Linux Today: Linux News On Internet Time.

VNU Net: Hacking the hackers

Jun 24, 2000, 14:14 (2 Talkback[s])
(Other stories by David Ludlow)

By David Ludlow, VNU Net

Chris Rouland is the director of X-Force at Internet Security Systems (ISS), a group dedicated to understanding, documenting and coding new vulnerability checks and tests, attack signatures and solutions to global security problems.

Rouland has 10 years' experience in IT. His career has spanned the growth of the internet and the evolution of widescale distributed systems. Prior to joining ISS, Rouland held positions as software developer, network architect and, most recently, vice president of distributed technology for Lehman Brothers.

How would you describe the hacking community?
I classify hackers on three levels: the individuals, who have the ability or motivation to download hacking tools and launch attacks, with the majority being script kiddies.

Then there are the grouped individuals, who combine their skillsets to facilitate a more efficient use of capabilities and infrastructures.

At the top are the individuals who are able to write new exploits. They are definitely the minority, maybe one or half a per cent, of the hackers out there, but have the capability to write machine code in Sparq assembly language for new exploits.

The highest risk is posed by 'organised individuals'. They're not motivated by notoriety or fun. They resemble organised crime, and are people who have some direct motivation for this - whether it be governmental or political.

Do you recruit hackers to work at X-Force?
I've interviewed some hackers, or 'black-hats', that want to become 'white-hats' but I haven't hired any of them. We have to have a strong security backbone on the team and we have a lot of senior members that infuse that. As I bring new people on board, I find that I prefer to hire somebody with a mathematics or computer science degree from a very good institution, and teach them computer security.

So hackers aren't really good enough?
No, hackers are not good enough. Well, not to beat hackers. We certainly have to have knowledge of the computer underground, but you can't train a hacker how to work. Most of them are pretty lazy, and I need people who are very hungry and aggressive, but brilliant.

The X-Force is a high-octane mix of computer security and computer science, and I found that you can take a brilliant computer scientist or a brilliant mathematician and make them anything. Take a hacker and you can't teach them much.

Do you infiltrate hacker groups to get more information?
Yes - I don't want to get into specifics about which groups we have infiltrated because we do it on an ongoing basis, and I don't want to blow our cover. Infrequently, we find an organisation that has found a new vulnerability. What we have to do is infiltrate the organisation to get a copy of their exploit code.

How do you go about infiltration?
In the computer underground there are a couple of things that are used as currency. The 'hundred dollar bill' is what we call 'zero day warez'.

This is a new exploit - a new way to break into a computer that the vendors don't know about, so there's no fix available. This is what leading-edge hackers are using. When they become a 'one-day ware', and a 'two-day ware', these 'hundred dollar bills' are traded for other things. One hacking group might find a new exploit and trade it with another hacking group so they can have two unknown exploits.

Is this your doorway in?
One of our research arms finds new exploits, but we're very careful not to let code leak out because it's really a class of cyber weapon. So we wouldn't go into a hacking group and say 'hey I'll trade you some exploits'. We don't want our customers to get hacked with vulnerabilities we found. That has never happened.

We may have to socially engineer our way into a hacking group, talking about our expertise to get access to some new technology that they're using. This kind of counter-intelligence is something we reserve for very high-profile, high-risk technologies. For instance, with BO2K [Back Orifice 2000] we took a couple of angles at getting that. In the end we had to resort to the lowest common denominator, which was a highly athletic member of our team jumping over rows of reporters to catch a copy of the CD at Defcon [an underground computer convention].

How do you work with companies to solve vulnerabilities that you've found?
I have one liaison officer who interfaces with all our vendors. Once we identify the vulnerability, we work with them to produce fixes, and give the company a 45-day window to fix the product.

The only caveat is when we see that a hacker is already using that vulnerability in the wild, which is quite common. We have an intersection where we're looking at the same technologies as hackers. So if there's an exploit out there we're going to go ahead and release a security advisory.

Is security still generally overlooked?
Before ISS I worked for a large brokerage firm, and security was generally perceived by the end user as a kind of tax: 'Oh, we've got to pay for our computers, and we've got to pay for security too?' So it was put on the back burner.

But I think as organisations come to depend on ecommerce and the internet for business and revenue, they will see that they are operating in a hostile environment and they've got to protect themselves. Honestly, I think it will take some more hits for everybody to sign up to this.

Has ecommerce just generated more bad security?
What I see in most organisations is 'a hard candy shell with a soft chewy centre'. There's a very strong perimeter, but nothing on the inside.

People are always going on about the fact that they bought this really expensive firewall and they have these gurus that run it, but you cannot depend on just the firewall.

A really good example was the NAI Gauntlet firewall. A remote route vulnerability allowed any hacker to walk through the firewall with a fire axe. They could burst right through it.

If you were running a Gauntlet firewall, once it was penetrated everything on the inside was typically not secure so the databases, where all the goodies are, were wide open.

Is open source the way forward, or just a method for hackers to get in-depth knowledge of systems?
It's a really interesting argument, and a very fine line for me to walk. After the Linux thing [X-Force released an advisory on a hotly debated Red Hat Linux backdoor], I had some reporters come to me hoping I'd bash up open source. It's not the case.

Open source is very effective at rapidly integrating new ideas into software. The Linux operating system has evolved much quicker than Microsoft's products because you've got lots and lots of programmers working on this and introducing new stuff. But, it's a hobby. Even with funding, the bottom line is that with a hobby you don't have the same kind of software engineering quality assurance. You get what you pay for.

What about Linux as a secure platform?
The first thing a person does when they break into a Linux box is to backdoor the whole OS. It is a real mess to clean up. The thing with Linux is it's a low-cost product from an OS perspective, but a Linux expert is an expensive person to hire. If you're going to play with open source technology you need to have open source people to run them for you and to secure them.

The adoption of Linux in the market without the techies to support it is a high risk. That's not to say that Windows NT is more secure than Linux - it's who sets them up that counts.

Are we getting to the point where hackers are going to be able to injure people through their actions?
Actually, we've seen a case from the Federal Bureau of Investigations where hackers shut down a phone switch. By fooling around with the telephone system they shut down a small airport, which used a phone line to the FAA [Federal Aviation Administration] to handle traffic data. High degrees of interdependency on infrastructure mean that if one piece is knocked over, deliberately or by accident, you can potentially create life-threatening situations.

The other angle we've got is the Chinese authorities executing hackers right now. People are being killed because of hacking today.

Related Stories: