[ISN] OSS is an easier hack: Mitnick
InfoSec News
isn at c4i.org
Tue Jan 31 01:44:21 EST 2006
http://www.tectonic.co.za/view.php?src=rss&id=839
By Jason Norwood-Young
30 January, 2006
In an exclusive interview on Friday, infamous hacker Kevin Mitnick
told Tectonic that, given the choice between finding security
vulnerabilities in closed and open source, he'd prefer to attack an
open source environment.
"Open source would be easier [to hack]," admits ex-hacker turned
security consultant Mitnick. "It's less work."
Mitnick says that open source software is easier to analyse for
security holes, since you can see the code. Proprietary software, on
the other hand, requires either reverse engineering, getting your
hands on illicit copies of the source code, or using a technique
called "fuzzing".
Fuzzing means putting fake data - such as really long strings - into
portions of the application that allow user input. "You want to make
that function call fail. Does it cause an exception? If it does then
the programmer probably hasn't validated the input. You could supply
your code in a particular manner - thus tricking the application or
function into executing your own code. Hackers want to execute their
own code - preferably with privileges - and then they gain control.
"On the face of it, open source software is more secure," says
Mitnick. "A lot of eyes are looking at the code. You'd think that with
OSS, with more people looking at the code, you're more apt at finding
security holes. But are enough people really interested?"
Mitnick does qualify his statement carefully - it's six of one and
half-a-dozen of the other. "Then again, a lot of people are really
good at reverse engineering. You can obtain illicit copies of
[proprietary] source code," he says diplomatically.
Mitnick was arrested in 1995 by the FBI for hacking. He served five
years in prison, including eight months in solitary confinement after
it was alleged that he could launch nuclear missiles by whistling into
a telephone. He will be in South Africa next month for the ITWeb
Security Summit 2006, and will speak about social engineering and
wireless security.
He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server,
Debian, Gentoo and Solaris. Currently he's penning an autobiography to
clear up some myths about himself. And no, you can't launch a nuclear
attack by whistling into a telephone.
More information about the ISN
mailing list