64 information technology security Bad… in a good way More and more organisations are being targeted in cyber-attacks, and they must get to know their enemy if they are to protect vital networks. Meet the professional, ethical hacker. by Aasha Bodhani eyevine, corbis Hacking the role model: in the film ‘Hellboy’ the eponymous superhero is a demonic creature recruited as a defender of good against the unseen forces of darkness Nasty, evil, devious, manipulative: adjectives commonly planted in front of the term ‘hacker’. But stick the word ‘ethical’ in front of it, and you may just have struck on a useful concept. Of course, ‘ethical hacker’ sounds like an oxymoron: how can such a disruptive, destructive coder ever lay claim to a code of ethics? With the rise of cyber-crime, ethical hacking has become a powerful strategy in the fight against online threats. in general terms, ethical hackers are authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection. sometimes the local it managers or security officers in an organisation will be informed that such an attack – usually called a ‘penetration test’ – is to take place, and may even be looking over the hacker’s shoulder; but often they are not, and knowledge of an attack is confined to very senior personnel, sometimes even just two or three board members. some ethical hackers work for consultants; others are salaried staffers, who conduct a scheduled programme of hacks on a regular basis. a number of specialisms exist within the general discipline of ethical hacking; Engineering & Technology January 2013 www.EandTmagazine.com C2201_R12505_Feature_76.BK.indd 64 12/12/2012 12:31 65 There’s more online... Terrorism’s invisible propaganda network http://bit.ly/eandt-terror-network GCHQ’s drive to recruit new spies http://bit.ly/eandt-GCHQspies Cyber-terrorism concerns growing http://bit.ly/eandt-cyber-terrorism PROFILES IN PROBITY TEN TYPES OF CYBER HACKER The basic definition for a hacker is someone who breaks into computer networks or personal computer systems either for a challenge or to gain profit. 1 6 2 7 8 White-hat A ‘white-hat’ hacker, also referred to as an ethical hacker, is someone who has non-malicious intent whenever breaking into security systems. The majority of white-hat hackers are security experts, and will often work with a company to legally detect and improve security weaknesses. Black-hat A ‘black-hat’ hacker, also known as a ‘cracker’, is someone who hacks with malicious intent and without authorisation. Typically the hacker wants to prove his or her hacking abilities and will commit a range of cybercrimes, such as identity theft, credit card fraud and piracy. Grey-hat Like the colour suggests a ‘grey-hat’ hacker is somewhere between white-hat and black-hat hackers, as he or she exhibits traits from both. For instance, a grey-hat hacker will roam the Internet in search of vulnerable systems; like the white-hat hacker, the targeted company will be informed of any weaknesses and will repair it, but like the black-hat hacker the grey-hat hacker is hacking without permission. Blue Hat External computer security consulting firms are employed to bug-test a system prior to its launch, looking for weak links which can then be closed. Blue Hat is also associated with an annual security conference held by Microsoft where Microsoft engineers and hackers can openly communicate. Elite hacker These types of hackers have a reputation for being the ‘best in the business’ and are considered as the innovators and experts. Elite hackers used an invented language called ‘Leetspeak’ to conceal their sites from 3 4 5 as ‘grey-hat’ hackers, who will search for vulnerable systems and inform the company but will hack without permission. Tools of the raid trade for this reason it is impossible to group all ‘hackers’ into a comprehensive category. An ethical hacker, also referred to as a ‘white-hat’ hacker or ‘sneaker’, is someone who hacks with no malicious intent and is assisting companies to help secure their systems. However, a ‘black-hat’ hacker is the opposite and will use his or her skills to commit cybercrimes, typically to make a profit. In between are hackers known search engines. The language meant some letters in a word were replaced by a numerical likeness or other letters that sounded similar. Hacktivist Someone who hacks into a computer network, for a politically or socially motivated purpose. The controversial word can be constructed as cyber terrorism as this type of hacking can lead to non-violent to violent activities. The word was first coined in 1996 by the Cult of the Dead Cow organisation. Script kiddies Amateur hacker who follows directions and uses scripts and shell codes from other hackers and uses them without fully understanding each step performed. Spy hackers Corporations hire hackers to infiltrate the