Sarah Lai Stirland
February 2001

White Hat Hackers
By Sarah Lai Stirland

It's amazing what you can do with a little information.

I'm in Ernst & Young's 25th floor lab/office in New York City, watching a hacker break into some corporation's computer user accounts. The scary thing about the scene is that the hacker didn't have any inside information to help him unlock the doors to this sensitive information. All he had to do was look up publicly available information about his target. To actually gain access, he used free software tools downloaded from the Internet.

OK, before I get into trouble, the scene is actually a demonstration. The hacker is what the industry calls a "white hat" hacker, meaning that he's a good, trustworthy guy that corporations usually hire to break into their computer networks to pinpoint security weaknesses. His name is Scott Laliberte and he is part of Ernst & Young's eRisk Solutions group. It's a division that helps e-businesses nail down the basics of doing business reliably over the Internet.

Specifically, Laliberte works in the group's security division. He helps clients with their computer security issues and teaches a course called "Extreme Hacking." The course is one of a growing number around the country that train companies' IT staff to hack their own networks so that they can better defend themselves. The courses usually take place in one of Ernst & Young's five hacking labs around the country, last up to a week, and combine lectures with hands-on workshops.

Why break into your own computer network?

"It's just like a game of chess. Once you understand the opponent, it's much easier to defend yourself," says Laliberte.

In the past few hours, we've been empathizing a lot with the opponent.

The target is a server that's been set up in Houston on Ernst & Young's lab network. We gain access to that server by looking for side doors into Ernst & Young's private lab network from the Internet. Although the set-up is much simpler than it would be under real-life conditions, it's fascinating to see just how easy it is to break into computer systems with such freely available tools, and with so little initial information. It's also frightening: with this new experience in mind, I begin to see the security of all the account information residing at the online brokerages and financial portals on the Internet in a new, more sinister light.

On this day, a Tuesday in January, we managed to gain unauthorized access to Ernst & Young's lab network, to a particular Windows NT server that had been set up for us and called (imaginatively) "Demo." Then we assumed the role of the server's administrator. As the administrator, we were able to dump the account usernames and password hashes and recover the passwords with a piece of software called L0phtCrack.

The process, accompanied by long explanations and a few technical glitches, took a couple of hours.

The surprising aspect of the experience was the realization that the procedure for breaking into a computer system is remarkably similar to what I imagine robbing a physical bank must be like, or at least the way it's portrayed in the movies.

First, the robber cases the joint, and then he meticulously plans the logistics of breaking in. Afterwards he must cover his tracks and make a quick getaway.

Essentially, this is what hackers do when they break into computer systems. But instead of operating around physical buildings, hackers have to plan their attacks around islands of information on the Internet. And there is plenty of information that has been carelessly left lying around on the Internet, leaving corporations open to attack.

One of the primary lessons learned from this mini course in Extreme Hacking: The more information and attributes of your computer networks that you leave visible to passers-by on the Internet, the more vulnerable to attack you are.

The first step we took as hackers was simply to locate our targets on the Internet. (In order to learn the various steps leading up to an attack, we pretended that we didn't know which server we were looking for.)

Step One: By querying the InterNIC registry database with whois lookups, we're able to find the company's Internet Protocol addresses, the numerical information that identifies specific destinations on networks.

Step Two: Like old-school criminals, we still have to case the joint to see the scope and size of our target in order to figure out methods to gain access. This means performing tasks such as viewing "IP blocks," the ranges of addresses that a company maintains, and running traceroutes, which trace the route that packets travel over various networks. This gives hackers a map of a company's network. We also perform other information-gathering tasks such as DNS zone transfers, which ask a company's name server for its complete list of hostnames and addresses, and ping sweeps, to determine which systems on Ernst & Young's lab network are active.

Once we know which systems are active, we do the virtual equivalent of rattling the doors and windows of a house: we scan the ports on the active systems to check which are open. A port is a channel of communication on a system; an open port means a service is listening there, and the course likens it to leaving the front door of your house unlocked. We discover that someone has left three doors open on the demo server: NetBIOS, HTTP (port 80) and FTP. We choose the NetBIOS channel and run through an automated list of passwords to guess the one needed to gain access to the server.
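The "rattling the doors" step above, as an added example that is not part of the original article or of Ernst & Young's course material: a TCP connect scan with a banner grab, which is the kind of check the course ran against the demo server to find its NetBIOS, HTTP and FTP ports. Because a real target is not available here, the block starts its own constructed stand-in services on loopback (one that announces itself like an FTP server, one that stays silent like HTTP) and then scans them; the host, ports and banner text are all assumptions of the example.

```python
import socket
import threading

HOST = "127.0.0.1"  # constructed target: our own loopback interface


def start_fake_service(banner: bytes) -> int:
    """Start a listener on an ephemeral loopback port that sends `banner` to
    each client and hangs up. Constructed stand-in for the real FTP, HTTP and
    NetBIOS services the course found; returns the port number to scan."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener torn down at interpreter exit
                return
            with conn:
                if banner:
                    conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Pick a loopback port nothing listens on (bind, read it back, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def scan_ports(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: complete the three-way handshake on each port, then
    read whatever the service volunteers. Returns {port: banner} for open
    ports; banner is b"" when the service waits for the client to speak first,
    as HTTP does. A refused connection (RST) or a timeout (filtered) leaves
    the port out of the result."""
    found = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
            found[port] = banner.strip()
    return found


if __name__ == "__main__":
    ftp = start_fake_service(b"220 demo FTP ready\r\n")   # chatty service
    http = start_fake_service(b"")                          # silent until asked
    targets = sorted([closed_port(), ftp, http])
    for port, banner in scan_ports(HOST, targets).items():
        print(f"{port}/tcp open  {banner.decode(errors='replace') or '(no banner)'}")
```

A connect scan is the noisiest way to do this, since every probe completes a handshake the target's logs can record; it is used here because it needs no raw-socket privileges and works identically against the constructed listeners and a real host.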

Laliberte also launches a program called DumpACL, which enumerates the accounts on the demonstration server and shows us all sorts of current information about the five it finds. One of these accounts is the system administrator's. He then tries to log into the server as the administrator by guessing the administrator's password. It takes him several minutes, but eventually he makes it in. The administrator's choice of password makes the job easier: the word is "admin."

We have gained full, administrative access to the demonstration server on Ernst & Young's lab network.

But that's not enough. We want access to more useful, and valuable, information.

So Laliberte launches a popular hacking program called L0phtCrack. The program pulls the usernames and password hashes for the five accounts off the server and cracks the hashes, revealing the passwords.
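What the cracking step actually does, as an added example that is neither the article's nor L0phtCrack's own code: Windows NT stores an NT hash (MD4 of the UTF-16LE password) for each account, and a dictionary crack hashes candidate words and looks for matches. The account dump below is constructed for the example, in the "user:rid:lmhash:nthash:::" layout that pwdump-style tools produce, and the account names, passwords and wordlist are assumptions. MD4 is implemented inline because hashlib's md4 is disabled in many modern OpenSSL builds. L0phtCrack's real speed in 2001 came from the even weaker LM hash stored beside the NT hash; that format is not covered here.

```python
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian words, three rounds of 16 steps per block."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), list(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), [(i % 4) * 4 + i // 4 for i in range(16)]),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                aa = _rotl((aa + fn(bb, cc, dd) + X[idx] + k) & MASK, shifts[i % 4])
                aa, bb, cc, dd = dd, aa, bb, cc  # rotate registers for the next step
        a, b, c, d = (a + aa) & MASK, (b + bb) & MASK, (c + cc) & MASK, (d + dd) & MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in the NT SAM: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed dump in pwdump layout; the LM field holds the well-known
# "empty LM hash" value, i.e. no LM hash stored for the account.
ACCOUNTS = [("Administrator", 500, "admin"), ("ops", 1001, "Summer2001"),
            ("svc_backup", 1002, "x7#Qv!9zLm")]
SAMPLE_DUMP = "\n".join(
    f"{user}:{rid}:aad3b435b51404eeaad3b435b51404ee:{nt_hash(pw)}:::"
    for user, rid, pw in ACCOUNTS
)
WORDLIST = ["password", "admin", "letmein", "Summer2001", "welcome"]


def crack(dump: str, wordlist) -> dict:
    """Dictionary attack: hash the wordlist once (no salt, so one table serves
    every account), then look each dumped NT hash up. Unmatched -> None."""
    table = {nt_hash(w): w for w in wordlist}
    results = {}
    for line in dump.splitlines():
        if not line.strip():
            continue
        user, _rid, _lm, nt = line.split(":")[:4]
        results[user] = table.get(nt.lower())
    return results


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user:14} {pw if pw else '(not in wordlist)'}")
```

Because the NT hash is unsalted, the cost of the attack is one hash per wordlist entry regardless of how many accounts are in the dump, which is why "admin" and a seasonal password fall in the time it takes to read the file while the random service-account password survives.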

Now we have the credentials for every user account on this server, and once we're in the network, the world's our oyster. If we wanted to, we could log onto Ernst & Young's lab network as any of the account holders whose passwords we just cracked. Posing as one of them, we could reach all the information on their desktops as well as the information living on every other server on the lab network that they are authorized to access. If we wanted to do more damage, we could also upload tools onto the demonstration server that would let us monitor all the activity on the network. Some of these tools can capture and record information, such as a user logging into another server, that helps us gain access to still more systems on the network.

Just as there are infinite ways to break into a house or to rob a bank, there are infinite ways that corporate networks can be attacked and penetrated.

During the real Extreme Hacking courses, which take place five or six times a year, real, pre-arranged targets on company networks are profiled and broken into. These exercises are meant to keep network administrators aware of potential weaknesses in their network architectures, says Laliberte. Though we've only explored what's possible on Windows NT, Ernst & Young's course also covers the Unix, Windows 2000 and Novell NetWare operating systems. The course is part of an entire security solutions package on offer at the company.

In addition to sending their employees off to take this $5,000-a-head hacking course, companies can also hire Ernst & Young to come in themselves to perform assessments on how secure the company's network architecture is.

These hacking stunts might seem obscure. But the issue is that the world at large will never find out the true extent and scale of break-ins at financial institutions, because the institutions don't want the publicity to undermine consumers' trust. Meanwhile, information sharing on potential security holes and other exploitable weaknesses in software flourishes on the Web. Ernst & Young's Laliberte, along with colleagues Ajay Gupta and T.J. Klevinsky, is codifying that, along with other insights into hacking, in their forthcoming book, "Hack IT, a Beginner's Guide to Penetration Testing." Publisher Addison Wesley Longman plans to release the book in April.

"All the information and tools presented in the book are already available on the Net and people who plan to exploit the tools will already have access to them," says Laliberte. "We just give the good guys information on how to get the tools to defend themselves."