Hackers Go Pro
by Nancy Nicolaisen and Dan Costa

Penetration analysis, or ethical hacking, is an increasingly popular way
for businesses to find holes in their networks. Vendors are lining up to
break and enter for profit


Ethical hacking might seem like an oxymoron, and it does present some
confusing issues, but it is also a growing and legitimate IT specialty. 
Ethical hackers can be separated into two broad classes--independents and
consultants. Independent ethical hackers believe that discovering the
weaknesses of software, hardware, and the networks upon which we all
depend is an inherently good or ethical act. 

These good-Samaritan Netizens have been around for years--poking holes in
Internet Explorer, breaking encryption algorithms, accessing networks
without authority. Sometimes they report the hack to the company; other
times the hack announces itself, and the vendor must quickly fix the
problem. This real-world market testing can make products stronger and
safer for the rest of us. 

[White hat hackers or "good-Samaritan Netizens" do not access
other networks without permission. White hat denotes good or legal 


Originally published in the February 1999 issue 

Digital Samurai

If hackers are the ninjas of the Net, then ethical hackers sell themselves as the samurai. Ethical
hackers look for the holes in a system, however ephemeral or obscure, ideally allowing system
administrators to close them before real hackers arrive. However, aside from a difference in motives,
"bad" hackers and "good" hackers operate in more or less the same fashion.

In the case of IBM Corp.'s Ethical Hacking group, an invitation to attack a target is typically a
very quiet arrangement made between the highest levels of management and IBM's Security and
Cryptography division.

Initially, the parties define the rules of engagement for the attack. "At this point, we mutually
establish when we will attack, what we will do, and most important, what we won't do," says Charles
Palmer, IBM's manager of network security and cryptography. For a realistic test of a system's
defense, IBM's team encourages clients to undertake completely blind testing, providing no
forewarning to operational staff and imposing no restrictions on what techniques or timing attackers
may use.

Regardless of restrictions imposed in the rules of engagement, IBM's team is successful at gaining
access about 80 percent of the time. "We are really trying to find out two things," says Palmer.
"First, can we get in and fool around? Second, and of much greater importance, does anyone notice?"

After the IBM Ethical Hacking team has compromised the target, it maintains a presence, gradually
increasing the level of illicit activity to establish the victim's threshold of discovery. After a
successful attack, IBM's team provides the client/victim a complete account of what the hackers did,
along with a description of how to defeat similar attacks. The team never discloses the exact
methodology of a successful attack, however.

Ethical hacking is gaining acceptance as an audit technique largely because victims of actual attacks
have begun to go public with accounts of their experience, reversing a long trend of silence.
Disclosing successful attacks may in part be motivated by public-relations considerations: A company
that announces and describes a successful attack is at least in a position to give equal coverage to
remediation measures, an aspect on which a third-party account is unlikely to focus. Also, interest
groups have begun to actively share information among themselves on known attacks and attackers.

Citibank pioneered this strategy after going public with information about a successful attack on the
company's Web site. As a result, the banking industry formed a group that shares attack information
and IP addresses of potential attackers, and alerts members to surges in Net activities known to be
precursors of hack attempts.

Of course, not everyone is happy with all this publicity. Some industry watchers contend that IBM
and other so-called ethical hackers are simply trying to generate more business by scaring companies
into paying for their services. IBM's service business did $19.3 billion worth of consulting in 1997,
and security consulting made up a large part of that. IBM charges anywhere from $15,000 to $40,000
for its team to crack your security. (That includes travel and living expenses should the team decide
to actually visit your company's home office.)

Still, the need for some form of security testing seems real. The Computer Security Institute in San
Francisco conducts an annual poll to determine the scale of hacker activity. It polled 520
specialists in U.S. corporations, government agencies, and financial institutions, and it found that
64 percent reported computer security breaches in 1997. This is up 16 percent from 1996. More to the
point, losses from these intrusions rose from $100 million to nearly $137 million.

What's more, these attacks are increasingly coming from outside the company. In 1995, only 37 percent
of companies said they were attacked via the Internet, but now 54 percent say the Net is a source
of repeated attacks. "The threat on the inside is still higher," says IBM's Palmer, "but the threat
from the outside is trying to catch up."

Who Watches the Watchmen?

In contrast to IBM's elite team of experts, recruited from the ranks of its Systems Research
division, some ethical hackers bring slightly more shadowy credentials to the trade. Marketing their
services as security consultants, some reformed hackers engage in behavior and business practices
that raise valid concerns. Is the "ethical hacking" community in the business of manufacturing

In one such questionable incident, Israel's WithinReach software posted a new implementation of the
notorious Back Orifice hack on its Web site. This enhanced version embedded the hack in a hostile
Java applet, endowing it with previously unknown mobility and transparency.

Back Orifice is the work of the hacker collective Cult of the Dead Cow. Introduced at DefCon 98 (a
hacker conference held in San Francisco in August), it uses standard Windows system-management APIs
to provide the attacker a means of remotely monitoring Windows 95 systems. Back Orifice also provides
access to most system resources, including the file system and the registration database.

[Defcon is held in Las Vegas.]

Though widely publicized as an ominous threat, experts generally agree that it poses a relatively
insignificant risk due to the nature of its delivery: In its original form, the hack gained access to
the system as an executable attachment to an e-mail message. Unless and until the e-mail recipient
ran the executable, the Back Orifice hack was completely benign.

The implementation posted by WithinReach dramatically altered that situation, however. Inserting the
hack in a Java Bean causes it to be transparently installed in a browser and automatically executed
when the unsuspecting user visits an infected Web page. An individual who is, coincidentally, the
manager of customer support at a security-software company with a presence in Boston and in Haifa,
Israel, performed this malevolent feat of reverse engineering.

The danger of letting these tools fall into the wrong hands isn't lost on the security industry.
Several software vendors, including Finjan Software, have established policies forbidding the
generation and proliferation of hostile code for its own sake. And it is largely for these reasons
that IBM's Ethical Hacking group doesn't provide the specifics of successful attacks, even to the
customers who paid for them.

Preemptive Strikes

Most successful hacks are the product of something less glamorous than sheer genius. More typically,
they are an amalgam of breathtaking perseverance and a specific bit of technical insight. Still,
having access to a team knowledgeable in the ways of hacking offers IT managers a new range of
responses, or counterhacks.

Take, for example, a recent attack simultaneously mounted against three targets: the U.S. Department
of Defense (DoD), the Web site of the president of Mexico, and the Frankfurt Stock Exchange. The hack
was staged by Electronic Disturbance Theater in an attempt to effect what is considered to be the
crudest of all attack strategies, a denial of service. Briefly, a denial-of-service attack is one
that aims to flood the targeted server with requests, effectively making it unavailable to legitimate

In an interesting twist, the attack was mounted by unsuspecting third parties rather than by the
actual perpetrators. Known as the zapsNetTactical hack, it relied on infected mobile code for
transparent distribution. Here's how it worked: When users visited the Electronic Disturbance Theater
home page, a hostile Java applet was automatically downloaded to their browser. The applet
transparently initiated page-fetch requests to each of the three targeted Web sites several times a
second. The perpetrators claim to have distributed on the order of 10,000 copies of the applet.

When the flood of requests began hitting the DoD server, the server was prepared. In a preemptive
strike, the DoD server detected the point sources of the request flood and turned the strategy around
on the attackers. The targeted server discarded incoming page requests, but it responded to the
attacking client by sending it an uninterruptible stream of empty browser windows. Though the exact
details of the successful defense were not disclosed, it's likely that the server tracked the
frequency and variability of requests associated with a particular client's IP address.
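The article guesses that the DoD server singled out flood sources by the frequency and variability of requests per client address. The following is an added example (not code from the article, IBM, or the DoD) of that idea on the defender's side only: it profiles each client in a constructed request log by request rate and inter-arrival jitter, flags sources that are both fast and machine-regular, and discards their requests. The log lines, addresses, and thresholds are all constructed assumptions; nothing is sent back to the flagged clients.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample request log: (timestamp_seconds, client_ip, path).
# Two clients fetch pages several times a second at perfectly regular
# intervals (the applet behaviour the article describes); one client browses
# at human pace.  Addresses are documentation/private ranges, not real hosts.
SAMPLE_REQUESTS = (
    [(t / 10, "10.0.0.7", "/") for t in range(0, 300, 2)]            # 5 req/s, regular
    + [(t / 10, "10.0.0.9", "/index.html") for t in range(1, 300, 2)]  # 5 req/s, regular
    + [(0.3, "192.0.2.44", "/"), (4.1, "192.0.2.44", "/news"),
       (9.8, "192.0.2.44", "/about")]                                  # slow, irregular
)


def profile_clients(requests, rate_threshold=2.0, jitter_threshold=0.05):
    """Group requests by client address and compute, per client, the request
    rate (requests per second over the observed span) and the jitter of the
    gaps between requests (population standard deviation, in seconds).

    A client is flagged as a flood source when it is BOTH fast and unusually
    regular: scripted page fetches fire on a timer, while a person clicking
    around produces irregular gaps.  Thresholds are assumed values.
    """
    by_client = defaultdict(list)
    for ts, ip, _path in sorted(requests):          # sort by timestamp
        by_client[ip].append(ts)

    report = {}
    for ip, times in by_client.items():
        if len(times) < 2:
            report[ip] = {"rate": 0.0, "jitter": None, "flood": False}
            continue
        span = times[-1] - times[0]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        rate = (len(times) - 1) / span if span > 0 else float("inf")
        jitter = pstdev(gaps)
        report[ip] = {
            "rate": round(rate, 2),
            "jitter": round(jitter, 3),
            "flood": rate >= rate_threshold and jitter <= jitter_threshold,
        }
    return report


def filter_requests(requests, report):
    """Drop requests from flagged flood sources and keep everything else.
    Discarding is the only response taken here; legitimate clients behind
    the same address would also be dropped, which is the collateral-damage
    problem the article raises."""
    return [r for r in requests if not report[r[1]]["flood"]]


if __name__ == "__main__":
    report = profile_clients(SAMPLE_REQUESTS)
    for ip, stats in sorted(report.items()):
        print(f"{ip:<14} rate={stats['rate']:<6} jitter={stats['jitter']} flood={stats['flood']}")
    kept = filter_requests(SAMPLE_REQUESTS, report)
    print(f"kept {len(kept)} of {len(SAMPLE_REQUESTS)} requests")
```

Rate alone is a weak signal (a busy proxy looks fast too); combining it with the regularity of the gaps is what separates a timer-driven applet from ordinary traffic, which is why the example flags on both conditions.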

Ethical hacking in self-defense is certainly likely to become a routine method of defeating
denial-of-service attacks, but it increasingly places innocents in the crossfire. In the case of
zapsNetTactical, affected users likely didn't know that they downloaded the hostile applet, nor did
they probably realize why their browsers subsequently froze. Because targets of attack can really
only preemptively strike back at the source of a flood of requests, this technique may ultimately
provoke hackers by providing them a tool more effective than denial of service. To mount an
ethical-hack counterattack, servers are forced to shut down the browsers of users who may be unaware
they have been co-opted.

Preemptive ethical-hacking techniques may also be used to forecast attacks and identify likely
perpetrators. Typically, these activities center on scanning, a pattern of network communication not
unlike a burglar walking along a dark street checking each door and window to find an easy point of
entry. IBM's Ethical Hacking group routinely scans the systems of its subscribers, looking for
possible points of unauthorized access and comparing results to previous scans to identify suspicious
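Comparing a fresh scan of your own systems against the previous one is the routine part of what the article describes. As an added illustration (not IBM's tooling or code from the article), the block below parses two constructed scan exports in a simple "host port/proto service" line format, an assumed format chosen for the example, and reports ports that newly opened, ports that closed, and ports whose service changed since the baseline. Hostnames and ports are constructed.

```python
# Constructed baseline scan of the organisation's own hosts (assumed format:
# one "host port/proto service" line per open port, '#' lines are comments).
BASELINE_SCAN = """
# baseline, taken last week
web1.example.internal  80/tcp    http
web1.example.internal  443/tcp   https
mail1.example.internal 25/tcp    smtp
fs1.example.internal   21/tcp    ftp
fs1.example.internal   22/tcp    ssh
"""

# Constructed follow-up scan of the same hosts.
LATEST_SCAN = """
web1.example.internal  80/tcp    http
web1.example.internal  443/tcp   https
web1.example.internal  23/tcp    telnet
mail1.example.internal 25/tcp    smtp
mail1.example.internal 8080/tcp  http-proxy
fs1.example.internal   21/tcp    ftp-anon
"""


def parse_scan(text):
    """Parse a scan export into {(host, port): service}.

    Blank lines and '#' comments are ignored; a malformed line raises rather
    than being silently dropped, so a truncated export cannot masquerade as
    'everything closed'.
    """
    result = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'host port/proto service', got {raw!r}")
        host, port_proto, service = fields
        port = int(port_proto.split("/", 1)[0])
        result[(host, port)] = service
    return result


def diff_scans(previous, current):
    """Compare two parsed scans and report what changed, sorted for stable
    review output.  'newly_open' is the list to look at first: an unexpected
    listener is the classic sign of a misconfiguration or an intrusion."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "newly_open": sorted(cur_keys - prev_keys),
        "closed": sorted(prev_keys - cur_keys),
        "service_changed": sorted(
            key for key in prev_keys & cur_keys if previous[key] != current[key]
        ),
    }


if __name__ == "__main__":
    changes = diff_scans(parse_scan(BASELINE_SCAN), parse_scan(LATEST_SCAN))
    for category, entries in changes.items():
        print(category)
        for host, port in entries:
            print(f"  {host}:{port}")
```

In practice the baseline should be the approved configuration, not merely last week's scan, otherwise a listener that appeared two scans ago quietly becomes part of the expected state.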

On a larger scale, the federally sponsored Computer Emergency Response Team (CERT) watches networks
at large, identifying sources of scanning, alerting the public to the identities of known attackers,
and publishing detailed accounts of successful hacks along with effective defenses against them.

[CERT does not alert the public to the identity of known attackers.]

Even the insurance industry is getting into the ethical-hacking business. Cigna Corp.'s Property and
Casualty division offers insurance against losses incurred from a hack. The insurance giant will
insure clients as long as they install Cisco Systems' NetRanger firewall and use NetSolve's ProWatch
to monitor their systems. According to Cigna, the company's policy will cover up to $25 million in

Much like IBM, Cigna also offers ethical-hacking services to determine a customer's weaknesses. For a
fee of $25,000 to $35,000, Cigna will attempt to break into a customer's network and then issue
security recommendations. In fact, getting insurance coverage may be contingent on implementing these

Who's Next?

Despite these dire accounts, it should be said that even if you use the Web to shop or make financial
transactions, as an individual, you are unlikely to be hacked. In the words of one ethical hacker,
targeting an individual may pay for a hacker's Snapple and pizza for a couple of weeks, but for the
amount of sheer effort involved in finding and penetrating a susceptible host, a corporate target is
much more appealing.

And there is no shortage of corporate targets. According to Zona Research, security is a top concern
for corporate IT managers, but they are spending money in the wrong places. Zona found that although
58 percent of the 212 companies it polled were increasing their security budgets, relatively few do
regular security testing. In fact, 40 percent of companies do no testing at all, and most of the rest
use only internal audits. Without adequate outside testing, new security loopholes won't be detected
until someone uses them.

In the end, employing ethical hackers is a balancing act. Business and network managers must ask
themselves whether they want to deal with a devil they know and have under contract, or the devil
they don't.

For the Best Defense

Change all default accounts and passwords that shipped with your servers and desktops.

Require passwords for access to all servers.

Authenticate both remote and local users.

Use hard-to-guess alphanumeric passwords.

Limit the number of access attempts a user can make.

Change passwords frequently.

Deactivate accounts when employees leave the company.

Restrict all of your company information, including help menus, until users are authenticated.

Don't give users "root" access to hosts.

Use the most current version of client/server software.

Record and review security logs.
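Two items on the list, limiting access attempts and recording and reviewing security logs, are easy to state and easy to get subtly wrong. The block below is an added example, not code from the article: a small login guard that counts failures per account inside a sliding window, locks the account for a fixed period once the limit is reached, refuses even a correct password while the lock is in force, and writes every decision to a log that a short review routine then summarises. The limits, the fake clock, the account names, and the source addresses are all constructed assumptions.

```python
import time
from collections import Counter, deque


class LoginGuard:
    """Track failed logins per account and lock the account after
    max_failures within window_seconds.  Every decision is appended to
    self.log so it can be reviewed later.  `clock` is injectable so the
    behaviour can be tested with a fake clock (assumed design choice)."""

    def __init__(self, max_failures=5, window_seconds=600, lock_seconds=900,
                 clock=time.time):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.failures = {}       # account -> deque of failure timestamps
        self.locked_until = {}   # account -> time the lock expires
        self.log = []            # list of dicts: one security-log entry each

    def _record(self, when, event, account, source_ip):
        self.log.append({"time": when, "event": event,
                         "account": account, "source": source_ip})

    def attempt(self, account, password_ok, source_ip):
        """Return True only when the password is correct AND the account is
        not locked.  A correct password during a lock is still refused, so
        an attacker cannot learn the password from the lock lifting."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            self._record(now, "DENIED_LOCKED", account, source_ip)
            return False
        if password_ok:
            self.failures.pop(account, None)        # success clears the window
            self._record(now, "SUCCESS", account, source_ip)
            return True
        window = self.failures.setdefault(account, deque())
        window.append(now)
        while window and now - window[0] > self.window_seconds:
            window.popleft()                        # forget stale failures
        if len(window) >= self.max_failures:
            self.locked_until[account] = now + self.lock_seconds
            self._record(now, "LOCKED", account, source_ip)
        else:
            self._record(now, "FAILED", account, source_ip)
        return False


def review_log(log):
    """Summarise the log the way an administrator reviewing it would:
    which accounts were locked, and which sources produced failures."""
    locked = sorted({e["account"] for e in log if e["event"] == "LOCKED"})
    failures_by_source = Counter(
        e["source"] for e in log
        if e["event"] in ("FAILED", "LOCKED", "DENIED_LOCKED")
    )
    return {"locked_accounts": locked, "failures_by_source": dict(failures_by_source)}


def run_demo():
    """Constructed sequence: five wrong passwords for 'admin' from one
    address, then the correct one (refused: locked), then a user who
    mistypes twice... no, once, and then succeeds.  The fake clock advances
    one second per attempt."""
    ticks = iter(range(1_000))
    guard = LoginGuard(max_failures=5, clock=lambda: float(next(ticks)))
    attempts = (
        [("admin", False, "198.51.100.5")] * 5
        + [("admin", True, "198.51.100.5"),
           ("alice", False, "203.0.113.8"),
           ("alice", True, "203.0.113.8")]
    )
    results = [guard.attempt(account, ok, ip) for account, ok, ip in attempts]
    return guard, results


if __name__ == "__main__":
    guard, results = run_demo()
    for entry in guard.log:
        print(f"t={entry['time']:<5} {entry['event']:<13} {entry['account']:<6} from {entry['source']}")
    print(review_log(guard.log))
```

Lockouts are themselves a denial-of-service lever, so the lock is time-limited rather than permanent, and the log records the source of every failure so that a review can tell one user's typos from a single address hammering many accounts.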

Beyond Ethical Hacking

by Kevin Poulsen

The image of rebellious scofflaws slipping through the back doors of corporate computer networks has
always been a powerful force for drawing companies into the waiting arms of highly paid consultants:
The Gartner Group predicts the worldwide information-security market will reach $13.1 billion by the
year 2000. But the recent popularity of penetration analysis--in which security professionals stage
controlled attacks on a client's network--may owe more to the hacker mystique than to sound security

"I think penetration analysis is clearly overemphasized in the industry," says Eugene Spafford,
professor of computer sciences at Purdue University and director of the Center for Information and
Research in Information Assurance and Security. "It's far more important to have trained personnel,
plus a policy in place that's meaningful, well-thought-out, and budgeted appropriately."

Ira Winkler, a security consultant and the author of Corporate Espionage, agrees. "Security should be
built-in from the start," he says. Winkler has carried out penetration tests for dozens of large
businesses with great success, but not for the reasons you might expect.

"It is useful as final verification that you did everything else correctly, but 90 percent of the
time I'm doing it to make a point," Winkler says. "I get calls from security managers wanting me to
steal millions so they can get management's attention and a larger budget."

Most experts agree that a dearth of management support is the biggest obstacle to network security,
and a good penetration analysis can provide a useful wake-up call to slumbering corporate bigwigs. It
can also have value in ferreting out vulnerabilities that rarefied security policy misses but
street-smart cyberpunks could prey on. But Winkler and Spafford both agree that, however cinematic
its appeal, unleashing an elite team of ethical hackers on a network is no substitute for in-house
expertise and the mundane grind of security administration.

"The idea of having these shadowy figures break into your system is kind of an indication that maybe
you don't really understand security as well as you think you do," Spafford suggests.