BOSTON (05/31/2000) - All the hackers had to go on were five innocuous e-mail messages. Within four hours, they had taken control of their target's bank account, changed his password and locked him out. They had also acquired his credit card numbers, the details of his driving record and his salary to the penny. For the coup de grâce, they infiltrated his office and left a puckish note on his desk: "Hi Matt, from your friends at Jaws."
Luckily for this target, Matthew McClearn, these hackers were invited guests and not intruders. Part of a so-called penetration testing team for Calgary, Alberta-based Jaws Technologies, they'd been challenged by McClearn and his employer, the Calgary Herald, to take the five e-mails and learn as much about the reporter as they could in a week. Using a combination of technical skill and social engineering (the art of persuading people to give out sensitive information), the Jaws team rapidly created a file of information on McClearn.
In addition to the data above, the file contained printouts of all his bank transactions for the past few months as well as the names of friends, family members and colleagues, who in turn could have been targeted by real intruders.
In the wrong hands, this situation could have been a consumer and corporate security nightmare.
While not a new trend, penetration testing, or testing security from the perspective of a would-be intruder, has gained significant appeal in the wake of recent attacks on high-profile companies like Yahoo Inc. and CNN.
Long-standing fears about security vulnerabilities have been brought uncomfortably close to the surface for CIOs and the executive boards to which they answer, and the realization that there is no such thing as 100 percent security has companies looking for any edge they can get. As soon as security holes are found and patched, new ones appear, and while the IT departments of many corporations are perpetually understaffed, hackers, crackers, sneakers and phreakers seem to prosper and proliferate. To mix a metaphor, desperate times make for strange bedfellows, and CIOs are forging some unconventional alliances in their mission to bolster corporate security.
Take for example, Kevin Mitnick, the infamous 36-year-old hacker who served five years in federal prison for breaking into the computer systems of some of the nation's biggest businesses. Since his release from prison earlier this year, Mitnick's future as a security consultant appears to be quite bright. In March, he met with the Senate's Governmental Affairs Committee to advise it on how easy it is to break through government and corporate security systems. And at a recent CIO conference, 31 percent of the 191 information executives said they would hire Mitnick to advise them on security preparedness after he meets the terms of his three-year parole (which bars him from using a computer, cellular phone or any device with an internet connection).
The reasoning behind this is quite simple, according to Mitnick. "I have real-world experience circumventing security measures," he says. "And that might be more attractive [to a CIO] than hiring somebody right out of school who has a degree in information security but no practical experience. Companies are more interested in experience than education."
That kind of real-world experience can also be found at the various security vendors, many of which claim to employ former hackers, reformed hackers or ethical hackers. But what differentiates the hacker working for a security vendor from the pasty-faced, teenage loner orchestrating hacks from his parents' basement? In some cases, not a lot, and before hiring a hacker or a security company that employs hackers, CIOs have to be prepared to ask the right questions. "Many companies feel that somehow a hacker is adding value," says Mike Higgins, president and cofounder of Alexandria, Virginia-based Para-Protect Services. "What they don't understand is that they have a tiger by the tail."
MEET THE CAST Before weighing the pros and cons of hiring a hacker, let's first clarify what we mean by hacker. In the multilayered social strata of the underground, the term differs greatly from the way it's used in the mainstream media. To be called a hacker does not suggest that one is a criminal; it simply connotes a level of skill and a curiosity to explore systems. The malicious work is done by individuals referred to as crackers. In common parlance, the two types are known as white-hat and black-hat hackers. Somewhere in the middle are the gray-hat hackers, who no longer actively engage in malicious hacks but maintain their ties to the underground to stay abreast of new exploits and techniques.
Gray-hat hackers, like those found in L0pht Heavy Industries, the recently acquired R&D group of @Stake, a newly formed e-commerce security company, often have a greater level of experience with the tools used by hackers. "If you're researching vulnerabilities, do you want to hire somebody who can use LockCrack [a password cracking program] or somebody who wrote LockCrack?" asks Weld Pond, a research scientist with Cambridge, Massachusetts-based @Stake.
Obviously, the value of hiring well-known hacker groups like L0pht is that you know what you're getting. Plenty of vandals who call themselves hackers can break into systems and make a mess, according to Ken Ammon, founder and CEO of Herndon, Virginia-based Network Securities Technologies. But you never see a true hacker's attack coming, and it's often impossible to even detect the damage he has done or where he broke in. It's in combating that kind of foe that attack and penetration skills become invaluable. "If you're never going to hire a hacker, you're never going to catch a hacker," says Ammon.
One of the chief benefits of working with some breeds of hackers, like the gray-hats, is that they often have access to information about known security holes and hacking exploits that a CIO, or a suit in hacker-speak, could never get. Through chat groups and message boards, which corporate IT staffers generally don't have the time or the inclination to visit, hackers discuss, post and exchange information about security problems. When a company learns about a vulnerability, it often fixes its own systems but buries any information about the problem for fear it might become public. While this may be a smart move from a public relations standpoint, it also means that while hackers are freely exchanging information about vulnerabilities and exploits, companies are by and large kept in the dark.
