Hacking Back: Cyber Counterterrorism

The recent arrest and 17-count indictment against 20-year-old accused hacker and botmaster Jeanson James Ancheta for both using and selling the tools to attack a number of networks, including some within the Defense Department, should be taken as a shot across the bow by anyone who reads this. Ancheta is accused of being part of a new breed of criminal hacker: not just in it for the fame--sure, he's getting his 15 minutes, although it could be more like 50 years--but rather after money. According to the charges against him, Ancheta even managed to collect nearly $60,000 by creating, spreading, and selling bots to the highest bidders. By all accounts, Ancheta is smart and motivated, and there was a market for his black-market guerrilla hacking tactics and tools. How do you stop a smart, motivated attacker from making your life miserable? Read carefully.

To catch a thief, or in this case a cyberterrorist, you have to think like one. IT professionals have been conditioned to think defensively, draping their networks with sensor-studded barbed wire and using firewalls and intrusion-prevention systems to lock down doors and windows around the perimeter. But there's an emerging school of thought that says only a more proactive approach to security can prepare companies for the unexpected.

Actually, it's not just a school of thought; it's also a school. I know because I was there earlier this week watching a group of a dozen IT workers get their hands dirty writing exploit code and hacking into each other's systems. They were there as part of a 10-day "Hacking-Defined Training" course hosted by New York IT consulting and job placement firm Prime View in conjunction with the not-for-profit New York Metropolitan Jewish Council's Futures in Information Technology program, which receives funding from New York City's Department of Small Business Services to help re-train and find jobs for laid-off IT workers whose skills have lost their relevance in the market.

Prime View's secret weapon is Mati Aharoni, lead penetration tester with Israeli IT security-education firm See Security Technologies Ltd. "Technology itself will not stop a hacker," Aharoni told his students. Clad in a black T-shirt with white lettering that read, "Not Even Norton Will Protect You," along with black jeans and gray sneakers, Aharoni added, "Instead, you have to use induction to understand what it takes to secure a network."

The stuffy, windowless classroom reminded me of my old computer lab in high school, minus the TRS-80's. I took notes as Aharoni described to his students the components of a basic hack, where an attacker exploits a user login program written to accept a 64-character name. If the programmer doesn't include a command in the program to reject any login greater than 64 characters, an attacker could input a 100-character login and break the program, possibly overwriting memory within the program. Seems like a pretty obvious mistake, but I was assured that it's not uncommon.

Aharoni later showed his class several tools hackers have at their disposal when searching for and exploiting their victims. They write, or borrow from other hackers, "fuzzer" code that can be unleashed on programs to look for possible vulnerabilities in that program's code. Another tool attackers often use is a reverse shell, which tricks a compromised program into opening a connection back to the attacker and handing over a command prompt. From there, the attacker can remotely access the program's features and data.

Less creative hackers can even visit Web sites that offer free shell code that can be used during their hacks. Metasploit, an open-source project for developing, testing, and using exploit code, lets hackers copy this code right into their own scripts. "What should make you really paranoid is that these are the bugs that the hackers tell you about," Aharoni told his class. "For every exploit released, you have two that are not."

In fact, the greatest threats are those that no one sees. Some attackers will find a vulnerability and develop an exploit without sharing their work. Now they've got a secret that they can use at a particularly inopportune time, Aharoni said. The severity of these unseen threats has led Aharoni to incorporate principles from the military treatise "Sun Tzu On The Art of War" into his teachings. One principle reads, "If the enemy leaves a door open, you must rush in." Prime View president and chief technology officer Victor Natanzon agreed with this analogy when I sat down to speak with him prior to the class. There are several ways to enter through a door, he said. "You can use a key, a sledgehammer, or you can remove the hinges."

But Aharoni's class wouldn't be truly effective if he didn't let his students loose to cause a little mischief. For one exercise, Aharoni had his students search for bugs in Ability Server, a low-end FTP server made by Code-Crafters Software LLP. Aharoni told me he has already communicated with Code-Crafters about using their product in his exercises, and they haven't asked him to stop. I suppose that's the same thing as receiving their blessing, although they might speak up if they saw just how easy it was for a bunch of novice hackers to have their way with the software. Once students found bugs in Ability Server, they wrote working exploits that attack it. It was all part of the process of de-mystifying what hackers do and how they operate. "You cannot defend properly unless you know how people attack," Aharoni told me before class. "I try to instill a sense of paranoia in my students."

In another exercise, students used exploit code downloaded from the French Security Incident Response Team, or FrSIRT, Web site to hack into Microsoft Windows 2000 Plug and Play Universal Remote, creep across their local network, and reboot other students' PCs. FrSIRT is a security-research organization that collects and publishes information about networked computer threats and vulnerabilities.

It's an eye-opening experience that Aharoni's students hope will give them an edge in the security job market. "I'm amazed at how easy it is to gather information on potential targets," Benjamin Pearlman, who worked for seven years as a QA tester for AT&T and is now in Prime View's retraining program, told me after class. "In order to be protected properly, you have to think about how a system can be broken into."

Bessalel Yarjovski, who has more than 20 years of experience in the IT world, is taking Prime View's retraining program with the hope of landing a job as a chief information security officer somewhere. "The class is opening my eyes not to new technology but to how easy it is to do these exploits and how many there are," said Yarjovski, who has worked as CIO of CareerEngine Inc., a network of career Web sites, and as chief technology officer with iVillage Inc., which runs a multimedia Web site addressing women's issues.

I was beginning to get a bit depressed about the state of software and network security when Aharoni directed us to sites, including the Symantec-run SecurityFocus, which offer a seemingly endless list of security advisories put out by a number of high-profile vendors. That's where I first saw Cisco's security advisory for a serious Internetwork Operating System, or IOS, "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. Widespread awareness of this potential exploit stems from the July Black Hat conference, where former Internet Security Systems Inc. security researcher Michael Lynn demonstrated that vulnerabilities to a certain version of IOS running in IPv6 environments could be exploited to take over--rather than simply shut down--Cisco routers and switches. The heap-overflow advisory was the third security advisory Cisco issued for the week; the others affected certain Cisco Airespace Wireless LAN Controllers and Cisco intrusion-prevention system devices configured by IPS Management Center version 2.1.

The class wasn't all gloom and doom. Aharoni also addressed several ways application and network security can be improved. One is to write programs that strictly control the type and amount of information that users can input, so that a hacker can't use the trick of adding too many characters to confuse a program (see paragraph 5 above). Another is to improve QA testing procedures after a program is written by applying hacking-defined methods to the code. In other words, testers are doing their best work when they're trying their hardest to break programs. Network administrators should also provide users with the least amount of access privileges those users need to get their work done. I feel safer already.
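The login bug Aharoni described in paragraph 5 and the input-control fix he recommends, side by side as an added example that is not the course's or the author's own code. The 64-character limit comes from the article; the function names and the `accepts_login_of_length` helper are assumed for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LOGIN 64   /* the documented limit from the class example */

/* Unchecked version of the bug described in class (constructed illustration):
 * the buffer holds 64 characters plus a terminator, but nothing rejects a
 * longer name, so a 100-character login runs strcpy() past the end of buf. */
int login_unchecked(const char *name) {
    char buf[MAX_LOGIN + 1];
    strcpy(buf, name);              /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: measure the input up to the limit and refuse anything longer
 * before it touches the fixed-size buffer. Returns 0 on success, -1 on reject. */
int login_checked(const char *name, char *out, size_t out_size) {
    size_t len = 0;
    if (name == NULL || out == NULL || out_size < MAX_LOGIN + 1)
        return -1;
    /* bounded scan: stop at MAX_LOGIN + 1 so a huge input is cheap to reject */
    while (len <= MAX_LOGIN && name[len] != '\0')
        len++;
    if (len == 0 || len > MAX_LOGIN)
        return -1;                  /* empty or over 64 chars: never copied */
    memcpy(out, name, len);
    out[len] = '\0';
    return 0;
}

/* Helper (assumed, for demonstration): builds a name of n 'A's and reports
 * whether login_checked() accepts it (1) or rejects it (0). */
int accepts_login_of_length(size_t n) {
    char *name = malloc(n + 1);
    char out[MAX_LOGIN + 1];
    if (name == NULL)
        return 0;
    memset(name, 'A', n);
    name[n] = '\0';
    int rc = login_checked(name, out, sizeof out);
    free(name);
    return rc == 0;
}

int main(void) {
    printf("64-char login: %s\n", accepts_login_of_length(64) ? "accepted" : "rejected");
    printf("100-char login: %s\n", accepts_login_of_length(100) ? "accepted" : "rejected");
    return 0;
}
```

The checked version rejects the 100-character login before any copy happens, which is exactly the "command to reject any login greater than 64 characters" the class said was missing.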

Prime View positions its new hacking-defined training module as a more comprehensive exposure to white-hat hacking than those offered through the International Information Systems Security Certification Consortium Inc., (ISC)2, a nonprofit organization that provides professional education services and administers certification exams, or SysAdmin, Audit, Network, and Security, or SANS, Institute, established in 1989 as a cooperative research and education organization. I haven't been to any classes held by either place, so I really can't judge.

I do know that IT security has become a real concern over the years as we've all been networked together. Jeanson James Ancheta may be off the streets, but there are plenty more where he came from. With any luck, the 12 students in Aharoni's class will be just the first in a new generation of IT workers and managers who are up to challenging the malicious hackers who have shown an ability and willingness to endanger anyone the Web touches.