Stealthy hacker dons a white hat

The Globe and Mail — Busi­ness Sec­tion
July 1st, 1999 — 1450 words

Brad Gri­er — in Cal­gary

Bri­an Lynch looked like any oth­er exec­ut­ive as he flew to his next busi­ness meet­ing, typ­ing notes on his laptop and fin­ish­ing off yet anoth­er memo.

But the papers in the clean-cut young man’s carry-on told a dif­fer­ent story. The bag con­tained a prin­tout of 10,000 val­id cred­it card num­bers, taken after a suc­cess­ful secur­ity pen­et­ra­tion of a com­puter sys­tem.

Bri­an is a hack­er. A White Hat hack­er to be pre­cise. A pro­fes­sion­al com­puter secur­ity spe­cial­ist work­ing for ‘the forces of good’.

His primary job is to audit the cor­por­ate data secur­ity and net­work infra­struc­ture before someone with a much more mali­cious agenda can get in.

In order to beat the bad guy at his own game, Mr. Lynch and his col­leagues have to vir­tu­ally wear a Black Hat — set a thief to catch a thief.

In this pro­fes­sion we’re see­ing a blend of Net­work Admin­is­trat­or, Psy­cho­lo­gist, Sys­tem Admin­is­trat­or, Tech Sup­port and Man­age­ment.” Mr. Lynch notes. “But to actu­ally think in the sense of the per­son who wants to break into a net­work or to fully assess what the net­work vul­ner­ab­il­it­ies are, is prob­ably not some­thing that can be learned in school.”

And that begs the ques­tion; How do you learn to hack?

Not form­ally at col­lege or uni­ver­sity, though Mr. Lynch sug­gests that most do offer courses in basic secur­ity. “If you wanted to get a Com­puter Sci­ence Degree, you’d know how to pro­gram, you’d know C++ etc. how­ever I don’t think you’d have the applic­a­tion, I think it’s some­thing that needs to be learned.”, he says. Learned in the envir­on­ment.

The Inter­net provides a digit­al smör­gås­bord of know­ledge for both the Black and White Hat com­munit­ies.

Type the word ‘hack’ into any search engine and you’ll get thou­sands of hits. The Web is the secur­ity specialist’s text­book.

LOpht, and Cult of the Dead Cow are two of the more fam­ous com­puter secur­ity spe­cial­ist groups online. Their web­sites detail new ‘exploits’ and ‘fixes’ for many oper­at­ing sys­tems and applic­a­tions. Curi­ous users will also find ‘warez’; pro­grams designed to break pass­words and sys­tem secur­ity.

When it comes to ‘on the job train­ing’, Mr. Lynch says, “I think it comes down to being able to pull out the use­ful inform­a­tion, some­times find­ing things on your own. I read a ridicu­lous amount of information¦it’s very import­ant to stay informed and aware in this industry.”

But that same inform­a­tion can also be used for ‘evil’. Cult of the Dead Cow alarmed the secur­ity com­munity last August when they released ‘Back Ori­fice’; a pro­gram designed to give unlim­ited access to a tar­get com­puter run­ning the Win­dows oper­at­ing sys­tem.

I think there’s a lot of con­verts. Black Hat is obvi­ously where a lot of people start.”, Mr. Lynch observed. “A lot of people have crossed the line, either way, from White to Black — Black to White. But there’s a peri­od of research for any per­son, where they real­ize what they’re becom­ing inter­ested in, and they see a lot of inform­a­tion they like¦it’s not really Black or White Hat, I think that’s where I would have star­ted. And moved into White Hat.”

Mr. Lynch began his edu­ca­tion in the early days of home com­put­ing, using a cut­ting edge ‘386 and a 2400-baud modem. The bul­let­in board sys­tems were his primary school, exchan­ging tid­bits of inform­a­tion with oth­er curi­ous folk. “I saw how inter­ested con­nec­ted com­puters can be”, he notes. “I was back on the Inter­net with Lynx, Mosa­ic, and Gopher, and I star­ted out on AIX, and then kicked around all the Unix sys­tems, and now I’ve expan­ded into NT, there’s a big demand in the cor­por­ate world for NT. A wide base of oper­at­ing sys­tem and soft­ware know­ledge helps when you’re on the ground”

Bud­ding hack­ers can eas­ily learn any­thing they need to know about any type of com­puter sys­tem online. With a bit of research they can learn all about your cor­por­ate com­puter resources.

