Guest Blog // Selected Security Content Provided By Sophos
5/8/2012 09:00 AM
Security Insights

Where In Hacking The Ends Justify The Means

Do some 'ethical hackers' really have your best interest at heart, or are they more interested in making your private information public?

As an admitted pop culture fan, I frequently find parallels (sometimes easily, other times where it's admittedly harder to connect the dots) between that typically lightweight subject matter domain and the perennially sacrosanct security industry.

Case in point: the recent news about the new hacker group "The Unknowns," who are, to use Ted Samson's headline in InfoWorld, "claiming the high ground in exposing security holes." That conclusion got me to thinking of actor Jeff Goldblum in his role as Dr. Ian Malcolm in Jurassic Park.

The park's creator, philanthropist John Hammond, clashes with Dr. Malcolm over his desire to deliver dino-fans to the island for a once-in-a-lifetime experience. Hammond's complaint is that Malcolm isn't giving the scientists enough credit for doing things that nobody has ever done before. Ever the contrarian, Dr. Malcolm retorts, "Yeah, but your scientists were so preoccupied with whether they could that they didn't stop to think if they should."

As myriad news outlets including InfoWorld have reported, the Unknowns claim to have used SQL injection to breach the databases of, and publish administrative accounts and passwords for, high-profile organizations including NASA (which disputes that any sensitive information was actually compromised in its case), the U.S. Air Force, and Harvard University, as well as in-country targets including the European Space Agency, the Thai Royal Navy, and the French Ministry of Defense.

While up to this point in the story it appears these "Unknowns" are taking root in Anonymous' shadow, they claim their interest is mostly altruistic. As Samson reports, the Unknowns have released a statement saying that many of the systems they successfully hacked have since been secured. "And now, we are happy to inform you that most of the links we used to penetrate through the databases, have been patched. This is exactly what we were looking for. This is what we want," the group said.

The group's "manifesto," posted on Pastebin, is at once eye-opening and, of course, these being hackers, self-serving:

• We are not Anonymous Version 2 and we are not against the US Government

• We can't call ourselves White Hat Hackers but we're not Black Hat Hackers either.

• These Websites are important, we understand that we harmed the victims and we're sorry for that -- we're soon going to email them all the information they need to know about the penetrations we did.

• We still think that what we did helped them, because right now they know that their Security is weak and that it should be fixed.

• We wanted to gain the trust of others, people now trust us, we're getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do.

• Our goal was never to harm anyone, we want to make this whole internet world more secured because, simply, it's not at all and we want to help.

• We don't want revolutions, we don't want chaos, we just want to protect the people out there. Websites are not secured, people are not secured, computers are not secured, nothing is...

• We're here to help and we're asking nothing in exchange

So the takeaway is the Unknowns are completely on the up-and-up and we should trust them because they're not like the others, right?

Nope -- not buying it.

Let's take another look, shall we? According to the evidence already in hand, these Unknowns:

1. Search for vulnerabilities on websites

2. Use SQL injection tools to penetrate them

3. Extract sensitive, even confidential data

4. Publish that data to Pastebin for anyone to find and reuse

I don't know. Sounds like classic, old-school hacking to me.

One thing I never get with apolitical groups like these folks is why they don't just come together as a privately held security firm, monetize their knowledge, and sell their services above-board to companies that want to have their websites penetration tested and want to know for certain that those sites will actually stand up to Anonymous and the other would-be hacker collectives of the world.

If they were really interested in fixing the Internet's flaws, why do it in the shadows? After all, capitalism is all about making money by leveraging your knowledge, experience, and skill to others lacking the same. Seems to me that any organization that serves as data custodians would want expert help and pay dearly for what these days passes as badly needed peace-of-mind.

And from a human perspective alone, doesn't this process ever become excruciatingly repetitive? How long will it be before you've proved to yourselves and everyone else in your loosely knit group that you can do it time and again without being stopped? How many pats on the back, how much self-media adulation do you really need? I have to imagine that even hacking for the sake of hacking gets old; after all, it only took 50 days before LulzSec threw in the towel.

An additional word of caution. Even as the Unknowns claim that they're "getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do," I would ask: Would you really trust your business data and, for that matter, your business, to a group of clandestine ex-coders who claim to have your best interest at heart?

I thoroughly recommend considering an alternative: aligning your organization with a known security solutions provider that doesn't hide behind anonymous or unknown personas, and that you can also count on to keep your data secure and off public data-disclosure sites like Pastebin. And when such a provider gets media attention (if it gets any at all, that is), it's not for the number of hacks it has pulled off, but rather for the many hacks it has prevented.

Sometimes the ends justify the means. Other times, as in the example of these Unknowns, the two concepts couldn't be further apart.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