competition and steal trade secrets. They may hack in from the outside or gain employment in order to act as a mole. Spy hackers may use similar tactics as hacktivists, but their only agenda is to serve their client’s goals and get paid. Cyber terrorists These hackers, generally motivated by religious or political beliefs, attempt to create fear and chaos by disrupting critical infrastructures. Cyber terrorists are by far the most dangerous, with a wide range of skills and goals. Cyber Terrorists’ ultimate motivation is to spread fear, terror and commit murder. Mobile hackers These days individuals store everything on their mobile phones, from personal information such as contact numbers and addresses to credit card details. For these reasons mobile phones are increasingly becoming attractive to hackers-on-the-hoof, either by hacking faulty mobile chips or point-to-point wireless networks, such as Bluetooth. Ethical hacker Peter Wood, founder of penetration-testing vendor First Base Technologies, specialises in Windows networks and social engineering. His first ‘packet sniffing’ exercise was in 1978, when he worked with defence corporation Raytheon, and later tested IBM’s network systems. The choice of tools used depend on the task, says Wood, but when testing a corporate Windows network he will use Hyena – a program designed for Windows admins and programs fgdump and SAMInside for Windows password-cracking. He adds program Core Impact is ideal for running exploits as it creates a solid audit trail. Cyber security issues change every day – new viruses, new malware, new ways to 9 10 Sources: E&T, McAfee/ Robert Siciliano, Wikipedia crack through even the most robust online defences. The ‘threat landscape’ has grown out from simple password breaking, viral infection, and the exploitation of weakness in online access safeguards, through to cyber-espionage, data asset theft, and denial of service (DoS) attacks. Add to this the proliferating problem of ‘hacktivism’ – the deployment of hacking techniques as a means of protest to promote political ends. As well as the external baddies, organisations of all kinds are continually challenged to adopt emerging digital information technologies, such as bring your own device (BYOD) and cloud computing, which bring their own security issues. Now however businesses are facing increasingly accurate and sophisticated attacks. Despite spending millions implementing firewalls, anti-virus/ anti-malware software, hardware firewalls, and data protection applications, there are > www.EandTmagazine.com January 2013 Engineering & Technology C2201_R12505_Feature_76.BK.indd 65 12/12/2012 12:32 66 information technology security < still flaws in many organisations’ IT security perimeters, and it’s not necessarily the fault of the security technology. This has resulted in companies employing ethical hackers to perform penetration tests, vulnerability scans and identifying the unknown. Ethical hackers may be deployed to look for vulnerabilities from both inside and outside an organisation: covert cyber criminals can pass themselves off as bona fide employees to conduct their nefarious ends from within corporate premises. Hacker history In 1974, the Multics (Multiplexed Information and Computing service) operating systems were then renowned as the most secure OS available. The United States Air Force organised an ‘ethical’ vulnerability analysis to test the Multics OS and found that, though the systems were better than other conventional ones, they still had vulnerabilities in hardware and software security. As companies begin to employ ethical hackers, the need for IT specialists with accredited skills is growing, but ethical hackers require support too.Shortly after the 11 September 2001 terrorist attacks on the World Trade Center, Jay Bavisi and Haja Mohideen co-founded the International Council of Electronic Commerce Consultants (EC-Council), a professional body that aims to assist individuals in gaining information security and e-business skills. Government institutions have recognised the benefits in using ethical hackers; the problem is where to find them. In 2011, UK intelligence agency GCHQ launched ‘Can You Crack It?’, an online code-breaking challenge in the aim to recruit ‘self-taught’ hackers to become the next generation of cyber security specialists. Early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme. This initiative launched by the agency’s CommunicationsElectronics Security Group (CESG) and the Centre for Protection of National Infrastructure (CPNI), will provide a range of support from tactical, technical mitigation advice to guidance on the use of counter-measures to improve the quality of security within the public sector and critical national infrastructure organisations. At present, data-intelligence provider BAE Systems Detica and