http://www.zdnet.com/computershopper/edit/cshopper/content/9902/383168.html

Hackers Go Pro
by Nancy Nicolaisen and Dan Costa

Penetration analysis, or ethical hacking, is an increasingly popular way for businesses to find holes in their networks. Vendors are lining up to break and enter for profit.

Introduction

Ethical hacking might seem like an oxymoron, and it does present some confusing issues, but it is also a growing and legitimate IT specialty. Ethical hackers can be separated into two broad classes--independents and consultants. Independent ethical hackers believe that discovering the weaknesses of software, hardware, and the networks upon which we all depend is an inherently good or ethical act. These good-Samaritan Netizens have been around for years--poking holes in Internet Explorer, breaking encryption algorithms, accessing networks without authority. Sometimes they report the hack to the company; other times the hack announces itself, and the vendor must quickly fix the problem. This real-world market testing can make products stronger and safer for the rest of us. [White hat hackers or "good-Samaritan Netizens" do not access other networks without permission. White hat denotes good or legal 'hackers'.]
Originally published in the February 1999 issue

Digital Samurai

If hackers are the ninjas of the Net, then ethical hackers sell themselves as the samurai. Ethical hackers look for the holes in a system, however ephemeral or obscure, ideally allowing system administrators to close them before real hackers arrive. However, aside from a difference in motives, "bad" hackers and "good" hackers operate in more or less the same fashion.

In the case of IBM Corp.'s Ethical Hacking group, an invitation to attack a target is typically a very quiet arrangement made between the highest levels of management and IBM's Security and Cryptography division. Initially, the parties define the rules of engagement for the attack. "At this point, we mutually establish when we will attack, what we will do, and most important, what we won't do," says Charles Palmer, IBM's manager of network security and cryptography. For a realistic test of a system's defense, IBM's team encourages clients to undertake completely blind testing, providing no forewarning to operational staff and imposing no restrictions on what techniques or timing attackers may use.

Regardless of restrictions imposed in the rules of engagement, IBM's team is successful at gaining access about 80 percent of the time. "We are really trying to find out two things," says Palmer. "First, can we get in and fool around? Second, and of much greater importance, does anyone notice?" After the IBM Ethical Hacking team has compromised the target, it maintains a presence, gradually increasing the level of illicit activity to establish the victim's threshold of discovery. After a successful attack, IBM's team provides the client/victim a complete account of what the hackers did, along with a description of how to defeat similar attacks. The team never discloses the exact methodology of a successful attack, however.
Ethical hacking is gaining acceptance as an audit technique largely because victims of actual attacks have begun to go public with accounts of their experience, reversing a long trend of silence. Disclosing successful attacks may in part be motivated by public-relations considerations: A company that announces and describes a successful attack is at least in a position to give equal coverage to remediation measures, an aspect on which a third-party account is unlikely to focus. Also, interest groups have begun to actively share information among themselves on known attacks and attackers. Citibank pioneered this strategy after going public with information about a successful attack on the company's Web site. As a result, the banking industry formed a group that shares attack information and IP addresses of potential attackers, and alerts members to surges in Net activities known to be precursors of hack attempts.

Of course, not everyone is happy with all this publicity. Some industry watchers say that IBM and other so-called ethical hackers are simply trying to generate more business by scaring companies into paying for their services. IBM's service business did $19.3 billion worth of consulting in 1997, and security consulting made up a large part of that. IBM charges anywhere from $15,000 to $40,000 for its team to crack your security. (That includes travel and living expenses should the team decide to actually visit your company's home office.)

Still, the need for some form of security testing seems real. The Computer Security Institute in San Francisco conducts an annual poll to determine the scale of hacker activity. It polled 520 specialists in U.S. corporations, government agencies, and financial institutions, and it found that 64 percent reported computer security breaches in 1997. This is up 16 percent from 1996. More to the point, losses from these intrusions rose from $100 million to nearly $137 million.
What's more, these attacks are increasingly coming from outside the company. In 1995, only 37 percent of companies said they were attacked via the Internet, but now 54 percent say the Net is a source of repeated attacks. "The threat on the inside is still higher," says IBM's Palmer, "but the threat from the outside is trying to catch up."

Who Watches the Watchmen?

In contrast to IBM's elite team of experts, recruited from the ranks of its Systems Research division, some ethical hackers bring slightly more shadowy credentials to the trade. Marketing their services as security consultants, some reformed hackers engage in behavior and business practices that raise valid concerns. Is the "ethical hacking" community in the business of manufacturing threats?

In one such questionable incident, Israel's WithinReach software posted a new implementation of the notorious Back Orifice hack on its Web site. This enhanced version embedded the hack in a hostile Java applet, endowing it with previously unknown mobility and transparency. Back Orifice is the work of the hacker collective Cult of the Dead Cow. Introduced at DefCon 98 (a hacker conference held in San Francisco in August), it uses standard Windows system-management APIs to provide the attacker a means of remotely monitoring Windows 95 systems. Back Orifice also provides access to most system resources, including the file system and the registration database. [Defcon is held in Las Vegas.]

Though widely publicized as an ominous threat, experts generally agree that it poses a relatively insignificant risk due to the nature of its delivery: In its original form, the hack gained access to the system as an executable attachment to an e-mail message. Unless and until the e-mail recipient ran the executable, the Back Orifice hack was completely benign. The implementation posted by WithinReach dramatically altered that situation, however.
Inserting the hack in a Java Bean causes it to be transparently installed in a browser and automatically executed when the unsuspecting user visits an infected Web page. An individual who is, coincidentally, the manager of customer support at a security-software company with a presence in Boston and in Haifa, Israel, performed this malevolent feat of reverse engineering.

The danger of letting these tools fall into the wrong hands isn't lost on the security industry. Several software vendors, including Finjan Software, have established policies forbidding the generation and proliferation of hostile code for its own sake. And it is largely for these reasons that IBM's Ethical Hacking group doesn't provide the specifics of successful attacks, even to the customers who paid for them.

Preemptive Strikes

Most successful hacks are the product of something less glamorous than sheer genius. More typically, they are an amalgam of breathtaking perseverance and a specific bit of technical insight. Still, having access to a team knowledgeable in the ways of hacking offers IT managers a new range of responses, or counterhacks.

Take, for example, a recent attack simultaneously mounted against three targets: the U.S. Department of Defense (DoD), the Web site of the president of Mexico, and the Frankfurt Stock Exchange. The hack was staged by Electronic Disturbance Theater in an attempt to effect what is considered to be the crudest of all attack strategies, a denial of service. Briefly, a denial-of-service attack is one that aims to flood the targeted server with requests, effectively making it unavailable to legitimate users. In an interesting twist, the attack was mounted by unsuspecting third parties rather than by the actual perpetrators. Known as the zapsNetTactical hack, it relied on infected mobile code for transparent distribution.
Here's how it worked: When users visited the Electronic Disturbance Theater home page, a hostile Java applet was automatically downloaded to their browser. The applet transparently initiated page-fetch requests to each of the three targeted Web sites several times a second. The perpetrators claim to have distributed on the order of 10,000 copies of the applet.

When the flood of requests began hitting the DoD server, the server was prepared. In a preemptive strike, the DoD server detected the point sources of the request flood and turned the strategy around on the attackers. The targeted server discarded incoming page requests, but it responded to the attacking client by sending it an uninterruptible stream of empty browser windows. Though the exact details of the successful defense were not disclosed, it's likely that the server tracked the frequency and variability of requests associated with a particular client's IP address.

Ethical hacking in self-defense is certainly likely to become a routine method of defeating denial-of-service attacks, but it increasingly places innocents in the crossfire. In the case of zapsNetTactical, affected users likely didn't know that they downloaded the hostile applet, nor did they probably realize why their browsers subsequently froze. Because targets of attack can really only preemptively strike back at the source of a flood of requests, this technique may ultimately provoke hackers by providing them a tool more effective than denial of service. To mount an ethical-hack counterattack, servers are forced to shut down the browsers of users who may be unaware they have been co-opted.

Preemptive ethical-hacking techniques may also be used to forecast attacks and identify likely perpetrators. Typically, these activities center on scanning, a pattern of network communication not unlike a burglar walking along a dark street checking each door and window to find an easy point of entry.
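The detection side of the defense the article infers (tracking the frequency and variability of requests per client IP, then discarding that client's requests), as an added example that is not from the article or the DoD server: a per-client sliding-window counter run over constructed access-log lines. The Common Log Format layout, the thresholds, the documentation-range addresses and the "few distinct pages" test for a page-fetch loop are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format prefix: client IP, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)')

def parse_line(line):
    m = LOG_RE.match(line)  # returns (ip, timestamp, path) or None if unparsable
    if not m:
        return None
    ip, ts, _method, path = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path

class FloodDetector:
    """Sliding-window request counter per client IP: flag a client that exceeds
    max_requests inside window_seconds while hitting fewer than min_distinct_paths."""
    def __init__(self, window_seconds=5, max_requests=10, min_distinct_paths=2):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.min_distinct_paths = min_distinct_paths
        self.history = defaultdict(deque)  # ip -> deque of (timestamp, path)
        self.flagged = set()

    def observe(self, ip, when, path):
        """Record one request; return True if the server should discard it."""
        q = self.history[ip]
        q.append((when, path))
        while q and when - q[0][0] > self.window:  # expire entries outside the window
            q.popleft()
        if len(q) > self.max_requests and len({p for _, p in q}) < self.min_distinct_paths:
            self.flagged.add(ip)
            return True
        return False

def process_log(text, **kw):
    """Run the detector over a whole log; return (flagged IPs, requests discarded)."""
    det, discarded = FloodDetector(**kw), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and det.observe(*rec):
            discarded += 1
    return sorted(det.flagged), discarded

def make_line(ip, second, path):
    return f'{ip} - - [10/Sep/1998:14:03:{second:02d} +0000] "GET {path} HTTP/1.0" 200 512'

# Constructed sample log: one co-opted browser hammering /index.html, plus two ordinary visitors.
SAMPLE_LOG = "\n".join(
    [make_line("198.51.100.7", s, "/index.html") for s in (1, 1, 1, 1, 2, 2, 2, 2, 3, 3, 3, 3)]
    + [make_line("203.0.113.9", s, p) for s, p in ((1, "/"), (4, "/news.html"), (8, "/about.html"))]
    + [make_line("192.0.2.44", 2, "/")])
```

The variability check is what keeps a busy but legitimate visitor (many different pages) from being flagged alongside an applet that fetches one page several times a second.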
IBM's Ethical Hacking group routinely scans the systems of its subscribers, looking for possible points of unauthorized access and comparing results to previous scans to identify suspicious changes. On a larger scale, the federally sponsored Computer Emergency Response Team (CERT) watches networks at large, identifying sources of scanning, alerting the public to the identities of known attackers, and publishing detailed accounts of successful hacks along with effective defenses against them. [CERT does not alert the public to the identity of known attackers.]

Even the insurance industry is getting into the ethical-hacking business. Cigna Corp.'s Property and Casualty division offers insurance against losses incurred from a hack. The insurance giant will insure clients as long as they install Cisco Systems' NetRanger firewall and use NetSolve's ProWatch to monitor their systems. According to Cigna, the company's policy will cover up to $25 million in losses. Much like IBM, Cigna also offers ethical-hacking services to determine a customer's weaknesses. For a fee of $25,000 to $35,000, Cigna will attempt to break into a customer's network and then issue security recommendations. In fact, getting insurance coverage may be contingent on implementing these measures.

Who's Next?

Despite these dire accounts, it should be said that even if you use the Web to shop or make financial transactions, as an individual, you are unlikely to be hacked. In the words of one ethical hacker, targeting an individual may pay for a hacker's Snapple and pizza for a couple of weeks, but for the amount of sheer effort involved in finding and penetrating a susceptible host, a corporate target is much more appealing. And there is no shortage of corporate targets. According to Zona Research, security is a top concern for corporate IT managers, but they are spending money in the wrong places.
Zona found that although 58 percent of the 212 companies it polled were increasing their security budgets, relatively few do regular security testing. In fact, 40 percent of companies do no testing at all, and most of the rest use only internal audits. Without adequate outside testing, new security loopholes won't be detected until someone uses them.

In the end, employing ethical hackers is a balancing act. Business and network managers must ask themselves whether they want to deal with a devil they know and have under contract, or the devil they don't.

For the Best Defense

- Change all default accounts and passwords that shipped with your servers and desktops.
- Require passwords for access to all servers.
- Authenticate both remote and local users.
- Use hard-to-guess alphanumeric passwords.
- Limit the number of access attempts a user can make.
- Change passwords frequently.
- Deactivate accounts when employees leave the company.
- Restrict all of your company information, including help menus, until users are authenticated.
- Don't give users "root" access to hosts.
- Use the most current version of client/server software.
- Record and review security logs.

Beyond Ethical Hacking
by Kevin Poulsen

The image of rebellious scofflaws slipping through the back doors of corporate computer networks has always been a powerful force for drawing companies into the waiting arms of highly paid consultants: The Gartner Group predicts the worldwide information-security market will reach $13.1 billion by the year 2000. But the recent popularity of penetration analysis--in which security professionals stage controlled attacks on a client's network--may owe more to the hacker mystique than to sound security policy. "I think penetration analysis is clearly overemphasized in the industry," says Eugene Spafford, professor of computer sciences at Purdue University and director of the Center for Information and Research in Information Assurance and Security.
"It's far more important to have trained personnel, plus a policy in place that's meaningful, well-thought-out, and budgeted appropriately." Ira Winkler, a security consultant and the author of Corporate Espionage, agrees. "Security should be built-in from the start," he says. Winkler has carried out penetration tests for dozens of large businesses with great success, but not for the reasons you might expect. "It is useful as final verification that you did everything else correctly, but 90 percent of the time I'm doing it to make a point," Winkler says. "I get calls from security managers wanting me to steal millions so they can get management's attention and a larger budget."

Most experts agree that a dearth of management support is the biggest obstacle to network security, and a good penetration analysis can provide a useful wake-up call to slumbering corporate bigwigs. It can also have value in ferreting out vulnerabilities that rarefied security policy misses but street-smart cyberpunks could prey on. But Winkler and Spafford both agree that, however cinematic its appeal, unleashing an elite team of ethical hackers on a network is no substitute for in-house expertise and the mundane grind of security administration. "The idea of having these shadowy figures break into your system is kind of an indication that maybe you don't really understand security as well as you think you do," Spafford suggests.