White Hat Hacking
Tyler Schumacher
Department of Computer Science
University of Wisconsin, Platteville
Abstract
Malicious hackers can cause a multitude of problems for a company. However, white hat
hackers, or ethical hackers, can be used to protect a network against them. Some IT
specialists are taught how hackers can get into a system. However, malicious hackers have
real world experience hacking networks and looking for ways to break into them and
finding vulnerabilities that they can exploit. That can make them better prepared to
protect a network if they reform. There are many different kinds of hackers, but unlike
popular thought, most hackers are not malicious. White hat hackers are the reason
networks are secure at all.
Origins of Hackers
Hackers are well-known to nearly everyone and yet understood by very few. The media
has given us our image of what hackers are. There are some popular books, and numerous
hit movies, about hackers who will guess a password within three tries, or hack a
government website and take over nuclear weapons deployment. This is a very limited,
and some would argue incorrect, view of what hackers are.
The most popular early use of the term hacker originated at MIT. Hackers were students
who would pull clever or hard-to-pull-off pranks, or 'hacks', oftentimes either involving
the Great Dome on their campus or the annual Yale-Harvard football game. It became
popular in the computer industry in the 1960s. At that time, a hacker was often someone
who would create a computer program in some nonstandard way. That could be through
changing the code in a program until the desired output was delivered, with little regard
to design or actually determining what problems there are in the code. It could also mean
crudely changing your program to work with the limited constraints of computers at the
time, perhaps by removing (hacking) code so that your program is not too large, and then
doing whatever you have to in order to get your program functional again. However, it
could include things such as efficiently solving a problem in a way that it had not been
solved before, which would have a much more positive connotation than the previous
uses [1].
Until the 1980s, even when the term hacker was used with a negative connotation, it was
still nowhere close to being as negative as it is in modern times. Hackers were not doing
anything illegal, and the general public would often be unable to distinguish the work of a
hacker from the work of a non-hacker. Modern media has now twisted the meaning of the
word hacker for most people. Many people are not even aware that there could be a
positive connotation for the term.
Types of Hackers
In the programming industry the term hacker can still be used to refer to someone who
solves a problem in an unconventional manner. Indeed the term can be used as a sign of
the highest praise. Stephen Wozniak, the co-founder of Apple, may be thought of as a
hacker. He made blue boxes which allowed him to bypass telephone switching
mechanisms, enabling him to make free long-distance telephone calls. It was through that
sort of innovation that the first Apple computers were created.
Hacktivists are hackers with a political agenda. They may have virtual sit-ins, deface
websites that promote actions or stand for ideas that are against their own, display
controversial information as a promotion of free speech, or use denial of service attacks
to protest certain websites. Recently, in August 2009, the Melbourne International Film
Festival was attacked by Chinese hackers because of a film that was proclaimed as
anti-Chinese by the Chinese state media. The Chinese had previously been on the other side of
a hacktivist attack when Bronc Buster disabled firewalls so that the Chinese public could
have uncensored access to the internet.
Blue hat hackers are security professionals that are brought in to bug test a system prior
to launch. The term is most frequently applied to security professionals that Microsoft has
invited to an annual conference to find vulnerabilities in Windows.
Crackers, or black hat hackers, are what the media has gotten people to believe all
hackers are. They are the self-serving criminals. They care only for personal gain,
whether that be turning a profit by stealing sensitive data, or just satisfaction in the
knowledge that they caused problems for some individual or company. These are the
people you hear about in the news that steal credit card information or social security
numbers, or who shut down websites.
Black hat hackers can employ a varied set of tools in order to accomplish their crimes.
Script kiddies are crackers who have no real knowledge of programming or network
security, but find tools that more knowledgeable people have created and use them in the
hopes that they do not get caught and they get something out of it. The more advanced
black hat hackers will find vulnerabilities in websites or databases and exploit the
vulnerabilities to gain unauthorized access to sensitive data. They can use vulnerability
scanners, packet sniffers, password crackers, and the like to cause harm.
There are also black hat hackers who rely on little network security flaws or cracking
software. They use social engineering techniques to gain physical access to areas they
should not be allowed to get to or to learn passwords. There are a number of different
social engineering techniques. A black hat hacker might make an imitation of a uniform
for some company. Then they could walk up to a keycard access door with a group of
people and hope that one person will let the entire group in. Or even if they just go up to
the door with one other person, they can act as though they can't find their keycard, and
hope that the other person is sympathetic, as many people would be, and allow them in.
Once inside they can look for passwords taped to monitors, something that occurs
frequently because of strict requirements on what a password can contain and also the
frequency at which passwords must be changed. They might also talk up the receptionist
in a friendly manner to try to glean some information from him or her. They also might
just try to find out where employees like to hang out outside of work, so that they can run
into them later and perhaps get them talking over a few beers. If the black hat hacker is a
female, or knows a female that he can trust, they can oftentimes more easily get
information out of people. Many do not think that women would be crackers, so they may
be less guarded with what they talk about [3]. A black hat also could fairly easily get
administrative passwords in the right situation. If they know how usernames are
determined, for instance by using the last name and then the first two letters of the first
name, then they could find the username of an administrator, and then call the help desk
asking to reset his password. The help desk could then call them right back with the new
administrative password.
