The hacker pyramid reminds me of an old joke that revolves around a pack of Camel cigarettes. You display the front of the pack and ask: "If you were stranded in the hot sands of an arid desert in dire need of food, shelter, and water for your thirsty camel, what would you do?"
Before delivering the punch line, you turn the pack of Camels around and reveal the Casbah pictured on the reverse side. Then you answer, "I'd go around the corner and check me and my camel into the Casbah!"
A pyramid has three sides! The face of hacking most people see is the one described in Figure 8.5. Hollow bunnies and script kiddies are inexperienced newbies whose curiosity combined with powerful "point-and-click" hacking tools could inadvertently or purposely lead to damage or harm. Ankle biters are black hats, although many of them would argue their motivation is the same as white hats: to expose network security flaws. Crackers are black hats, cyberspace equivalents of a criminal underground. And cyber terrorists are the blackest cracker of all! However, for every black hat there is a white hat out to foil him with technology from the same bag of tricks. The story of hacking is an allegory of good versus evil!
Few people bother to walk around to see what's on the remaining two sides of the hacker pyramid. So let's turn the metaphoric pack of Camels around. Directly behind the hacker pyramid is the security pyramid. Everyone on this side of the pyramid (or on the third side, the IT pyramid, for that matter) is a hacker with proven skills.
White hat hackers are the self-appointed vigilantes of cyberspace. They reside on the first rung of the security pyramid, and they hack for pleasure as well as justice. Dwain (don't eat yellow snow), whose story begins this chapter, typifies a white hat hacker. Righting the wrong of a mischievous script kiddie is a typical white hat mission. Many white hats, still in their teens, use their hacking skills as a calling card for future employment. Optyx, a hacker once interviewed by PC World magazine, got his first job while on a white hat mission when he was just 15. He'd been exploiting a security hole in a small ISP for months. Finally, he sent the administrator a note advising him to fix it. The administrator wrote back saying he didn't know how. Optyx sent him the code to patch the hole, and the administrator offered him a job. Now a 21-year-old security consultant, Optyx complains, "Fixing security holes is a thankless task. Most companies just focus on the fact that you hacked them and they want to come after you with a lawsuit. It's made hackers reluctant to help! Now I still fix machines, but I won't tell an administrator I've done it." Spoken like a true white hat!
Full disclosure advocates are the whistleblowers of cyberspace: hackers who believe information (especially information pertaining to security, freedom, and privacy) should be freely available. Full disclosure advocates counterbalance the status quo. Without them, the powers-that-be would have no accountability. The debate over the dissemination of information has raged between technology vendors and full disclosure advocates since the advent of computing. Thejian, a hacker historian, explains the debate over "full disclosure" versus "security through obscurity" this way:
Nowadays, hackers are often portrayed as anything on two legs near something electric with the ability to break it! You may smash the stack for fun, profit, or just because you're a vicious little bugger, but the idea most hackers have about hacking is someone who opens stuff up just to find out how and why it works. The security scene consists of lots of people with different takes on how to act. At the crux of the debate is the issue of "full disclosure" versus "security through obscurity." These two philosophies are at loggerheads. Full disclosure advocates releasing all available information about security problems to the public in order to inform users how to prevent it from affecting their systems. The security through obscurity school maintains that information about security problems should be shared only among a select group of people. This places users at the mercy of vendors slow to produce a fix, and has resulted in an alarming number of security incidents that could have been prevented.
Full disclosure does have a dark side. When something can be abused, it will be. That's human nature. Unfortunately, detailed information on how to exploit security problems appeals to a new breed of lazy hackers looking to save themselves the trouble of actually learning how to hack. When plug-and-play hacking tools were introduced, these script kiddies exploited them for nefarious purposes. The security through obscurity school contends that what you don't know can't hurt you. They compare full disclosure to giving a kid a gun. The full disclosure camp counters that it's worse when a kid finds the gun by himself. By teaching him how to use it, you can prevent him from shooting himself!
More essays by Thejian, and other experts on hacking and security, are archived on Help Net Security at http://www.net-security.org/articles_main.php. This web site is an excellent example of disclosure advocacy. I relied on it for research as you can see. What you can't see is the impact Help Net Security had on this book.
I contacted the site and got to know the people behind it, a team of white hats who operate Help Net Security from their home base in Croatia. One thing led to another and, to make a long story short, Mirko Zorz and Berislav Kucan became the tech editors on this book. Their imprint is on every page. I not only relied on their hacking and security expertise, but they helped sensitize me to the sensibilities of hackers.
Mirko and Berislav were born in Rijeka, Croatia, and both are in their 20s. Kucan started Help Net Security (www.net-security.org) in 1998, and Zorz joined him at the beginning of 2000. Help Net Security has been a leading source of information regarding the security scene for several years now. Help Net Security always tends to position itself as a source of guidance on how to approach security related issues in personal as well as business environments.
The Internet is a big network, but when it comes to hackers, it's a small world. The more hackers I got to know, the more apparent it became to me that most of them know each other, by reputation at the very least! It's almost as if the Internet is the hackers' own private club, invisible to the uninitiated. I want to thank Mirko, Berislav, Thejian, Dwain, Jinx, Epiphany, Jeff Moss, and all the other hackers who invited me in and treated me as a welcome guest.
Here are some other full disclosure advocates I relied on for research. Links to these sites and others can be found on the Invasion of Privacy homepage at www.mjweber.com/iop/privacy.htm.
OpenSecrets.org: http://www.opensecrets.org
Computer Emergency Response Team: http://www.cert.org
DEFCON: http://www.defcon.org
Black Hat Briefings: http://www.blackhat.com
Jinx Hack Wear: http://www.jinxhackwear.com
Cult of the Dead Cow: http://www.cultdeadcow.com
Electronic Frontier Foundation: http://www.eff.org
GlobalPOV: http://www.globalpov.com
Gibson Research Corporation: http://grc.com
The Navas Group: http://navasgrp.home.att.net
Langa.Com: http://www.langa.com
NTBugtraq: http://www.ntbugtraq.com
Junkbusters: http://www.junkbusters.com
Internet ScamBusters: http://www.scambusters.com
Scam Watch: http://www.scamwatch.com
SpywareInfo: http://www.spywareinfo.com
American Civil Liberties Union: http://www.aclu.org
The Privacy Foundation: http://www.privacyfoundation.org
Electronic Privacy Information Center: http://epic.org
Foundstone: http://www.foundstone.com
George Guninski Security Research: http://www.guninski.com
SecurityFocus: http://www.securityfocus.com
Help Net Security: http://www.net-security.org
Microsoft TechNet: http://www.microsoft.com/technet
A famous TV commercial went something like, "If it's Tuesday it must be Prince Spaghetti day!" As part of Microsoft's "Trustworthy Computing" initiative, Microsoft now issues new security patches every Wednesday. Although an unlikely candidate, Microsoft is transforming itself into a full disclosure advocate! They're to be commended for leading the way. I wish all software developers and technology vendors would implement this kind of full disclosure policy.
Intrusion detectives are the white hat "Bad Boys" of cyberspace! Imagine being an undercover hacker employed by a large corporation, security firm, or the government, to crack their network! Intrusion detectives are hired because the employer wants them to expose their network security vulnerabilities. This is a dream job for most aspiring hackers, and intrusion detectives often turn down cushy jobs in security firms because they're happier working in the shadows. Cracking into a client's network was considered a controversial practice only a few years ago, but nowadays it's the de facto standard for testing a system's security. One intrusion detective who prefers anonymity has staged 50 such assaults in the past two years and boasts a 90-percent success rate. Businesses have come to the realization that in the information age, their crown jewels are digital. It's better to allow a white hat to expose your Achilles heel than to allow a black hat to rob you blind!
CERT, the federally funded Computer Emergency Response Team headquartered at Carnegie Mellon University in Pittsburgh, documented 21,756 instances of attempted corporate hacking in 2000, more than twice the number documented in 1999, and eight times the amount documented in 1995. In 2001, 52,658 incidents were reported, double the number of the previous year. Keep in mind that these are just reported incidents. To avoid negative publicity, most corporations have a "do not report" policy when it comes to being hacked. Security through obscurity strikes again!
In an ironic twist of fate, CERT, the "official" Department of Defense computer security clearinghouse (http://www.cert.mil/), was itself hacked by a denial-of-service attack in late May 2001. The most sophisticated hackers on the planet couldn't protect their own network, a security breach analogous to thieves burglarizing a police station!
In the parlance of the security business, a network intrusion is called an incident, and nullification of the breach is called a response. Security firms providing incident response have become one hot sector in technology. Gartner Research reports that businesses dedicated an average 0.4 percent of their annual revenue to security in 2001, a figure expected to increase tenfold by 2011, when security expenditures will account for 4 percent of a company's total annual revenue.
Security experts are the pop stars of the technology sector. George Kurtz of Foundstone, Jeff Moss of the Black Hat Briefings, and George Guninski of George Guninski Security Research spring to mind, but corporate giants like IBM and Symantec are also major vendors of security services. Actually, Peter Norton, of Norton Antivirus fame, was the original security superstar! The company he founded turned into Symantec. Last year Symantec's managed security division, which has operations centers in Texas and the United Kingdom, produced nearly $1 billion in revenue for fiscal year 2002. Symantec's security clients include 98 of the Fortune 100.
Security is hot because the Internet has come of age. The Internet links more than 20 million computers in 200 countries, and anything attached to the Internet is potentially hackable! Private networks are slightly more secure, but in this economy there's a need to pinch pennies and modernize. Those who still operate private networks realize that the Internet is less expensive and more efficient, if it can be trusted. That "if" is what security experts provide. Networks are vulnerable because there's no way to quantify their actual security; that's the conundrum. According to security expert George Kurtz, "The problem is there is no one system that allows you to qualify exposure to differentiate between how exposed one company is compared to another."
Foundstone, the security company that Kurtz co-founded, developed a 100-point scale for rating a company's exposure to unauthorized access, with 100 being the most secure. Kurtz says, "In general, any enterprise system is hard-pressed to get above 70 or 75. We just finished a large enterprise that got a 5. When we went through the process, we found many of their servers were already hacked!"
What are the crackers looking for? According to Kurtz, "We see some hackers who are looking to target specific organizations. They're looking to get source code. There is a lot of source code that floats around the Internet because organizations have been compromised. They're also looking to use those organizations as a staging point to launch other attacks, or they're looking to embarrass the organization. Then there are people who are just fishing. They're kind of throwing the hook out there and automatically scanning. And when they find something, they take advantage of it just because it's there!"
Most security experts have a subspecialty, such as network engineering, software development, system design, computer forensics, monitoring, attack and penetration detection, incident response, or digital surveillance. For that reason, and to maximize efficiency, most security consultants work in teams, and most security teams cooperate with each other. Figure 8.13 shows a graphic from Foundstone's Professional Services that illustrates how a security team functions: a closed circle of prevention, resolution, and response. For a more in-depth perspective on computer crime investigation, I highly recommend Incident Response (McGraw-Hill Osborne Media, 2001), the definitive book on the subject, written by Chris Prosise, a co-founder of Foundstone and Kurtz's partner.
Richard Reid, the Al Qaeda shoe bomber, received all of his orders from anonymous computer terminals in Internet cafes scattered around the world. As luck would have it, he was too cheap to buy a Bic lighter, but he certainly knew how to use computers and surf the Web! That tells you something about our enemy. The Department of Defense admits its networks are probed around 250,000 times annually. It's impossible to tell whether these intrusions are from enemies out to steal our military secrets or hackers on a war-dialing joyride. Regardless, each probe is viewed as a potential threat.
According to Frank Cilluffo, Director of the Information Assurance task force at the Center for Strategic and International Studies (CSIS) in the nation's capital, "The likelihood of obtaining top secret information in this way is small since classified data is generally stored on machines not connected to the Net. A more problematic assault would focus on utilities or satellite and phone systems." CSIS estimates 95 percent of U.S. military communications run through civilian phone networks. An attack on these systems could impede military communications. Cilluffo doesn't believe a cyber-terror incident is imminent, but he doesn't rule it out in the future because members of groups such as Al Qaeda and Hezbollah who have been educated in Western universities are capable of engineering such cyber-attacks. In December 2001, hackers cracked into a Navy research facility in Washington, D.C. and stole two-thirds of its source code for satellite and missile guidance systems. The Navy claims the source code was an unclassified, older version.
It should come as no surprise that Uncle Sam is looking for a few good hackers. That's why Richard Clarke, Bush's former cyber-security czar, addressed thousands attending the 2002 Black Hat Security Briefings in Las Vegas, hosted by Jeff Moss. Clarke pointed a finger of blame at software developers and Internet service providers for the vulnerabilities that plague our nation's networks. Clarke said:
By selling broadband connectivity to home users without making security a priority, telecommunications companies, cable providers, and ISPs have not only opened the nation's homes to attack, but also created a host of computers with fast connections that have hardly any security. There are a lot of people in our country that rely on cyberspace who are not taking responsibility for securing their part of it! The major issue is that companies and organizations who create the hardware, software, and services that make up the Internet, aren't doing enough to secure their products!
In addition to blaming software manufacturers and ISPs for the current rash of security flaws, Clarke singled out wireless networks as being particularly vulnerable. "Companies throughout the country have networks that are wide open because of wireless LANs! The Department of Defense has already shut down all wireless LANs within the department and in the various military forces."
Clarke acknowledged that although few firms admitted it, the Nimda virus in 2001 hit nearly every major financial and banking institution hard, causing nearly $3 billion in damage. The Nimda virus got into computers through vulnerabilities that were known at the time! Nimda didn't spread because the vulnerabilities had not been identified; rather, it spread because patches were not applied. Clarke suggested, "Nimda was so successful not because the system administrators didn't have a chance to apply the patch, but because they wanted to test the patch themselves!" Clarke compared the role of his audience, packed full of security experts, to Winston Churchill and his early warnings of Germany's aerial build-up prior to World War II: "You all have a responsibility to be like Winston Churchill, out there in front of anyone who will listen to say that we are vulnerable. If a cyber war comes, and come it will, we must be like the Royal Air Force and win!"