Myth #1: You know as much as Hackers know
As a kid, I used to like taking things apart to see how they worked; sometimes I was even successful in putting them back together again! I’d disassemble anything I could get my hands on – toys, watches, radios, calculators, an electronic type-writer, and an old TV just to name a few. As technology advanced, I was delighted to get my hands on an LED digital watch discarded by a friend’s father who was now the proud owner of an LCD watch. The operation was a tricky one and involved the life support system formed from parts of my many previous experiments. Alas, the patient didn’t survive, but I learnt a lot about crystal vibrations, clock-division and diodes.
In this day and age, it’s sometimes difficult to remember that there was a time when we didn’t know everything, and learning was the result of experience. OK, so we still don’t quite know everything, but if there is something we don’t know, then we “..know a man does”! There is so much information available to each and every one of us, that it is sometimes almost incomprehensible when you can’t find the answer to any fact you want, instantaneously. The battle between the search engines like MSN Search, Google and Yahoo (is Altavista still being used by anyone these days?) means they continue to research faster and better ways to help us find just what we’re looking for, when we’re looking for it.
If we are not careful, this easy access to all the information we can eat brings with it a consequence – we will become deluded and over confident that we can stand on the shoulders of giants and become wise simply by accumulating knowledge from the internet. However, to turn raw information into wisdom, you need to play that knowledge, to question it, to apply it and to build on it – to make it your own. A little philosophical perhaps, but just take a moment and think about the way your average day goes. I can almost guarantee that it is a set of activities that you do based actually on the results of searches on the internet. You want to buy something – you look for the cheapest price first. You’re asked to write a report – the research might come from internet searches. You need to implement Kerberos protocol transition and constrained delegation as part of your authorisation strategy – you search the internet…
By the way, most probably, someone else put that information on the internet, not you. That someone else has already figured things out; they have already made the discovery that you are now benefiting from…
Do you remember the first time you heard about a buffer overrun vulnerability? Was it via a news article in a magazine or online, or was it at a security training event? I would reckon that it wasn’t on a college or university course about programming, and I would put money on the fact that it wasn’t someone working for you that came up with that joyous discovery. Buffer overruns where just regular bugs until they got a major upgrade and became scary IT news headlines. Now, a potentially serious exploitable vulnerability in any piece of software, developers are being trained to avoid them, testers are testing for them and tools have been developed to detect them. You didn’t know about them until you were informed of their existence. Unless you work for the NSA, GCHQ or similar government organisation, or perhaps for one of the better software security companies, then it’s unlikely that you or one of your colleagues will discover a new class of exploitable software vulnerability.
The hacker on the other hand has the time and the motivation to take software apart and put it back together in new and unusual and novel ways to achieve their goal. Unlike my tame investigations into how things worked, hackers have tools that can probe the inner workings of applications or operating systems in a manner that will break things only at their command, but more likely, you won’t even know they’ve been there or anywhere near your systems. The good ones don’t get caught.
As the time taken for an exploit to be developed for a published vulnerability (the days of risk) shortens, and worm writers become more sophisticated and you hear of the availability ‘hacker toolkits’ things may seem grim or even hopeless in the fight to protect your systems.
Do not despair, all is not lost! In the same way that doctors don’t give up each year when a new mutation of the common cold virus evolves, they develop a new vaccine; however it is your responsibility to take the medicine. And like a doctor you need to keep informed of the latest treatments, keep your IT staff current and up-to-date and your developers informed of the latest tools and techniques for building and developing secure applications.
It will never be possible to know as much as the professional hacker knows about hacking, unless you become a professional hacker yourself! However, these Industry wide issues can be tackled by everyone’s continuous vigilance and efforts and perhaps we can send the odd hacker home with a few toys that he can’t infiltrate or take apart today.