Fear of a black hat
There is no sure-fire way to keep hackers out of your network. But taking several precautions — including safeguarding sensitive customer data — can keep the damage to a minimum
They're out there, and they're coming to get you.
They're not visitors from another galaxy, IRS agents or Amway distributors — they're far more frightening than that. They're computer hackers, and if they haven't hit you yet, they will. Count on it. And when they do, chances are you won't even know it.
2001 Computer Crime and Security Survey: 94% of respondents detected computer viruses in 2001, up from 85% in 2000. Source: Computer Security Institute
“Sooner or later, you're going to be a victim of an attack of some kind,” says Pat Cain, security advocate of the chief technology office for network services provider Genuity. “If you're a company that's connected in any way to the Internet, chances are your Web site has already been probed at least a couple of times. In fact, you're in a small minority if your site hasn't been compromised in some way.”
Hackers all start out with the same motivation — curiosity
It all begins innocently enough. Much as a child will pilfer a 50¢ candy bar from the local convenience store just to see if it can be done, most hackers will worm their way into a provider's computer network simply for the challenge of doing so.
These hackers are known as “white hats,” and they account for about 90% of all attacks. Often they have unsophisticated skill sets, relying on a plethora of scripts easily found on the Internet to tell them where a service provider's vulnerabilities are and give them the exploitive code needed to take advantage of them.
“They simply download programs, point them at a network and hit ‘Go,’” says Greg Smith, director of product marketing for Internet security company Check Point Software Technologies.
Typically, white hat hackers will leave a calling card of some sort because — in addition to the thrill of the hunt — notoriety within the hacking community is an important goal.
“Some of these kids want to make a name for themselves, and others are in the prime of adolescence and are just saying, ‘Screw the system,’” says Gorka Sadowski, director of emerging technologies for security systems developer NetScreen Technologies. “Most times, these aren't the worst attacks.”
But don't believe for a moment that “script kiddies” are harmless just because they lack sophistication or are less than stealthy. They, and all white hats, are capable of unleashing viruses and denial-of-service attacks that can easily bring networks down, potentially costing service providers millions of dollars to restore their networks and satisfy blown service level agreements.
And depending on the length of the outage, millions more can be lost. After all, if you can't provide service because your network is down, you can't bill.
Script kiddies are also capable of defacing a provider's Web site, jamming its e-mail system and perpetrating a number of other annoyances that can cost their victims a great deal in terms of public perception and customer confidence.
Nevertheless, Sadowski is correct: These are not the hackers you should be most worried about.
The white hat hacker is curiosity driving toward a perfect standard. The black hat hacker is curiosity driving toward absolute power
Hackers reach a fork in the road around age 20, according to one hacker who requested anonymity. Up to this point, they remain steadfastly unaffected by the material world, content to subsist on pizza and soft drinks while dressing in the unofficial hacker uniform: t-shirt, jeans and Doc Martens.
85% of respondents detected computer security breaches in the past 12 months
Their living space typically is littered with all sorts of clutter. Various hacker manifestoes (such as “The Cathedral and the Bazaar” and “Hacking Exposed”) are kept in a place of high honor. And, in addition to a workstation that would make a NASA scientist green with envy, you may find a sleeping bag and a telephone — but not much else.
“Then they go to work for a company like Microsoft and clean up their act to the point where they can maintain a schedule in order to keep their job. Or they become an industrial hacker,” the hacker says.
These are the ones you need to worry about — the so-called “black hats.”
“Absolute power corrupts absolutely, and there's a lot of power that comes from hacking,” says the hacker, who is of the black hat variety. “Once they realize what kind of power they hold, they eventually begin to rationalize and start to believe that what they're doing is OK.”
Though personal and political vendetta is high on the list of motivating factors, most elite black hats engaging in industrial espionage do so for personal gain. And for good reason: Industrial hackers can pull down a million dollars per gig, which is pretty good work if you can get it, especially considering that the typical espionage attack only takes about three weeks to pull off. Fees collected from clients generally are funneled to offshore accounts in countries that have no extradition laws. Once a black hat has accumulated about half a billion dollars, he or she retires to white-sand beaches and umbrella drinks.
“Increasingly, the hacker community is being driven by criminal activity, as opposed to how it began — as sort of a hobby,” says John Grady, director of Internet product marketing for integrated communications provider e.spire. “And from a criminal perspective, this is easy money.”
The first thing a black hat does is go shopping
However, it's no place for amateurs relying on scripts. This is serious work done by serious people. Elite black hats are meticulous in their approach and sophisticated in their tactics, and they're not above getting a little dirty when necessary.
70% of respondents cited their Internet connection as a frequent point of attack in 2001, up from 59% in 2000
“I've heard of instances where they will go through dumpsters or bribe employees to try to get at sensitive information or to get a sense of your vulnerability,” says Jonathan Harwood, executive vice president of network operations for security software provider OpenReach.
