However, ‘ethical hackers’ do exist, and these masters of their craft are the mirror image of what people think of hackers. They possess pretty much the same skill set, but use them for the exact opposite reason-to identify vulnerabilities in systems so that corrective action may be taken.
The term ‘hacker’ originally referred to those involved in creating a new program or making changes to existing, complex software.
Ethical hackers employ the same tools and techniques as malicious hackers, or ‘crackers’, but they do not damage the target systems, nor steal information. They test networks for vulnerabilities, evaluate systems’ security practices and report loopholes as well as remedial measures to the owners.
They can perform security audits for companies-testing a system for vulnerabilities and submitting a report. This kind of work may not even require the services of an ethical hacker per se. Alternatively, they could actually attack a security system, seek out the vulnerabilities that a malicious hacker could easily exploit and, of course, report or fix them.
India’s ‘underground overlords’ of the IT realm are nestled in small-mostly, home-offices in the quiet suburbs of Mumbai, Delhi and several other cities across the country. These codebreakers and security experts are busy scouring networks to seek and destroy vulnerabilities.
Ethical hacker Shomiron Das Gupta, a Certified Information System Security Professional (CISSP) and GIAC Certified Intrusion Analyst (SANS Certified), was formerly employed with ICICI InfoTech as a security consultant, before moving out to start his own security firm, Net Monastery. He also founded the EHA (Ethical Hackers’ Association) “to increase awareness about security in the tech community and to educate programmers on measures to avoid mistakes that attract bugs or cause vulnerabilities.”
Says Das Gupta, “Hacking is more about instinct than hardcore programming skills. You have to understand network architecture and be adept with hacking tools. But to be an ethical hacker, one has to build trust… which takes time to establish but can be lost easily.”
KK Mookhey, a Certified Information Systems Auditor (CISA) with over four years of security experience, agrees. “The gains are low in malicious hacking, and really, it makes stupid business sense to cross that line,” he says.
Both swear by the Code of Vulnerability Disclosure-inform the vendor first on discovering a vulnerability, ask for a time period and assurance that the flaw will be fixed. “Else, you threaten to go public,” says KK, whose team has discovered vulnerabilities in soft-ware from vendors like Microsoft, Oracle, Nortel and Macromedia.
Das Gupta and KK represent the growing breed of young security professionals in India. In the recent past, India has seen a host of teenage prodigies emerge in the security space. Sixteen- year-old Namit Merchant, for example, is the youngest ever CISSP-a widely-recognised certification, which requires a minimum of three years of full-time professional computer security experience, prior to taking the test.
Ankit Fadia, a teen prodigy, was just 16 when he authored The Unofficial Guide to Ethical Hacking. A Computer Security and Digital Intelligence Consultant, he is now one of the best-known ethical hackers in India.
The S-Word
Security threats for companies (SMBs and enterprises) have gained prominence in the last few decades. With more and more governments and companies jumping onto the ‘world wide web’ bandwagon, seamless connectivity (through Virtual Private Networks, for example) across branches is crucial for efficient functioning of a business network.
| Ethical Hacking 101 – Resources You Can Use |
| Tools, discussion groups & virtual systems Insecure.org: http://www.insecure.org/ Pull The Plug: www.pulltheplug.org Whoppix Penetration Testing Toolkit: http://www.whoppix.net/ The PacketStorm IP Network Emulators: http://www.packetstorm.com/ K-OTik Security (French): http://www.k-otik.com/ Phrack (Hacker E-zine): http://www.phrack.org/ Hacker’s Lab: http://www.hackerslab.org/ Honeypot Project (Online honeypot deployment): http://www.honeynet.org/ Crackmes.de (Challenges for reversers, newbies, white hats and black hats): http://www.crackmes.de/ Eric S Raymond’s homepage: http://www.catb.org/~esr Carnegie Mellon Software Engineering Institute: http://www.cert.org The SANS (SysAdmin, Audit, Network, Security) Institute: http://www.sans.org Ethical Hacker’s Association (India): http://www.netmonastery.com/eha/eah.htm Conferences |
Today, viruses and worms proliferate on the Web within a matter of minutes. Not only do networks and security systems need to react instantaneously, security companies also need to develop more complex and stable solutions. SMBs usually employ a team comprising a Systems Administrator and security experts to monitor networks, 24×7.
Some of the best-known names in the security industry include MIEL e-Security, Mahindra SSG, SecureSynergy, HCL Comnet, IT Secure, and Cisco Systems. Security firms offer services such as penetration testing, vulnerability assessments, security audits, consulting and education. Many security companies also develop security assessment and intrusion-detection tools, and engage in security-related research.
Says Jagdish Mahapatra, business development manager, Cisco Systems, India and SAARC, “Organisations are beginning to realise that security has to be top priority on their IT investment budget. It’s the level of protection that causes the dilemma. Most SMBs have a security policy in place, but these have to be updated on a regular basis based on the company’s needs, the current environment and threats.”
