Security experts and law enforcement officers often talk about the fact that hacking is a full-time, 24-hour-a-day job for the bad guys. They have no hobbies, they don't go to movies or ball games or museum openings. All they do is dismantle code looking for new vulnerabilities, build exploits and attack your networks. That's not a very comforting thought if you're a security manager.
But the good news is that there are folks on the right side of the fence who are just as dedicated, smart and motivated as the attackers are. The last few years has seen an explosion in the number of researchers doing serious work on rootkits, hardware security, P2P malware and other advanced problems. Some of these people are well-known, but many others work mainly behind the scenes and are not in a position to seek the limelight. In an effort to remedy that situation, here is an admittedly non-comprehensive list of researchers, hackers and security professionals you should keep an eye on. (Note: This is not a Top 6 or any kind of ranking; just a look at some folks doing good work.)
- Dino Dai Zovi. He's gotten a lot of attention of late for finding the QuickTime vulnerability that won the MacBook hacking contest at CanSecWest, but Dai Zovi has done a lot of interesting high-quality work in the last few years. Dai Zovi is the rare researcher who is as comfortable digging into OS X as he is tinkering with Windows. A former researcher at @stake and Matasano Security, Dai Zovi developed a virtual machine rootkit called Vitriol designed to subvert the Mac OS X kernel. And, along with Shane "K2" Macaulay, he built a wireless client security assessment tool called KARMA that enables users to see which wireless networks any client in range is probing for. "Dino is one of the top vulnerability researchers out there based on his skill. He doesn't do much research so he is not prolific but if he has a particular target in mind he can usually find a vulnerability," said Chris Wysopal, CTO of Veracode, who worked with Dai Zovi at @stake and co-authored a new book called "The Art of Software Security Testing" with him. "He is especially adept at OS X research which is a platform that most researchers haven't bothered with so there aren't many out there that have honed their skills on it." Any wagers on who might be the first one to p0wn an iPhone?
- Dave Dittrich. Dittrich is one of those unassuming researchers who goes about his work because he loves the intellectual challenge of it and not because he loves seeing his name in the paper. Best known for his expertise on DDoS attacks and his work with The Honeynet Project, Dittrich may be the most knowledgeable guy in the industry on botnets and the evolution of distributed attacks. The kind of advanced research and forensics work that Dittrich is doing right now on peer-to-peer malware and the command-and-control systems of massive botnets is beyond the scope of work being done just about anywhere else, including the federal government. Dittrich, a senior security engineer and researcher at the University of Washington's Center for Information Assurance and Cybersecurity, works closely with the government on some projects and is known to work long hours on his own time to solve particularly thorny forensic problems. "Dave Dittrich is truly a world-class expert on botnets. His research is not only impressive but seminal in that he offers new, leading-edge views into the very dark side of the world of cybercrime and cyberwarfare," said Ernie Hayden, manager of enterprise information security at the Port of Seattle. "Without Dave's efforts and focus on this problem, I'm convinced that our knowledge of this issue would be barren and at best shallow."
- Nate Lawson. Known to DVD hackers everywhere as the co-designer of the copy protection scheme for Blu-Ray discs, Lawson has a wide range of talents, including cryptography, reverse engineering and the security of embedded devices. Few researchers are as adept at moving between the worlds of software and hardware as Lawson is. To wit: He designed RealSecure, the first commercial IDS, and later, Decru's fibre channel encryption appliance. Lawson also has been involved with the development of the FreeBSD kernel for five years. Lawson doesn't fit the classic definition of a researcher in that he doesn't spend his days looking for vulnerabilities in software. But he's one of the few guys, along with Bunnie Huang and a handful of others, doing serious work on the security of hardware devices and embedded software. Lawson spent several years with Cryptography Research and is now out on his own as a consultant with Root Labs doing a lot of work on cryptography, security assessments of software, hardware and firmware. He's also working on the crypto for an incredibly cool device that Huang's company is building, called the Chumby. "[Nate] is one of the rare individuals that can bridge the gap between academic research and practitioner's work. He understands the role of both offensive and defensive technologies and mindsets in attaining improved security postures, and he doesn't fear math nor crunching quality code," said Ivan Arce, chief technology officer of Core Security. "His insights, his work at CRI, Decru and ISS as well as his contributions to the FreeBSD project have not been in the spotlight but they have certainly helped evolve the info security discipline quite a bit."
- Joanna Rutkowska. Like Lawson, Rutkowska is very well known in some circles, and she's been doing pretty high level research for several years. But her recent work on virtual rootkits and other types of stealth malware have thrust her into the spotlight in a big way. Rutkowska gave a presentation at this year's Black Hat Federal conference on various techniques for defeating hardware-based RAM acquisition that had a number of other top hackers shaking their heads in amazement. She recently started her own security consultancy, Invisible Things Lab, which will be doing security assessments and research. Rootkits have gotten a lot of attention in the last year or so, but the number of researchers who have done significant research on their attributes and ways to go about defeating them is quite small, to include Rutkowska, Jamie Butler, Greg Hoglund, John Heasman and Mark Russinovich. Watch for more from her. Soon.
- Vern Paxson. Paxson is sort of the Internet analog of a baseball umpire: If everything is running smoothly, you'll never even know he's there. Things rarely run smoothly on the Internet, but Paxson, an adjunct associate professor at UC Berkeley and a key member of the team at the International Computer Science Institute's Center for Internet Research, has several projects in the works to help remedy that. An authority on the early detection and containment of worms and other rapidly spreading malware, Paxson is part of team working on the network telescope project funded by the National Science Foundation, which aims to provide early warnings about new worm activity by monitoring unallocated IP address space. He also is working on DETER, a collaborative research effort among a number of major universities and SRI International, which comprises a handful of individual investigative projects on worm behavior and defenses. Paxson's piece of DETER is an effort to model the behavior of the Slammer worm on a testbed network. "Vern is one of these guys who is a total expert on network protocols and systems architecture and knows as much as anyone about worm behavior modeling," Lawson said.
Who else should be on this list? Let me know what you think at firstname.lastname@example.org.
This was first published in May 2007