Harwood adds that shredding documents using conventional methods doesn't do much good when dealing with an elite black hat. “You have to crisscross when you shred, or they will meticulously tape the document back together.”
According to the black hat interviewed for this article, industrial hackers also will pore over publicly available documents (such as SEC filings), search Web sites for legitimate IP addresses that may provide an open door to the network, and check the target's own site for telephone numbers, names, titles and personal information about the company's employees. They will even set up dummy offices and identities for themselves.
“Anything you can use to convince somebody that you're for real,” he says. “Social engineering is the easiest way to get in. You look for enough information so you can impersonate someone who works for the company.” The ultimate goal is to uncover critical passwords. Once you have those, you have the keys to the vault.
A true artisan in terms of pilfering passwords was Kevin Mitnick, says Kevin Ketts, senior director of technology for SecureWorks. Mitnick, a legend in the hacking community, is something of an aberration — he served nearly five years in prison for allegedly possessing unauthorized access codes. Ketts said Mitnick would call up an IT department, “talk a good game” and convince his unsuspecting prey to change the password for somebody whose name Mitnick once saw on a business card.
“Then he would just log in under that username and password, and get full access,” Ketts says. “When a hacker gets in that deep, they can get to just about anything they need.”
You don't want to be the next CD Universe
Any organization that retains sensitive data about its customers is a potential target for black hats. The e-commerce site CD Universe found this out the hard way a year and a half ago when a black hat managed to get his hands on more than 350,000 credit card numbers belonging to the company's customers. He then blackmailed the company, and when CD Universe refused to cave in to the demands, the hacker reportedly posted 25,000 of those numbers on the Web.
64% of respondents acknowledged financial losses due to computer breaches
“When a business is retaining information about a customer… there is an obligation to treat that information with some degree of care,” says Eric Hemmendinger, research director of information security for Aberdeen Group. “Telcos, for instance, should be protecting billing information and payment history. If they don't and they're hacked, they'll have an image problem.”
Service providers are particularly vulnerable to the threat of a black hat attack. Not only are they sitting on sensitive data, they provide services that others want — but don't necessarily want to buy.
“The attacks started [with] phone companies back in 1961,” says Adam Madoukh, executive vice president and chief information officer for security software developer Eruces. “The hackers found out that it was easy to infiltrate a PBX to get free long-distance calls.”
Now, in addition to stealing sensitive data and placing free calls, hackers also are quite capable of re-routing traffic, causing network servers to crash, and stealing proprietary product development and market strategy data that can be sold to the highest bidder.
“And if you think it's bad now, it's only going to get worse,” says Bill Hancock, vice president and chief security officer for managed hosting provider Exodus Communications.
eXtreme hacking
Dear Mom and Dad,
You'll never guess what I did today. I went to hacker school. I had never heard of such a thing either, but it turns out that Ernst & Young runs something called “eXtreme Hacking School” to help companies understand what they're up against. (Dad, you've probably heard of E&Y — they have something to do with investing money.)
From what I understand, hackers can cause a whole bunch of trouble, so the guys at the hacker school show companies where they can be attacked, how hackers snoop around to get the info they need and then how they probe around a company's network. (And no, Mom, I'm not thinking of becoming a hacker. Chill.)
Man… you wouldn't believe how easy this stuff is. The first thing we did was search around for IP addresses owned by a company. This kind of info is all over the Web. In about two minutes we had everything we needed. Then we probed the IP address and discovered its HST record, which is a unique identifier; every IP address has one. Once we had that, it was easy to come up with domain names and the operating system the company is using. That's important because every operating system has vulnerabilities that can be taken advantage of. In fact, we went to a Web site that listed all the vulnerabilities for all the operating systems and gave the secret codes that let you exploit the “holes.” I kid you not.
Then we went over to a site called EDGAR, which financial dudes use. There we found the names of a bunch of big wigs, like CEOs, presidents, and stuff like that. My teacher (Ron Nguyen — a real smart guy) says this kind of info is important to a hacker because it can be used to get more sensitive info to penetrate a network.
There was a whole bunch more, but I don't have time to go into it all right now. It was amazing, though. We learned about things like zone transfers, trace routes, host discovery, ping sweeps and port scans. (I especially liked stealth scanning. It's a way to “get under the radar,” Ron says. You can use it to bypass filtering routers and sneak past intrusion detection systems. Pretty cool.)
There's a whole bunch of scanning tools on the Internet, and plenty of them are available free of charge. Hacking is a pretty cheap hobby, as it turns out.
Ron says hackers are like burglars. They case a neighborhood, figure out who's home and who's not, and then check the doors and windows to see what kind they are and whether they're locked. Oddly enough, the ones who do this for fun pick the houses that have the most locks. It's more of a challenge that way. Sort of like when Dad does those round jigsaw puzzles. The bad hackers, the ones who want to steal stuff from companies, look for the open doors.
