Black Hat 2010 discusses China Google hack


Google's revelation last month that attacks out of China resulted in the theft of some of its data drew attention to the broader question at the Black Hat conference over what can be done to the villains.

Cyberattacks give rise to anger and a very human desire to strike back, but pursuing hackers in ways that matter isn't accomplishing much. The number of people who are arrested and convicted for any of the phishing attacks, intrusions and thefts is tiny.

Several countries, Russia and China in particular, don't want to cooperate on cybersecurity enforcement, said Andrew Fried, a security researcher at the Internet Systems Consortium, a non-profit group, and a former special agent at the US Treasury Department.

"The reality is they don't want to do squat to help anybody," he said, on a panel at the cybersecurity conference today.

After an attack, such as the China - Google incident, there's always interest in establishing "attribution" - identifying the source of the attack. But Jeff Moss, the founder of Black Hat and director of the conference, questioned whether too much emphasis is placed on that effort. Moss also serves on the Department of Homeland Security's security advisory council.

"We should be spending more energy on dealing with the containment of an attack, reducing the effects of an attack," Moss said. "I don't think we will ever be able to stop the attack."

Techies can argue over the source of the Google attack, Moss said, but "is China ever going to extradite anybody? No," he said. "Are we going to go to war over it? No. So we should probably have a mechanism, a strategy in place, for mitigating, minimising these attacks."

Last month, Google said it was considering pulling out of China after revealing the attacks.

Secretary of State Hillary Clinton, in a recent speech on Internet freedom, offered an impassioned defense for the "freedom to connect." But Moss questioned whether Clinton was proposing a US policy for the Internet akin to the "freedom of seas model."

"The US Navy spent a lot of time beating up pirates," Moss said. "Is that a call for us to go police the cyber seas ... or does it mean something else, because I don't think that we've got the capability [to defend] the world's cyberspace and keep it free."

Google's battle with China in some ways is little more than a sideshow compared with what some companies are dealing with. Take GoDaddy, for instance, the world's largest domain registrar with more than 38 million domain names. Ben Butler, director of network abuse at GoDaddy, said his department's 19-member staff conducted 232,000 investigations last year over a range of abuses, including spam, phishing and copyright enforcement.

For its trouble, GoDaddy is sued 30 to 40 times a day over the actions it takes, such as suspending a domain, but despite those attempts, "nobody has been successful in suing us yet," said Butler, who was also on a panel.

Among the multitude of security issues, spam is high on the list.

Although most spam is caught in traps, there's enough that gets by to prompt Richard Cox, the CIO of The Spamhaus Project, a UK nonprofit group that tracks spam senders and services, to offer what may be a novel theory as to one of the enablers of the housing bubble. He claimed that spam contributed significantly to the selling of subprime mortgages.

But Cox was particularly harsh on the US efforts to address security issues. Air travelers may be screened and searched for explosives, but foreign entities can easily establish a server foothold with co-location providers. "You wouldn't let it happen at the airport, so why would you let the ISPs do it? That's effectively what you are doing," he said on a conference panel.

In another panel, Nicholas Percoco, senior vice president of SpiderLabs at Trustwave, highlighted the need for more focus on protection. His company's research has found that the lapse between initial breach and detection in an organisation's security systems is about 156 days.

"Attackers basically know that they have unlimited amounts of time once they get into an environment," he said.

The conference keynote speaker, Gregory Schaffer, DHS assistant secretary of the Office of Cybersecurity and Communications, was asked by one attendee about the US responsibility to defend against attacks launched in other countries.

"I think the DHS role, at this point, is to defend the federal civilian executive branch networks," Schaffer said. "We have a leadership role in assisting with the .com space," he said, referring to the commercial sector.
