HITB: An eco-system of disruptions and dependencies

• Tense moments, some history made, interesting discussions, and a fascinating intersection of different worlds
• F-Secure’s celebrity chief research officer Mikko Hypponen chops off his trademark ponytail for charity

THE Hack In The Box Security Conference in Kuala Lumpur (HITBSecConf2012 or HITB2012KUL) that ran from Oct 10-11 was a fitting monument to the series’ 10^th anniversary.
 
It was the biggest ever, exceeding the 1,010-attendee target set by organizer Hack In The Box (HITB), and had its share of historic moments too – while the much-anticipated iOS 6 jailbreak did not happen, the panel discussion involving the iOS ‘Dream Team’ of experts who have unleashed many jailbreak tools and carrier unlocks found a rapt audience – both physically at the conference, and via a live video stream.
 
The two-day conference itself had more than 700 attendees, and HITB2012KUL saw about 1,100 visitors at the exhibition areas, which were open to public at the Intercontinental Hotel in Kuala Lumpur.
 
The Capture The Flag (CTF) live network hacking competition saw hotly contested battles, with Japanese Team Sutegoma2 eventually retaining its title for another year and walking away with the US$3133.7 cash grand prize, HITB said in a statement.
 
The second place winner was Team LOL from Vietnam and third was Team Nandy Narwhals which comprised university students from Singapore.

“It’s always fun to watch the Vietnamese go head-to-head with the Japanese every year,” said Amin Hamid, founder of Stryke Labs and organizer of the 2012 CTF competition. “I'd also like to thank Trustwave SpiderLabs and PandaLabs for sponsoring and also being part of the game,” he said in a statement issued by HITB.
 
At the Mozilla HackWEEKDAY hackathon, developer teams had to complete compelling proofs of concept after the 36-hour period. There was stiff competition, which saw DICOM-WAVE eventually emerging the winner with a project that uses Microsoft’s Kinect as a controller to translate gestures for surgeons to view MRI (magnetic resonance imaging) images.
 
Malaysian developer Firdaus Abhar Ali walked away with US$1,337 for ‘Most L33t Coder’, courtesy of Mozilla. In traditional hacker spirit, all source code from submitted projects have been made available on Github for download: https://github.com/hackweekday/HW2012KUL
 
But the real climax of the event, at least for this reporter, was the charity auction finale on the final day, which saw F-Secure’s celebrity chief research officer Mikko Hypponen allowing his painstakingly-maintained trademark ponytail to be chopped off (00:57:50 onwards in the video-stream) in the name of charity.
 
The items on the block included a one-of-a-kind Microsoft custom-designed XBox 360, the Pwnium 2 team laptop and Apple accessories signed by the Dream Team, but none got as much as Mikko’s sacrifice.
 
It was a challenge by Katie Moussouris by senior security strategist at the Microsoft Security Response Center (MSRC), who offered to have her locks lopped off too. “Sometimes you have to give personal things … very personal things. Perhaps things that you grew yourself … grew, on your head,” she challenged Mikko on stage.
 
“I will match Mikko’s donation, inch for inch,” she added to grand applause from the audience.
 
Mikko (pic, with his new look) said he’d always had long hair, even as a teenager. He had to cut his hair when he joined the army, but started growing it long again after he left. “I cut it once around 1999 or thereabouts, after I was promoted to manager and thought I had to look more like a businessman,” he told the audience.
 
“The next morning, I woke up and realized I had made a big mistake,” he added.
 
The bid for sympathy failed; off came his golden locks, in the name of charity. The highest bid was RM1,200, while more than 50 audience members chipped in RM100 each. Furthermore, a participant offered an additional RM1,500 for HITB founder and chief executive officer Dhillon Andrew Kannabhiran to actually perform the act. All in all, more than RM7,000 (US$2,290) from this single act alone.
 
The auction itself, to raise money for the Needy Cancer Patient Fund managed by Mount Miriam Cancer Hospital in the northern Malaysian island of Penang, saw a grand total of RM23,980 (more than US$7,840) being raised.
 
“There is a super special place in all our hearts for Katie and Mikko. Their extremely generous donation to the charity auction this year is indescribable and the team and I cannot thank them enough,” Dhillon said later in a statement.
 
“Much love also to all our donors who put up some very special items for us this year and of course our bidders, for their support in raising funds for Mount Miriam’s Needy Cancer Patients Fund,” he added.
 
HITBSecConf2012 had its tense moments, like when the founders of The Pirate Bay did not turn up, or when the 500Mbps pipe sponsored by TIME dotCom Bhd wavered at certain points of the day.
 
However, what will be remembered is the excitement and hard work, the many interesting discussions on vulnerabilities and exploits – mostly delivered in a no-holds-barred fashion – and more. HITBSecConf2012 was an interesting here-and-now intersection of the worlds of info-security researchers and experts, hackers and their targets, and the ICT vendors.
 