Well, g2g… pizza guy's here. Write back soon.
Love,
Glenn
P.S. Dad: Do you have a firewall on your computer at work? You might want to get one….
Someone's always going to be up late at night coming up with the next best thing
There is no way of telling from where or from whom an attack will come, which makes it next to impossible to keep the hackers out. In fact, it is estimated that as much as 60% of all attacks come from within the victimized organization. In addition to script kiddies and the hacker-for-hire crowd, attacks can come from disgruntled employees (current and former), customers and vendors.
Occasionally, internal sources will inadvertently cause a breach that leads to an attack, according to Rieko Sato, director of product management for software provider Rainfinity. “It's not a case of malicious intent. Sometimes people do things to make their jobs easier or more productive, and they unwittingly create exposures in other areas.”
Malicious or not, the fact is that networks once were closed to the outside world, and companies only had to authenticate a few hundred employees, if that. Today, with so many companies connected to the Internet, it is necessary to track — and authenticate — millions of employees, customers, vendors and assorted others.
And they have to do it without irritating their customers, which is no easy task, according to Bill Wear, a product manager for Hewlett-Packard. “Security often becomes a performance issue because the server that's supposed to be taking a customer's order is busy checking the customer's credentials, which slows the system down.”
The first step in coming to grips with all of this is accepting the notion that you're never going to be able to keep the hackers out completely. Mike Kelly, a partner in Ernst & Young's telecom advisory service, says most companies connected to the Internet have too many potential access points: “If you showed them a footprint of their network and showed them where those points were, in most cases you'd knock them off their chair.”
Another problem is that hackers as a rule are pretty clever, and they have a lot of time on their hands. “There are no bulletproof locks because there's always going to be someone who's patient enough, smart enough and well-equipped enough to get past your security,” says Wear.
“It's like the relationship between the armor plate people and the artillery people,” agrees Rick Schaffzin, president and CEO of security product developer ServGate. “Every time you come up with better armor plating, they come up with better shells. I don't know if we'll ever get to the point where we'll be able to anticipate what's coming next.”
People tend to buy insurance after they see their neighbor drop dead
If you can't predict when the attacks will come, and you can't stop them even if you could, then all you can really do is make it as difficult as possible for the hackers in the hopes that they'll pass you by, according to e.spire's Grady.
“The hobby hackers are looking for the challenge,” he says, “but the criminal hackers, the ones who can really hurt you, are looking for open doors. They don't want to take the time to break in or take a chance on tripping alarms. It's like dealing with a burglar when you own a house: if the doors are locked and the lights are on, the more likely it is he'll move on to the next house.”
The basics of security include firewalls at the network edge, intrusion detection systems, periodic network assessments to determine where the holes are, regular updates to security software, and well-defined policies that guide the effort and can be used to train, inform and authenticate employees, customers and vendors.
“You have to determine what you're trying to protect and who you're trying to protect against,” says Genuity's Cain. “That will tell you what your vulnerabilities are and what your counter measures are going to be.”
But that's not enough. Hackers sooner or later will find a way to breach any firewall, so a multilayered approach to security is a must. Such an approach should include firewalls on all personal computers connected to the network, firewalls at multiple network layers and encryption of sensitive data, which is the equivalent of hiding one's valuables in a safe, according to Eruces' Madoukh.
“This is not a winnable game. No network will be completely safe, but your data can be through encryption,” he says.
Hewlett-Packard's Wear further suggests that companies look beyond the obvious when trying to identify and shore up breach points.
“Printers, for example, are smart enough these days that they can be used as a jumping-off point,” he says. “They have their own IP addresses and crude but intelligent operating systems, so a good hacker that knows the equipment can talk to these printers and get them to open a door.”
Of course, such activity and preparation doesn't come cheaply, which means that any information technology professional that pushes such a strategy is going to have trouble with the bean counters.
“The problem is that security is a huge drain on the finances of companies. It's a very costly implementation when done properly,” says Madoukh.
Attitudes tend to change, however, after an attack occurs.
“You're more receptive to the need for life insurance when you've seen what can happen when you don't have it. Network security should be on every telco's radar screen,” says Aberdeen's Hemmendinger.
If fear doesn't do the trick, Ernst & Young's Kelly suggests appealing to another primal instinct. “If you try to sell a security program by itself, you're going to run into some obstacles. Try tying it to an objective that is revenue producing. That's how you get funding.”
And if that doesn't work, appeal to management's survival instincts, suggests OpenReach's Harwood: “We ask our customers, ‘Do you want to be standing in front of a board of directors and have to explain why you didn't put in a patch and your corporate infrastructure was compromised, and you lost millions due to lost time?’”
© 2012 Penton Media Inc.







