pages, or administration pages for a long list of applications, from MySQL to Apache to MyPHPAdmin.

One thing I want to research further is Google's Numrange advanced operator. Long said he couldn't talk about it and expect to keep his day job. Hmm.

Before moving on, I would like to point out that there is a very good application for Google hacking. Have you ever needed to convince a PHB where you work that better security is needed? This is a great way to illustrate why.

