Understanding the Motivation


In the WarGames example, the hacker was motivated by curiosity and the desire to use a secure computer with more capability than his own. Although he felt that his actions weren't malicious because he didn't plan to harm the system, his actions resulted in a cascade effect with serious consequences. As a software tester it's important to understand why someone may want to break into your software. Understanding their intent will aid you in thinking about where the security vulnerabilities might be in the software you're testing.

A secure product is a product that protects the confidentiality, integrity, and availability of the customers' information, and the integrity and availability of processing resources, under control of the system's owner or administrator.

www.microsoft.com/technet/community/chats/trans/security/sec0612.mspx

A security vulnerability is a flaw in a product that makes it infeasible, even when using the product properly, to prevent an attacker from usurping privileges on the user's system, regulating its operation, compromising data on it, or assuming ungranted trust.

www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

Hacker:

One who is proficient at using or programming a computer; a computer buff.

One who uses programming skills to gain illegal access to a computer network or file.

www.dictionary.com

The five motives that a hacker might have to gain access to a system are

  • Challenge/Prestige. The simplest and most benign form of hacking is when someone breaks into a system purely for the challenge of the task and the prestige (among his fellow hackers) of succeeding. There's no intent of anything more sinister. War driving is such an activity. Although this may not sound like much of a problem, imagine if a lock picker practiced his craft by unlocking random doors throughout your neighborhood each night and then bragging to his friends about which homes had locks that were the easiest to pick. No one would feel secure, and rightly so.

  • Curiosity. The next level up the scale is curiosity. Here, the hacker doesn't stop at just gaining access. Once inside, he wants to look around to see what's there. Curiosity is the motive. The hacker will peruse the system looking for something interesting. A software system could have a security vulnerability that allows a hacker to gain access (challenge/prestige) but still be secure enough to prevent the hacker from looking at any of its valuable data.

  • Use/Leverage. This is the level where the hacker does more than just breaking and entering. Here the hacker will actually attempt to use the system for his own purpose. The WarGames example we've discussed is a Use/Leverage attack. A present-day example is when a home PC is attacked with an email virus, which then uses the email addresses stored on that PC and its computing power to re-send thousands more instances of the virus. The hacker is able to accomplish much more using the distributed power of many computers than if using just his own. Additionally, the hacker may be able to better cover his tracks by using these "hacked" computers to do the damage.

  • Vandalize. When you think of vandalizing, remember the three D's: Defacing, Destruction, and Denial of Service. Defacing is changing the appearance of a website to promote the opinion or thoughts of the hacker; see Figure 13.1. Destruction takes the form of deleting or altering data stored on the system. An example might be a college student changing his grades or deleting the final exam. Denial of service is preventing or hindering the hacked system from performing its intended operation. An example of this would be flooding an ecommerce website with so much traffic that it's incapable of handling its standard transactions, locking out paying customers from making purchases. Even worse, the hacker could crash the system, resulting in data loss and days of downtime.

    Figure 13.1. The defacing of a website is just one type of damage that a hacker can inflict.


  • Steal. Probably the most severe form of hacking is stealing, outright theft. The intent is to find something of value that can be used or sold. Credit card numbers, personal information, goods and services, even login IDs and email addresses, all have value to the hacker. In 2003, a 24-year-old computer hacker gained access to and stole 92 million AOL screen names (login IDs). The list of names was later sold several times to various spammers for amounts up to $100,000! Not bad for a few days' work.

Are you afraid yet? You should be. Every day there are countless hackers out there attempting to break into theoretically secure systems. And, many of them succeed. Now that you know why a hacker may want to break into a system, we'll continue our discussion of software security testing by outlining what you can do to assist your development team in creating a secure software product.



    Software Testing
    Lessons Learned in Software Testing
    ISBN: 0471081124
    Year: 2005
    Pages: 233

    flylib.com © 2008-2017.