MikeShaw's WebLog

Developer Security and other stuff

Myth #1: You know as much as Hackers know

As a kid, I used to like taking things apart to see how they worked; sometimes I was even successful in putting them back together again!  I’d disassemble anything I could get my hands on – toys, watches, radios, calculators, an electronic typewriter, and an old TV, just to name a few.  As technology advanced, I was delighted to get my hands on an LED digital watch discarded by a friend’s father, who was now the proud owner of an LCD watch.  The operation was a tricky one and involved a life support system formed from parts of my many previous experiments.  Alas, the patient didn’t survive, but I learnt a lot about crystal vibrations, clock division and diodes.


In this day and age, it’s sometimes difficult to remember that there was a time when we didn’t know everything, and learning was the result of experience.  OK, so we still don’t quite know everything, but if there is something we don’t know, then we “..know a man who does”!  There is so much information available to each and every one of us that it is almost incomprehensible when you can’t find the answer to any fact you want, instantaneously.  The battle between search engines like MSN Search, Google and Yahoo (is Altavista still being used by anyone these days?) means they continue to research faster and better ways to help us find just what we’re looking for, when we’re looking for it.


If we are not careful, this easy access to all the information we can eat brings with it a consequence – we will become deluded and over-confident that we can stand on the shoulders of giants and become wise simply by accumulating knowledge from the internet.  However, to turn raw information into wisdom, you need to play with that knowledge, to question it, to apply it and to build on it – to make it your own.  A little philosophical perhaps, but just take a moment and think about the way your average day goes.  I can almost guarantee that it is a set of activities actually based on the results of searches on the internet.  You want to buy something – you look for the cheapest price first.  You’re asked to write a report – the research might come from internet searches.  You need to implement Kerberos protocol transition and constrained delegation as part of your authorisation strategy – you search the internet…


By the way, it was most probably someone else, not you, who put that information on the internet.  That someone else has already figured things out; they have already made the discovery that you are now benefiting from…


Do you remember the first time you heard about a buffer overrun vulnerability?  Was it via a news article in a magazine or online, or was it at a security training event?  I would reckon that it wasn’t on a college or university course about programming, and I would put money on the fact that it wasn’t someone working for you who came up with that joyous discovery.  Buffer overruns were just regular bugs until they got a major upgrade and became scary IT news headlines.  Now that they are recognised as a potentially serious exploitable vulnerability in any piece of software, developers are being trained to avoid them, testers are testing for them and tools have been developed to detect them.  You didn’t know about them until you were informed of their existence.  Unless you work for the NSA, GCHQ or a similar government organisation, or perhaps for one of the better software security companies, it’s unlikely that you or one of your colleagues will discover a new class of exploitable software vulnerability. 


The hacker, on the other hand, has the time and the motivation to take software apart and put it back together in new and novel ways to achieve their goal.  Unlike my tame investigations into how things worked, hackers have tools that can probe the inner workings of applications or operating systems and break things only when they choose to; more likely, you won’t even know they’ve been there or anywhere near your systems.  The good ones don’t get caught.


As the time between a vulnerability being published and an exploit for it appearing (the “days of risk”) shortens, worm writers become more sophisticated and ‘hacker toolkits’ are freely available, things may seem grim or even hopeless in the fight to protect your systems.


Do not despair, all is not lost!  Doctors don’t give up each year when a new strain of the flu virus evolves; they develop a new vaccine.  It is, however, your responsibility to take the medicine.  And like a doctor, you need to keep informed of the latest treatments: keep your IT staff current and up-to-date, and your developers informed of the latest tools and techniques for building secure applications. 


It will never be possible to know as much as the professional hacker knows about hacking, unless you become a professional hacker yourself!  However, these industry-wide issues can be tackled by everyone’s continuous vigilance and effort, and perhaps we can send the odd hacker home with a few toys that he can’t infiltrate or take apart today.


James Crowley said:

Glad to see you got around to writing this - I thought your deadline was Friday, though? ;)

Looking forward to the rest of the series!
# July 13, 2004 12:10 PM

MikeShaw said:

Thanks James, I'm glad I got round to it too. Yeah, my deadline was Friday, but I had my car broken into and then it became one of those things I'd kept putting off. It should get easier... I hope ;-)

Enjoy your summer break and glad to read you enjoyed the Thames Valley User Group meeting.
# July 13, 2004 12:37 PM

Peter da Silva said:

Surely trying to come up with ways to break any security system you're developing or implementing is part of the design and/or evaluation process? It's certainly one of the things in my mind as I read about new features or capabilities of a system, and I believe it should be part of everyone's habit if they're any kind of system or network administrator, or develop customer- or public-facing software.

It took me less than 1/4 of an hour to come up with a privilege escalation that gave me Local System access on NT, the first time I sat down in front of an NT box. I was already trying to raise people's awareness of the automatic mount and launch of internet-enabled disk-images on Mac OS X when the recent Safari vulnerability was announced.

And I'm not a "super hacker"; I'm amazed at the lengths these guys go to and some of the convoluted sequences of attacks they come up with. I've never had the patience to implement a buffer overflow attack. I'm just an ordinary guy doing ordinary things, wondering why everyone else isn't doing them as well...
# July 15, 2004 5:31 PM