The term hacker may be used to describe people who steal information from computers, but that's just the dark side of the story.

Like the cowboy heroes of childhood, there are white hats as well as black, and the former are legal hackers: security professionals who aim to make the wilds of the internet a safer place for us all, tracking down and rounding up the exploits that endanger our computers.

The movie Sneakers features a team of hackers who are employed to show businesses just where their weak spots are.

The film may be a little dated, but security experts agree that it's still one of the best depictions of just how they go about their work, which involves examining both networks and systems to find exploits based on both social and technological weaknesses.

The US Military runs exercises where 'tiger teams' of good guys think like bad guys in order to penetrate secure facilities, testing just how secure they really are.

That's the idea behind network penetration tests, where security consultants are challenged to get inside a system or network in order to find holes, which are then filled with patches, policies or other security measures.

Penetration test teams include people with a wide-ranging mix of different skills, from social engineers and network specialists to hardware and software engineers. The exploits that they find vary, but they all share one fundamental element: they are ways into a network that compromise both data and computer systems.

The making of a legal hacker

Not everyone is cut out to be a security analyst; for one thing, it's not easy to develop that level of professional paranoia. One of the most famous security analysts, Bruce Schneier, tells a story about how as a child he realised that a company that sold ant farms (and mailed out tubes of live ants) could be used to send ants to anyone, anywhere.

That's a very different mindset to that of most of us, and essentially it means looking at the world to see how it can be broken or subverted. A security analyst would walk into a shop and think of three different ways to rob it and another dozen to defraud it. It's a good job that those minds are on the side of good and serve to help protect us against their less than honourable counterparts.

Opportunities are everywhere. You might see a USB charging port at an airport as a quick way of getting your phone or iPod charged between flights, but a security analyst will be counting the connections in the port and wondering just how much data someone could steal from an idle phone using nothing more than a USB connection.

Penetration tests capitalise on that security mindset. White hat hackers working for security companies attempt to use their skills (and the tools that the black hats use) in order to find ways into a business network.

If you're running a big network that carries data that needs to be secure, you're likely to need certification from one of the big security consultancies before you'll get any insurance – and that certification is going to require one or more major penetration tests.

These tests aren't simply restricted to the computer side of things. Network security is about people, policy and technology. While you may be thinking about encrypting your network traffic and using two-factor authentication, your penetration testers may well be gaming your social network, tracking down backdoors into your network through staff who might have forgotten passwords one time too many and tailgating their way into the office building.

The slightest crack in your network's armour and all the passwords in the world are rendered next to useless for keeping that precious data safe.

Penetration testing

One thing to remember about a penetration test is that it's not just a glorified game of Capture the Flag. Many of the tools and techniques that are used by the security team doing the test have been used before – and not by the good guys.

Even so, the black hats out there use many more techniques, social engineering their way into systems and networks, and exploiting zero-day and little-known flaws in software and hardware.

A penetration test will reveal many of the problems in a network, but not all of them. A tested network may be more secure than others, but it's certainly not safe from every possible attack.

Schneier implies that good security analysts are born, not made. Even so, you can work to inculcate some of that useful paranoia. Plenty of puzzle games allow you to challenge yourself against imaginary computer systems. Games like Cypher and SlaveHack simulate the dark side of hacking, helping you to develop the puzzle-solving skills that can help you find ways of deconstructing your own networks and systems. Then there's the other option: finding software that can be paranoid for you and letting it loose on your network.

Network-analysis tools

You don't need to hire a professional to break into your network – there's software out there that will do it for you in the shape of network-analysis tools.

Dan Farmer's SATAN (Security Administrator Tool for Analysing Networks) was one of the first of these tools. Written in the mid-1990s by Farmer and IBM security guru Wietse Venema, SATAN bundled up a whole raft of network vulnerability testing tools into one package. Administrators could load it onto a Unix machine and let it rip, delving into holes that even the most diligent network engineers had forgotten to patch.

The result of SATAN's investigation was a comprehensive report that detailed where the problems were and how to fix them. No one had seen a tool like this before – especially one this easy to use.

Panicked articles focused on the tool's name and declared that it was a tool for hackers, completely forgetting that SATAN was actually a tool to help stop crackers breaking into systems and that all it did was bundle up existing black-hat tools for over-worked system administrators.

In the resulting furore Farmer lost his job, but the foundations for a new class of security tools had been laid.

Scan your network

You can use the current generation of network-analysis tools to test your own network both inside and outside your firewall.

Tools like Nessus are easy to use and free to download. You'll find packages for most operating systems, though the Unix versions are often the most mature.

Commercial security scanners like GFI's LanGuard also help show up flaws, though they may not be as thorough as the more wide-ranging Nessus. Some of the latest generation of network-analysis tools will even manage to patch your systems for you by downloading system updates and remotely installing them on the machines that are most at risk.

Once you've downloaded a network scanner, install it on the machine that you intend to host your tests on. A laptop is a good idea because you can use it to scan any always-on broadband connections via a mobile broadband connection or from a friend's network. The result is a very detailed report of system vulnerabilities and a surprising amount of information about the systems you're running.

We ran Nessus over a typical small business network that supports a handful of laptops as well as numerous desktops, servers and network devices. The resulting report found several vulnerabilities that could have easily allowed someone with access to the network to quickly steal information and disrupt the network.

Not all the problems were ones we could solve (some were baked into NAS box and wireless router firmware), but all could be mitigated by locking down the network and increasing the security on its firewall.
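The scanner's output is only useful once someone turns it into a fix list. As an added example (not code from the article, and not part of Nessus itself), the script below parses a report in the `.nessus` v2 XML layout, counts findings per host and severity, sorts the ones worth acting on, and picks out the findings the scanner reports with no vendor fix, which is the "baked into the firmware" case above where the mitigation has to come from locking down the network instead. The XML embedded in it is a constructed sample with placeholder plugin IDs, not a real scan.

```python
"""Triage a Nessus-style (.nessus v2 XML) scan report: counts per host,
an ordered fix list, and the findings that have no vendor-supplied fix."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity codes as used in the ReportItem "severity" attribute.
SEVERITY_LABELS = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus v2 layout. Hosts use documentation
# addresses and the plugin IDs are placeholders, not real Nessus plugins.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="office-lan">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Example NAS firmware</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="SMB signing not required">
        <risk_factor>High</risk_factor>
        <solution>n/a</solution>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100002" pluginName="HTTP TRACE method enabled">
        <risk_factor>Medium</risk_factor>
        <solution>Disable the TRACE method on the embedded web server.</solution>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100003" pluginName="OS identification">
        <risk_factor>None</risk_factor>
      </ReportItem>
    </ReportHost>
    <ReportHost name="192.0.2.20">
      <HostProperties>
        <tag name="host-ip">192.0.2.20</tag>
        <tag name="operating-system">Example file server</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2"
                  pluginID="100004" pluginName="SSH weak MAC algorithms enabled">
        <risk_factor>Medium</risk_factor>
        <solution>Disable MD5-based and 96-bit MAC algorithms in sshd.</solution>
      </ReportItem>
      <ReportItem port="123" svc_name="ntp" protocol="udp" severity="1"
                  pluginID="100005" pluginName="NTP version disclosure">
        <risk_factor>Low</risk_factor>
        <solution>Restrict NTP queries to trusted hosts.</solution>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_report(xml_text):
    """Flatten every ReportItem into a dict, one per finding."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        host_name = host.get("name", "?")
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host_name,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", "tcp"),
                "service": item.get("svc_name", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                "solution": item.findtext("solution", default="").strip(),
            })
    return findings


def summarise_by_host(findings):
    """Count findings per host, keyed by severity label."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f["host"]][SEVERITY_LABELS[f["severity"]]] += 1
    return {host: dict(c) for host, c in counts.items()}


def prioritise(findings, min_severity=2):
    """Fix list: Medium and above, worst first, then by host and port."""
    keep = [f for f in findings if f["severity"] >= min_severity]
    return sorted(keep, key=lambda f: (-f["severity"], f["host"], f["port"]))


def unfixable(findings, min_severity=2):
    """Findings with no vendor fix (empty or 'n/a' solution): these need a
    network-level mitigation such as firewalling the port off."""
    return [f for f in findings
            if f["severity"] >= min_severity
            and f["solution"].lower() in ("", "n/a")]


if __name__ == "__main__":
    found = parse_report(SAMPLE_NESSUS)
    for host, counts in summarise_by_host(found).items():
        print(host, counts)
    for f in prioritise(found):
        print(SEVERITY_LABELS[f["severity"]], f["host"], f["port"], f["name"])
    for f in unfixable(found):
        print("no vendor fix, mitigate on the network:", f["host"], f["port"], f["name"])
```

Running it on the sample prints the per-host counts, then the three Medium-or-worse findings starting with the High on the NAS's port 445, and finally that same finding on its own as the one with no vendor fix. On a real report, swap `SAMPLE_NESSUS` for the contents of the exported `.nessus` file.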

Crack it to win it

One area where cracking tools and techniques have helped to secure the rest of the industry is the cracking contests held at major hacker conventions.

The format is simple. A group of machines running popular operating systems are set up in a secure area. Attendees are then given hacking tasks such as installing a certain file on the machines' hard disks.

At a convention contest, attackers are initially denied all access to the machines, meaning that they have to attack them through their networking stacks and default applications and services. If the machines survive the first round of attacks, restrictions on access are removed one by one until a machine has been compromised using drive-by attacks.

The attacks used can be published (unless a sponsor has a non-disclosure agreement in place), and security researchers keep a careful eye on the results. PR teams also keep track of the contests, as a win or a fail can affect how their products are perceived by an influential part of the market.

There are some problems with these contests, however. The winners get to keep the hardware that they compromise, so contestants are often more inclined to attempt to break into the more attractive machines. Cash can also make a difference: if there's more than one machine on offer, the attacker will go for the easiest machine to compromise.

That was the case at the PWN 2 OWN contest at CanSecWest in March 2008, where $10,000 was offered as a prize alongside three PCs. The winners broke into a new MacBook Air rather than attempting to gain access to Windows and Linux systems. While the exploit in question was a simple browser attack, it was kept under wraps by a security research company in order to give Apple time to clear it up.

These secrecy agreements aren't put in place just to spare an individual company's blushes. Releasing the details of an exploit before there's a fix available would be irresponsible, instantly putting every vulnerable system out there straight into the firing line.

Rewarding the honest crackers

The contest was sponsored by TippingPoint, a security consultancy that runs its own Zero Day Initiative. This program is designed to keep significant exploits from leaking out into the black hat community.

Rewards are offered for exploits, and the more that you submit, the more you earn. It works like a frequent flyer program: you get points (as well as cash) for submitted exploits, and the more points you get, the more bonuses you receive – including access to the main security and hacking conferences, Defcon and Blackhat.

TippingPoint isn't the only company that rewards security researchers for finding problems with their products. Most operating system vendors are rumoured to pay well for undisclosed exploits (and they also have the legal wherewithal to make sure that non-disclosure agreements stick).

The goal of these payment systems is to patch the holes in the software before a piece of zero-day malware gets out there, ready to use the exploit to compromise systems all over the world. If it means paying for an exploit, then that's what it takes to make sure that millions of users are secure next time Patch Tuesday or its equivalent rolls around.

We may not all have our own tiger teams of security analysts and hackers, but the legal hacking tools and legal hackers out there certainly make our networks and PCs safer. They're everyone's penetration testers, finding the weak spots in our increasingly important – and always vulnerable – networks and making sure that the white hats get the information about them first.

Vulnerabilities need to be discovered and patched to avoid being turned into exploits. If there were no legal hackers out there, black hats would have even more ways to threaten our PCs.