This year's Black Hat Briefings and Def Con hacker conferences may have appeared more professional than in previous years, with an increased number of security professionals and government officials in attendance. But one thing the back-to-back events didn't produce, observers said, is a picture of an organized and mature hacker underground.
That's not necessarily seen as a good thing. The lack of maturity and organization may actually make less capable hackers more dangerous to companies, according to many of the security analysts who were among the 5,000 attendees at the two conferences last week. Through their reckless probing and compromising of systems, "script kiddies" and Web page defacers may unwittingly be doing the bidding of highly skilled cybercriminals, said the analysts.
"The fact that script kiddies will blindly launch scripts against large IP (Internet protocol) blocks without any thought as to who they are attacking makes them dangerous, especially for those administrators who do not take security seriously," said Mandy Andress, president of ArcSec Technologies Inc., a consultancy in Dublin, California.
Andress said she didn't see any significant new details about vulnerabilities or methods of attacking systems while attending the Black Hat conference. But there was "enough information for the script kiddies to make them just a bit more dangerous," she added.
Although the hackers who attended the conferences represent a cross-section of the hacking community, security officials said they're more concerned about those who weren't there. "The more sophisticated exploits that the pros use are not being talked about at Def Con or Black Hat," said Chris Klaus, founder and chief technology officer at Internet Security Systems Inc. in Atlanta. "A hacker conference is probably the last place [they] want to be seen."
"There are others who shun the spotlight yet firmly believe in their agenda to undermine and disrupt e-commerce and commercial use of the Internet," said Gerald Freese, director of intelligence at Vigilinx Inc., a security firm in Parsippany, New Jersey, that specializes in threat intelligence. "These are the veterans. These are the ones that we fear the most."
Increasingly, those veterans are overseas, said Klaus, whose company offers managed security services. Many hackers in the U.S. lack the economic motivation to commit real crimes, he said. But that motivation is higher in Russia and other countries where economic conditions are much worse, Klaus added.
But while attending the Black Hat conference is like "going to a graffiti convention expecting to see those who design spray cans," many hackers actually are providing a public service, said John Pescatore, an analyst at Gartner Inc. in Stamford, Connecticut. "Before the vandal hackers became so prevalent, [software vendors] would take months before releasing a security patch - if they were even aware of the security bugs in their products," Pescatore said.