The Globe and Mail — Business Section
July 1st, 1999 — 1450 words
Brad Grier — in Calgary
Brian Lynch looked like any other executive as he flew to his next business meeting, typing notes on his laptop and finishing off yet another memo.
But the papers in the clean-cut young man’s carry-on told a different story. The bag contained a printout of 10,000 valid credit card numbers, taken after a successful security penetration of a computer system.
Brian is a hacker. A White Hat hacker to be precise. A professional computer security specialist working for ‘the forces of good’.
His primary job is to audit the corporate data security and network infrastructure before someone with a much more malicious agenda can get in.
In order to beat the bad guy at his own game, Mr. Lynch and his colleagues have to virtually wear a Black Hat — set a thief to catch a thief.
“In this profession we’re seeing a blend of Network Administrator, Psychologist, System Administrator, Tech Support and Management.” Mr. Lynch notes. “But to actually think in the sense of the person who wants to break into a network or to fully assess what the network vulnerabilities are, is probably not something that can be learned in school.”
And that begs the question; How do you learn to hack?
Not formally at college or university, though Mr. Lynch suggests that most do offer courses in basic security. “If you wanted to get a Computer Science Degree, you’d know how to program, you’d know C++ etc. however I don’t think you’d have the application, I think it’s something that needs to be learned.”, he says. Learned in the environment.
The Internet provides a digital smörgåsbord of knowledge for both the Black and White Hat communities.
Type the word ‘hack’ into any search engine and you’ll get thousands of hits. The Web is the security specialist’s textbook.
LOpht, and Cult of the Dead Cow are two of the more famous computer security specialist groups online. Their websites detail new ‘exploits’ and ‘fixes’ for many operating systems and applications. Curious users will also find ‘warez’; programs designed to break passwords and system security.
When it comes to ‘on the job training’, Mr. Lynch says, “I think it comes down to being able to pull out the useful information, sometimes finding things on your own. I read a ridiculous amount of information¦it’s very important to stay informed and aware in this industry.”
But that same information can also be used for ‘evil’. Cult of the Dead Cow alarmed the security community last August when they released ‘Back Orifice’; a program designed to give unlimited access to a target computer running the Windows operating system.
“I think there’s a lot of converts. Black Hat is obviously where a lot of people start.”, Mr. Lynch observed. “A lot of people have crossed the line, either way, from White to Black — Black to White. But there’s a period of research for any person, where they realize what they’re becoming interested in, and they see a lot of information they like¦it’s not really Black or White Hat, I think that’s where I would have started. And moved into White Hat.”
Mr. Lynch began his education in the early days of home computing, using a cutting edge ‘386 and a 2400-baud modem. The bulletin board systems were his primary school, exchanging tidbits of information with other curious folk. “I saw how interested connected computers can be”, he notes. “I was back on the Internet with Lynx, Mosaic, and Gopher, and I started out on AIX, and then kicked around all the Unix systems, and now I’ve expanded into NT, there’s a big demand in the corporate world for NT. A wide base of operating system and software knowledge helps when you’re on the ground”
Budding hackers can easily learn anything they need to know about any type of computer system online. With a bit of research they can learn all about your corporate computer resources.
Then there’s the soft side of hacking; social engineering. Mr. Lynch notes, “The best way to get into a client’s information might not be to sit there for six hours on their computer network, it might be just a simple call to their support centre that can get your password, or walking into their building.
After finishing his freelance online explorations, Mr. Lynch then worked on private contracts; consulting and learning more about the business. “I’ve had a lot of work as a person who goes into networks and discovers what’s there and I have an eye for what is valuable to a company from an outsiders perspective.”, he says.
Jaws Technology Inc. of Calgary recognized Mr. Lynch’s talent, and persuaded him to join their cause. At Jaws, he’s a member of a team of security specialists that market their diverse skills to businesses with a need for data security. “We sit down with a company, first of all, and find out what’s valuable to them”.
Then the real grunt-work begins, looking for the vulnerabilities.
Internal security is usually the first and most important target of the audit. “More than seventy percent of information theft and security breaches occur from inside”, he observes.
For obvious reasons, Mr. Lynch declined to go into detail about the methods he uses when performing an audit, but many of the skills he uses are the same ones used by people intent on breaching corporate security.
A scenario could work like this:
Worker X at the Target Company receives a phone call from a supposed Helpdesk staffer. The caller sounds convincing, and even knows some personal or work related detail that help establish their credibility.
The user is then instructed to run a program on their computer, e-mailed to the user previously. Now the deed is done. The program was a Trojan Horse, and that employee’s machine is now surreptitiously relaying user IDs, passwords and other corporate data to a Black Hat.
You may not think there’s much valuable information buried in your e-mail, but Mr. Lynch disagrees. “I don’t mind scrolling through fifty pages of information to exploit things. Maybe there’s text lying around, and I don’t mind reading a month of someone’s email, to scan for useful corporate information if that’s what I’m being hired to do.”, he states.
External ‘Attack and Penetration’ audits expose the other big vulnerability of today’s networks¦the corporate Firewall to the Internet. “We can come to your firewall, do a little probe, and find out that we can read a person’s hard drive”. Mr. Lynch adds, “if they have a network share tied into that, we may be able to read the entire network off a web browser.”
The work’s not very easy, or glamorous, but occasionally the payoff can be awesome, such as finding those credit card numbers, unprotected and exposed. “I like finding holes in people’s system that are so extraordinary it just makes me sit back from the monitor”, he says. “I’ve had root access on very large systems, and suddenly you’re there! You just catch your breath¦ You’re suddenly holding all their corporate records, and you can control anything you want on their system.”
Mr. Lynch cautions that a malicious hacker wouldn’t necessarily delete data or infect the system with a virus. “Someone can use that information in a secondary sense, steal your identity, apply for credit cards, attacks along those lines”.
This sort of thing does happen here in the real world, as one of his clients found out. “They had an internal website with age, marital status and other confidential information on their clients. Accounting and marketing should have been able to access it, however we discovered that anyone on the Internet could.”
Mr. Lynch says the real fun is in closing these security holes, and discovering new ones. “That’s a high,” he says. “To have that, or to get the access of someone, or to come across a nugget of information that’s quite useful, that’s a good feeling, if that’s what you’re looking for.”
In the next few years, you’ll be reading more about Brian Lynch and his colleagues. Computer security is becoming more complex, changing and growing as quickly as the computer industry. And the Black Hats are out there too.
Last Updated ( Wednesday, 19 October 2005 )