security providers Cassidian, Context IS, and Mandiant have been selected by CESG and CPNI to work in partnership to provide support. A GCHQ spokesperson revealed both GCHQ and CPNI have not incurred any additional costs in establishing the scheme, but in line with other certification schemes they will charge an annual certification fee when the CIR scheme is launched in 2013. “We certify ‘ethical hacking’ companies ourselves to undertake penetration testing of government IT systems, and work with industry schemes CREST and TIGER in setting the right standards for these companies to work to,” adds a GCHQ spokesperson. How ethical is ‘ethical’? Even though more enterprises are actively recruiting ethical hackers, for some there remains a hesitation when it comes from letting a licensed attacker loose on corporate information systems. According to the report ‘When is a Hacker an “Ethical Hacker” – He’s NOT’ by AlienVault’s research engineer Conrad Constantine, an ‘ethical’ hacker simply does not exist, and it is the contradictory job title that is the problem. “The term ‘ethical’ is unnecessary – it is not logical to refer to a hacker as an ‘ethical hacker’ because they have moved over from the ‘dark side’ into ‘the light’,” Constantine argues. “The reason companies want to employ a hacker is not because they know the ‘rules’ to hacking, but because of the very fact that they do not play by the rules.” Constantine adds: “Some hackers would argue that they’re not criminals, but activists. Others would say that Spying tonight: early in 2012 GCHQ also unveiled a cyber-incident response (CIR) pilot scheme Engineering & Technology January 2013 www.EandTmagazine.com C2201_R12505_Feature_76.BK.indd 66 12/12/2012 12:32 67 Charlie Miller: Apple bug finder general they’re just rebellious in the way they think about technology and have a duty to highlight an organisation’s poor security. My personal view is that we need people who are willing to stand up and challenge authority – in so doing, does that then make them ethical? I don’t see why it should, it is still hacking – end of argument.” Supporting this, Faronics project management vice president Dmitry Shesterin asks: “Have you ever heard of an ethical hacker that has started off as an ethical hacker? I have not.” “Experts do not typically adhere to textbook coding practices, and can uncover problems, vulnerabilities, or business practices of varying shades of ‘ethical’ – something they were not supposed to uncover,” adds Shesterin. “So the concern often remains, how ethical is an ethical hacker?” Turning tables Despite this, the common belief among many at-risk companies is that ‘to outwit a hacker, you need to hire one’. With so much at stake, even technology providers are turning to those with hacking skills to find the flaws in their products and fix them before the baddies are able to exploit them. Twenty-three year-old George ‘GeoHot’ Hotz gained notoriety in 2007 when he became the first person to ‘jailbreak’ Apple’s iPhone by creating a program that enabled iPhone users to modify their devices to run on other carrier networks, despite AT&T having an exclusive deal with Apple. Two years later Hotz cracked Sony’s PlayStation 3 games console, giving him access to the machines processor which helped gamers to amend their game consoles and run unapproved applications and pirated games. However, despite his reputation, social networking giant Facebook hired him, ‘Some businesses are not STEP-BY-STEP DEFINITION prepared to deal with the WHAT EXACTLY IS A findings of an ethical hacker’ ‘PENETRATION TEST’? Dmitry Shesterin,Faronics and is reported to be engaged on building an anti-hacker defence programme. Earlier this year social networking site Twitter experienced a hacking mishap of its own where more than 55,000 Twitter usernames and passwords were released. Since then it has recruited former Apple device hacker Charlie Miller into its security team. Miller is renowned for being the first to find a bug in Apple’s MacBook Air, as well as for discovering a security hole in Apple’s iOS software which enabled applications to download unsigned code which was added to apps even after it had been approved. When Miller tested and proved this, he was later dismissed from Apple’s developer program. Cybercriminals are adept at finding vulnerability anywhere, and though no known attacks have occurred, the health industry is also a target. McAfee employed hacker Barnaby Jack to break into cars and develop anti-virus products to prevent car computer malware. Jack’s latest stunt involved hacking into and shutting down a wireless insulin pump, upon which diabetics are reliant to dispense the hormone into the body. Jack is best known for hacking into cash machines and making them eject money at a Black Hat computer security conference in Las Vegas in 