Space Rogue (like other hackers, he prefers to use his alias), a research scientist for @Stake and a member of L0pht, considers his ties to the underground a valuable resource for the companies he works with. "The underground doesn't post information [for companies to see]. They want to keep it to themselves," he points out. "By having contacts with these sorts of people, we get hints about where to look for holes, we find them and publicize the problem."
Hackers also have rather traditional methods for sharing their information through vehicles like the online Hacker News Network; Attrition.org, where a page called "mirror" reports pages of corporate websites that have been hacked and defaced; and a variety of internet relay chat sites. CIOs can certainly send their own systems administrators to these sites, but few companies have the resources to dedicate to the cause, and there is also a danger in having corporate employees surfing these pages freely. Many times, for example, hackers set up the sites with sniffers (programs that monitor IP packets traversing a local network), and if one of your employees is searching for information on Windows NT vulnerabilities, well, there's got to be a reason. A hacker is now armed with some very valuable information about where your systems may be weak.
A CIO should be aware that although penetration testing can provide enormous value, it has limits. "Breaking in is easy," says Fred J. Rica, a partner and national threat and vulnerability assessment leader with PricewaterhouseCoopers' technology risk services division in Morristown, New Jersey. "I can teach anyone to be a hacker." But that alone doesn't help the company strengthen security. There has to be a certain level of business knowledge and understanding involved in order to not only fix the problems, but also create a security policy that will prevent recurrence. According to Rica, that may not be the average hacker's strong suit. CIOs should also understand that a penetration test is just a snapshot of the network at that point in time. The holes that are there today can be fixed, but new ones can be created every time something is changed on the network.
Penetration testing should be viewed as an occasional test of the strength of a company's defenses rather than a hunt for its weaknesses, says Al Decker, director of security and privacy services for IBM Global Services in Cary, North Carolina. Rather than throwing a brick right through the window, Decker suggests that companies check for the network equivalent of safety glass. If there's a screen in place, safety glass in the windows and a fence outside, "then I'll throw that brick," he adds.
HOW TO PROTECT YOUR COMPANY Once a company is sold on the value of hiring a hacker, it has to know how to mitigate the potential security risk of doing so--steps that CIOs should consider whether they're hiring a hacker or a new systems administrator. Whether the hacker works directly for the company or through a third-party vendor, CIOs need to conduct a thorough background check on each individual being considered. For a hacker hire, however, the check takes on a bit more significance because any criminal history where computers were involved should be an automatic red flag. Some, like ex-convict and hacker poster boy Mitnick, argue that because some computer crimes are committed out of intellectual curiosity rather than the desire for personal gain, those crimes should not preclude hackers from working as IT security professionals.
But CIOs should weigh that risk carefully.
Companies should also check references. It's important to look carefully at the resumes of all who will be working on their systems and ask if those individuals are employees of the company or subcontractors. Even if the individuals are part of a security vendor's on-staff team, don't presume that the background work has already been done.
Since hackers tend to develop a deep expertise in one or two particular areas, certification can also provide some insight into the level of experience of prospective penetration testers. Most hackers doing it for illegal purposes wouldn't bother to put the time and effort into getting certified, so if the individual you're considering is a certified information system security professional or a systems network administrator professional, chances are good that person has the necessary skills and takes his work seriously. In addition, if you are working with a security vendor, require that it has both business insurance as well as key personnel clauses in the contract that will prevent companies from sending people other than those who were originally proposed to conduct the work. Such steps are important in establishing the reliability of the service provider.
Unfortunately, none of this information will tell you much about the ethics of the person in question. Rica of PricewaterhouseCoopers recounts the story of a client PWC snapped up. This client was on the rebound from a bad experience with a hacker who was providing penetration testing services. The company brought in the hacker to do some work, and the very next month 2600: The Hacker Quarterly featured a cover story on how to hack into this particular company.
Although the CIO couldn't prove a direct link, he decided that the two events were far too coincidental and fired the individual.
To prevent reading about your company's system secrets in the next issue of a hacker magazine, get a feel for the morals and intentions of the person by meeting with him face-to-face. Brian Martin, a 26-year-old ex-hacker and security consultant, advises CIOs to get to know these people personally and not rely on a piece of paper. "No matter what the resume says, 15 minutes in a bar sipping beers and talking to them will tell you more about their background and ethics." Bringing penetration testers into the office for at least the initial portion of the engagement also provides the added bonus of creating an opportunity for the company's security personnel to learn from the penetration testers. When Ernst & Young's penetration testing team starts a new project with a client, for example, a staff member from the IT department they are working with sits in on the work they are performing. This creates an additional level of trust and an atmosphere of mutual education.
GROW YOUR OWN HACKERS Many companies simply can't afford to risk their reputations by hiring gray- or black-hat hackers. So for them, developing hacking skills among the existing members of their IT staff is a very appealing option. Ernst & Young's Global Security Solutions center runs a one-week "extreme hacking" course out of its Kansas City, Missouri, headquarters and in cities around the United States where its on-staff security experts will teach IT staff members the ins and outs of hacking.
