Learning to protect computers through hacking

Keatron Evans teaches his students to build hacking tools that can invade the computers of unsuspecting users, stealing information, freezing programs and infecting them with invisible viruses. But only if they pledge to use their supercomputing powers for good.
Eight corporate and government employees signed the pact, ponied up $3,795 and spent last week in a Redwood City classroom trying to get one over on one another - and a visiting reporter. Soon enough, my computer inexplicably went out of my control. The CD drive spontaneously opened, the browser switched Web sites and a message popped up on the desktop: "We own the world!"
If they pass this class, these students will be certified "ethical hackers," also known as white-hat hackers. And if they continue training, they can aspire to become "pen testers" - people who penetrate corporate and government networks to look for flaws. But first, they have to learn to use some powerful and dangerous tools.
Most students won't learn enough in a week to acquire the skills of professional hackers, Evans said. His goal is to get them to learn to think like hackers, because the best ones never stop looking for new ways to penetrate and exploit machines. They strive to obscure their steps and, if possible, automate what they do.
Whenever the students tried something, Evans challenged them to think how else they could have accomplished it. He also warned them whenever they were about to try something that is illegal outside of class.

"You can construct a tool that can tunnel inside anything, guys - that's the whole point here," he said.

Demand for the class is growing, said Evans, a security consultant who teaches it on behalf of Training Camp in Philadelphia. But, he said, students are coming in with fewer skills than they did five or six years ago when he started teaching it.
That's because many companies - some now compelled by federal and state regulations - recognize cyber-security as a problem. But at the same time, companies are curtailing spending in the slow economy, so information technology staffs don't have the luxury of specializing in security.

Software flaws

So far, black-hat hackers have the advantage. The number of serious flaws in software - errors in code that hackers can exploit - grows every year, up 28 percent from 2006 to 2007, according to IBM's Internet Security Systems. The time it takes antivirus vendors to come up with software patches to protect against attacks also is growing because new viruses and worms are being created so fast. More than 5.5 million pieces of malware - malicious software code - were let loose on the Internet last year, according to AV Test Labs in Germany. That's more than five times the number released in 2006 and 16 times the number released in 2005.

Hacking for profit has become an industry that mirrors the legitimate software industry. Anything needed to commit a cybercrime - viruses and worms or the toolkits to make them, software flaws, infected computers to relay spam - can be bought online. Customer support is available, too. "My clients (Fortune 500 companies) underestimate how bad their security problems are and what it will cost to fix them," said one student, Su Gaustad, a security consultant for Fortify, a San Mateo company that makes tools to help developers detect errors in software code.

Indeed, the star student of this boot camp, a young woman who said she is forbidden from revealing her name or employer, created an infected version of Google's home page. With a click of her mouse, she grabbed Google's source code - which can be done for any Web page - and embedded a Trojan horse into it so that anyone who visited the page and clicked on the Google Search button got infected. She also forced class computers to visit her fake page by infecting them with a Trojan horse that allowed her to get inside their machines and overwrite Google's real Internet address, directing them instead to hers.

Impressive attack
The other students at first couldn't replicate her attack. They were impressed. It's a common hack that has many variations. Thousands of Web pages are compromised every day, according to Steve Munford, CEO of Sophos, which sells antivirus software. In fact, over the past two weeks, tens of thousands of high-traffic Web sites - including MSNBC Sports, and - were infected through a carefully planned SQL Server attack, according to Websense, which filters Web pages for corporations. SQL Server attacks trick Web pages into revealing the contents of any SQL Server databases that power them, and it's another type of attack that the students in boot camp were practicing.

Imagine what they can do
"Look at what (students) are able to do with Google in just a couple hours," said Andrew Whitaker, another instructor. "Now imagine a bunch of experts." When the class returned to the problem of how to create an infected Google home page, Gaustad and Martin Smith, an information security analyst with Riverside County in Southern California - who had been attacking each other's computers - worked as a team.

Smith said he had been nervous about enrolling in the boot camp. In his 20-plus years of computing, he had never tried hacking because, he said, "I know the kind of trail I could leave." But his boss sent him, and he's learned to watch out for new dangers. The young woman, meanwhile, had turned her infected Google page into a drive-by attack. Now, anyone who visited her page was infected automatically, without having to click on anything.

"That's where you want to get to someday," Evans told the students.

Tips for businesses on the Web
Three out of 4 Web sites run by businesses are vulnerable to attack, according to SANS, a group of security researchers in Bethesda, Md. To protect yourself:

-- Don't run software you don't need.

-- Use a firewall.

-- Don't load disks or peripheral devices if you don't know what's on them.

-- Don't click on links or attachments in e-mails or instant messages.

-- Keep your antivirus software up to date.
