Quack hackers chase headlines, obfuscate about holes

Hoax hacks. Rigged demos of make-believe security holes. Those, it appears, are the real big news that came out of the Black Hat USA security conference earlier last month. Two of the headline-grabbingest claims by independent security researchers at the show have since turned out to be bogus.

One, a reportedly easy-to-exploit security problem in a Cisco firewall appliance, isn't reproducible. The other, an allegedly even-easier-to-exploit hole in Apple's Wi-Fi drivers, didn't actually involve attacking Apple's products after all.

So much for one of IT's last great myths: the honest hacker.

More than a dozen security problems were showcased by Black Hatters this year.

Lots of the people who turned up those problems gained their security expertise the old-fashioned way: by hacking into systems they weren't supposed to be anywhere near. They've since cleaned up, dressed up and hung out their shingles as security researchers. But we know at heart they're still hackers.

And that's been highly valuable to us, especially since IT product vendors aren't always, um, completely candid about security issues.

Vendors don't much like it -- security holes make them look bad.

Now we're learning that some of these hackers have all the reliability of an IT vendor dog-and-pony show.

Consider Hendrik Scholz, the guy who said at Black Hat that he found a "really easy to do" technique for bypassing Cisco's firewall appliances. His claim consisted of a single slide he tacked onto the end of his talk (it wasn't in the version of Scholz's presentation that Black Hat attendees received).

But in interviews, Scholz admitted that an attack would require insider knowledge and pre-existing control of a device inside the firewall. No wonder Cisco can't reproduce a successful real-world attack.

Or consider SecureWorks researcher David Maynor and hacker Jon "Johnny Cache" Ellch, who worked the press like champs with a Black Hat demonstration of hacking into a wireless-equipped Apple MacBook in 60 seconds. It generated plenty of "Mac hack" publicity.

But SecureWorks has now distanced itself from its employee's published claims that he can hack Mac Wi-Fi. Turns out the Black Hat demo was on third-party Wi-Fi products that Maynor won't identify. He's never shown an attack on Apple's built-in wireless hardware and software -- not even privately to Apple. And Maynor has acknowledged that he demoed on the Mac because he thought Mac users were smug about security -- and because of the headlines a Mac attack would generate.

True enough: a drive-by cheap shot at Cisco or Apple is sure to score headlines. Never mind the collateral damage to the credibility of other security researchers or to the trust of their potential customers in corporate IT.

IT people don't need more dog-and-pony shows. We've been cleaning up the mess from those for years.

We need security research we can trust. And the stuff Black Hatters are selling just got harder to buy.

After all, when it comes to uncovering security holes, if you can't trust hackers, who can you trust?

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years

Join the newsletter!

Error: Please check your email address.

More about AppleCiscoHayesHISIT PeopleSecureWorks

Show Comments