[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ISN] White hat, gray hat, black hat
Forwarded from: William Knowles <wk@xxxxxxx>
By Michael Arnone
Oct. 3, 2005
For a long time, most computer network crackers hacked a system for
the same reason George Mallory climbed Mt. Everest: "Because it's
But that's no longer the only reason or even the dominant one. More
hackers now follow the philosophy frequently attributed to Willie
Sutton, a bankrobber during the 1930s. According to legend, when asked
why he robbed banks, Sutton replied matter-of-factly: "It's where the
During the past six years, malicious black-hat hackers have changed
from script kiddies who deface Web sites and spread worms to earn
glory within the hacker community to professionals sponsored by
foreign governments and organized crime. They target specific
government and industry victims and commit real crimes, sometimes for
significant financial gain.
"We're now seeing sociopaths intent on doing...more devious and
sophisticated stuff," said Dragos Ruiu, chief organizer of the PacSec,
CanSecWest and EUSecWest hacker conferences, which annually draw
hundreds of hackers worldwide.
But in general, hackers secure their computers better than the rest of
the computing community. Government and industry can learn from their
hacking techniques and protection skills to improve information
technology security, experts say. In addition, government can learn
from two other groups: the paid professionals - known as white hats -
who research vulnerabilities to protect employers' and customers' data
and the unaffiliated tinkerers - known as gray hats - who alert users
Government and industry have always learned security techniques from
hackers, whether they realize that or not. For example, penetration
testing, which is a search for security holes in a computer system, is
a common hacker practice that the federal government is using more
often, said Steven Manzuik, security product manager at eEye Digital
Security. The company provides penetration testing, vulnerability
assessment and proactive security services to the Defense Department
and federal intelligence agencies.
Penetration testing is a good way to demonstrate actual risk and
secure systems by patching or applying other protections, Manzuik
said. DOD has come to appreciate the value of penetration testing and
now has a solid schedule and process in place for it, he said.
Because the federal government is a huge target for hackers for
political and financial reasons, agency officials have started issuing
information security regulations based in part on consultations with ?
and learning lessons from ? hackers, said Mark Loveless, a senior
security analyst at BindView and a hacker for 25 years.
The Graham-Leach-Bliley Act of 1999, Health Insurance Portability and
Accountability Act, Federal Information Security Management Act of
2002, and Sarbanes-Oxley Act of 2002 all require fortification of
computer networks to protect information based on real-life hacker
attacks, Loveless said. He added that following federal regulations
can make it easier to fix many common vulnerabilities.
Military officials have learned the fastest from hackers and are
starting to pay serious attention to software policies to bolster
their security, Ruiu said. Civil agencies are the most vulnerable
because they don't have money for adequate IT security, let alone
improvements to it, he said.
DOD and intelligence agencies enjoy talking with hackers who do not
have malicious intentions, and the two groups often tip each other off
about developments and discoveries, Loveless said. Information
analysis and intelligence gathering units are particularly willing to
learn from attacks to plug holes in their security, said Marc
Maiffret, founder and chief hacking officer at eEye.
But not all government agencies listen to hackers, Loveless said.
Old-school agents in the FBI and the Secret Service don't trust
hackers because they consider many of them to be criminals.
Hackers' importance as teachers, though, is increasing. As software
insecurity remains the norm, the number of targets increases and the
stakes involved in losing control of financial and confidential data
rises, experts say.
'Millions of monkeys'
A common bond among hackers is curiosity. "What if I try this?" and
"What can I do to make it do what I want?" are two hacker mantras,
said Martin Roesch, founder and chief technology officer of
Sourcefire, a provider of intrusion-prevention systems. But that
unrelenting, inquisitive skepticism, sometimes bordering on paranoia,
yields superior quality assurance.
"Everything you forget, they will find," Roesch said. "It's like the
proverbial millions of monkeys typing on typewriters. They have
infinite resources and infinite time to find weaknesses in your
Another hacker tenet is always follow the path of least resistance,
said Matthew Gray, founder of and CTO at Newbury Networks. In doing
so, hackers use network engineers' desire for efficiency against them
to design more effective and stealthy attacks.
This path of least resistance is often through the front door, said
Paul Proctor, research vice president of security and risk at Gartner.
Attackers hack only enough to insert malicious payloads that contain
keystroke and network sniffers and other means to collect information
they can use to fool the system into thinking the attackers are
legitimate users. Once they get that, they can come and go as they
please without scrutiny.
Nine times out of 10, vigilante gray hats, black hats and
cybercriminals follow the path of least resistance, Proctor said. But
most government and industry cyberprotectors try to thwart the primary
method gray hats use: burrowing into the system code to find flaws.
Gray hats, however, pose almost no real risk to computer security
because they don't act maliciously, he said.