Then there’s the soft side of hack­ing; social engin­eer­ing. Mr. Lynch notes, “The best way to get into a client’s inform­a­tion might not be to sit there for six hours on their com­puter net­work, it might be just a simple call to their sup­port centre that can get your pass­word, or walk­ing into their build­ing.

After fin­ish­ing his freel­ance online explor­a­tions, Mr. Lynch then worked on private con­tracts; con­sult­ing and learn­ing more about the busi­ness. “I’ve had a lot of work as a per­son who goes into net­works and dis­cov­ers what’s there and I have an eye for what is valu­able to a com­pany from an out­siders per­spect­ive.”, he says.

Jaws Tech­no­logy Inc. of Cal­gary recog­nized Mr. Lynch’s tal­ent, and per­suaded him to join their cause. At Jaws, he’s a mem­ber of a team of secur­ity spe­cial­ists that mar­ket their diverse skills to busi­nesses with a need for data secur­ity. “We sit down with a com­pany, first of all, and find out what’s valu­able to them”.

Then the real grunt-work begins, look­ing for the vul­ner­ab­il­it­ies.

Intern­al secur­ity is usu­ally the first and most import­ant tar­get of the audit. “More than sev­enty per­cent of inform­a­tion theft and secur­ity breaches occur from inside”, he observes.

For obvi­ous reas­ons, Mr. Lynch declined to go into detail about the meth­ods he uses when per­form­ing an audit, but many of the skills he uses are the same ones used by people intent on breach­ing cor­por­ate secur­ity.

A scen­ario could work like this:
Work­er X at the Tar­get Com­pany receives a phone call from a sup­posed Help­desk staffer. The caller sounds con­vin­cing, and even knows some per­son­al or work related detail that help estab­lish their cred­ib­il­ity.

The user is then instruc­ted to run a pro­gram on their com­puter, e-mailed to the user pre­vi­ously. Now the deed is done. The pro­gram was a Tro­jan Horse, and that employee’s machine is now sur­repti­tiously relay­ing user IDs, pass­words and oth­er cor­por­ate data to a Black Hat.

You may not think there’s much valu­able inform­a­tion bur­ied in your e-mail, but Mr. Lynch dis­agrees. “I don’t mind scrolling through fifty pages of inform­a­tion to exploit things. Maybe there’s text lying around, and I don’t mind read­ing a month of someone’s email, to scan for use­ful cor­por­ate inform­a­tion if that’s what I’m being hired to do.”, he states.

Extern­al ‘Attack and Pen­et­ra­tion’ audits expose the oth­er big vul­ner­ab­il­ity of today’s networks¦the cor­por­ate Fire­wall to the Inter­net. “We can come to your fire­wall, do a little probe, and find out that we can read a person’s hard drive”. Mr. Lynch adds, “if they have a net­work share tied into that, we may be able to read the entire net­work off a web browser.”

The work’s not very easy, or glam­or­ous, but occa­sion­ally the pay­off can be awe­some, such as find­ing those cred­it card num­bers, unpro­tec­ted and exposed. “I like find­ing holes in people’s sys­tem that are so extraordin­ary it just makes me sit back from the mon­it­or”, he says. “I’ve had root access on very large sys­tems, and sud­denly you’re there! You just catch your breath¦ You’re sud­denly hold­ing all their cor­por­ate records, and you can con­trol any­thing you want on their sys­tem.”

Mr. Lynch cau­tions that a mali­cious hack­er wouldn’t neces­sar­ily delete data or infect the sys­tem with a vir­us. “Someone can use that inform­a­tion in a sec­ond­ary sense, steal your iden­tity, apply for cred­it cards, attacks along those lines”.

This sort of thing does hap­pen here in the real world, as one of his cli­ents found out. “They had an intern­al web­site with age, mar­it­al status and oth­er con­fid­en­tial inform­a­tion on their cli­ents. Account­ing and mar­ket­ing should have been able to access it, how­ever we dis­covered that any­one on the Inter­net could.”

Mr. Lynch says the real fun is in clos­ing these secur­ity holes, and dis­cov­er­ing new ones. “That’s a high,” he says. “To have that, or to get the access of someone, or to come across a nug­get of inform­a­tion that’s quite use­ful, that’s a good feel­ing, if that’s what you’re look­ing for.”

In the next few years, you’ll be read­ing more about Bri­an Lynch and his col­leagues. Com­puter secur­ity is becom­ing more com­plex, chan­ging and grow­ing as quickly as the com­puter industry. And the Black Hats are out there too.

Last Updated ( Wed­nes­day, 19 Octo­ber 2005 )

Related Posts with Thumbnails