2010. In October he left McAfee and returned to computer security firm IO Active, where he initially served in the role of director of security testing. Breaches become the norm Security vendor Faronics revealed findings from its ‘State of SMB Cyber Security Readiness’ survey about the motivations behind companies investing in data defences and security. On behalf of Faronics, the Ponemon Institute surveyed 544 IT experts from SMEs – 58 per cent of which were at supervisor level or higher and all were familiar with the organisation’s security mission. It found 54 per cent of respondents have experienced at least one data breach in the last year, and 19 per cent have experienced more than four. “As well as raising awareness of cybercriminal tactics, organisations must consider a more holistic approach to security,” says Faronics vice president Dmitry Shesterin. “They cannot afford to rely solely on traditional solutions, such as anti-virus. Today’s threats are just too sophisticated.” However, Shesterin adds, availing to the services of an ethical hacker has its drawbacks. “Contracting an ethical hacker will virtually always uncover a vulnerability, but dealing with that vulnerability might prove extremely expensive,” he cautions. “Some businesses are simply not prepared to deal with the findings, and would rather not know themselves to maintain plausible deniability.” Start assessment Public records search Target gathering Client provided information Manual testing Application mapping Data extraction Session analysis Automated tools Logic and fraud abuse Issue identification Vuln. confirmation Alert client on high or critical Compromise? YES NO Reporting Final report/close out call End assessment A stylised, high-level overview of the Trustwave SpiderLabs application penetration testing methodology. It highlights the iterative nature of an assessment, and that successful delivery is dependent almost entirely on the manual security testing expertise and experience of the penetration tester(s). Furthermore, it is important to understand that the consulting/professional services wrapper (alerting, reporting and debrief elements) around the technical delivery expertise is key to ensuring that the client is best equipped to fully understand what the business impact of each identified security issue is - and ultimately how best to prioritise, plan and action the resultant remediation activities. The ‘ethical professional’ Trustwave, a data security vendor is responsible for assisting small and medium-sized businesses on how to manage compliance and secure network infrastructure, data communications and critical information assets. Within Trustwave, a security team called SpiderLabs focuses on application security, incident response, and penetration testing and treat intelligence. Director of Trustwave’s SpiderLabs security team John Yeo has several years experience as a security consultant. He > www.EandTmagazine.com January 2013 Engineering & Technology C2201_R12505_Feature_76.BK.indd 67 12/12/2012 12:32 68 information technology security George ‘GeoHot’ Hotz: iPhone cracker king < describes his background as typical: “As a youth I was obsessed with technology… Yes, you could say I was a bit of a geek, but that’s the standard profile of anyone that ends up in [the IT security] industry.” The computer science graduate adds: “I just want to put that out there, because it is just as important as any formal education. There is an element of creativity to the mindset that’s required, because it’s not just about knowing the technical hows and whys, there is a problem-solving mentality required, you have think outside the box.” Yeo claims two of the things lacking in the IT security testing industry is a professional standards and ethics body, and a lack of specialist training, in terms of skills required for penetration testing. “Training courses aren’t necessarily perceived as the most valuable thing by active practitioners; instead it’s learning through doing. That’s how you get into the industry.” Trustwave’s 2012 Global Security Report is based on data from real-world investigations researched in 2011 by SpiderLabs. It revealed only 16 per cent of companies’ self-detected data compromises, which suggests organisations aren’t capable of detecting breaches and the remaining 84 per cent of organisations relied on regulatory, law enforcement, third-party and even the public to inform them of incidents. On average, SpiderLabs performs 2,200 penetration tests a year, and finds a range of high-risk problems reports John Yeo. When a breach occurs, incident response investigations are performed to discover if private information has been exposed. SpiderLabs uses a ‘sniper forensics’ methodology, first by containing the breach by shutting down what the hacker has done and secondly investigating what