White hat hackers are ethical hackers. They may be employed as ethical hackers, so their
motives could be self-serving and for profit, but they will never do any hacking illegally
or maliciously. A white hat hacker might notice a vulnerability on a business' website,
contact that business, and then work with them to fix the vulnerability. They may also be
hired by a company for the sole purpose of attempting to break into a system so that any
vulnerabilities could be brought to light and hopefully fixed.
White hats can be former black or grey hats, or they can simply be network security
specialists. Black hats may become white hats for a number of reasons. They may have
dreams of getting rich, but realize that money is hard to come by as a black hat. White
hats can get a steady paycheck with steady hours. As a black hat, you live your real life in
secret, and have to attempt to live two lives. As a white hat, you can be proud of your
accomplishments and can share that pride with those around you. They may also simply
mature out of their self-serving habits. It is believed that the majority of black hat hackers
are under the age of forty [1].
Grey hat hackers are people who do not act maliciously, and in fact oftentimes do things
that white hat hackers do, but they may do so illegally. Other times grey hats may break
into a system for the simple joy of knowing that they are able to, and then leave the
system without doing anything at all. Others may leave their signature on the system
somewhere, but not do anything malicious. A popular example of an act that
demonstrates exactly how a grey hat hacker can work is self-described in the article
"How we defaced www.apache.org" written by two hackers who go by “{}” and
“Hardbeat”. The introduction to the article follows:
This paper does _not_ uncover any new vulnerabilities. It points out common (and
slightly less common) configuration errors, which even the people at apache.org
made. This is a general warning. Learn from it. Fix your systems, so we won't
have to :) This paper describes how, over the course of a week, we succeeded in
getting root access to the machine running www.apache.org, and changed the
main page to show a 'Powered by Microsoft BackOffice' logo instead of the
default 'Powered by Apache' logo (the feather). No other changes were made,
except to prevent other (possibly malicious) people getting in. [5]
They broke into a computer, but other than the mostly harmless change of the logo on
the main page, they did no harm, and in fact fixed the problem that they exploited. They even
wrote up that entire article so that other people who had the same vulnerabilities could fix
them. As extra incentive for the company to fix the problem, and to make others aware of
what they might need to fix on their own networks, grey hats may threaten to disclose the
vulnerability to the public after a set period of time. However, {} and Hardbeat just fixed
the problem themselves, and then publicly disclosed the information afterward so that
others would be able to fix their own systems. What they did was technically illegal;
however, Apache appreciated the fix and did not prosecute them. People are not always so
lucky, however. Eric McCarty found a vulnerability on the University of Southern
California's online application system when he was allegedly registering for a class. He
was able to access USC's database, and he copied a small number of records. He then
worked with a computer security website to notify USC of the problem and to help them
fix it, but he was charged with computer intrusion under the U.S. Patriot Act.
Origin of Terms
The terms white hat and black hat hacker were based on old western movies. In the black and
white fast moving chase scenes, it could be hard for viewers to distinguish between the
good guys and the bad guys. That led to the common practice of having the good guys
wear white hats and the bad guys wear black hats. So the ethical hackers were labeled
white hats and the crackers were labeled black hats. Grey is a mixture of white and black,
and so the middle ground hackers were labeled grey hats. The blue hats were called such
to follow suit in the using of the term hat, and the color was used because of the blue
employee badges that are worn at their annual security conferences mentioned above.
Hackers in the Public Eye
Some hackers, and their activities, are well-known to the public. This happens for various
reasons, such as media coverage or problems that personally affect them. This can also be
a cause for change. The government of the United Kingdom fell prey to hackers and lost
large amounts of its citizens' data. They are now, along with other measures, employing
white hats in order to earn back the trust of the citizens.
Daniel Cuthbert, the "tsunami hacker," was found guilty under the United Kingdom's
Computer Misuse Act. Cuthbert had made an online donation to a web site that was
accepting money for victims of the 2004 Asian tsunami. Cuthbert was concerned that he
may have been phished because he did not receive a thank you or a confirmation after he
donated. He then illegally gained access to the site to test it, and was later arrested. This
sort of prosecution of someone without malicious intentions can be a deterrent for white
hats looking to find and fix problems without prior consent of a company [2]. Some
companies see that as a good thing, but all black hats do.
Tsutomu Shimomura is a famous white hat. He was hacked himself, and then worked
with the FBI to catch the black hat hacker, who was the most wanted cyber-criminal in
the US at the time. He hacked a cell phone (possibly illegally, but under FBI supervision)
to monitor calls, and was able to narrow the search down to an apartment complex, where
the hacker was arrested.
