Monday, Aug 10, 2009

Defcon Delivers Metaphors for Web Malware

I recently attended the 17th annual Defcon conference in Las Vegas. I was struck by how so much of what occurred at that conference can be seen as a metaphor for the problems we face on the Web today.

Things are much bigger than they seem
This year's Defcon was much larger than normal. With economic conditions still tight, many chose to forgo the pricier Black Hat conference immediately preceding it. Unlike Black Hat, Defcon has no pre-registration. Using the 20% drop in Black Hat attendance as a gauge, expectations were that 6,000 would attend Defcon. In reality, over 10,000 attended - a crowd that would make even the most mildly claustrophobic a bit squeamish, and far more than Defcon organizers had planned for.

The same can be said for today's Web threats - as with Defcon, there is no way to pre-count the number of sites that will be impacted by any given attack. Additionally, the total number of websites impacted at any given time is far greater than most perceive. And, as with Defcon, Web attacks are influenced by a variety of global, social, and economic conditions. Faced with struggling economies across much of the globe, attackers are keener than ever to use the Web for illicit monetary gain.

Locks can't be trusted
Seeking respite from the crowds, I spent some time watching the lockpicking sessions held in a less populated part of the conference center. Big round tables were filled with seated participants who, brows furrowed, were trying to crack open various padlocks using a variety of sophisticated-looking metal lockpicks. In sauntered a new guy who, not bothering to seat himself, whipped out a semi-rigid homemade plastic shim, grabbed a padlock from the table and with simple sleight of hand opened it in seconds.

Having spent a few years locksmithing in the past, I wasn't surprised at how quickly he broke into the lock, or even how simply he did it. Instead, I was utterly amazed at how many participants in the room were utterly amazed that he had done so.

We have the same false sense of security when it comes to the little yellow padlock that is supposed to designate a secure Web page. It's an image, folks - an illusion of security that makes people feel good but in actuality means absolutely nothing. If you think a pin tumbler padlock will keep would-be thieves out of your gate, think again. Padlocks keep honest people honest and nothing more. Likewise, the little yellow padlock image on that allegedly secure Web page offers no protection whatsoever and in no way means a particular website is safe.

With friends like this, who needs enemies?
One of the tools discussed at this year's Defcon enabled the automated manipulation of mixed HTTPS/HTTP content. In a nutshell, the tool enables would-be attackers to automate a man-in-the-middle attack that swaps out the HTTPS portion of the requests, cataloging and remembering the original path while substituting in their own malicious content (and intercepting your sensitive data in the process). At particular risk is any site that lets you enter login credentials into an allegedly secure box (you know, the ones with the padlock) embedded somewhere on a page served from an HTTP:// address. This weakness covers just about all mainstream banking and ecommerce sites, as well as most social networking sites (such as Facebook).

What struck me about this presentation wasn't that it was possible - that capability has long been abused by phishers for years. What was so disconcerting was that the researcher had created a tool that improved and automated the entire process and then made the tool freely available for download, making it possible to carry out this style of attack on a very large scale. This is the exact scenario (MPack, et al) that has led to today's mass compromises of websites.

And the researcher said he did it all just to prove the point that it could be done.

Nice. :-(