A failure of imagination
An obstacle to blocking hackers is the implementation of IT security
by network engineers instead of software developers and engineers,
said John Viega, founder of and CTO at Secure Software. On the other
hand, most hackers are software engineers or use software engineering
tools built by software experts. Thus, the primary defenders of IT
assets have different perspectives, skills and experiences from the
attackers, Viega said.
This compounds the problem that most organizations consider IT
security only when they are under attack, said Roger Thornton, founder
of and CTO at Fortify Software. Few organizations look at their IT
capabilities in terms of the risk they face from black hats and
cybercriminals, he said.
This failure of imagination to ask what would happen if hackers could
access their information is the main stumbling block to effective
security, Thornton said. "Anything that government and industry learn
from hackers must be seen through the lens of their own risk
management needs," Proctor said.
Another problem is that government and industry have fallen for the
negative hacker stereotypes shown on film and television, and are not
using valuable, available assets.
"Not every hacker is a cracker," which is the old slang for a black
hat, Maiffret said.
Organizations should invite more white and gray hats to their
conferences, Maiffret said. Many government and commercial
organizations, such as Microsoft, have already heeded that advice and
even pay to be sponsors at hacker conferences.
Because talented Internet security professionals, such as hackers, are
tough to find and hire, "the greatest defense against hackers is that
you can make a mighty good living on the right side of the fence,"
Government and industry hire white and gray hats who want to have
their fun legally, which can defuse part of the threat, Ruiu said. But
it's impossible to reach every potential attacker through a job
advertisement, he said.
Many hackers are willing to help the government, particularly in
fighting terrorism. Loveless said that after the 2001 terrorist
attacks, several individuals approached him to offer their services in
fighting al Qaeda.
Hiring black hats, however, is a bad idea. Bruce Murphy, vice
president of worldwide security services at Cisco Systems, said he
does not hire black hats because they do not appreciate or respect
standard business processes and structures.
"Somebody with questionable moral judgment isn't someone you want to
have control of your networks," said Avi Rubin, a professor of
computer science at Johns Hopkins University. A disgruntled hacker
with inside knowledge of a company's networks could create a nightmare
scenario, he said.
Besides, white hats have closed the skill gap between themselves and
gray and black hats, said Amit Yoran, president of Yoran Associates
and former national cybersecurity director. What the white hats need
to learn, he said, is how to sell IT security more persuasively to
bureaucracies that still may not see the need for it.
More important than the presence of hackers is emulating their
skeptical attitude, Maiffret said. Most large organizations do not
cultivate the maverick mind-set needed for quality hacking and
computer security, he said.
"Part of the hard thing in government is that you're not really meant
to question how things work," he said, adding the same goes for large
companies. "You're expected to take orders and do things...[but]
that's what [hackers] are here for, to question."
Organizations must encourage employees to question everything about
the technology they use, he said.
Putting lessons to work
The guiding principle for government and commercial IT has been to
increase productivity and decrease cost, without much thought about
security, Proctor said.
Savings are powering the federal government's insistence that
contractors and integrators use commercial software. The drive "is
like nothing I've ever seen in my life," said Michael Armistead, vice
president of products at Fortify Software.
Thornton warned that any commercial solution must account for the
organization's risk profile, especially risks presented by black hats.
Those responsible for implementing commercial products should audit
them, line by line if necessary, to see if they provide adequate
security. If they don't, the hackers will.
Even with the security emphasis since the 2001 terrorist attacks,
Thornton and other experts agree that government and industry are not
changing fast enough to thwart evolving threats from black hats.
But government and industry have attributes that, if used
hacker-style, could potentially help them defeat malicious hackers.
Government has the advantage of central coordination and the ability
to quickly enforce best practices and standards enterprisewide, Ruiu
said. It can also share information quickly and effectively ? faster,
in fact, than industry and the balkanized hacker community.
Industry has the advantages of being able to speedily implement
changes and act pragmatically, Ruiu said. If it employs the hacker
mind-set while developing products, it would produce software and
hardware more resistant to attacks in the first place.
Government and industry need research units to discover
vulnerabilities, or they should work with someone who has them,
Maiffret said. They need to dissect software to find every weakness,
just like hackers worldwide do.
Until such widespread changes occur, the public and private sectors
can protect themselves the way hackers do, said Michael Cantey, a
network systems administrator at the Florida Department of Law
Enforcement's Computer Crime Center. He said they should learn as much
as they can about what's on their systems, how those systems operate
and how to fix as many flaws as possible. They can stay current on
basic security measures and set up a multilayered defense that goes
beyond the perimeter to inside essential systems.
The only long-term way to effectively hinder or prevent hacker attacks
is to show the same persistence, skepticism and vigilance that hackers
do, Roesch said. After all, he said, "the million monkeys are working
relentlessly, every day, all day."
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
InfoSec News v2.0 - Coming Soon!