[Infowarrior] - Why we need hackers

Richard Forno rforno at infowarrior.org
Thu Jan 11 22:13:32 EST 2007


Why we need hackers
By Patrick Gray   |   9 January 2007 02:45PM
http://www.pcauthority.com.au/feature.aspx?CIaFID=3204

It would be easier if hackers, who say they're acting in the public interest
by releasing information on the vulnerabilities they find, would just get
real jobs and stop pointing out the weaknesses in our software, right?
Wrong.

As most who work in the IT security field will tell you, all the software
that we use is shipped in a vulnerable state. The security holes are there
from day one, and if the good guys don't find the bugs, the bad guys will.
The only way to defend an operating system or an application against a bug
is to know of the existence of the bug in the first place.

Just 10 years ago, the bug-hunting community was a mish-mash of hackers,
system administrators and programmers. Many were geeks seeking kudos for
finding the latest "zero-day" or "fresh" vulnerability.

Since then, IT security has become a booming business and vulnerability
information is worth its weight in gold. Scores, if not hundreds of
full-time bug hunters now spend their days earning hefty salaries pulling
apart software and looking for bugs -- a weird sort of third-party quality
assurance service for software companies.

They disclose their findings to the vendor, which releases a patch, then
they release information about the bug to the wider community. But what are
the ethics of security research? How much information should researchers
release when they find a bug?

'You talk about why people crack things; I think the benefit is that it
keeps the vendors in line, it holds them accountable,' says Rick Forno, the
former chief security officer of Internic. 'And chances are if the good guys
find something, the bad guys have known about it longer than the good guys.'

US-based Forno is currently studying for a PhD on vulnerability disclosure
at Curtin University in Western Australia. In his role as Internic's CSO, he
was responsible for securing the Internet's root domain name servers -- the
core directories responsible for matching domain names to IP addresses. In
short, they're important machines.

While Forno defends security researchers who disclose information on the
vulnerabilities they uncover -- even "proof of concept exploit code", the
software researchers sometimes release, which allows all and sundry to use
the vulnerability -- he says there's a right way to do it and a wrong way.

'Knowledge is neutral. How do you use it, to patch a system or exploit a
system?' he asks. 'There is a big movement now to restrict adverse
information ... but where do you draw the line between where information is
deemed to be adverse or helpful. Too often people err on the side of
caution.'

In this feature, you'll hear from the hackers themselves, who largely serve
the public interest. Some have disclosed information that's led to computer
worms being unleashed by unscrupulous hackers. Others have written tools the
bad guys use to penetrate networks. All say they've acted in the public
interest.

Are they mischievous characters or guardian angels? Read on and decide for
yourself.

David Litchfield is a security researcher, entrepreneur and accidental
architect of one of the fastest spreading computer worms the Internet has
ever seen: the Slammer SQL worm.

Security geeks often come from similar backgrounds. Raised by the
pocket-protector sporting supergeeks of the 1960s, these guys and gals were
twiddling with computers at the age that most of us were learning how to
hold a crayon.

Not so for David Litchfield, who was already 23 when he decided to make the
move into IT security in the late 90s, dropping out of a degree in zoology
to pursue computer science studies. But the course ran too slow for his
liking -- he dropped out of university altogether and moved to London from
Scotland to find work in IT. 'At first, I was working in pubs, doing a lot
of canvassing while I was teaching myself computers,' he says.

Since his early days in IT, Litchfield has become, arguably, the most
prominent database software security researcher in the world. And it was his
research that made the Slammer worm possible. Litchfield had discovered a
vulnerability in Microsoft's SQL server product and decided, after the
company had released a patch for the bug, to present details about the
glitch to a security conference in 2002. 'The code I presented [at the Black
Hat security conference] became the template for Slammer,' he says. 'There
were six months between the release of the code and the worm.'

When it was unleashed on January 25 of 2003, Slammer wreaked havoc on the
Internet. While it was relatively benign -- it didn't destroy any data on
infected systems -- it generated enough traffic to grind some corners of
cyberspace to a near-total halt.

Why was a security researcher presenting information that could be used to
cause so much disruption? Litchfield had uncovered a vulnerability in
Microsoft's flagship database server, SQL, that was so easy to exploit he
considered the release of the code used to exploit it as a wake-up call for
database administrators. 'I said if you don't fix this it will become the
next big worm,' he says.

As it turns out, he was right. Despite administrators having six months to
apply a patch from Microsoft that would have eradicated the vulnerability he
discovered, few, it seems, heeded his warning.

These days Litchfield doesn't release "proof-of-concept" code like that used
as the foundation for Slammer, but says the effect of his research, and even
the worm itself, has been positive. 'At the time I did (regret releasing the
code) but looking back, Slammer, thankfully, was benign. It didn't have a
malicious payload, it just screwed up a few weekends, and it's really what
brought patching to the boardroom,' he argues. 'Today if you come across a
SQL server, nine out of 10 times it will be patched, so Slammer at least
brought a change in the way people look at patching.'

You'd think Litchfield's company, Next Generation Security Software, would
hardly be on Microsoft's Christmas card list after his research was used to
knock over SQL servers, but NGS does a substantial amount of work for the
software giant.

But he's not cosy with all the major vendors. He's been involved in a very
public flamewar with Oracle's chief security officer Mary Ann Davidson for
years. 'Before the spat began I travelled over to Redwood Shores to have a
coffee with her. I like the woman, she's a nice person, but professionally I
think she's in the wrong job,' he says bluntly.

It was Litchfield who released limited details of scores of vulnerabilities
in Oracle products immediately after the launch of the company's
"Unbreakable" marketing campaign. The campaign suggested that Oracle
software was secure, and Litchfield knew it wasn't. So he set to work on
breaking the company's "unbreakable" products. 'I think it was the civic
thing to do, to be honest,' he says. 'If you bought something from a shop,
your details are in a database somewhere. To make that information safe, we
need secure databases ... and Oracle isn't doing that. There's been a
complete and utter failure from Oracle as far as I'm concerned.'

It's not always independent researchers who spend their days trying to break
software and digital security mechanisms -- sometimes the vendors get in on
the action as well.

Cryptographer Scott Fluhrer, who works for Cisco, is probably best known for
being one of the team responsible for sending the Wired Equivalent Privacy
(WEP) standard to the computing graveyard.

WEP was the default standard for wireless network encryption, but a paper
published in 2001 by Fluhrer and two Israeli researchers, Weaknesses in the
Key Scheduling Algorithm of RC4, showed just how flawed the encryption
scheme is.

You may be asking, at this point, why on Earth vendors are still shipping
wireless networking equipment with WEP "security" built in? Well, one reason
is for backwards compatibility, and the other is that it's "better than
nothing", but only marginally.

Thanks to Fluhrer and a few others, cracking WEP is trivial.

This means you can access your next door neighbour's access point for free
Internet access, or even sniff their data as it flies back and forth. Why
you'd want to read your next door neighbour's email is anyone's guess, but
you get the drift: WEP is useless.

If you want real wireless security, you'll need WPA, or Wi-Fi Protected
Access.

So what was Fluhrer's motivation? He happily admits ego was involved, which
makes one wonder: if someone admits to being motivated by ego, does that
make them humble?

'As much as I'd like to say "it's to make the world a more secure place",
well, that really wasn't my main goal,' he wrote in an email to PC
Authority. 'Ultimately, I suspect it was that I could, and to show people I
could.'

At least he's honest.

Still, there were also some altruistic motives at play; Fluhrer says it's
important to research weaknesses in security schemes and make them public.
'After all, with security, it's quite difficult to determine if what you've
designed actually works; whether it is actually secure,' he explains. 'The
only way we know to test that is to have skilled people try to break it.
Given that, it's obviously better to have the good guys break it first.'

The disclosure aspect is also important, Fluhrer says. 'It's quite
impossible to tell the good guys about the weakness without telling the bad
guys about it too,' he argues. 'If we don't publish the results, then any
bad guy who stumbles on the same result will be able to break it at will. If
we just claim to have results without publishing them, we wouldn't be taken
seriously ... By publishing the results, we let companies who take security
seriously update their equipment.'

So how did he break WEP?
'I did some simulations based on random sets of related (cryptographic)
keys, and while I didn't find the weakness I was looking for, I did notice
an anomaly where occasionally, a set of related keys would act quite
non-randomly,' he says. 'I tracked down what was happening in those cases,
and found the basic observation the attack was based on.'

But Fluhrer misunderstood how WEP worked, so his research didn't break WEP
directly. 'At this point, I went to a technical conference, and ran into
(Israeli researchers Itsik) Mantin and (Adi) Shamir. We decided to
collaborate,' he says. 'Together, we refined the attack, including how these
results could be applied to the real WEP protocol.'
The rest, as they say, is history.

Hacking tools: For better or worse?
Security research isn't all about breaking software; sometimes it means
creating it. Gordon Lyon, who's better known by his handle Fyodor, achieved
a fame of sorts when he wrote the Nmap network scanning software.

Nmap, a port-scanning utility, has become the de facto standard tool for
good guys and bad guys alike. It's a relatively simple piece of software
that scans IP ranges for open or closed ports. It can identify running
services, like Web-server or mail transfer software, Trojan software and
even the operating system of the target machine.

But it wasn't until his utility made a guest appearance in The Matrix
Reloaded that Fyodor got serious kudos from the geek elite. 'That was
pretty awesome,' Fyodor told PC Authority. 'Especially since I had no idea
it would happen.'

He'd scored tickets to a midnight showing when the movie was released.
Sensing a "hacking scene" was approaching, Fyodor shuddered. 'I was like "oh
no! These are always terrible!",' he says. 'Then I saw her (the Trinity
character) whip out Nmap and was amazed.'

Fyodor's movie companion, James Hong, the man behind the lurid dotcom
operation hotornot.com, was as stunned as he was. 'Let me tell you, you can
spend almost 10 years writing a port scanner, adding all sorts of great and
useful features,' Fyodor says. 'But you don't get nearly as much press from
big new releases as when some hot celebrity chick in black vinyl uses Nmap
for five seconds in a movie.'

But if anything, Fyodor finds Internet fame a little embarrassing. He took
his nickname from Russian author Fyodor Dostoevsky. 'I'm a little
embarrassed that a Google search for Fyodor now lists me before Dostoevsky,'
he says. 'I guess it is hard to earn and maintain a decent PageRank when
you're dead.'

Fyodor, who's now based in California and spends his days maintaining Nmap,
says he never thought the side project would take off. He released it as
open source software, and the response was overwhelming. 'Tons of people
started sending me suggestions, improvement ideas [and] patches,' he says.
'So I decided to release one more version, and well, here it is nine and a
half years later and I just released a version two nights ago.'

Today, Fyodor makes a crust by licensing Nmap to software companies that
include it in their products. It's a legitimate enterprise, but not even
Fyodor himself saw it coming. 'One reason I used a handle was I was worried
I'd get sued, harassed,' he says. 'But actually the response has been
extremely positive in almost all cases.'

If someone is sophisticated enough to know what Nmap is, they also
understand how much value it can bring them in terms of securing their own
network, he adds. 'The very first step in securing your network is
understanding what is really going on. So you whip out Nmap to inventory
your systems, check whether any unexpected ports are listening, ensuring
that your firewall is really behaving as you expect it to.'
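The inventory check Fyodor describes (and the open/closed port information Nmap reports, mentioned earlier), as an added illustration that is not code from the article or from the Nmap project: a script that parses Nmap's greppable (-oG) output and diffs it against a baseline of the ports you expect to be open on each host, flagging listeners you did not inventory and expected services that did not answer (a down service or a firewall rule doing more than intended). The scan text, hostnames and baseline are constructed samples.

```python
"""Diff an Nmap inventory scan against the open ports you expect.

Parses Nmap's greppable output (-oG): one "Host:" line per address with
tab-separated fields, and port entries shaped port/state/proto/owner/service/...
Both the scan text and the baseline below are constructed samples.
"""

# Constructed -oG output for two hosts; not output from a real scan.
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample) as: nmap -sS -oG - 192.0.2.0/29
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 192.0.2.11 (db.example.test)\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Expected open (proto, port) pairs per host: the inventory baseline.
BASELINE = {
    "192.0.2.10": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "192.0.2.11": {("tcp", 22), ("tcp", 1433), ("tcp", 5432)},
}


def parse_grepable(text):
    """Return {ip: {(proto, port): (state, service)}} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]  # drop the "(hostname)" part
        ports = {}
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.strip().split("/")
            if len(parts) < 5 or not parts[0].isdigit():
                continue  # hosts with no reported ports have an empty field
            port, state, proto, _owner, service = parts[:5]
            ports[(proto, int(port))] = (state, service)
        hosts[ip] = ports
    return hosts


def audit(scan, baseline):
    """Per host: open ports not in the baseline, and baseline ports not open."""
    report = {}
    for ip, expected in baseline.items():
        seen = scan.get(ip, {})
        open_ports = {k for k, (state, _svc) in seen.items() if state == "open"}
        report[ip] = {"unexpected": sorted(open_ports - expected),
                      "missing": sorted(expected - open_ports)}
    for ip, ports in scan.items():
        if ip not in baseline:  # a host that answered but was never inventoried
            report[ip] = {"unexpected": sorted(ports), "missing": []}
    return report


if __name__ == "__main__":
    for ip, diff in audit(parse_grepable(SAMPLE_SCAN), BASELINE).items():
        print(ip, "unexpected:", diff["unexpected"], "missing:", diff["missing"])
```

On the constructed sample the database host shows an uninventoried listener on tcp/3389 and is missing tcp/5432; feed it a real `nmap -oG` file against your own baseline to get the same report for your network.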

Besides, the bad guys already had access to scanning technology prior to the
release of Nmap, even if it wasn't as sophisticated, Fyodor says.

At 29, Fyodor, a self-confessed workaholic, has some expensive hobbies,
racing his BMW M3 coupe for kicks. 'I love to ski in the winters at Tahoe, I
like driving fast, taking my car to the racetrack or going go-kart racing,'
he says.

Fyodor, the author of the Nmap network scanning software

You'd think Mudge's use of a pseudonym would suggest he's an underground
guy; an enemy of the establishment. But this good-guy hacker is about as
close to the establishment as it gets.

It was Mudge (pictured on this page with former US President Bill Clinton)
who in 1998 told the US Senate that hackers could take down the Internet in
30 minutes. Now he's BBN Technologies' technical director of national
intelligence research and applications. BBN is a government contractor in
the US, which provides services for several, unspecified US Government
agencies.

He¹s a cryptography and hacking expert. Read between the lines.

Peiter 'Mudge' Zatko


As one of the members of L0pht Heavy Industries -- a Boston-based hacker
collective that later formed the respected @Stake security company -- Mudge
was behind L0phtCrack, the creme de la creme of password crackers.

'L0phtCrack was a password-cracking tool I wrote for use on and against
Microsoft Windows systems,' he told PC Authority. 'It ended up working
extremely well, too well for many people's liking.'

At the time, he was responsible for auditing and maintaining several hundred
systems. Most of them were Unix based, but increasingly he was being tasked
with taking care of Windows boxes. 'There simply weren't any tools to do the
equivalent password cracking and auditing on MS Windows systems as there
were for Unix,' he says. 'So I had to write my own ... during that time I
started looking into what Hobbit, a legendary Boston area hacker, had been
working on... he had pointed out to me that LANMAN, Microsoft's legacy
[password storage mechanism], didn't look to be too well done. It sure
wasn't.'

What started out as an auditing tool turned into a demonstration that MS
systems needed to be segmented on networks and treated as if their passwords
were trivial to retrieve, which, thanks to L0phtcrack, they were. The tool
completely broke Windows passwords. 'It was not a good tool, as many
organisations and people claimed, for ensuring that users were choosing
strong passwords based upon the amount of time that the program took to
return the unencrypted password,' he says. 'It could, and usually did,
return almost all of the passwords (on a targeted machine).'

With that in mind, it was no surprise that Mudge was a tad miffed when
L0phtcrack became a successful commercial product. He'd demonstrated just
how bad Windows passwords were -- auditing them became moot -- yet the
market lapped up the tool as an auditing suite. 'Originally I released
L0phtCrack free of charge for most uses under a BSD style licence,' he says.

Commercial users were supposed to pay a $25 fee, but no one was paying, and
the tool had been downloaded hundreds of thousands of times from government
networks. 'That didn't bother me as much as the support emails that started
showing up, primarily from the US Government,' he says. 'We put a trivial
timeout mechanism in to the next release of the software, and when I say
trivial we went out of our way to make sure it was easily "crackable".'

Mudge, (with long hair) at the White House. He is Technical Director,
National Intelligence Research and Applications at BBN Technologies.


The people who were going to crack the software were not people who would
have paid for it in the first place, so Mudge let them use it and spread the
word about how effective it was. Within a very short period of time, the
software was pulling in revenues 'well into the six figure range'.

So what would Mudge say to those who'd charge him with writing a tool that
can be used by the bad guys? 'Don't eat anything but strained food. Outlaw
hammers. Arrest anyone who owns or drives a car... these tools [can be] used
by bad guys,' he says. 'The tool is not the issue. It's the person behind
the tool that one needs to worry about.'

In other words, password crackers don¹t kill people, people kill people.

But it's not just passwords that he's known for breaking. Mudge also
pioneered the techniques used to discover and exploit buffer overflow
vulnerabilities. These are the class of vulnerabilities that lead to all the
superworms -- Code Red, Slammer, Blaster and more. 'I'll probably get a few
thousand years tacked on to my Purgatory sentence for my contribution to the
field of buffer overflows,' Mudge jokes.

Perhaps due to his relatively diverse expertise, Mudge is happy to weigh in
on the Apple versus Windows security debate, a topic many shy away from.

Unfortunately, he says, there's no clear winner. 'I'm a bit disappointed in
Apple as they seem to be handling the security issue in the same marketing
and PR fashion that Microsoft initially handled its security PR angle,' he
says.

He has nothing against the company, he says, and is a fan of Steve Jobs.
Likewise, he's been impressed by the inroads Microsoft has made in its war
on vulnerabilities. 'I'm also very impressed with how Microsoft, a very
large organisation, has changed in how it handles security reports and
patches in comparison to its initial "that vulnerability is completely
theoretical" responses,' he says. '[But] the simple fact is that both OSes
have security problems.'



