Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption

Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
RE[5]: Bah - hacking skills
by jabbotts on Sat 18th Jun 2011 17:13 UTC in reply to "RE[4]: Bah"
jabbotts
Member since:
2007-09-06

I agree that it's far harder to build and manage secure systems than to find and exploit a single path into them. I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in their duties.

Hacking and hackers are not inherently criminal; it is a set of skills applied to any topic of interest and in the majority of cases, applied in a perfectly legal manner. In terms of security, hackers who work within the law should be considered a natural resource. They should be employed to design and test systems. If you are not employing hackers on your own sys admin team and/or having third party pentests done by hackers, how can you possibly claim that you've designed and hardened your systems in any kind of responsible manner?

Heck, if you're federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing (which does bring into question these federal systems that are broken into so easily, let alone older cases of widespread use of default passwords and similar stupidity).

Not contracting people who now have a criminal record; that's fair. There are lots of law abiding hackers out there to hire or contract.


Proactive testing
by Lennie on Sun 19th Jun 2011 09:09 in reply to "RE[5]: Bah - hacking skills"
Lennie Member since:
2007-09-22

Proactive testing is just proactive testing, it doesn't say anything about the security of a system.

It just says it isn't vulnerable to the attacks it was tested against. However, a large part of that testing is done automatically with tooling in the production environment, so people are careful with how they test.

So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it.

No, pentesting and so on is to find the most obvious problems.

Just look at a recent bank website security problem: when an id in the URL was changed, people could get into the accounts of other people.

I'm very certain banks do those previously mentioned security checks.

If you want real security, there is only one solution: have a 3rd party look at the code. All the code.


jabbotts Member since:
2007-09-06

"Proactive testing is just proactive testing, it doesn't say anything about the security of a system."

You think it's better to wait for a malicious third party to test your systems for you? Proactive testing can, at minimum, give you an indication of your system's effective security posture. Properly done, it includes addressing discovered issues and retesting to discover new ones. That would be the "proactive" part of it. If proactive testing is not saying anything about your system's security, you need to fix your testing methodology.

Automated testing is also very much a part of proactive testing. I'd say it's like the relationship between signature- and heuristics-based AV: the signatures to catch the recognizable stuff and the heuristics to catch what is not recognizable. The automated vuln assessment tools for the signatures they recognize, followed up by a skilled manual vuln assessment with the creativity and flexibility of a skilled human.

"So even if the tool found a problem like a SQL-injection, the tool or user of the tool might not even have noticed it."

Bingo. "might not even have noticed it". If your admin or auditor is a Hacker they will indeed notice it though. They will be looking for it. They are self directed learners who think in terms of "hm.. what can I do with this beyond its intended purpose?" by default.

"No, pentesting and so on is to find the most obvious problems."

Vulnerability assessment says "someone could possibly open that door if left unlocked." Pentesting says "That door is indeed unlocked, here is what one is able to do in the room behind it if you don't lock the door." A vulnerability assessment is a list of potential problems one should address. A pentest provides that list along with confirmation that they are exploitable and evidence as to why you should fix them.

If all you tasked your internal team with or contracted a third party for is a single way into the system then sure. You put that limitation on them in the first place though. You're designing your test to fail. Limiting scope of testing, ordering a pentest when what you wanted was a vulnerability assessment or ordering a vulnerability assessment when what you wanted was a pentest are all great ways to ensure failure.

You could alternatively contract the third party to find all the ways in they can, what they can do once in and ways they are able to maintain access during the time permitted.

With an internal pentest team, you can run a proper testing cycle: pentest, harden, verify, pentest, harden, verify. Now you're not just finding a single vulnerability and calling it a day.

If your test is only to find the most obvious problems and you're not repeating the test cycle to find your next most obvious problems, you're doing it wrong.

"I'm very certain banks do those previously mentioned security checks."

And, that's exactly the problem. You are very certain your bank is doing the proactive testing; do you know for sure that they actually are though?

Everyone was certain Sony, a huge tech company, knew how to manage its servers and networks. How did that work out? Lack of network filtering, servers left without latest updates (or even remotely recent updates), customer data stored unencrypted. These are things any competent pentest would have identified. Any responsible company, having those identified, would have addressed them promptly.

Everyone was certain that having over a hundred million PSN and SOE customers' private information exposed would convince them to address discovered issues and check for similar issues across all other company systems. Everyone was certain that Sony's PR claims that they have addressed security issues meant they had actually implemented changes. How did all that work out for Sony when the next week the same weaknesses were exposed in other systems?

Everyone was certain Facebook knew how to implement its software securely. Facebook must be testing its systems continually, right? So what of passing authentication tokens in URLs, which has left every Facebook user open to exploit since 2007? (That one was discovered around May of this year, 2011.)

And financial companies; banks and such. They must be doing the previously mentioned security checks; Heartland Payment Systems, 2009, 40 million accounts exposed.

Banks are in the business of making money. They are notorious for "minimizing expenses" any way they can get away with it. "we'll spend the money to fix that if it proves to be a problem" is the mainstay. If it's cheaper to live with the losses instead of fix the problem; they're going to continue living with the losses.

I wish the market success of a company was an indication of its responsible management of secure systems; it's not. More often, it's the opposite.

Let's toss out another example for fun. RSA, thee security company. When governments, military and billion dollar companies need security they go to RSA. RSA's SecurID database has been compromised. Everyone who uses SecurID for authentication is screwed. RSA has actually said "uh.. make sure you are using strong passwords for your second of the two part authentication because the SecurID part of it isn't stopping anyone."

But how could this happen? We were all certain that RSA would be doing testing. It was a spear phishing email. How are automated vulnerability assessment tools and peer code review going to identify the need for staff training against social engineering attacks?

The string of successful company breaches resulting from the SecurID breach is ongoing and affecting such sensitive information as new weapon designs copied from government contractors.

"If you want real security, there is only one solution to have a 3rd party look at the code. All the code."

That, like automated testing, is very much a part of it. Peer review can do a lot to remove bugs from software. It's not the one magic cure solution on its own though.

Consider some of the vulnerabilities in Windows which exist because the code is correct. Intentional functions like DLL relative paths. Peer review and automated code audits were not going to find that problem because the code was implemented as intended. Discovering and demonstrating that vulnerability took human creativity thinking beyond the software design document. It took someone testing the system after source code was compiled to a running binary.

Automated code auditing to find recognizable bugs in your source code.

Peer review to find bugs the automated audit tool missed.

Automated vulnerability assessment to find recognized weak points in your system's security.

Manual vulnerability assessment to find weaknesses missed by the automated tools.

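As an added example (not code from the thread or from any poster), here is the kind of check that follows from jabbotts' DLL search order point: source review of a "correct" LoadLibrary call cannot tell you where the DLL actually came from, but inspecting the running process can. The script lists the modules a process has loaded from outside %SystemRoot% and its own install directory, with the Authenticode status of each; $ProcessName and $ExtraTrustedDirs are assumed placeholders for your environment.

```powershell
# Added example, not code from the thread or from any poster.
# Lists DLLs a running process has loaded from outside %SystemRoot% and its own
# install directory, with the Authenticode status of each. The DLL search order
# is decided at run time, so this only shows up in the running binary.
# Assumptions: $ProcessName and $ExtraTrustedDirs are placeholders for your
# environment; the caller can read the target process's module list.
param(
    [string]$ProcessName = 'notepad',
    [string[]]$ExtraTrustedDirs = @()
)

function Test-UnderRoot {
    # True when $Dir is $Root or a subdirectory of it (separator-safe prefix).
    param([string]$Dir, [string]$Root)
    $d = $Dir.TrimEnd('\').ToLowerInvariant()
    $r = $Root.TrimEnd('\').ToLowerInvariant()
    return ($d -eq $r) -or $d.StartsWith($r + '\')
}

function Get-UnexpectedModule {
    param([System.Diagnostics.Process]$Process, [string[]]$TrustedRoots)
    try {
        $exeDir  = Split-Path -Path $Process.Path -Parent
        $modules = $Process.Modules
    } catch {
        # Protected or cross-bitness processes may refuse module enumeration.
        Write-Warning "PID $($Process.Id): cannot enumerate modules ($_)"
        return
    }
    $roots = $TrustedRoots + $exeDir
    foreach ($m in $modules) {
        $dir = Split-Path -Path $m.FileName -Parent
        $trusted = $false
        foreach ($root in $roots) {
            if (Test-UnderRoot -Dir $dir -Root $root) { $trusted = $true; break }
        }
        if (-not $trusted) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                PID       = $Process.Id
                Module    = $m.ModuleName
                Path      = $m.FileName
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            }
        }
    }
}

$trustedRoots = @($env:SystemRoot) + $ExtraTrustedDirs
Get-Process -Name $ProcessName -ErrorAction Stop |
    ForEach-Object { Get-UnexpectedModule -Process $_ -TrustedRoots $trustedRoots } |
    Format-Table -AutoSize
```

An empty result means every module came from a directory you already trust; anything listed as NotSigned from a user-writable directory is what a pentester would look at first and what a code audit would never have shown.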

RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 18:09 in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

"I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in there duties."

So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.

"Heck, if your federally employed, FISMA makes it a legal obligation to be responsible and prove your systems secure through proactive testing"

Unfortunately this makes your system "better" by trial and error, not by design.

"There are lots of law abiding hackers out there to hire or contract."

Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems.


jabbotts Member since:
2007-09-06

"So banks should be employing thieves when they design their bank vaults? Having a generally idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose."

Let's get the confusion out of the way first. The majority of Hackers are in fact law abiding folks. It's a mental approach to solving problems; a skill set, creativity and curiosity. It is not an indication of ethics or morality. While some folks use hacking skills to break the law, the majority do not.

Hacking is not even inherently computer security or computer related. Law abiding hackers are seen in all areas of interest. Hams; radio hackers. Gearheads; car hackers. Audiophiles; stereo hackers. The US authors of the constitution; political hackers. Builders; physical hackers. Computer Case Modders; case hackers. Researchers who find and responsibly report software bugs; usually software and security hackers. The folks who wrote most of that FOSS software you use daily; software hackers. It's simply a creative curiosity and need to learn applied to any topic of interest and usually resulting in finding ways to use a thing beyond how it was intended.

If what you mean is "someone who breaks the law" then the word you are looking for is "criminal" not "Hacker". A criminal using methods previously discovered by hackers does not make the criminal a hacker any more than using the directions to assemble Ikea furniture makes one a master carpenter.

Now, on to your points.

Should a bank hire thieves to design bank vaults? I'd say it's up to the business management to decide. There are a few ex-cons who now work as contractors testing bank security. I've seen interviews with at least one who specializes in vault security. There are also many physical security hackers (i.e. penetration testers) who've never broken the law; the bank may consider hiring one of them instead.

Having a general idea about how a break-in occurs helps, but it's really not the same as someone with the hacker mind and permission actually breaking in and going "here's how I got in, here's what I could do once in."

"Unfortunately this makes your system "better" by trial and error, not by design."

It's not done in a vacuum. You design a secure system and let the guys on your team with the Hacker mind think of ways the system could fail. You update your specs. Once you actually implement the test system you let the Hacker minds try to break it, then address how it fails. You repeat this in testing until satisfied that it's reasonable for production use. You then regularly test the production system or a lab duplicate of it to see what new ways it fails, which you then address.

Why do you suggest that it's one or the other? Why do you suggest that "design" is inherently superior and need never be tested?

"Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems."

Obviously the word you should be using then is "criminals". And, if you did indeed recognize the difference, why did you open this last comment by asking if banks should be hiring criminals to design bank vaults? Was there something to be gained by sensationalizing your comments by referring to "teh 3vi1z hax0rz3z"?

If you did indeed recognize the difference then my first comment stands; how do you know your system is indeed secure if you've never let it be tested by hackers? If you haven't any hackers on your admin or info sec teams then obviously you have room to improve simply by addressing your current lack of creative "outside the box" self motivated staff.


RE[7]: Bah - hacking skills
by Alfman on Mon 20th Jun 2011 02:30 in reply to "RE[6]: Bah - hacking skills"
Alfman Member since:
2011-01-28

"[jabbotts] I might suggest though that if the person developing the system is not themselves a hacker or employing hackers they are being negligent in there duties."
Soulbender,

"So banks should be employing thieves when they design their bank vaults? Having a generally idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose."

Wait, how did you get from someone being a hacker to that person being a thief? Or any sort of criminal for that matter? Many hackers are in professional occupations and there is nothing unethical about it.

I think maybe there's cross talking going on due to a difference in the definition of "hacker" - yours seems to imply a criminal element, but many hackers don't consider themselves criminals (and nor does the law for that matter).
"True but unlikely."

Can you elaborate?
"That's a really lame excuse and it's just confirms that these people are indeed assholes."

Maybe they are assholes, but they're still skilled ones.

"Is that like being a law abiding bank robber?"

No, not at all the same thing. Robbing banks implies a criminal element, hacking does not.
"Would probably help if the term 'hacker' wasn't so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term."
Security hackers can break into their own systems, do you agree that it's neither illegal nor immoral? They can hack into third party systems with permission, same deal there, right? It's not the skill of hacking which is evil, it's the intent.

Of course, it may be unwise to hire a hacker who's previously demonstrated skill but has also shown malicious intent. However this doesn't describe the majority of hackers, most of whom just hack their own systems to learn about security.

The only reason we hear about all these "evil hackers" is because they're the ones which catch headlines, the good hackers don't get any attention - it's unfair but that's the media for you.

Edit - I guess this is already the conclusion on this thread, so I didn't need to post. Oh well.

Edited 2011-06-20 02:45 UTC


RE[6]: Bah - hacking skills
by Soulbender on Sun 19th Jun 2011 19:18 in reply to "RE[5]: Bah - hacking skills"
Soulbender Member since:
2005-08-18

"There are lots of law abiding hackers out there to hire or contract."

Is that like being a law abiding bank robber?

Would probably help if the term "hacker" wasn't so ambiguous. Are we talking about hackers who write code or hackers who (try to) break into systems? Two different beasts, same term.


RE[7]: Bah - hacking skills
by jabbotts on Sun 19th Jun 2011 19:58 in reply to "RE[6]: Bah - hacking skills"
jabbotts Member since:
2007-09-06

I think my meaning in my original post was quite clear in referring to law abiding Hackers not crackers or criminals. Are you just trying to be cute by intentionally misreading what I wrote to mean criminals just because I talked about Hackers and system security?

And really, how can you claim your sys-admin or infosec team is at its best if you haven't at least one member who can think outside the box, find creative solutions, try the unexpected and take a detail oriented enthusiast's interest in developing and implementing a solution?

My point stands; if you're responsible for system management and security, you should be hiring Hackers, not nine to five folks looking only for a pay cheque with no real interest in the job topic outside of work hours. You want the type of person who will go home, duplicate wifi settings using their own router, break into it, then report back on how easy/hard it was and how your business system can be improved. You want people who spend all day managing and fixing your systems, then go home and play with their own systems for the pure joy of developing skills and learning down to the smallest details (aka Hackers).
