
VNU Net: Hacking the hackers

By David Ludlow, VNU Net

Chris Rouland is the director of X-Force at Internet Security
Systems (ISS), a group dedicated to understanding, documenting and
coding new vulnerability checks and tests, attack signatures and
solutions to global security problems.

Rouland has 10 years’ experience in IT. His career has spanned
the growth of the internet and the evolution of widescale
distributed systems. Prior to joining ISS, Rouland held positions
as software developer, network architect and, most recently, vice
president of distributed technology for Lehman Brothers.

How would you describe the hacking
community?

I classify hackers on three levels: the individuals, who have the
ability or motivation to download hacking tools and launch attacks,
with the majority being script kiddies.

Then there are the grouped individuals, who combine their
skillsets to facilitate a more efficient use of capabilities and
infrastructures.

At the top are the individuals who are able to write new
exploits. They are definitely the minority, maybe one or half a per
cent, of the hackers out there, but have the capability to write
machine code in SPARC assembly language for new exploits.

The highest risk is posed by ‘organised individuals’. They’re
not motivated by notoriety or fun. They resemble organised crime,
and are people who have some direct motivation for this – whether
it be governmental or political.

Do you recruit hackers to work at X-Force?

I’ve interviewed some hackers, or ‘black-hats’, that want to become
‘white-hats’ but I haven’t hired any of them. We have to have a
strong security backbone on the team and we have a lot of senior
members that infuse that. As I bring new people on board, I find
that I prefer to hire somebody with a mathematics or computer
science degree from a very good institution, and teach them
computer security.

So hackers aren’t really good enough?

No, hackers are not good enough. Well, not to beat hackers. We
certainly have to have knowledge of the computer underground, but
you can’t train a hacker how to work. Most of them are pretty lazy,
and I need people who are very hungry and aggressive, but
brilliant.

The X-Force is a high-octane mix of computer security and
computer science, and I found that you can take a brilliant
computer scientist or a brilliant mathematician and make them
anything. Take a hacker and you can’t teach them much.

Do you infiltrate hacker groups to get more
information?

Yes – I don’t want to get into specifics about which groups we have
infiltrated because we do it on an ongoing basis, and I don’t want
to blow our cover. Infrequently, we find an organisation that has
found a new vulnerability. What we have to do is infiltrate the
organisation to get a copy of their exploit code.

How do you go about infiltration?

In the computer underground there are a couple of things that are
used as currency. The ‘hundred dollar bill’ is what we call ‘zero
day warez’.

This is a new exploit – a new way to break into a computer that
the vendors don’t know about, so there’s no fix available. This is
what leading-edge hackers are using. When they become a ‘one-day
ware’, and a ‘two-day ware’, these ‘hundred dollar bills’ are
traded for other things. One hacking group might find a new exploit
and trade it with another hacking group so they can have two
unknown exploits.

Is this your doorway in?

One of our research arms finds new exploits, but we’re very careful
not to let code leak out because it’s really a class of cyber
weapon. So we wouldn’t go into a hacking group and say ‘hey I’ll
trade you some exploits’. We don’t want our customers to get hacked
with vulnerabilities we found. That has never happened.

We may have to socially engineer our way into a hacking group,
talking about our expertise to get access to some new technology
that they’re using. This kind of counter-intelligence is something
we reserve for very high-profile, high-risk technologies. For
instance, with BO2K [Back Orifice 2000] we took a couple of angles
at getting that. In the end we had to resort to the lowest common
denominator, which was a highly athletic member of our team jumping
over rows of reporters to catch a copy of the CD at Defcon [an
underground computer convention].

How do you work with companies to solve vulnerabilities
that you’ve found?

I have one liaison officer who interfaces with all our vendors.
Once we identify the vulnerability, we work with them to produce
fixes, and give the company a 45-day window to fix the product.

The only caveat is when we see that a hacker is already using
that vulnerability in the wild, which is quite common. We have an
intersection where we’re looking at the same technologies as
hackers. So if there’s an exploit out there we’re going to go ahead
and release a security advisory.

Is security still generally overlooked?

Before ISS I worked for a large brokerage firm, and security was
generally perceived by the end user as a kind of tax: ‘Oh, we’ve
got to pay for our computers, and we’ve got to pay for security
too?’ So it was put on the back burner.

But I think as organisations come to depend on ecommerce and the
internet for business and revenue, they will see that they are
operating in a hostile environment and they’ve got to protect
themselves. Honestly, I think it will take some more hits for
everybody to sign up to this.

Has ecommerce just generated more bad
security?

What I see in most organisations is ‘a hard candy shell with a soft
chewy centre’. There’s a very strong perimeter, but nothing on the
inside.

People are always going on about the fact that they bought this
really expensive firewall and they have these gurus that run it,
but you cannot depend on just the firewall.

A really good example was the NAI Gauntlet firewall. A remote
root vulnerability allowed any hacker to walk through the firewall
with a fire axe. They could burst right through it.

If you were running a Gauntlet firewall, once it was penetrated
everything on the inside was typically not secure so the databases,
where all the goodies are, were wide open.

Is open source the way forward, or just a method for
hackers to get in-depth knowledge of systems?

It’s a really interesting argument, and a very fine line for me to
walk. After the Linux thing [X-Force released an advisory on a
hotly debated Red Hat Linux backdoor], I had some reporters come to
me hoping I’d bash up open source. It’s not the case.

Open source is very effective at rapidly integrating new ideas
into software. The Linux operating system has evolved much quicker
than Microsoft’s products because you’ve got lots and lots of
programmers working on this and introducing new stuff. But, it’s a
hobby. Even with funding, the bottom line is that with a hobby you
don’t have the same kind of software engineering quality assurance.
You get what you pay for.

What about Linux as a secure platform?

The first thing a person does when they break into a Linux box is
to backdoor the whole OS. It is a real mess to clean up. The thing
with Linux is it’s a low-cost product from an OS perspective, but a
Linux expert is an expensive person to hire. If you’re going to
play with open source technology you need to have open source
people to run them for you and to secure them.

The adoption of Linux in the market without the techies to
support it is a high risk. That’s not to say that Windows NT is
more secure than Linux – it’s who sets them up that
counts.

Are we getting to the point where hackers are going to
be able to injure people through their actions?

Actually, we’ve seen a case from the Federal Bureau of
Investigation where hackers shut down a phone switch. By fooling
around with the telephone system they shut down a small airport,
which used a phone line to the FAA [Federal Aviation
Administration] to handle traffic data. High degrees of
interdependency on infrastructure mean that if one piece is knocked
over, deliberately or by accident, you can potentially create
life-threatening situations.

The other angle we’ve got is the Chinese authorities executing
hackers right now. People are being killed because of hacking
today.