There are a number of contests and conferences for hackers. There are contests where
computers or devices running various operating systems are put up as prizes for the first
person able to hack into them. On the first day the hackers are only allowed to use
software that comes preinstalled on the computer, but the longer the computers hold up
against the hackers, the more third party applications they are allowed to install and
attempt to exploit. This allows the sponsors of the contest to fix their products before they
are shipped [4]. The most notable conference for hackers is the annual DEFCON. Along
with many lectures, contests, movies, and much more, DEFCON sets up their own
private network that they do not recommend using your primary computer on. The
network is for general hacking and security testing, so anything hooked up to the network
is fair game to be broken into. They also have a specific game, capture the flag, where
teams work together to attempt to hack, and to prevent the hacking of, systems. If a
certain file is stolen (the flag), a new round begins. Black hats are assumed to attend, but
they are not the intended audience, and in fact the hosts of DEFCON allow federal agents
to be on premises without displaying their badges.
Uses of Former Black Hats in Industry
There are some problems when attempting to hire a former black hat to protect your
system. First of all, you will rarely be able to check up on their claims. They will not
want to give the details of the crimes they have committed, as it could lead to their arrest.
If they have already served time for their crimes, then you would have very good
references for their work, but they could also be barred by the courts from working in
certain industries. And if they were formerly black hats, what is to stop them from
returning to their criminal ways, greatly hurting your company in the process? There was
a white hat working for the Secret Service, which was hunting down hackers who had
stolen millions of credit card numbers from various companies including 7-Eleven. It
turns out that the 'white hat' was leaking investigation information to the hackers, and had
helped them run tests to ensure that their intrusion would go undetected.
There are some major benefits to hiring former black hats, despite the risks. They have
real-world experience; they aren't just taught in a classroom. Criminals think outside of
the narrow classroom view, which is why convicted criminals are often used to prevent
the crimes that they committed. Protective measures against counterfeiting US currency
were aided greatly by a convicted counterfeiter, and the same holds true for network
security. Former black hats can train your security specialists in many of the ways that
black hats are attacking networks, including gaining information through social
engineering. The former black hats will know all about these sorts of techniques, and will
be able to prepare your company to avoid falling prey to them. Former black hats would
be more likely to be proactive about fixing problems instead of reactive. Some IT
specialists, more so in the past, would be called in to fix a problem. Former black hats
can be utilized to find and fix the problem before it hurts the company. There are security
consultants who do similar things, but it would be quite possible that the founders of
those companies were black hat hackers themselves at one point. And if you hire a
consulting group temporarily, they may try to scare you into buying more of their time
and services than you really need. Former black hats are much more easily able to see
potential problems in a network, but they might also still think like criminals and try to
exploit the vulnerabilities themselves.
Uses of White Hats
As temporary employees to a company, white hats could be used to test the system in
multiple ways. First they may be asked to attempt to hack the network while only having
access to information that outsiders would have easy access to. They might then be asked
to attempt to break in using information that most employees would have access to and
see how much damage they can do as a disgruntled employee [3]. A different example of
a great use of a white hat hacker is the case of a private company funding a white hat to
attempt to clone the new RFID passports. He drove around San Francisco with an RFID
reader and was quickly able to log data from a couple of passports. He is hoping that his
work will discourage the use of RFIDs for personal information as he does not believe it
is very secure.
As full time employees of a company, white hats, such as network security specialists,
can work full time on actively searching for vulnerabilities that could be exploited, as
well as reacting to fix problems if an unknown vulnerability is exploited. They can be in
charge of data encryption, managing the hardware or software based firewall, protecting
the database, and physically protecting the network from intruders.
Web Security
The Whitehat Website Security statistics report shows that 82% of websites have had, at
one point or another, a high, critical, or urgent issue. The issues are rated as such based on
the Payment Card Industry Standards Council's rating. The PCISC was founded by
American Express, Discover Card, Visa, MasterCard, and JCB, a Japanese credit card
company. The council determined how vulnerabilities would be classified, and they say
that if a website has a single high, critical, or urgent issue, they are not in compliance
with the standards that they have established. And yet 63% of websites currently have a
high, critical, or urgent issue. The report also shows that only 60% of the almost 18000
historical vulnerabilities have been resolved, leaving over 7000 unresolved
vulnerabilities. It says that vulnerabilities are still taking weeks or months to be resolved.
It lists the average number of inputs (attack surfaces) per website as 227, and the average
ratio of vulnerability count/number of inputs is 2.58%. This all shows itself in the average
number of serious, unresolved vulnerabilities per website, which is seven - seven
vulnerabilities per website that could lead to a loss of pertinent information or the
takeover of the site. Those aren't good numbers. It's up to the white hat hackers to
improve them.
References
[1] Barber, Richard. 2001. Hackers Profiled – Who Are They and What Are Their
Motivations? Computer Fraud & Security 2001 (2):14-17.
[2] Kizza, Joseph Migga. Computer Network Security and Cyber Ethics. Jefferson:
McFarland & Company, 2002.
[3] McClure, Stuart; Scambray, Joel; Kurtz, George. Hacking Exposed: Network Security
Secrets & Solutions. Berkeley: McGraw-Hill. 2003.
[4] Conti, Gregory. 2005. Why Computer Scientists Should Attend Hacker Conferences.
Communications of the ACM 48(3):23-24.
[5] “{},” Hardbeat. How We Defaced www.apache.org. 2000.