[iwar] [fc:Special.Report.-.Ethical.hackers.-.The.only.hackers.you.want.in.your.system]

From: Fred Cohen (fc@all.net)
Date: 2001-10-13 02:24:27


Message-Id: <200110130924.CAA01763@big.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Date: Sat, 13 Oct 2001 02:24:27 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:Special.Report.-.Ethical.hackers.-.The.only.hackers.you.want.in.your.system]

Special Report - Ethical hackers - The only hackers you want in your system 
Mark Samuels, Computing, 11-10-2001
http://vnunet.com/News/1126058

Paul has spent hours looking for vulnerabilities in one particular UK
website.  Sometimes he goes a step further and waits outside the
company's head office to watch staff arrive in the morning.  Gathering
information on who works where, and how they get into the building,
helps him plan his attack. 

When Computing spoke to Paul a few days later, he was flushed with
success. 

He had sneaked past security systems, and hacked the company's physical
site.  "The company had a huge recycling bin that hadn't been emptied in
ages.  I could get to paper that was posted in the slot, and pull out
bank statements," says Paul. 

Fortunately for the company, Paul is an ethical hacker with IBM, paid by
companies to expose their weaknesses before someone less well
intentioned does it for them.  For Paul, such cases are common. 

Security? Get serious

The problem is that too few IT departments take security seriously. 
Some 14 per cent of UK organisations reported a security breach last
year, according to consultant KPMG.  But not all cases are reported - in
reality, the figures are likely to be far higher. 

Most companies aren't equipped to deal with attacks, and only half of
companies have incident response procedures to react to attacks when
they do happen, says KPMG. 

Companies are aware of the threats - 50 per cent of those surveyed by
the consultant identified hackers as the biggest threat to their
systems.  Unfortunately, those companies haven't done enough to stop
hackers getting in. 

"You have a laugh with your colleague when you see a system that is
totally open," says Paul. 

But luckily for his clients, Paul has their best interests at heart.  He
says he would never use his skills for his own personal gain.  "I love
hacking as a job, and that's why I would never do it."

Trust me, I'm an ethical hacker

Ethical hackers don't just hack your IT systems.  Working in a secure
lab that is research controlled, and isolated from external systems,
James Luke, lead technical architect in IBM's knowledge management
practice and an expert on industrial espionage, experiments with
computer viruses. 

Like Paul, Luke says he can be trusted.  "I spend a great deal of time
in a practical research environment.  I do this so we can better
understand the threats to our customers, and protect them."

With an expert past, these guys are recruited to help you.  Back in the
mid 1980s Paul and his friends wired up BBC Micros with slow 300-baud
modems to hack university systems. 

Once inside the system, people were far more interested in learning and
exploring than corrupting data, says Paul.  Even so, the Computer Misuse
Act of 1990 ended his adventures.  "A lot of people knocked it on the
head overnight.  You couldn't risk being arrested, and having your
future career flushed down the toilet," he says. 

By 1993, Paul had his own dial-up modem.  He kept his hacking knowledge
up to date by participating in various online newsgroups. 

His interest in hacking was further fostered in the mid 1990s when he
was employed by an IBM business partner.  Here he tested the security of
the company's hardware and software implementations.  "If I put a
firewall or a web server in, I wanted to make sure that the ports I
opened were safe," says Paul. 

After five years testing security, Paul was asked to join IBM's ethical
hacking team.  "I jumped at the chance," he recalls.  And he hasn't
looked back since. 

"It's like your favourite hobby - playing golf, racing cars - for me,
I'm being paid to do my hobby.  I can hack all day and night, live, eat
and sleep it," he says. 

Going through a phase

Ethical hacking engagements usually have a number of phases.  Paul
always starts with war-dialling. 

The company contracting Paul will have given him and his colleagues a
list of the direct dial-in number ranges that are owned by its sites. 
Paul and his colleagues will then test every single one ("war-dial") to
find a potential modem access point.  Numbers are dialled in random order
rather than sequentially, so that the telephone company does not spot a
sweep of its exchange and raise the alarm. 

Once modems are found, they dial back in and discover the attached host
systems.  "Modern hosts tend to be tight," says Paul.  Securely password
protected servers make Paul's work difficult. 
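As an added worked example (not part of the article or of IBM's methodology), the scheduling and triage side of the war-dial described above, in Python: expand the client's number ranges, dial them in random rather than sequential order, and sort the modem result codes into numbers to dial back, numbers to retry and numbers to drop. The number ranges, the result strings and the outcome labels are constructed for the example; a real run would send ATDT commands to a modem and log the actual responses.

```python
import random
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Number ranges as a client might hand them over: (dialling prefix, first
# extension, last extension).  Constructed values, not a real exchange.
SAMPLE_RANGES: List[Tuple[str, int, int]] = [
    ("01234567", 0, 299),    # 01234 567000 .. 567299
    ("01234568", 100, 149),  # 01234 568100 .. 568149
]

# Hayes result codes a modem returns after ATDT<number>.  Constructed sample
# of what a dialling run might log, keyed by dialled number.
SAMPLE_RESPONSES: Dict[str, str] = {
    "01234567042": "CONNECT 33600",
    "01234567107": "BUSY",
    "01234567201": "NO CARRIER",
    "01234568133": "CONNECT 9600",
    "01234568140": "NO DIALTONE",
}

RESULT_CODE = re.compile(r"^(CONNECT|NO CARRIER|BUSY|NO DIALTONE|NO DIAL TONE|NO ANSWER)\b")


def expand_ranges(ranges: Iterable[Tuple[str, int, int]]) -> List[str]:
    """Expand each (prefix, first, last) block into full numbers.  Extensions are
    zero-padded to the width of the last extension so 567042 is not dialled as 56742."""
    numbers: List[str] = []
    for prefix, first, last in ranges:
        width = len(str(last))
        for ext in range(first, last + 1):
            numbers.append(f"{prefix}{ext:0{width}d}")
    return numbers


def dial_schedule(ranges: Iterable[Tuple[str, int, int]], seed: Optional[int] = None) -> List[str]:
    """Every in-scope number exactly once, in a random order rather than walking
    the exchange sequentially.  seed exists only for reproducible tests; a live
    run leaves it None and draws the order from the OS entropy source."""
    numbers = expand_ranges(ranges)
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    rng.shuffle(numbers)
    return numbers


def classify(response: str) -> str:
    """Map a modem result code to what the tester does with the number next."""
    m = RESULT_CODE.match(response.strip().upper())
    if not m:
        return "unknown"
    code = m.group(1)
    if code == "CONNECT":
        return "modem"        # a carrier answered: candidate access point, dial back later
    if code == "BUSY":
        return "retry"        # engaged; might be a modem in use, so try again another time
    if code.startswith("NO DIAL"):
        return "line-fault"   # problem on our outbound line, not the target
    return "no-modem"         # NO CARRIER / NO ANSWER: voice, fax or rang out


def triage(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Group dialled numbers by outcome, sorted so reports are stable."""
    groups: Dict[str, List[str]] = {}
    for number, response in responses.items():
        groups.setdefault(classify(response), []).append(number)
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == "__main__":
    print(dial_schedule(SAMPLE_RANGES)[:5])
    print(triage(SAMPLE_RESPONSES))
```

The "modem" list is the input to the dial-back step the article describes next; the "retry" list is re-dialled on a later pass, because a busy line may be a modem someone else is using.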

However, he does find systems that are left completely unprotected.  "We
found an air conditioning system with modems attached.  It was the
environment control for a big building.  And there was no password
control at all, so you could just go in and do what you wanted to.  We
were going to set the office temperature at 33 degrees Celsius in the
middle of the summer," says Paul. 

The next step in an ethical hack is an over-the-internet security
assessment.  Here Paul and his team check the security of the customer's
internet connected infrastructure, including web and mail servers. 

Paul follows a tried and tested methodology to discover which ports are
open.  Once he's found a port, he will then see if it's possible to
compromise the external web server. 

Let's get physical

A full-scale engagement also includes social engineering.  In what's
known as a physical penetration test, Paul and his colleagues spend the
first day looking at the company's site.  They then use this information
to design a plan to get past the physical controls the company has in
place.  Most of those plans have worked. 

"We've had a string of very successful physical penetration tests where
we've been able to get past many swipe card controls," Paul says.  "This
then gives us free access to roam around the building, and pick up
confidential material off the printers and out of recycling bins."

If a company has the right physical policy, it generally shows they have
the right mentality, says Paul. 

Key physical defences should include swipe cards, turnstiles and
bolted-down IT equipment.  "In companies like that, you'd expect
external servers to be secure as well," says Paul. 

But it's not always as simple as that.  "We've seen customers whose
physical security is incredible, and you can't get near the building
without a security guard coming out," says Paul.  "But when you get in
to do the legitimate hack of the internal network, it's wide open."

All-round corporate security will require specialist expertise.  "Unless
your company has a dedicated security officer who does logical security,
in terms of systems access and physical security, then you'll find your
company might be open," says Paul. 

Tracking the hacks

It's difficult to keep track of developments in the hacking world.  It's
vital that companies appreciate how tools and techniques change with
time, says Luke.  "A hacking technique which is very hot now, which
hackers can learn off the internet and use every day, may not be used in
12 months' time."

Corporates should develop a technology-independent information strategy,
says Luke.  "Companies need to learn how to value their information
first.  Once they've done that, they can look at how hackers might
degrade their information."

Insider hacking

The insider job should be your main concern, says Paul.  For example,
aggrieved ex-employees may have access to your information.  Having been
made unemployed, a member of your IT department could have created a
spoof user identification and password.  They can then dial back into
your network from the outside and hack into the system. 

Poor configuration of web servers is also a key concern.  Paul says the
worst web server configurations arise from bolt-on packages. 

New software installations often create default user accounts.  If the
default password is not changed, an attacker can use it to get into the
back-end system.  Examples of this are common. 

"In the last few weeks we worked on an engagement where a customer had
Oracle databases installed on its web server," says Paul. 

"We entered the username Oracle and password Oracle to get into the
system.  That allowed us to get access to a further set of passwords and
a further series of system privileges."
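Added example, not from the article or IBM's team: a small account audit in Python that covers both of the points Paul makes above, an account still on its vendor default password (the oracle/oracle case) and a remote-capable account created by an administrator who has since left. The account records, the leaver list, the default-credential list and the salted-SHA-256 storage format are all constructed assumptions; on a real system the verify step would call whatever password check the platform provides.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Account:
    username: str
    salt: str
    pw_hash: str           # stored form of the password (see pw_hash below)
    created_by: str        # administrator who created the account
    remote_access: bool    # can log in over dial-up or from outside the network


def pw_hash(password: str, salt: str) -> str:
    """Stand-in for whatever the real system stores (assumed here: salted SHA-256).
    The audit only needs some way to test a candidate against the stored form."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


def verify_password(account: Account, candidate: str) -> bool:
    return hmac.compare_digest(pw_hash(candidate, account.salt), account.pw_hash)


def make_account(username: str, password: str, created_by: str, remote_access: bool) -> Account:
    salt = "salt-" + username   # a real system uses a random per-account salt
    return Account(username, salt, pw_hash(password, salt), created_by, remote_access)


# Vendor default credentials of the kind the article describes (oracle/oracle).
# Illustrative short list; a real audit carries a much longer one per product.
DEFAULT_CREDS: List[Tuple[str, str]] = [
    ("oracle", "oracle"),
    ("scott", "tiger"),
    ("system", "manager"),
    ("admin", "admin"),
]

# Constructed account database.  'dsmith' is the former IT staffer in Paul's scenario.
ACCOUNTS: List[Account] = [
    make_account("oracle", "oracle", "dsmith", False),            # installer default, never changed
    make_account("scott", "tiger", "jbloggs", True),              # default, and reachable from outside
    make_account("admin", "Changed-L0ng-passphrase", "jbloggs", True),
    make_account("svc_backup", "B4ckup!2001", "dsmith", True),    # created by a leaver, dial-in enabled
    make_account("webapp", "w3b-App-Only", "jbloggs", False),
]
LEAVERS: Set[str] = {"dsmith"}   # from HR's leavers list, constructed


def default_password_accounts(accounts: Iterable[Account],
                              defaults: Iterable[Tuple[str, str]] = DEFAULT_CREDS) -> List[str]:
    """Accounts whose current password is still a vendor default for that username."""
    by_user: Dict[str, List[str]] = {}
    for user, pw in defaults:
        by_user.setdefault(user, []).append(pw)
    return sorted(a.username for a in accounts
                  if any(verify_password(a, pw) for pw in by_user.get(a.username, [])))


def leaver_created_remote_accounts(accounts: Iterable[Account], leavers: Set[str]) -> List[str]:
    """Remote-capable accounts created by someone who has left.  Each needs a
    current owner to vouch for it; otherwise disable it and change its password."""
    return sorted(a.username for a in accounts
                  if a.remote_access and a.created_by in leavers)


def audit(accounts: List[Account] = ACCOUNTS, leavers: Set[str] = LEAVERS) -> Dict[str, List[str]]:
    return {
        "default_password": default_password_accounts(accounts),
        "leaver_created_remote": leaver_created_remote_accounts(accounts, leavers),
    }


if __name__ == "__main__":
    print(audit())
```

Both checks are cheap to run on every account export, and the second one is only as good as the HR leaver list it is fed; a leaver who is missing from that list is exactly the case Paul warns about.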

Most problems are related to bad planning.  Due to time constraints,
technical staff rush from one job to the next before fully completing a
system implementation. 

"They might put a mail server in and everyone will be happy because it's
up and working, but before the technical team have had a chance to bolt
down the security, they have another 50 jobs to do," says Luke. 

Password policy

He agrees that working practices can hinder corporate security.  One of
the key problems is passwords.  Companies should educate their employees
to change their passwords once a month, and should make them use
alphanumeric passwords that are at least eight characters long, says
Luke. 

"People will then write passwords down in the front of their notebook or
stick them on a yellow Post-It note to the side of their computer," he
says. 

Slack practices, such as this, are common, although Paul admits it's
difficult to quantify how bad corporate security is. 

"We generally only get called in when a company has already been
attacked or when there's been an internal security breach."

Systems are poorly configured and have gaping holes in them, he adds. 

Paul believes that wider security has severe limitations.  "General
security that exists out on the Net isn't very good at all.  Security is
always the last priority - and by then the company has always used up
all its budget."

Unfortunately, it all comes down to a matter of money.  "At the board
level, security is seen as an endless hole that you tip money into, but
don't get a physical item out of the end of it," he says. 

Paul suggests this type of thinking is short-sighted.  "It may cost
£50,000 for security, but if your company is hacked and your website is
defaced, then customer confidence will go down the pan," he says.  "You
need to weigh up how much brand damage your company can live with."

Corporate cases

Sceptical IT directors and chief executives should look hard at recent
examples of corporate hacks.  Late last year, HSBC's website was hacked,
and the front-pages for UK, Spain and Greece were replaced by a new
image. 

And Bibliofind, a subsidiary of online retailer Amazon, was partially
shut down after it was discovered that hackers had been accessing
customer information on its server between October 2000 and February
2001. 

"We've had customer engagements where servers have been hacked and
websites defaced," says Paul.  "One pharmaceutical customer had pictures
of cut-open animals put across its site."  That one was a reactive case. 

IBM's ethical hacking team was called in after the event.  Even worse,
the server had already been rebuilt and there were no web logs for Paul
to scrutinise because they'd already been scrubbed. 

In this case, there was no way for Paul to trace how the hackers had got
in.  Companies in a similar situation should not jump the gun when
installing new security products. 
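Added example, not from the article or IBM's team: preserving the web-server logs with a hash manifest before a compromised host is rebuilt, which is what would have let Paul trace the intrusion above. The log lines, paths and file names are constructed; in a real incident the same collection would also cover system logs and, ideally, a full disk image.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Iterable, Tuple

# Constructed Apache-style access log: the kind of record a rebuild destroys.
SAMPLE_ACCESS_LOG = (
    '203.0.113.9 - - [10/Oct/2001:03:12:44 +0100] "GET /cgi-bin/../../../../etc/passwd HTTP/1.0" 404 -\n'
    '203.0.113.9 - - [10/Oct/2001:03:13:02 +0100] "POST /upload.cgi HTTP/1.0" 200 512\n'
)
MANIFEST_SUFFIX = ".manifest.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_paths: Iterable[Path], dest_dir: Path) -> Path:
    """Copy the logs into a tar archive in dest_dir, record each file's size and
    SHA-256 plus the archive's own digest in a JSON manifest, and make both
    read-only.  Returns the manifest path.  Run this before anyone rebuilds the box."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = dest_dir / f"weblogs-{stamp}.tar"
    manifest = {"collected_utc": stamp, "files": []}
    with tarfile.open(archive, "w") as tar:
        for p in map(Path, log_paths):
            manifest["files"].append(
                {"path": str(p), "size": p.stat().st_size, "sha256": sha256_file(p)})
            tar.add(p, arcname=p.name)
    manifest["archive_sha256"] = sha256_file(archive)
    manifest_path = archive.with_name(archive.stem + MANIFEST_SUFFIX)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    os.chmod(archive, 0o440)
    os.chmod(manifest_path, 0o440)
    return manifest_path


def archive_for(manifest_path: Path) -> Path:
    return manifest_path.with_name(manifest_path.name[: -len(MANIFEST_SUFFIX)] + ".tar")


def verify_manifest(manifest_path: Path) -> bool:
    """True only if the archive and every file inside it still match the manifest."""
    manifest = json.loads(manifest_path.read_text())
    archive = archive_for(manifest_path)
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False
    with tarfile.open(archive, "r") as tar:
        for entry in manifest["files"]:
            member = tar.extractfile(Path(entry["path"]).name)
            if member is None or hashlib.sha256(member.read()).hexdigest() != entry["sha256"]:
                return False
    return True


def demo() -> Tuple[bool, bool]:
    """Collect a constructed log, verify it, then corrupt the archive and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log = root / "access.log"
        log.write_text(SAMPLE_ACCESS_LOG)
        manifest = preserve_logs([log], root / "evidence")
        intact = verify_manifest(manifest)
        archive = archive_for(manifest)
        os.chmod(archive, 0o640)
        with open(archive, "r+b") as f:
            f.write(b"X")       # overwrite the first byte: verification must now fail
        return intact, verify_manifest(manifest)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest, copied somewhere the rebuild cannot touch, is what lets a later investigator show that the logs examined are the ones that were on the server, not a reconstruction.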

"Before even considering a web server solution, IT directors should do
their homework first," says Paul.  "Check out security websites and see
how different products are rated.  In the front end of your web server,
put in a decent firewall and web traffic filter."

"We've seen web servers connected to the Net with no firewall
whatsoever," Paul continues.  Avoid that at all costs: the firewall limits
which services on the host can be reached from the internet, and without
it the hacker has free rein to attack your box. 

No smoke without firewalls

Paul has seen some embarrassing slips from companies that have spent a
lot of money on firewall technology.  Using something called "debug"
mode, an IT department can turn off a firewall's filtering to inspect the
traffic running between different devices and applications.  Paul has
seen "debug" modes go unnoticed for up to six months, which is like
closing the door and leaving it unlocked. 

A firewall will not answer all your security prayers.  Quality
enterprise security will require more than a single product. 

"A single product can be beaten.  What you need is an appropriate
multi-layered security system that covers all possible routes of
attack," says Luke. 

When considering these layers, the IT director must evaluate the value
of information they're protecting. 

"That must drive the selection of your security products," says Luke. 
"Clear priorities for security spend include virus checkers, intrusion
detection systems and data back-up systems."

Companies must think of security from the outset.  Retro-fitting defence
products to existing systems is likely to be a tricky task. 

"Security needs to be designed in at the low-level," Paul says. 

Get it right at the start, and the ethical hacker's job will be made
much more difficult.  This article is available online at
http://vnunet.com/News/1126058


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:54 PST