Security firms employ ‘certified ethical hackers’ to perform audits as well as develop security tools. But are they wary of hackers? “Anyone who can wreak havoc is a useful tool for a security company. Especially while building a security system for a network, hackers come in handy-they come up with different ways of penetrating the network,” says Mahapatra.
Security engineer Kartikeya Puri of MIEL eSecurity, says, “Though security companies develop exploits, some organisations prefer just random audits-by running tools like Nessus, a vulnerability scanner-to generate reports. You don’t really need to be a hacker for that! Even my ten-year old brother can run that tool! Security engineers normally protect the critical resources of a company-server side applications and Web sites.”
Hierarchies In Cyberia
At the bottom of the hacker hierarchy is a ‘script kiddie’-a malicious hacker with little or no skill. These guys can cause a lot of damage with their shoot-in-the-dark methods. A ‘white hat’ or ‘sneaker’, who also breaks into networks or seeks vulnerabilities, does so for ‘altruistic’ reasons. ‘White hats’ usually report bugs or vulnerabilities to the vendors.
‘Black hats’ or ‘Crackers’, on the other hand, are on the lookout for vulnerabilities in networks and software, and enjoy destroying vulnerable networks.
Top-notch hackers-usually referred to as ‘Wizards’ or ‘Gurus’-have been associated with some of the biggest names in the software business. The best-known amongst these are Richard Stallman, founder of the Free Software Movement and GNU projects, which nurtured the development of the GNU/Linux operating system (OS), and Linus Torvalds, who developed the Linux kernel in 1991.
Hackers get to match wits at events such as DEFCON (www.defcon.org) dubbed the “largest underground hacking event in the world”, the Black Hat conference (www.blackhat.com)-a melting pot of hackers, security experts, government officials and network administrators, and COMDEX (Communications and Data Processing Exposition)-a hardware and software tradeshow.
| Hackerspeak: Jargon Explained |
| Intrusion Detection: The processes involved in detecting inappropriate, incorrect or anomalous activity happening in a network. Intrusion Detection Systems (IDS) are employed to determine if a computer network or server has fallen prey to an unauthorised intrusion. Honeypots: Closely monitored network decoys that help distract intruders from attacking more valuable machines on a network and causing damage. Challenge: A virtual system designed by programmers with various hacking-related goals/problems to be solved Exploit: An application designed to penetrate known vulnerabilities in a network or software Sniffer: A tool that that captures passwords and other data while in transit within the computer or over a network Social engineering: The practice of conning people into revealing sensitive data on a computer system, often on the Internet. In other words, exploiting the weakest link-more often than not, users Vulnerability scanner: A tool that scans computers on a network for known weaknesses. Port scanners look for “open ports” to gain entry into the network. Man in the middle attack (MTM): Here, an attacker reads and modifies messages between two parties without letting either party know that their link has been compromised. |
Enemy At The Gate
Vulnerabilities abound in networks. Security professionals are privy to this knowledge, especially during audits. They have no reason not to distribute this knowledge for profit or even exploit the vulnerability.
Ethical hacking is subjective; its interpretation varies-I could enter a network and snoop around without causing any significant harm
Kartikeya Puri, MIEL eSecurity
According to Puri, some of the most potent hacking attacks include distributed denial of service; idle scanning-exploiting the bugs on a server running on the network and then taking control of the rest of the infrastructure; sniffer attacks-where a sniffer is installed on one of the servers and compromises the information flow; attacks on the border routers/ switches; overflows (buffer/heap/stack-based) in server software; and social engineering attacks.
Once a network has been compromised, the intruder gains ‘Administrator’ privileges, and using certin tools (‘root kits’) disables security auditing. At the end of their stay, using the same tools, the intruders simply turn on auditing again.
Says Prakash (name changed), a cracker-turned-security engineer from Bangalore, “Most networks cannot guarantee 100 per cent security. Online banking systems in India, for example, are vulnerable to attacks. But it involves a lot of work-traffic to the site has to be sniffed, data has to be encrypted, the network scanned for vulnerabilities, firewalls disabled, and so on. But a break-in is certainly possible.”
Dancing With The Devil
For every successful ethical hacker or systems administrator, there is a hotshot cracker waiting to get the better of him. Although there is big money involved, the cat-and-mouse game between security experts and malicious hackers is also a battle of extremely creative minds. Hackers are constantly upgrading their knowledge, while virus writers continue to unleash their creativity on the Web.
Genuine hackers “seek to create, nurture and contribute to the evolution of more efficient computer networks”.
“Ethical hacking is subjective; its interpretation varies-I could enter a network and snoop around without causing any significant harm. Does that make me any less ethical?”, asks Puri.
Yet, he confesses it is hard to stay ‘ethical’ when one has knowledge and access to sensitive and potentially lucrative information.
Thomas Anderson or Neo, from The Matrix, a “program writer for a respectable software company… and a hacker guilty of virtually every computer crime we have a law for…”, is merely a stereotype. Not all hackers are malicious and not all ethical hackers are saints. But which hat would you rather wear?