VNU Net: Hacking the hackers
Jun 24, 2000, 14:14
By David Ludlow, VNU Net
Chris Rouland is the director of X-Force at Internet Security Systems (ISS), a group dedicated to understanding, documenting and coding new vulnerability checks and tests, attack signatures and solutions to global security problems.
Rouland has 10 years' experience in IT. His career has spanned the growth of the internet and the evolution of widescale distributed systems. Prior to joining ISS, Rouland held positions as software developer, network architect and, most recently, vice president of distributed technology for Lehman Brothers.
How would you describe the hacking
Then there are the grouped individuals, who combine their skillsets to facilitate a more efficient use of capabilities and infrastructures.
At the top are the individuals who are able to write new exploits. They are definitely the minority, maybe one or half a per cent, of the hackers out there, but have the capability to write machine code in SPARC assembly language for new exploits.
The highest risk is posed by 'organised individuals'. They're not motivated by notoriety or fun. They resemble organised crime, and are people who have some direct motivation for this - whether it be governmental or political.
Do you recruit hackers to work at X-Force?
So hackers aren't really good enough?
The X-Force is a high-octane mix of computer security and computer science, and I found that you can take a brilliant computer scientist or a brilliant mathematician and make them anything. Take a hacker and you can't teach them much.
Do you infiltrate hacker groups to get more
How do you go about infiltration?
This is a new exploit - a new way to break into a computer that the vendors don't know about, so there's no fix available. This is what leading-edge hackers are using. When they become a 'one-day ware', and a 'two-day ware', these 'hundred dollar bills' are traded for other things. One hacking group might find a new exploit and trade it with another hacking group so they can have two unknown exploits.
Is this your doorway in?
We may have to socially engineer our way into a hacking group, talking about our expertise to get access to some new technology that they're using. This kind of counter-intelligence is something we reserve for very high-profile, high-risk technologies. For instance, with BO2K [Back Orifice 2000] we took a couple of angles at getting that. In the end we had to resort to the lowest common denominator, which was a highly athletic member of our team jumping over rows of reporters to catch a copy of the CD at Defcon [an underground computer convention].
How do you work with companies to solve vulnerabilities that you've found?
The only caveat is when we see that a hacker is already using that vulnerability in the wild, which is quite common. We have an intersection where we're looking at the same technologies as hackers. So if there's an exploit out there we're going to go ahead and release a security advisory.
Is security still generally overlooked?
But I think as organisations come to depend on ecommerce and the internet for business and revenue, they will see that they are operating in a hostile environment and they've got to protect themselves. Honestly, I think it will take some more hits for everybody to sign up to this.
Has ecommerce just generated more bad
People are always going on about the fact that they bought this really expensive firewall and they have these gurus that run it, but you cannot depend on just the firewall.
A really good example was the NAI Gauntlet firewall. A remote route vulnerability allowed any hacker to walk through the firewall with a fire axe. They could burst right through it.
If you were running a Gauntlet firewall, once it was penetrated everything on the inside was typically not secure, so the databases, where all the goodies are, were wide open.
Is open source the way forward, or just a method for hackers to get in-depth knowledge of systems?
Open source is very effective at rapidly integrating new ideas into software. The Linux operating system has evolved much quicker than Microsoft's products because you've got lots and lots of programmers working on this and introducing new stuff. But, it's a hobby. Even with funding, the bottom line is that with a hobby you don't have the same kind of software engineering quality assurance. You get what you pay for.
What about Linux as a secure platform?
The adoption of Linux in the market without the techies to support it is a high risk. That's not to say that Windows NT is more secure than Linux - it's who sets them up that counts.
Are we getting to the point where hackers are going to be able to injure people through their actions?
The other angle we've got is the Chinese authorities executing hackers right now. People are being killed because of hacking today.