George Kurtz's hacking team is any system administrator's worst nightmare. A typically harassed systems boss doesn't know when Kurtz and co have gone to work - at least, not until it is too late. But he will find out, eventually, because they tend not to fail. When this squad gets working on a computer system, it is only a matter of time before it gives up its deepest secrets.
The Rampart crew came together only recently, but individually they've been hacking systems for years, tunnelling their way past defences guarding the most sensitive information you could imagine. Each member of the team is a specialist in their field, be it Unix, Java, Windows NT or one of the other languages and systems found on the world's biggest computers. Each knows the weak links to probe for and is ready to exploit them.
Even more terrifying for our oblivious systems chief: the crew has been hired by his bosses to test his skills.
This is no collection of spotty youths working from a bedroom but an elite "tiger team" of ethical hackers, employed to uncover - any way they can - the systems' weaknesses, before someone else does. With recent events proving even the biggest dot com names vulnerable, tiger team attacks are even becoming part of the "due diligence" process start-ups must go through before they win their vital venture capital.
"We're having a hard time keeping up," says Kurtz, who is chief executive of Rampart, the company he founded after years working on tiger teams at the accountancy giants PricewaterhouseCoopers and Ernst and Young.
"We're working with both dot com companies and established ones. If a dot com doesn't get its security right, they can be out of business before their funding dries up. On a larger scale, more established businesses like financial institutions have just as much to lose because the majority of their business is now being shifted over to the internet."
Computer security has quickly taken over the mantle of the Y2K bug as America's biggest hi-tech concern. Fuelled by recent "denial of service" attacks on major websites including Amazon and Yahoo!, businesses and the government are desperately looking for ways to beef up their defences. The climate of fear even led to the unlikely scene of Kevin Mitnick, America's most notorious computer hacker and high-tech fraudster, appearing before the senate committee on governmental affairs last week - less than two months after completing a near five-year jail term for his crimes.
A smart pin stripe suit and a tie replaced his trademark jeans and sneakers, and the committee room was packed for his testimony. The senators were, according to one observer, "star struck". He was there to help them understand the murky world of hacking. Mitnick's message was simple: the problem is not as straightforward as you would think. While recent attention has focused on attacks launched from the internet using freely available software, Mitnick made it clear that these should not be the biggest concern: the big problem is human fallibility.
Mitnick knows just how to exploit those human weaknesses. During his appearance, he confessed to further crimes - committed, he was quick to add, in 1992, beyond the applicable statute of limitations - where he hoodwinked employees from the US internal revenue service and social security administration into disclosing confidential information over the telephone.
David Buchwald, Vice President of New York-based Crossbar Security, would agree. He has had plenty of first hand experience of naivete regarding computer security, sometimes from the most unlikely culprits.
"I know someone who worked for a small bank, as a technology manager," he says. "We were trading email addresses, and she said 'oh - just send email to my bank address. I just use PC Anywhere from home to access that'."
Buchwald goes on to explain that PC Anywhere is a program which allows users to dial in directly to their PC over a phone line from a remote location. The problem is, security built into networks is bypassed: a hacker finding that PC would have a direct route on to a company's network. "This is someone who should be technically aware - who should really know better," he says. "And here she is using this simply to trade email for her and her daughter, and putting the security of a bank at great risk."
But, while mistakes do happen, a company should not think that simply educating its staff will prevent security breaches. It also needs to defend against malicious acts by its own people. Some computer security experts say up to 75% of hacking is done by this enemy within.
Buchwald confirms this. "The majority of computer crimes which actually cost money - not downtime like denial of service, but actual theft and fraud - aren't being done by the 17-year-old hacker in their home. They're being done by an insider, or somebody working with an insider who already has access to a company's resources."
Hacking from inside systems can be painfully easy. Kurtz, who has also co-written a book on hacking, says that is a weakness that has been known for a long time.
"We can come in on an intranet PC and not know anything more than where the network jack is in the conference room," he says. "In two weeks - actually, it's two or three days - we'll be able to compromise most of the systems on the network.
"We were doing a job a couple of months ago at a financial institution. In one hour I had complete control of all their Unix servers. They had all their customers' records on them - the most sensitive information that organisation had was lying on those servers, and within one hour we had control of all 15. They were horrified. Three days later we had full administrator control over all their NT domains. In the space of three days, we had pretty much taken over the whole network."
And that means that it's not just external security that needs to be maintained. Everything, from locking doors in sensitive areas to making sure paper waste is properly shredded, comes under the tiger teams' remit.
"We start with zero knowledge," says Crossbar's Buchwald. "The company will hire us, but not tell us anything about how their systems are structured. Just going from public information, it's amazing the amount of information you can glean from looking at web pages, public records, public filings. Even job advertisements [for IT specialists], which list the kind of systems they are running.
"Then, using a combination of internet probing and scanning, and looking to see if there are dial-up lines, we try to gain access to the network. Once that is done, we try to show them their prized resource is actually not secure."
The teams will even test physical security, seeing how many locked doors and secure areas prevent them walking in and moving around buildings, from department to department.
"It shouldn't be easy for somebody from, say, the sales group to saunter up three floors, walk into human resources, and peruse their large bins and find things," says Buchwald.
This combination of attacks - which the likes of Mitnick have proved so effective in their "real" attacks - rarely fails, either at established companies or fresh-faced dot coms. The Crossbar team - which boasts a 100% success rate - has worked its way into a phone company's switches, bank customer databases and even a credit card issuer's authorisation systems.
How do their customers react when they find their security has been brushed aside so easily? "Clients usually are not surprised," says Buchwald. "They pick us on reputation, after all, and know we deliver this kind of service.
"It's usually more embarrassment, and then at that point we work with them to fix the network problems, and set up policies to prevent things like this happening again."