Simulated cracking (was Re: [TriLUG] ethical hacking?)

Mike Johnson mike at enoch.org
Wed May 29 01:10:32 EDT 2002


Gonna kill two birds (well, maybe annoy two birds) with one post...

M. Mueller [mmueller at ss7box.com] wrote:
> On Monday 27 May 2002 01:57 am, Greg Brown reputedly wrote:
> > I've been reading about system security (one of my most favorite subjects
> > here  on trilug) and I'm wondering if there should be some kind of ethical
> > hacking group established.  The reason for this is some of us think we have
> > a more or less secure system attached to TWC or DSL and it would be nice to
> > know if there are any holes in our systems that allow access.

Well, take your best shot and try and make it as secure as you think is
possible.  Then, go looking at some of the online, automatic tools.  All
you're really after is to make sure the ports you think are closed
actually are.  The tools at:
http://www.dslreports.com/tools

look alright.  I can't seem to get Java working in Mozilla at the
moment, so I don't know for sure.

I'm sure there's several of us that wouldn't mind portscanning you and
mailing the results (I wouldn't, given an e-mail with permission).

> > I think it would be a good idea to come up with a common filename, such as
> > trilug.readme (or whatever) containing a unique text string.  If someone on
> > trilug hacks our system and e-mails back the text string we know we have a
> > security hole - and the person that finds the hole MUST say how they were
> > able to compromise the security of the system (so we can fix it).

I'd advise against this.  rday pointed out some good reasons why this
isn't a good idea.  Here's some of my thoughts:
1) It gives you a false sense of security.  Just because no one in TriLUG
(that actually tried) was able to compromise your system, does not make
it secure.
2) It smacks of the stupid 'hacking contests' that float around from
various security vendors from time to time.  These prove nothing.
Again, no one is really trying really hard to gain access to your system.
3) How do I know you won't send the cops to my door?  One would need
much more than an e-mail that says 'he said I could hax0r his box0r' to
keep one out of jail.
4) Say I do 0wn your b0x, why the hell would I want to tell you?  I
mean, you state 'the person that finds the hole MUST...' must what?
Your system is mine, you're going to have a hard time telling me what I
can and can't do.

> > Does anyone else think this is a good idea?
> > 
> > Greg

No.

In the end, security is not as tough as you're making it out to be.
Simply remove services you don't need (if all you're doing is browsing
the web and reading e-mail, your system should have -no- listening
services) and keep up to date on the patches, and you're set.

You can do the sorts of things you're looking for yourself.  Check out
nmap, check out nessus, check out lsof.  If it's listening, find out
what it is and what it does.

> It piques my interest.
> 
> I understand "hacking" as the refined art of designing, implementing, 
> testing, and maintaining computer systems and computer controlled systems.  
> What you are suggesting - unauthorized, covert, access to computer systems - 
> I understand to be "cracking".  Hacking is good.  Cracking is bad.

Speaking as a provider of security solutions (I'm in charge of several
different security services that the company for which I work provides),
you're going to have to give up the 'hacker' vs 'cracker' fight.  It was
all well and good to try and come up with a term to define 'the bad
guys', but the media has run with it, and it's too set in people's
minds.  Rather than fight the 'cracker' battle, I've headed in a
different direction in every bit of our marketing stuffs that I can get
my hands on.  'Cracker' means nothing to your average Joe, try something
that makes sense to them: attacker, intruder, compromised.  A 'normal'
person can grok those.  The 'hacker' vs 'cracker' debate/battle was over
before it started.  It sucks, but it's what we have to live with.

That said, I disagree with your definition of 'hacking'.  It's a bit too
'tight'.  A cool implementation in a script could be a 'hack'.  Using
something in a manner in which it was not designed could be a 'hack'.
Writing a cool attack that gained me access to Greg's system could be a
'hack'.
 
> I dislike associating the word ethical with cracking.  It dilutes the meaning 
> of "ethical".  I would call it cracking simulation.

Greg never used the word 'crack' or 'cracking', he said 'ethical
hacking'.  What he seems interested in (however misled) fits the term
perfectly, in my mind.  Hacking is far more than just an academic
exercise.

The actual term for what Greg is proposing is vulnerability analysis.
Probing a system to look for ways in (vulnerabilities) is not
simulation.  In some cases, it's actual attacks -- actually exploiting
that IIS server that I'm sure Greg is running. ;)
 
> There is value in simulated cracking attempts.  The US Armed Forces have had 
> simulated terrorist attacks in the past which embarrassed some high ranking 
> brass.  In these exercises, the targets were told that they were targets.  I 
> think the same rule of engagement should apply to parties participating in a 
> simulated cracking exercise.

There's huge value in vulnerability analysis (I admit a bias: we offer a
vulnerability analysis capability).  If you can find the holes in your
system(s) before the bad guys do, you can fix it before damage is done.
I don't think what Greg is proposing is the way to go, however.  You're
much better off testing your own system, first.  As you learn more and
more how to probe your own system, you'll get better at it.  You'll be
able to get more to the root cause.

There's definitely value in having a third party probe your systems.
However, ya gotta remember that security folk get paid large amounts of
cash for what you're looking for.  You're better off closing all
possible vectors of attack first, and go from there.  Trust me, it'll
keep you busy for a while. ;)

Who knows, maybe someone will step up and offer to test everyone's
systems.  I know I won't, certainly not without -written- and -signed-
permission, and I encourage anyone considering this to CYA.

Mike
-- 
"Let the power of Ponch compel you!  Let the power of Ponch compel you!"
   -- Zorak on Space Ghost

GNUPG Key fingerprint = ACD2 2F2F C151 FB35 B3AF  C821 89C4 DF9A 5DDD 95D1
GNUPG Key = http://www.enoch.org/mike/mike.pubkey.asc
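An added example, not part of Mike's post, of the "if it's listening, find out what it is" step he recommends: a small POSIX sh script that reads `lsof -i -P -n` output, lists every listening socket with the process behind it, and then strips out anything bound only to loopback so what remains is exactly what the network can reach.  The lsof listings below are constructed for the example, not captures from a real host, and the awk field positions assume lsof's default column order (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME, then an optional state).

```shell
#!/bin/sh
# Inventory of what is listening on a box, the "if it's listening, find out
# what it is and what it does" step. Reads output in the layout produced by
# `lsof -i -P -n` (numeric ports and addresses, one socket per line). Assumes
# lsof's default column order:
#   COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]

# Constructed sample in `lsof -i -P -n` layout; not a capture from a real host.
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
cupsd     901 root    6u  IPv4  12401      0t0  TCP 127.0.0.1:631 (LISTEN)
rpcbind   640 rpc     8u  IPv4  12200      0t0  UDP *:111
rpcbind   640 rpc     9u  IPv4  12201      0t0  TCP *:111 (LISTEN)
mozilla  2310 mike   40u  IPv4  18800      0t0  TCP 10.0.0.5:41234->64.12.1.2:80 (ESTABLISHED)
exim4    1005 root    4u  IPv4  12900      0t0  TCP 0.0.0.0:25 (LISTEN)'

# Constructed sample of a browse-and-mail box done right: loopback-only
# printing, one outbound connection, nothing reachable from the network.
SAMPLE_LSOF_CLEAN='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     901 root    6u  IPv4  12401      0t0  TCP 127.0.0.1:631 (LISTEN)
mozilla  2310 mike   40u  IPv4  18800      0t0  TCP 10.0.0.5:41234->64.12.1.2:80 (ESTABLISHED)'

# stdin: lsof -i -P -n output. stdout: one "proto local-address command pid"
# line per listener. TCP listeners carry "(LISTEN)"; a bound UDP socket has no
# state column, so any UDP line without a peer ("->") counts as listening.
list_listeners() {
    awk 'NR > 1 && $8 == "TCP" && $10 == "(LISTEN)" { print "tcp", $9, $1, $2 }
         NR > 1 && $8 == "UDP" && $9 !~ /->/      { print "udp", $9, $1, $2 }'
}

# Same, minus sockets bound only to loopback (IPv4 127/8, IPv6 [::1]).
# Anything left is reachable from the network and needs a reason to exist.
exposed_listeners() {
    list_listeners | awk '$2 !~ /^(127\.|\[::1\]|localhost)/'
}

# Exit 0 when stdin shows nothing exposed beyond loopback, 1 otherwise.
# This is the "no listening services" target for a machine that only
# browses and reads mail.
no_exposed_listeners() {
    [ "$(exposed_listeners | wc -l | tr -d ' ')" -eq 0 ]
}

# Run against the local machine (needs lsof installed, and usually root to
# see every process's sockets). Assumes the same lsof column layout as above.
audit_live() {
    lsof -i -P -n 2>/dev/null | exposed_listeners
}

# Report on the constructed sample: each line printed is a service to remove,
# firewall off, rebind to loopback, or consciously keep and keep patched.
printf '%s\n' "$SAMPLE_LSOF" | exposed_listeners
```

Run `audit_live` on the box itself, then portscan the same box from a second machine with nmap and compare: lsof shows what the host thinks is bound, nmap shows what the network can actually reach, and any difference between the two lists is either a filter you forgot you had or a filter you thought you had.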