[ISN] White hat, gray hat, black hat

InfoSec News isn at c4i.org
Mon Oct 3 08:50:47 EDT 2005


Forwarded from: William Knowles <wk at c4i.org>

http://www.fcw.com/article90994-10-03-05

By Michael Arnone
Oct. 3, 2005 

For a long time, most computer network crackers hacked a system for 
the same reason George Mallory climbed Mt. Everest: "Because it's 
there." 

But that's no longer the only reason or even the dominant one. More 
hackers now follow the philosophy frequently attributed to Willie 
Sutton, a bank robber during the 1930s. According to legend, when asked 
why he robbed banks, Sutton replied matter-of-factly: "It's where the 
money is." 

During the past six years, malicious black-hat hackers have changed 
from script kiddies who deface Web sites and spread worms to earn 
glory within the hacker community to professionals sponsored by 
foreign governments and organized crime. They target specific 
government and industry victims and commit real crimes, sometimes for 
significant financial gain. 

"We're now seeing sociopaths intent on doing...more devious and 
sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec, 
CanSecWest and EUSecWest hacker conferences, which annually draw 
hundreds of hackers worldwide.

But in general, hackers secure their computers better than the rest of 
the computing community. Government and industry can learn from their 
hacking techniques and protection skills to improve information 
technology security, experts say. In addition, government can learn 
from two other groups: the paid professionals - known as white hats - 
who research vulnerabilities to protect employers' and customers' data 
and the unaffiliated tinkerers - known as gray hats - who alert users 
to vulnerabilities. 

Government and industry have always learned security techniques from 
hackers, whether they realize that or not. For example, penetration 
testing, which is a search for security holes in a computer system, is 
a common hacker practice that the federal government is using more 
often, said Steven Manzuik, security product manager at eEye Digital 
Security. The company provides penetration testing, vulnerability 
assessment and proactive security services to the Defense Department 
and federal intelligence agencies. 

Penetration testing is a good way to demonstrate actual risk and 
secure systems by patching or applying other protections, Manzuik 
said. DOD has come to appreciate the value of penetration testing and 
now has a solid schedule and process in place for it, he said. 

Because the federal government is a huge target for hackers for 
political and financial reasons, agency officials have started issuing 
information security regulations based in part on consultations with — 
and learning lessons from — hackers, said Mark Loveless, a senior 
security analyst at BindView and a hacker for 25 years. 

The Gramm-Leach-Bliley Act of 1999, Health Insurance Portability and 
Accountability Act, Federal Information Security Management Act of 
2002, and Sarbanes-Oxley Act of 2002 all require fortification of 
computer networks to protect information based on real-life hacker 
attacks, Loveless said. He added that following federal regulations 
can make it easier to fix many common vulnerabilities.

Military officials have learned the fastest from hackers and are 
starting to pay serious attention to software policies to bolster 
their security, Ruiu said. Civil agencies are the most vulnerable 
because they don't have money for adequate IT security, let alone 
improvements to it, he said. 

DOD and intelligence agencies enjoy talking with hackers who do not 
have malicious intentions, and the two groups often tip each other off 
about developments and discoveries, Loveless said. Information 
analysis and intelligence gathering units are particularly willing to 
learn from attacks to plug holes in their security, said Marc 
Maiffret, founder and chief hacking officer at eEye.

But not all government agencies listen to hackers, Loveless said. 
Old-school agents in the FBI and the Secret Service don't trust 
hackers because they consider many of them to be criminals.

Hackers' importance as teachers, though, is increasing. As software 
insecurity remains the norm, the number of targets increases and the 
stakes involved in losing control of financial and confidential data 
rises, experts say. 


'Millions of monkeys'

A common bond among hackers is curiosity. "What if I try this?" and 
"What can I do to make it do what I want?" are two hacker mantras, 
said Martin Roesch, founder and chief technology officer of 
Sourcefire, a provider of intrusion-prevention systems. But that 
unrelenting, inquisitive skepticism, sometimes bordering on paranoia, 
yields superior quality assurance. 

"Everything you forget, they will find," Roesch said. "It's like the 
proverbial millions of monkeys typing on typewriters. They have 
infinite resources and infinite time to find weaknesses in your 
system."

Another hacker tenet is to always follow the path of least resistance, 
said Matthew Gray, founder of and CTO at Newbury Networks. In doing 
so, hackers use network engineers' desire for efficiency against them 
to design more effective and stealthy attacks. 

This path of least resistance is often through the front door, said 
Paul Proctor, research vice president of security and risk at Gartner. 
Attackers hack only enough to insert malicious payloads that contain 
keystroke and network sniffers and other means to collect information 
they can use to fool the system into thinking the attackers are 
legitimate users. Once they get that, they can come and go as they 
please without scrutiny. 
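The point Proctor makes above is that once an attacker holds stolen credentials, the sessions look legitimate, so the "scrutiny" has to be applied to successful logins rather than only to failed ones. The script below is an added defender-side illustration, not code from the article or from any of the vendors it quotes: it builds a per-account baseline of source addresses from a constructed authentication log, then flags successful logins from a source the account has never used or during quiet hours. The log format, the hostnames, addresses and the quiet-hours window are all assumptions made for the example.

```python
"""Added illustration (not from the FCW article): applying scrutiny to
successful logins, since credentials stolen by a keystroke or network
sniffer produce sessions that otherwise look legitimate.
The log line format and every sample line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed syslog-like format: "<ISO timestamp> auth: user=<u> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure)$"
)

# Constructed baseline window: the week before the lines we want to check.
BASELINE_LOG = [
    "2005-09-26T09:02:11 auth: user=alice src=10.0.0.5 result=success",
    "2005-09-27T08:55:40 auth: user=alice src=10.0.0.5 result=success",
    "2005-09-27T10:14:03 auth: user=bob src=10.0.0.9 result=success",
    "2005-09-28T13:20:55 auth: user=bob src=10.0.0.9 result=failure",
]

# Constructed lines to inspect; one is a 3 a.m. login from an address alice never used.
RECENT_LOG = [
    "2005-10-03T09:01:30 auth: user=alice src=10.0.0.5 result=success",
    "2005-10-03T03:12:47 auth: user=alice src=203.0.113.44 result=success",
    "2005-10-03T11:40:02 auth: user=bob src=10.0.0.9 result=success",
    "2005-10-03T12:05:19 auth: user=bob src=198.51.100.7 result=failure",
    "this line does not match the format and is skipped",
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def parse_log(lines):
    """Parse a list of lines, silently dropping malformed ones."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def build_baseline(records):
    """Map each user to the set of source addresses seen in *successful* logins.
    Failures are excluded so a guessing attempt cannot seed the baseline."""
    baseline = defaultdict(set)
    for r in records:
        if r["result"] == "success":
            baseline[r["user"]].add(r["src"])
    return baseline


def flag_logins(baseline, records, quiet_hours=(0, 6)):
    """Flag successful logins that deserve a second look.
    quiet_hours is an assumed local window [start, end) when logins are unusual."""
    alerts = []
    for r in records:
        if r["result"] != "success":
            continue  # failures are noisy; the interesting ones are the successes
        reasons = []
        if r["src"] not in baseline.get(r["user"], set()):
            reasons.append("new source address")
        if quiet_hours[0] <= r["ts"].hour < quiet_hours[1]:
            reasons.append("outside normal hours")
        if reasons:
            alerts.append((r["user"], r["src"], r["ts"].isoformat(), "; ".join(reasons)))
    return alerts


def run_demo():
    """Build the baseline from BASELINE_LOG and check RECENT_LOG against it."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return flag_logins(baseline, parse_log(RECENT_LOG))


if __name__ == "__main__":
    for user, src, when, why in run_demo():
        print(f"{when} {user} from {src}: {why}")
```

On the constructed input only the 03:12 login by alice from 203.0.113.44 is reported, with both reasons attached; the routine logins and the failed attempt stay silent. A real deployment would replace the in-memory baseline with one learned over a longer window and would add whatever other session attributes the organization can observe, but the principle is the one the article describes: treat a "legitimate" session as something to be verified, not assumed.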

Nine times out of 10, vigilante gray hats, black hats and 
cybercriminals follow the path of least resistance, Proctor said. But 
most government and industry cyberprotectors try to thwart the primary 
method gray hats use: burrowing into the system code to find flaws. 
Gray hats, however, pose almost no real risk to computer security 
because they don't act maliciously, he said. 


A failure of imagination

An obstacle to blocking hackers is the implementation of IT security 
by network engineers instead of software developers and engineers, 
said John Viega, founder of and CTO at Secure Software. On the other 
hand, most hackers are software engineers or use software engineering 
tools built by software experts. Thus, the primary defenders of IT 
assets have different perspectives, skills and experiences from the 
attackers, Viega said.

This compounds the problem that most organizations consider IT 
security only when they are under attack, said Roger Thornton, founder 
of and CTO at Fortify Software. Few organizations look at their IT 
capabilities in terms of the risk they face from black hats and 
cybercriminals, he said. 

This failure of imagination to ask what would happen if hackers could 
access their information is the main stumbling block to effective 
security, Thornton said. "Anything that government and industry learn 
from hackers must be seen through the lens of their own risk 
management needs," Proctor said.

Another problem is that government and industry have fallen for the 
negative hacker stereotypes shown on film and television, and are not 
using valuable, available assets. 

"Not every hacker is a cracker," which is the old slang for a black 
hat, Maiffret said.

Organizations should invite more white and gray hats to their 
conferences, Maiffret said. Many government and commercial 
organizations, such as Microsoft, have already heeded that advice and 
even pay to be sponsors at hacker conferences.

Because talented Internet security professionals, such as hackers, are 
tough to find and hire, "the greatest defense against hackers is that 
you can make a mighty good living on the right side of the fence," 
Thornton said. 

Government and industry hire white and gray hats who want to have 
their fun legally, which can defuse part of the threat, Ruiu said. But 
it's impossible to reach every potential attacker through a job 
advertisement, he said.

Many hackers are willing to help the government, particularly in 
fighting terrorism. Loveless said that after the 2001 terrorist 
attacks, several individuals approached him to offer their services in 
fighting al Qaeda. 

Hiring black hats, however, is a bad idea. Bruce Murphy, vice 
president of worldwide security services at Cisco Systems, said he 
does not hire black hats because they do not appreciate or respect 
standard business processes and structures. 

"Somebody with questionable moral judgment isn't someone you want to 
have control of your networks," said Avi Rubin, a professor of 
computer science at Johns Hopkins University. A disgruntled hacker 
with inside knowledge of a company's networks could create a nightmare 
scenario, he said.

Besides, white hats have closed the skill gap between themselves and 
gray and black hats, said Amit Yoran, president of Yoran Associates 
and former national cybersecurity director. What the white hats need 
to learn, he said, is how to sell IT security more persuasively to 
bureaucracies that still may not see the need for it.

More important than the presence of hackers is emulating their 
skeptical attitude, Maiffret said. Most large organizations do not 
cultivate the maverick mind-set needed for quality hacking and 
computer security, he said. 

"Part of the hard thing in government is that you're not really meant 
to question how things work," he said, adding the same goes for large 
companies. "You're expected to take orders and do things...[but] 
that's what [hackers] are here for, to question." 

Organizations must encourage employees to question everything about 
the technology they use, he said.


Putting lessons to work

The guiding principle for government and commercial IT has been to 
increase productivity and decrease cost, without much thought about 
security, Proctor said. 

Savings are powering the federal government's insistence that 
contractors and integrators use commercial software. The drive "is 
like nothing I've ever seen in my life," said Michael Armistead, vice 
president of products at Fortify Software. 

Thornton warned that any commercial solution must account for the 
organization's risk profile, especially risks presented by black hats. 
Those responsible for implementing commercial products should audit 
them, line by line if necessary, to see if they provide adequate 
security. If they don't, the hackers will. 

Even with the security emphasis since the 2001 terrorist attacks, 
Thornton and other experts agree that government and industry are not 
changing fast enough to thwart evolving threats from black hats.

But government and industry have attributes that, if used 
hacker-style, could potentially help them defeat malicious hackers. 

Government has the advantage of central coordination and the ability 
to quickly enforce best practices and standards enterprisewide, Ruiu 
said. It can also share information quickly and effectively — faster, 
in fact, than industry and the balkanized hacker community. 

Industry has the advantages of being able to speedily implement 
changes and act pragmatically, Ruiu said. If it employs the hacker 
mind-set while developing products, it would produce software and 
hardware more resistant to attacks in the first place. 

Government and industry need research units to discover 
vulnerabilities, or they should work with someone who has them, 
Maiffret said. They need to dissect software to find every weakness, 
just like hackers worldwide do. 

Until such widespread changes occur, the public and private sectors 
can protect themselves the way hackers do, said Michael Cantey, a 
network systems administrator at the Florida Department of Law 
Enforcement's Computer Crime Center. He said they should learn as much 
as they can about what's on their systems, how those systems operate 
and how to fix as many flaws as possible. They can stay current on 
basic security measures and set up a multilayered defense that goes 
beyond the perimeter to inside essential systems. 

The only long-term way to effectively hinder or prevent hacker attacks 
is to show the same persistence, skepticism and vigilance that hackers 
do, Roesch said. After all, he said, "the million monkeys are working 
relentlessly, every day, all day."
 


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*