Guest Blog // Selected Security Content Provided By Sophos
5/8/2012 09:00 AM
Dark Reading

Where In Hacking The Ends Justify The Means

Do some 'ethical hackers' really have your best interest at heart, or are they more interested in making your private information public?

As an admitted pop culture fan, I frequently find parallels (sometimes easily, other times where it's admittedly harder to connect the dots) between that typically lightweight subject matter domain and the perennially sacrosanct security industry.

Case in point: the recent news about the new hacker group "The Unknowns," who are, to use Ted Samson's headline in InfoWorld, "claiming the high ground in exposing security holes." That conclusion got me thinking of actor Jeff Goldblum in his role as Dr. Ian Malcolm in Jurassic Park.

The park's creator, philanthropist John Hammond, clashes with Dr. Malcolm over his desire to deliver dino-fans to the island for a once-in-a-lifetime experience. Hammond's complaint is that Malcolm isn't giving scientists enough credit for doing things that nobody has ever done before. Ever the contrarian, Dr. Malcolm retorts, "Yeah, but your scientists were so preoccupied with whether they could that they didn't stop to think if they should."

As myriad news outlets including InfoWorld have reported, the Unknowns have claimed to use SQL injection to breach the databases of, and publish administrative accounts and passwords for, high-profile organizations including NASA (which disputes that any sensitive information was actually compromised in its case), the U.S. Air Force, and Harvard University, as well as in-country targets including the European Space Agency, the Thai Royal Navy, and the French Ministry of Defense.

While up to this point in the story it appears these "Unknowns" are taking root in Anonymous' shadow, they claim their interest is mostly altruistic. As Samson reports, the Unknowns have released a statement that reports many of the systems they've successfully hacked have since been secured. "And now, we are happy to inform you that most of the links we used to penetrate through the databases, have been patched. This is exactly what we were looking for. This is what we want," the group said.

The group's "manifesto," posted on Pastebin, is at once eye-opening and, of course, these being hackers, self-serving:

• We are not Anonymous Version 2 and we are not against the US Government

• We can't call ourselves White Hat Hackers but we're not Black Hat Hackers either.

• These Websites are important, we understand that we harmed the victims and we're sorry for that -- we're soon going to email them all the information they need to know about the penetrations we did.

• We still think that what we did helped them, because right now they know that their Security is weak and that it should be fixed.

• We wanted to gain the trust of others, people now trust us, we're getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do.

• Our goal was never to harm anyone, we want to make this whole internet world more secured because, simply, it's not at all and we want to help.

• We don't want revolutions, we don't want chaos, we just want to protect the people out there. Websites are not secured, people are not secured, computers are not secured, nothing is...

• We're here to help and we're asking nothing in exchange

So the takeaway is the Unknowns are completely on the up-and-up and we should trust them because they're not like the others, right?

Nope -- not buying it.

Let's take another look, shall we? According to the evidence already in hand, these Unknowns:

1. Search for vulnerabilities on websites

2. Use SQL injection tools to penetrate them

3. Extract sensitive, even confidential data

4. Publish that data to Pastebin for anyone to find and reuse

I don't know. Sounds like classic, old-school hacking to me.

One thing I never get with apolitical groups like these folks is why they don't just come together as a privately held security firm, monetize their knowledge, and sell their services above-board to companies that want their websites penetration-tested and want to know for certain that those sites will actually stand up to Anonymous and the other would-be hacker collectives of the world.

If they were really interested in fixing the Internet's flaws, why do it in the shadows? After all, capitalism is all about making money by offering your knowledge, experience, and skill to others who lack them. It seems to me that any organization that serves as a data custodian would want expert help and would pay dearly for what these days passes for badly needed peace of mind.

And from a human perspective alone, doesn't this process ever become excruciatingly repetitive? How long will it be before you've proved to yourselves and everyone else in your loosely knit group that you can do it time and again without being stopped? How many pats on the back, how much self-generated media adulation do you really need? I have to imagine that even hacking for the sake of hacking gets old; after all, it took only 50 days before LulzSec threw in the towel.

An additional word of caution. Even as the Unknowns claim that they're "getting lots of emails from people we never knew, asking us to check their website's security and that's what we want to do," I would ask: Would you really trust your business data, and for that matter your business, to a group of clandestine ex-coders who claim to have your best interest at heart?

I thoroughly recommend considering an alternative: aligning your organization with a known security solutions provider that doesn't hide behind anonymous or unknown personas and whom you can also count on to keep your data secure and off public data-disclosure sites like Pastebin. And when such a provider gets media attention (if it gets any at all), it's not for the number of hacks it has pulled off, but rather for the many hacks it has prevented.

Sometimes the ends justify the means. Other times, as in the example of these Unknowns, the two concepts couldn't be further apart.

Brian Royer, a security subject matter expert, Sophos U.S., is partnering with SophosLabs to research and report on the latest trends in malware, web threats, endpoint and data protection, mobile security, cloud computing and data center virtualization.