The course offers segments on internet profiling (gathering information about a company's internet footprint), hacking Unix and NT, as well as more advanced techniques. It then follows up with labs where the students can work in groups, as many real-life hackers do, to actually hack a box that has been set up for them on a closed network. Ricky Soler, an information security analyst with Fiduciary Trust in New York City, attended one of the recent courses because his company is moving into e-commerce and wants to ensure that its systems can't be easily hacked. Soler, like most of the students, was surprised by how easy hacking actually is. "The first couple [NT and Unix] were particularly easy; we were able to hijack the password, run the cracker and we were in."
Many of the instructors come from three-letter government agencies such as the CIA, the FBI and the NSA. Ron Nguyen came from San Antonio's Air Force Information Warfare Center, where he studied the attack and penetration techniques used by hackers and developed custom countermeasures to detect and thwart their preferred methods of attack. The difference between the Air Force and corporate America is not that great either. Most security vulnerabilities in both areas are still caused by simple configuration errors, outdated firewall access control lists or a user's easily guessed password. In addition to teaching his students all about hacking, Nguyen makes a point to reinforce the basics of good information security practices.
As for corporate security professionals like Soler, one of the biggest benefits of attending the course--aside from the knowledge gained--is the relationships it created. One of the key points pushed by the extreme hacking instructors is the importance of networking with fellow students. In the future, when Soler runs up against a security problem or question, he'll be able to call his fellow classmates to talk about how they may have dealt with the same issue.
Regardless of whether you choose to hire penetration testers or not, hackers need to be taken seriously. Michael L. Puldy, who heads IBM's Emergency Response Service, points to events like Defcon, the annual gathering of serious computer hackers, enthusiasts and undercover feds as evidence that hackers are going somewhat mainstream. "There are people from the FBI and the State Department there because they want to hear what the philosophies are," says Puldy. Companies can also learn a great deal by boning up on the methods and exploits of the hacker community; they just need to give careful consideration to how they go about it.
Daintry Duffy, senior writer and fledgling hacker, goes by the screen name Coolio...whoops...Julio. She can be reached at firstname.lastname@example.org.
CONVERSATION WITH KEVIN MITNICK Kevin Mitnick, perhaps the nation's most notorious hacker, talked to us recently about hackers, corporate security and where companies are most vulnerable.
CIO: WHAT SHOULD CIOS CONSIDER BEFORE HIRING HACKERS?
Mitnick: Just because somebody is a hacker doesn't mean he has the skill set to do the job. A hacker might be really good at getting through security measures on a Windows NT box but not good at creating policies and procedures to protect a company.
CIO: WHAT'S YOUR OPINION OF THE PERPETRATORS OF THE RECENT DENIAL-OF-SERVICE ATTACKS?
Mitnick: When the media labels those individuals as hackers, it distorts the definition and gives hackers a bad name. You know, it's interesting, Steve Jobs and Steve Wozniak started off as hackers; that's how they obtained their skills. Yet they weren't people who were looking to do damage.
CIO: HOW VULNERABLE TO HACKING ARE THE MAJORITY OF COMPANIES?
Mitnick: Given the sufficient resources, time and money, any computer system or network is vulnerable. CIOs should increase security only to the point that it is cost effective, enough to drive the hacker on to the next person. It's like the security of putting The Club on the steering wheel. Somebody could still break into the car, but it's probably easier to move on to the next one.
CIO: SHOULD CIOS BE WARY OF INDIVIDUALS WITH COMPUTER-RELATED CRIMINAL RECORDS?
Mitnick: Just because someone has been arrested for hacking doesn't mean he is a criminal. [The offense] could have been very benign. He could be a hacker who worked in a bank and circumvented money to an account to steal it, or he could just be a computer enthusiast circumventing security for other purposes, not to cause harm.
CIO: WHAT SHOULD CIOS WORRY MOST ABOUT IN THEIR SECURITY INFRASTRUCTURES?
Mitnick: The weakest link in the chain is always the human element. You can have the newest security tools to protect your technology, but in the end, if you have a $7- or $8-per-hour person using the equipment, that can be exploited by a hacker. The less knowledgeable the people are, the easier it is [for hackers to exploit them]. -D. Duffy
CAST OF CHARACTERS Who's who in the world of hackers, according to the online hacker Jargon File.
Cracker: A malicious meddler who tries to discover sensitive information by breaking into computer systems. Cracking usually involves the dogged repetition of well-known tricks that exploit common weaknesses in the security of target systems.
Hacker: A person who enjoys exploring the details of programmable systems and how to stretch their capabilities. Hackers also relish the intellectual challenge of creatively overcoming or circumventing limitations.
Phreaker: One who practices the art and science of cracking the phone network (for example, to make free long-distance calls).
Samurai: A hacker who is hired for legal cracking jobs, snooping for factions in corporate political fights, lawyers pursuing privacy rights and First Amendment cases, and other parties with legitimate reasons to need an electronic locksmith.
Script Kiddies: The lowest form of cracker, script kiddies do mischief with scripts and programs written by others, often without understanding the exploit.
Sneaker: An individual hired to break into places to test their security.
Reprinted with permission of Jargon File, version 4.1.0.