Morally-loaded
 
No talk encapsulated this ecosystem disruptions and dependencies better than Moussouris’ presentation on How to Get Along with Vendors Without Really Trying: A Guided Tour for Hackers on Current Vendor Disclosure Policies and Upcoming Standards.
 
In the old days – pre-1999 – the divide between hackers and their targets was much more pronounced and antagonistic. Few vendors recognized the value of having outsiders test their systems, and let’s face it, there were many hackers interested in only embarrassing vendors by publishing exploits on the Web, especially after said vendors make some ridiculous claims as to the impenetrability of their products.
 
There is still a bit of that, of course, but increasingly, both sides are beginning to appreciate each other. Part of this is thanks to a hacker called Rain Forest Puppy, who brought some semblance of order with his ‘responsible’ disclosure policy which gave vendors a five-day ‘grace period’ in which to acknowledge the bug, fix it or have the vulnerability exposed. The policy also required the hacker to grant the vendor time to fix it. Adhering to the policy was voluntary of course, but at least gave both sides a common ground for conversation and compromise.
 
In further discussing how vendors and the security community, including hackers, can work together, Moussouris said, “There are many ways to make illegitimate cash … but I am not going to talk about that.”
 
Moussouris (pic) noted that hackers have different motivations. “Some of you may be doing it to make money; some to increase your reputation and fame; some of you for the influence you may be able to wield.”
 
“Why would you want to work with vendors? Life’s just too short to be fighting with vendors – everyone can get along and gain something,” she added.
 
While acknowledging Rain Forest Puppy contribution to the info-security space –incidentally, Microsoft was the first vendor to go for it – Moussouris said she was uncomfortable with the term ‘responsible disclosure.’
 
“It’s a morally-loaded term – it probably came from the vendor or government community because they would still rather keep it all quiet,” she said.
 
Bodies like the International Organization for Standardization (ISO) have been looking into coming up with an acceptable set of practices for both vendors and hackers. The ISO dropped ‘responsible’ from its taxonomy and used the term ‘vulnerability disclosure.’
 
Moussouris also described how there are three parties involved here: Finders (for example, hackers who discover a vulnerability in a system), Coordinators (third party bodies or persons that acts as liaison between the Finder and the company) and of course, the Vendors (the companies).
 
Microsoft has what it calls a Coordinated Vulnerability Disclosure policy, according to Moussouris. “We published our policy for the first on our site in April 2011, because we were preparing to disclose third-party vulnerabilities.
 
“Microsoft, through the MSRC, is also a Finder and a Coordinator – we have to be, because of the nature of blended threats,” she added.
 
A blended threat uses a combination attack, or as software security company Symantec describes it, an attack that combines "viruses, worms, Trojan Horses, and malicious code with server and Internet vulnerabilities to initiate, transmit, and spread an attack."
 
Jocks and nerds
 
While the ISO is working towards having an industry standard disclosure policy, there are some obstacles, Moussouris noted.
 
“The ISO is full of cliques, just as in high school,” she said. “It’s like the jocks versus the nerds all over again.”
 
The nerds are of course the subject matter experts, like Moussouris herself, with industry experience and technical knowledge. The jocks are of course the ISO experts!
 
“These are experts at creating standards, and this is the funny thing about the process – they do not need to be experts in the area they are creating standards for. Even though some of them have good intentions, I find this strange,” she said.
 
“There is also the tale of two standards, with some overlap,” she added.
 
One is the ISO Standard of Vulnerability Disclosure (29147) which dictates how vendors should deal with vulnerability reports from external finders; while the other is the ISO Standard of Vulnerability Handling Processes (30111).
 
“30111 dictates how vendors should investigate, triage and resolve all potential vulnerabilities, whether reported from external finders of from their own internal testing,” Moussouris explained. “It requires, amongst other things, vendors to perform root-cause analyses – it’s amazing that we still have to bring this up in 2012.”
 
“Many vendors today still have no structure for how they support vulnerability investigation and remediation,” she added. “They are still relying on typical bug-fixing processes.”
 
Work on standards for vulnerability disclosure has been going on since 2006, with a target date of 2013 for the standards to be finally ratified.
 
“If you look at the timeline – stretching back to 2006 – you realize how contentious this whole process has been,” Moussouris said.
 
Not that there aren’t any benefits. ISO 29147, for instance, would make it easier for finders to report vulnerabilities to vendors, and also help make the advisories a vendor releases more useful. ISO 30111 would help raise the level of security investigation and remediation that vendors do.
 
“But there is a flaw in this whole ISO plan – I don’t know of many hackers who would want to be ISO-compliant,” she added.