information was exposed and how it was done. The average length of time from Company profile Firebrand training certiFied ethical hacker UK-based Firebrand Training offers a ‘boot-camp’ style approach to gaining a professional certification in various IT and management computer courses. Courses are scheduled every month, each with an average capacity of 15 students. Firebrand certifies 150 ethical hackers yearly since it started running the courses in 2001. In particular, Firebrand Training is accredited by the EC-Council to run a range of Certified Ethical Hacking (CEH) training programmes. Richard Millett, product lead and senior instructor at Firebrand, explains the CEH course gives an insight into the methodologies and tools used by the hacking community and the guiding concept is that “if you understand how the bad guys get in you can take the appropriate steps to kick them out”. The CEH course has more of an emphasis on techniques and methodologies and aims to certify a student in just five days. The course covers 19 modules, starting with an introduction to ethical hacking, and then on to footprinting and reconnaissance, scanning networks, enumeration, system hacking, trojans and backdoors, viruses and worms, sniffers, social engineering, denial of service, session hijacking, hacking webservers, hacking web applications, SQL injection, hacking wireless networks, evading IDS, firewalls and honeypots, buffer overflows, crytography and penetration testing. The official course material is updated every 18 months, and when new attack methodologies and trends come to light, Firebrand will implement them and incorporate practical exercises into the course. Firebrand instructors remain in contact through the use of email and forums such as LinkedIn.The customer and sales departments also maintain contact to announce course updates and new products. The course provides group and one-to-one instruction, hands-on labs, group and independent study, plus question and answer opportunities. However Firebrand stipulates that prospective student applicants should ideally have at least two years’ IT experience, a strong knowledge of specific technologies such as TCP/IP,Windows Server (NT, 2000, 2003, 2008) and a basic familiarity with Linus and/or Unix. All CEH students must agree to sign a legally-binding non-disclosure agreement (NDA) before they are allowed to start intrusion to detection from SpiderLabs incident response caseload is around six months, but in some cases cybercriminals have gone undetected for many years. He explains the problems start as there is a naïve perception with companies wanting to stay ahead by adopting new technologies, such as BYOD and cloud and mobile applications. Furthermore, many organisations are outsourcing to third-party companies who may not take security the course. The NDA states that students must “not use the newly acquired skills for illegal or malicious attacks and you will not use such tools in an attempt to compromise any computer system”. However Firebrand Training’s NDA is the only formal undertaking to prevent students from then going on to become black-hatters; it is down to them to remain fully ethical. The course is based upon the practical side of securing networks in the workplace and gives a broad overview of what skills and knowledge are important to have. Students who want to continue developing move on to other certifications such as Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM) on the management path or look at professional penetration testing and purse qualifications such as the Council of Registered Ethical Security Testers (CREST) and TIGER. The main driver for students who enrol is to learn and practice the practical side of IT security, playing with the software tools and learning the methodologies of the hacker.“They have aspirations that include mastering as many aspects of computer security as possible and taking that knowledge back to the workplace to make their own networks secure,” adds Firebrand’s Richard Millett. The course includes 12-hour training days, course materials, exams, and accommodation; students who do not pass first time round can train again for free, and only pay for accommodation and exams. Richard Millett, senior instructor at Firebrand F seriously. SpiderLabs identified 75 per cent out of 330 cases investigated; a third party was responsible for a major incident. Yeo heads a team of skilled ethical hackers and the size of them team varies according to the incident. “Honestly, it is one of the best jobs in the world, from a comradery perspective it’s amazing,” says Yeo. “If one person finds an interesting technical problem, the whole team chips in to solve it, it’s a good feeling.” * Engineering & Technology January 2013 www.EandTmagazine.com C2201_R12505_Feature_76.BK.indd 68 12/12/2012 12:33