
    Inside the Mind of a Hacker – 2

    Written by

    Lisa Vaas
    Published July 6, 2007

      During the 2004 presidential campaign, Jeremy Poteet watched as the candidate's site he had worked to secure went up. Just 16 minutes later, the site was attacked.

      But this high-profile site deftly deflected these attacks and the others that followed because Poteet had anticipated—and then protected against—the kinds of exploits he knew would be coming. How did he know? Quite simply, he's a hacker, and thinking like a hacker—and getting to know the tools that hackers use—is one of the most effective ways to protect your company from being exploited.

      Poteet, chief security officer at AppDefense, is the type of hacker commonly referred to as a white-hat hacker or security researcher—someone who digs for system holes to point out where trouble could occur. Black-hat hackers are just the opposite—people who try to gain access to systems and the data on them for nefarious purposes. In the past, most hackers were in it for fun or for bragging rights.

      Now, black hats are selling exploits for tens of thousands of dollars as the malware industry capitalizes on flaws to capture passwords, credentials for banking sites and personal information for identity theft and financial fraud.

      Learning how black-hat hackers think, what they're looking for and how they get it should be a fundamental part of any company's security strategy.

      According to George Kurtz, author of “Hacking Exposed,” hackers' targets have changed dramatically in the last few years.

      “When I got into the game … it was, ‘We don't have a firewall, we have a packet-routing filter.’ Fast-forward to today, and you've got very interactive applications: You've got Web 2.0 tying in back-end databases and all the exposures around that,” said Kurtz, who is also the founder of Foundstone, an organization that teaches hacking and secure coding practices. Foundstone is now a division of McAfee, and Kurtz, of Mission Viejo, Calif., is senior vice president of McAfee's enterprise division.

      Indeed, applications are increasingly drawing hackers' attention. According to research by Gartner and Symantec, close to 90 percent of software attacks were aimed at the application layer as of June 2006.

      “Once you open Port 80, you have unfettered access to an application,” Kurtz said.

      Application-level flaws aren't new. In 2002, Poteet won eWEEK's OpenHack IV competition, in which people were invited to hack a test e-commerce site. Poteet was able to hack the version of the site tied to an Oracle database application.

      Basically, the flaw that Poteet exploited was a screen in which users could edit their profile. The user name constituted one field—supposedly not an editable one. But as soon as input was accepted from the front end, with the Web server taking data from a browser, it didn't matter whether the field was designed to be editable or not—at that stage, everything's editable.

      Poteet changed the name in the field to “A Smith,” and then he waited, like a spider for a fly. As soon as somebody named “A Smith” logged on, he pounced, immediately gaining access to all of A Smith's data.
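
      The root cause described above is a server that writes back whatever the posted form contains. The following is an added example, not code from the article or from the OpenHack site; the in-memory store, field names and handler names are hypothetical. It contrasts a handler that trusts the form with one that takes identity from the server-side session and writes only allow-listed fields.

```python
# Added illustration: the store, field names and handlers are hypothetical.
EDITABLE_FIELDS = {"email", "phone"}  # what the profile screen is meant to change


def make_store():
    # Constructed sample accounts, keyed by an internal id.
    return {
        1: {"username": "jdoe", "email": "jdoe@example.test", "phone": "555-0100"},
        2: {"username": "asmith", "email": "asmith@example.test", "phone": "555-0101"},
    }


def update_profile_trusting(store, form):
    """Flawed: the target record and every column come straight from the form."""
    record = store[int(form["user_id"])]
    record.update({k: v for k, v in form.items() if k != "user_id"})
    return record


def update_profile_hardened(store, session, form):
    """Identity comes from the server-side session; only allow-listed fields are written."""
    unexpected = sorted(set(form) - EDITABLE_FIELDS)
    if unexpected:
        # Reject loudly: a field the UI never lets users edit means a tampered request.
        raise ValueError(f"non-editable fields submitted: {unexpected}")
    record = store[session["user_id"]]
    record.update(form)
    return record


def usernames(store):
    return sorted(r["username"] for r in store.values())


def demo():
    # The browser renders username as read-only, but the posted form is client-controlled.
    tampered = {"user_id": "1", "username": "asmith", "email": "jdoe@example.test"}
    flawed = make_store()
    update_profile_trusting(flawed, tampered)

    fixed = make_store()
    try:
        update_profile_hardened(fixed, {"user_id": 1}, tampered)
        outcome = "accepted"
    except ValueError:
        outcome = "rejected"
    return usernames(flawed), usernames(fixed), outcome
```

      With the trusting handler the store ends up with two records claiming the same user name; the hardened handler refuses the request and leaves the store untouched.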

      The problem is, most application developers don't think the way Poteet did during OpenHack.

      Poteet said he has consulted with many companies and has grown accustomed to seeing not just a vulnerability here or there, but a vulnerability in every field in every screen of every application in question.

      And we're not talking mom-and-pop shops—most of Poteet's clients are Fortune 500 companies, and many of them are financial institutions. But, even in organizations within the financial realm—an industry known for being well-versed and experienced with security issues—those who work on code still leave well-known security holes that draw attackers like flies to honey.

      Fool Me Once …

      If there's one sure thing when it comes to security, it's that people make the same mistakes—over and over and over. It's something that hackers have come to count on.

      Common holes include data in error messages that can be used to access systems, SQL injections, XSS (cross-site scripting) and access control in J2EE (Java 2 Platform, Enterprise Edition) applications.

      Hackers especially love SQL injection: A good SQL injection will elicit data from all the tables in your database. And if attackers gain edit capability in a user query, they can change data in the database.

      These issues are among the top 10 most frequent mistakes made in application security, as outlined by the Open Web Application Security Project. Also included in that list is usable information provided in error messages.

      Take this error message: “Microsoft OLE DB Provider for SQL Server error 80040e14 Column newsTBL.NEWS_ID is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause. G:WEBSITESWWW.SAMPLECOMPANY.COM/internal/dbSys.inc, line 241.”

      From that one error message, a potential attacker will learn that the application uses OLE DB to communicate to the database, that it uses SQL Server as the database, that SQL commands can be passed to the database and that there's a table called newsTBL in the database, among other things.
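
      The mitigation for this kind of leak is to keep the detail in a server-side log and send the browser only a reference number. The following is an added example, not code from the article; the function names and the leak categories are assumptions. It also includes a small checker that a test suite can run over response bodies to confirm nothing internal slips through, using the error text quoted above as sample input.

```python
import logging
import re
import uuid

log = logging.getLogger("app.errors")

# Categories of internal detail that should never reach a browser (assumed set).
LEAK_PATTERNS = {
    "data_access_layer": re.compile(r"\b(OLE DB|ODBC|JDBC)\b"),
    "dbms_product": re.compile(r"\b(SQL Server|Oracle|MySQL|PostgreSQL)\b"),
    "schema_object": re.compile(r"\b[Cc]olumn\s+\w+\.\w+"),
    "sql_syntax": re.compile(r"\b(GROUP BY|select list|aggregate function)\b"),
    "source_location": re.compile(r"\S+\.\w+, line \d+"),
}

# The error text quoted in the article, reproduced as it appears there.
RAW_ERROR = (
    "Microsoft OLE DB Provider for SQL Server error 80040e14 "
    "Column newsTBL.NEWS_ID is invalid in the select list because it is not "
    "contained in an aggregate function and there is no GROUP BY clause. "
    "G:WEBSITESWWW.SAMPLECOMPANY.COM/internal/dbSys.inc, line 241."
)


def find_leaks(body):
    """Return the sorted names of the leak categories present in a response body."""
    return sorted(name for name, rx in LEAK_PATTERNS.items() if rx.search(body))


def safe_error_response(exc):
    """Log the full error server-side; hand the client only a reference id."""
    incident = uuid.uuid4().hex[:12]
    log.error("incident %s: %s", incident, exc)
    body = f"An internal error occurred. Reference: {incident}"
    return 500, body, incident


def demo():
    # Simulate the database layer raising the error shown in the article.
    try:
        raise RuntimeError(RAW_ERROR)
    except RuntimeError as exc:
        status, body, _ = safe_error_response(exc)
    return find_leaks(RAW_ERROR), status, find_leaks(body)
```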

      A newer trend that has been a boon to the malware profit machine is the rapid advancements being made in rootkit technology.

      “Some rootkit technology we see at [McAfee's] Avert Labs is unbelievable,” Kurtz said. “[We see] stuff not done in the past, [done] in new ways, [done] covertly to steal information and use it for financial fraud. From a [criminal] perspective, it's moved from, ‘Let me find a vulnerability,’ to, ‘Let me find an application vulnerability and automate it and put it into a bot, load up pages and reinfect the client, which I can then use to populate my bot network.’”

      Security researchers are closely watching out for the weaponization of two new rootkit technologies that they fear will someday contribute to the stream of money feeding into the bot economy: virtual rootkits and evil hypervisors.

      “We know that the bad guys are looking for more ways to stay on systems longer, unnoticed,” said Joe Telafici, vice president of McAfee's Avert Operations, in Beaverton, Ore. “The longer you stay on a machine unnoticed, the longer you can rent out your botnet or whatever.”

      Both evil hypervisor technology and virtual rootkits, seen only in proof-of-concept code to date, allow malware authors to stay on a machine, undetected, for a long time. Researchers until recently have grimly waited for black hats to weaponize the new technologies; it's a question of when, not if, they believe. (On June 27, a group of researchers challenged the premise that such exotic new rootkits were undetectable, but the jury's still out on that question.)

      Let It Bleed

      Thomas Ptacek, principal, researcher and founder of security company Matasano, said it's not only the duty of developers and system architects to assess the security of the products protecting their assets; it's also their duty to rip the code underneath those systems to see if it bleeds—the same thing that hackers do. “[To do] due diligence, they're going to have to strip open those applications,” Ptacek said.

      Stripping open Microsoft's Windows Vista, for example, will show that Microsoft has made what most consider to be significant security improvements in its newest operating system.

      In its 64-bit form, Vista will take away some of the tools attackers now use.

      The 64-bit version of Vista makes it harder for attackers to exploit insecure functions by assuming that the entry point is always in the same place. Vista also does away with the ability to inject code into the Windows kernel to watch what functions are being called by other running programs.

      Then there's Vista's UAC (User Account Control), which redirects some files and registry keys to “sandboxes.” Malware can make changes, but the changes will go away when the process stops running or will at least not affect other users.

      Rest assured, however, that these new security controls will not result in malware authors taking their ball and going home. Rather, security researchers are anticipating that Vista's new security profile will actually force attackers to innovate.

      McAfee predicts that it will take about six months for a frustrated or ambitious malware author to turn his or her attention to rootkitting a machine and leveraging virtual technology capabilities of an Intel or Advanced Micro Devices chip.

      It's all a cat-and-mouse game: As new security techniques arise, hackers poke holes in them and malware authors learn how to manipulate them for profit.

      Scanners and other tools used by hackers are available to anyone with an Internet connection, and it would behoove developers and system architects to use these tools routinely. Just don't think for a minute that these tools will keep out the most sophisticated attacks—they're most effective for low-hanging fruit or to accelerate testing.

      The best advice echoes Ptacek's recommendation: Tear things apart as carefully and methodically as you put them together. It's better by far that you tear up your own systems to find the holes before someone does it for you.

      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
