October 28, 2004 4:00 AM PDT

Newsmaker: Hacking--do the pros now rule?

The chief scientist of security company Internet Security Systems believes 2004 could prove to be a watershed year for hacking.

Robert Graham says that many hackers are graduating into the pro ranks, a development that carries worrisome implications for corporate security.

It's been largely a game for hackers up until now.

Today, more people write their own exploits. Why are they able to do it? If you look at the kids graduating from school all over the world, they got interested in hacking when they were, like, 12-year-olds, in the mid-'90s. Over the years, their interests have grown into a skill set that lets them write their own attack programs.

Speaking of new exploits, what do you make of the rising number of bug variants that we've seen this year?
In the past, antivirus vendors would compete with each other to see which would be able to write signatures faster for each new virus that came out. But with (the) Netsky and Bagle (viruses), we saw the reverse. Now we have virus writers who compete to see how fast they can update their viruses in response to each new antivirus signature. That's why we see a Netsky a, b, c, d and so on.

But why were hackers suddenly interested in making variants?
Well, with previous virus writers, their goal was to create a virus and see if it could be done. After that, these virus writers were done. There seems to be a change in the psyche among virus writers now. You see this with Netsky and Bagle. There are two teams of people competing with each other. The Netsky people hated the Bagle people, and Bagle people hated the Netsky people. So it was kind of like a feud between them.

So how worried should we be? Are viruses becoming more sophisticated in a hurry?
No. Viruses today are really no more sophisticated than they've been over the last several years. As a matter of fact, Netsky and Bagle are pretty unsophisticated. As security professionals, we know how to create a sophisticated virus. The reality is that hackers that write viruses really aren't all that smart. They focus more on whatever defenses they see. They try to do one extra step. And so we rarely see a huge advance in hacking techniques. Rather, we see gradual growth. Most virus writers only try to stay one step ahead. And only one step, not five or 10 steps.

The bread-and-butter defense today remains the firewall. Where does this mature technology go from here?
Firewalls have basically been supplanted by intrusion-prevention systems. In the old days, it was enough just to lock the doors. But these days, we realize that some doors have to be unlocked. And we need to protect against cases when doors aren't locked. It's like a bank. Robbers will come in and rob the bank in the day, when doors are unlocked. The problem is not that you need to find a stronger lock for the front door, because fundamentally you can't lock the front door all the time. You need to let customers in. And that's what firewalls basically are--doors that are locked.

IPS (intrusion-prevention systems), on the other hand, are able to look for attacks coming in the open doors. IPS and firewalls are probably going to merge soon into one product. But firewall technology, by itself, is done. It already has become a commodity.

No room for improvement at all?
There is really going to be nothing new for firewalls. In fact, a lot of the more-complicated firewall features can actually reduce security, rather than increase it.

How so?
Well, the more-complicated firewall rule-sets can trip users up. Remember, firewalls are tools that you use to stop bad traffic. And how effective they are depends on your skill in using them. And the more complicated something is, and the more feature-sets it has, the more educated you'll need to be to use it right.

And we've seen (organizations not using their firewalls correctly). For example, we find that Slammer occasionally comes through the firewalls, even though it is supposed to be blocked by the rule-sets. The reasons are varied. Sometimes it is because people go into the firewalls to open ports they shouldn't be opening. Other times they just remove the whole configuration from the firewalls and reset them back to the default state of "open," which lets everything through. They may do this for only a few seconds before they re-apply the policy again, but that is enough for Slammer to come through. And these things happen partly because of the complexities of today's firewalls. With simpler systems, you are unlikely to make those mistakes.

How important do you think application firewalls will become in the future?
Not very. The application firewall space really is targeted at Web applications. These firewalls are about proxying HTML or HTTP. The thing we have to remember is that no Web applications are bug free. Some have well-known bugs that people can take advantage of. Application firewalls may be able to solve some of these things, but not all.

Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else's user account information. And the reason that happened was due to the way they've set up their user IDs, by incrementing from a six-digit number.

So here's the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily.

There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.

What's security technology's next frontier?
Voice over IP and general packet radio service are going to be the next biggest security issues.

How big?
Several years ago, we were researching Microsoft remote procedure call, and we were talking to the media, saying that that's going to be the next big thing, that all the worm occurrences that we've seen in the past will be nothing compared to what we are going to see happening with RPC. And of course, that was exactly what happened when Blaster and Sasser came along. We are now at the same stage with VoIP and GPRS.

What's the lowdown on VoIP?
VoIP is completely insecure. At the protocol level, there is no encryption or authentication. I mean, I call you, and there's no way for you to verify who I am. I can send a caller ID from the U.S. president, or the CIA, and you won't know who I am. And people can easily hack a caller ID and claim to be whoever they want.

GPRS?
With GPRS, the systems that mobile operators share between each other are largely wide open. Operators have so far trusted each other not to hack each other. While the average hacker from the Internet doesn't have access to these systems, the mobile operators do. And once you get into one mobile operator, you can start attacking the rest of the mobile operators via the backbone that they share. And once hackers compromise the gateway machines, they can then have fun with the internal networks, as well as come in from the Internet or handsets.
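The shipping-number incident Graham describes above is an insecure direct object reference: the application treats knowledge of a sequential six-digit number as proof of ownership, so the next number yields the next customer's record. The following is an added example, not code from the interview or from ISS, modelling that lookup on constructed data beside the server-side ownership check that an application firewall cannot supply, with random tracking tokens as a second layer.

```python
"""Added example (not from the interview or ISS): the sequential shipping-number
problem Graham describes, modelled as an in-memory tracking service on constructed data."""
import secrets
from typing import Optional

# Constructed sample data: three customers with consecutive six-digit shipping numbers.
SHIPMENTS = {
    100123: {"owner": "alice", "address": "1 Peachtree St, Atlanta"},
    100124: {"owner": "bob", "address": "2 Piedmont Ave, Atlanta"},
    100125: {"owner": "carol", "address": "3 Ponce de Leon Ave, Atlanta"},
}


def lookup_vulnerable(shipping_number: int) -> Optional[dict]:
    """The pattern in the interview: knowing a number is treated as proof of ownership,
    so a neighbouring number returns a neighbouring customer's record."""
    return SHIPMENTS.get(shipping_number)


def lookup_hardened(shipping_number: int, requesting_user: str) -> Optional[dict]:
    """Server-side authorization check: the record is returned only to its owner.
    No firewall or proxy in front of the application can add this check."""
    record = SHIPMENTS.get(shipping_number)
    if record is None or record["owner"] != requesting_user:
        return None  # identical response for 'missing' and 'not yours' leaks nothing
    return record


# Defence in depth: an unguessable public reference instead of the incrementing number.
TRACKING_TOKENS: dict = {}


def issue_tracking_token(shipping_number: int) -> str:
    """Mint a 128-bit random token (OS CSPRNG) for the customer to type into the
    tracking page; the internal sequential number never appears in a URL or form."""
    token = secrets.token_urlsafe(16)
    TRACKING_TOKENS[token] = shipping_number
    return token


def lookup_by_token(token: str, requesting_user: str) -> Optional[dict]:
    """Resolve a token and still apply the ownership check (tokens are not a substitute)."""
    number = TRACKING_TOKENS.get(token)
    return None if number is None else lookup_hardened(number, requesting_user)


def enumeration_exposure(start: int, count: int) -> int:
    """Audit helper for defenders: how many of `count` consecutive numbers from `start`
    resolve to a live record through the unchecked lookup. With incrementing IDs the
    answer approaches `count`; the same walk over random tokens finds nothing."""
    return sum(1 for n in range(start, start + count) if lookup_vulnerable(n) is not None)
```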


19 comments

So, what's the point?
That there are many ways to hack a system? Not really big news coming from a guy who runs a firewall company.

Basic rant... This can be hacked, that can be hacked, on and on. Sounds like he is trying to round up some business to me.

He should join Tom Ridge and start a Red Light, Orange Light etc. system that can be posted on the home page of News.com.

No solutions, just warnings please.
Posted by a09252003 (11 comments )
"Pro" means what?
Unlike other domains which require registration to practice, e.g., law and medicine, computing is an area where "Professional" in my experience carries very little weight. I have a CS degree and have worked in the field for 10+ years so my perspective is not from a position of envy, i.e. someone who wishes he had credentials.

If the definition of "Pro" is "someone who makes money... even through illicit means" then yes I would say they have turned "PRO".

If on the other hand it is a juxtaposition of people who have salaries in the IT field, then they turned "PRO" long ago. In my experience even the most basic of precautions are largely ignored by the IT Pros. With all the complaints of Microsoft's software, namely the proliferation of viruses for starters, 90% of the problem is pure ignorance and is greatly exacerbated by the manner in which people operate under Windows. Yes we should cut Joe Average some slack but "IT Pros" are just as guilty of this ignorance. The Windows NT kernel has had impersonation (think "computer accounts") and Access Control Lists (ACLs) for the file system since day one (early 90's) yet people complain when some Trojan code manages to wipe out their disk. We often hear the complaint of "Well, it's inconvenient to use a restricted/limited account." Let me ask such people this, "Is it inconvenient to lock your house? And carry all those keys in your pocket?" Applying such logic they should simply dispose of their house keys and leave their front door unlocked since gosh darn it, lugging all that metal in your pocket is such a nuisance isn't it? Gosh darn it, occasionally they poke holes in your pocket, that's sure inconvenient.

You have to learn some basics such as when you might want to install some software if you always work under a Windows "Limited Account" but it is readily doable and actually trivial. People have not taken the time to *learn*. More specifically, people who SHOULD know, i.e. the so called "IT Pros." If you still view all of this as "inconvenient" then perhaps you should enter some other field, i.e. it's too much work to learn some basics of the platform you work with.
Posted by betelgeuse68 (32 comments )
Definition of Pro
A professional is someone who can make money at what they do.

Like it or lump it, that's what a professional is. And yes, hackers HAVE turned pro. Worse, hackers have started teaming up with other forms of internet miscreants to establish more complex schemes to prey on the consumer sector.

Are corporate and governmental systems targeted? Absolutely. However the monetary potential for a commercial systems crack is relatively small... in itself (ignoring DDoS as this isn't really a "hack"). Get your hands on some identity info and... voila, you can now seek out a group of ID thieves or some mass spammer, sell them the info and you have made money on the hack without ever getting your hands dirty directly in use of the stolen information.

This sort of crack is becoming harder and harder to do BUT the black hats will always find some way to do it though. One of the white hats who works for our company has a mantra: "If I can't get into it, I haven't thought about it long enough." Yeah, we have all heard this sort of "traditional security alarmism" before but it's true; the issue here is not whether hacking is possible but rather whether or not these hackers have a different focus and an established methodology which would define them as a "Professional."

Black Hats are going professional in more than one way. Revenue streams, age/experience/education, alliances with other groups, each of these hallmarks of an actual business organization.

Skript kiddies? Recognition. Professionals? Money.

And this is COMPLETELY ignoring the state-sponsored training in cyber-terrorism and so forth in some countries. In some areas, hacking has become an instrument of policy... a WHOLE NEW entry into the black hat arena.
Posted by ClocksTicks (8 comments )
Bad Blame Drop
You said

"With all the complaints of Microsoft's software, namely the proliferation of viruses for starters, 90% of the problem is pure ignorance and is greatly exacerbated by the manner in which people operate under Windows."

I couldn't disagree more.
Somehow, the fundamental theory of right and wrong is being lost. A hacker is somebody who chooses to break the law for personal gain. The ignorant user, abiding by the law and minding their own business is NOT the problem. The problem, is CRIMINALS breaking the law.

You are trying to put the blame of hacking on a tool manufacturer and on the tool's users.

This is like blaming gun-related deaths on the gun company and the dead person who neglected to wear a bulletproof vest. It is an ignorant position. 100% of the blame belongs on the individual who chose to break the law, not upon those who suffer as a result.
Posted by David Arbogast (1712 comments )
NOT NEWS, and THE SKY IS NOT FALLING
This story is the equivalent of an auto magazine that states:
DETROIT MAKES CARS THAT RUN ON GAS

There is no need to expound this issue, except if you didn't think hackers were programmers.

By the way, a novice who creates a malevolent Excel macro, but can't create binary code is not a hacker. You can call them a hack, a misguided individual, but they are not hackers.

I am not sure of the name of this book, but I think this is it. For real information on hacking, you should read it. I believe it is called "Approaching Zero"; I will repost with that information once I find it.
Posted by Thomas, David (1945 comments )
POOR STORY, ACTUALLY A BAD ONE
Read this book:
Approaching Zero: Data Crime and the Computer Underworld
Bryan Clough, Paul Mungo

Your story is not journalistic, it is sensationalistic. You probably had a deadline and had to figure out a way to get paid. I am very, very disappointed in the subjective comments that are made, the baseless generalizations, and the obvious lack of true research.
Posted by Thomas, David (1945 comments )
Urghhh - 80's and 90's revisited
I agree that this story is horrid. The correct term for 1 is "Crackers". Nice scare story for your biz.

You generalize and single out hackers and the truth is real hackers don't profit off damaging and espionage and crap, we profit off our skills to keep people out and invent new technology.

Can anyone remember the press headlines of the late 80's and early 90's. Went along the same lines as this story.
Posted by (8 comments )
Campfire tale for Sys Admins...
Nice Halloween story to read to SysAdmins around the campfire.

Ooga Booga, hackers are gonna get you, ooga booga
Posted by (8 comments )
Interesting Article, however...
Although some of the content has merit, the majority of it sounds like marketing hype for Proventia. Reality is that ISS has already merged their firewall (BlackICE) with RealSecure (IDS) to create Proventia. What he is not saying is that Proventia, like any (all) other IPS products today, are nothing more than the merger of these two OLD technologies, with the same inherent limitations they have always had, to wit, signatures, the known, what we have seen before. The other obvious issues are that now they want to stick those devices in-line creating all sorts of new problems, notwithstanding the fact that the view from those devices (all of them) is very limited, and the TCO is inordinately high.

Now, I do not proclaim that ISS is the only one with these problems. All IPS technologies and products have these issues, and is part of the reason that the market is not adopting these technologies as the vendors hoped they might, and these are facts boys and girls.

What if there were a way to know that an attack were imminent before they breached perimeters in the first place? What if there were a technology that was agnostic of the rules, signatures, and the latest anomalies (whatever they are, and another very immature new type of tool)? What if you had the intelligence to understand every facet and bit of traffic of every network segment you own that did not cost a fortune to implement and manage holistically from one interface that produced something more than mountains of log data?

C
Posted by (1 comment )
SERIOUS Jail Time
It's not a total solution by any means, but perhaps some SERIOUS jail time (say 3-5, no parole no probation) may put a dent in all this malicious hacking - at least as far as casual hackers go.
Posted by curio55 (1 comment )
Ok then...
Say we do that. Then where does the limitation begin and end on what constitutes that penalty? What if the people breaking into a machine happen upon the entry by accident and don't do anything malicious? They instead report the issue to the company and a possible fix. At that point, the company could then take a nasty approach and try to bring about a lawsuit against that individual for gaining entry and now you put behind bars someone who has no malicious intent.

A good example of this scenario is when Gamespy tried to launch a lawsuit against an individual for finding a flaw in their server and software. Instead of acknowledging it and patching it, they tried to throw the kid in jail and fine him saying he violated copyright laws and unlawfully gained access to their servers.

That's nuts. Plain and simple. Because then when someone comes along who does want to do malicious things to a system and they get in, what happens when that person(s) can't be caught. Damage is done. Now the possibility of it being avoided in the first place by a non-malevolent true hacker finding the flaw first is not going to happen because you've made it so the real hackers don't want to risk being put behind bars because they don't know how the company will take it.

I'm sorry, but your logic is flawed. A good portion of the malicious cracking goes unpunished because the persons behind it are not caught. You just force them to develop more complex methods of hiding their tracks by throwing out a general law to encompass all.
Posted by (8 comments )
Why open doors?
As long as childish systems like ActiveVirus and JavaVirus exist (excuse me, ActiveX and JavaScript), which cannot be controlled explicitly by the end client, we will have security problems. I consider the use of JavaScript to be morally equivalent to attacking my machine. Would you deal with UPS if they demanded you keep your front door unlocked so they can put the package inside? Yet the idiots who design Web sites think they can demand I expose my computer to potential attack. There is currently no intelligence being applied to the design of client-side scripting; "cool" is good enough to justify its existence. I will not allow these to run unless I, and I alone, can limit what they are doing...on a point-by-point basis if necessary (I should get an alert that an attempt is being made to read a file, write a file, or modify my Registry, giving the exact paths involved...but I can't get this information. Therefore, the systems are inherently untrustworthy). Only children and cyberterrorists like client-side scripting. The rest of us can happily live without it.
Posted by (3 comments )
JavaScript is more secure than ActiveX
JavaScript, by design, does not allow reading or writing of your local files from a client-side script downloaded from the internet. The run-time engine has a great deal built into it from a security standpoint.

In fact, in its earlier versions, it was so restricting that some developers found it unusable for their ideas. That was not the fault of JavaScript. Maybe some of those ideas were great for intranets, but they exposed users on the internet. As a result, many developers turned to ActiveX (I did not).

Well, Microsoft had no real problems with opening up ActiveX and VBScript more than JavaScript, because they saw opportunity. In light of this, we have to take some responsibility ourselves, as your response suggests. It was our demands and needs that fueled the direction the client-side controls and scripts have taken.

D
Posted by Thomas, David (1945 comments )
Those are client side...
I think the focus of this article is mostly about the corporate systems above the individual machines. Specifically targeting entire networks and server farms as a whole. I don't suggest that the individual computers and home users are to be counted out, but ActiveX and JavaScript are browser-based technologies primarily and they don't usually involve compromise of an entire network or server per se. You do have a valid point though and that is not enough effort is being put into making a web browsing experience a safe one on top of enjoyable. I think this stems primarily because the most common methods for interactivity on the web, the two you mentioned, are tightly controlled by the parent companies (MS and Sun) so much so that it makes it difficult for the open source community to find ways to improve its security and whatnot. Instead we are left waiting for those companies to decide when to improve and secure the technologies.
Posted by (8 comments )
I couldn't agree more
I am new to this forum.
As stated, I agree with you and I have disabled scripting on my PC. Although I don't perform what I think is an excessive amount of surfing, I haven't had any problems on web sites yet. AX is disabled too. Like your post.
Posted by (1 comment )
spammers are hackers?
Personally, I wouldn't consider a spammer a hacker. They're more of an annoyance than anything. Oh, by the way, you may want to rephrase some things in this article. Those 12 year old kids were never hackers to begin with... I think you should use the word cyber criminal instead of hacker...
Posted by (1 comment )