Ethical hacks may save some systems

Having someone hack into your network from the outside may be the best thing you can do for the security of your computer system.

Ernst & Young LLP has just added its first Canadian site, in Mississauga, Ont., to its 23 North American attack and penetration labs.

Having a local site is beneficial, because clients can now see first hand how the process works, said Matunda Nyanchama, a senior consultant with the Information Security Services of Ernst & Young.

“Clients are often surprised we can [break into their systems] so easily.”

The security team uses a set of steps known as “hacker tools” to attempt break-ins to the Internet, Windows NT, Unix and dial-in systems. First, the client’s system is analysed to determine where the weaknesses lie, drawing on a constantly updated global database of published weaknesses and fixes. There is a series of common problems that most people would not even think of, Nyanchama said.

“NT has allowance for a LAN connection. If you don’t disable that, then anyone can have access. Once you have a LAN connection, it is easy to download the user names on that system. And if you download the user names, it is also possible to download an encrypted password file.”

Hackers can then use tools to break the encryption, recover the clear-text password and perform a valid log-in. This is especially damaging if the firewall for the network is running on an NT box, he said. Other common weaknesses include forgetting to change defaults and using easy-to-guess passwords.

Once flaws are discovered, Ernst & Young will either fix them or give guidelines for the companies to perform the fixes themselves.

Many common problems occur with firewall configuration, said John Alsop, president of BorderWare Inc., a security analysis service firm in Mississauga.

The issue is not that firewalls are improperly engineered or tested, but rather that people within an organization often open a particular service on a firewall for a one-time business need, such as Microsoft NetMeeting, he said.

“What happens is the system administrator may open it up, but may forget to shut it down. What that means is that there is an opening in your firewall that you’ve put there that you don’t know about.”

BorderWare has a security service, called BorderPatrol, which scans firewalls and other Internet devices from the outside, “using the same mechanisms that a hacker might use.”

It scans the system on a regular basis and reports to administrators on any open services or ports, while at the same time maintaining a baseline of firewall configurations. Companies can subscribe to run the service as often as needed. This product can also be used as a complement to other security analysis services, Alsop said.

“A corporation could pay a lot of money to someone like Ernst & Young to do a very thorough security analysis and penetration test, but two or three months later you really don’t want to be repeating that same test.”

Hackers often try to hide back doors at the high-numbered ports because not many people will look there, he said. “But we do scan all the way up. So if somebody’s got something hidden at port 6,400, we will find it and we’ll alert the user.”
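To illustrate the baseline comparison Alsop describes, here is an added example (not BorderPatrol’s code) that checks a constructed external scan result against a baseline of approved open ports: it reports ports open without approval, such as a high-numbered one, and temporary exceptions like a NetMeeting opening whose expiry date has passed. The scan format, port list and dates are all assumptions.

```python
# Added example (not BorderWare's BorderPatrol code): compare an external port
# scan against a baseline of approved open ports with optional expiry dates.
from datetime import date

# Constructed baseline: port -> (service, expiry; None means permanent).
BASELINE = {
    25: ("smtp", None),
    80: ("http", None),
    443: ("https", None),
    1720: ("netmeeting", date(1999, 3, 1)),  # opened for one meeting
}

# Constructed scan output, one open port per line: "port/proto service".
SCAN_OUTPUT = """\
25/tcp smtp
443/tcp https
1720/tcp h323
6400/tcp unknown
"""
SCAN_DATE = date(1999, 6, 1)  # constructed date on which the scan was run


def parse_scan(text):
    """Return {port: service} from the constructed scan format above."""
    found = {}
    for line in text.splitlines():
        if line.strip():
            port_proto, service = line.split(None, 1)
            found[int(port_proto.split("/")[0])] = service
    return found


def check_drift(open_ports, baseline, today):
    """Classify open ports against the baseline; returns sorted port lists.
    unexpected: open but absent from the baseline (e.g. a hidden high port)
    expired:    a temporary exception whose expiry date has passed
    missing:    approved in the baseline but not seen open in this scan
    """
    report = {"unexpected": [], "expired": []}
    for port in open_ports:
        if port not in baseline:
            report["unexpected"].append(port)
        elif baseline[port][1] is not None and today > baseline[port][1]:
            report["expired"].append(port)
    report["missing"] = [p for p in baseline if p not in open_ports]
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    print(check_drift(parse_scan(SCAN_OUTPUT), BASELINE, SCAN_DATE))
```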

John Klein, president of Rent-A-Hacker in Newport News, Va., takes a slightly different approach. His company differs from most other security analysis companies because it uses ‘real’ hackers, “quite a few of whom are either wanted by the government or used to be.” This is an important distinction, he said.

“One of the most noticeable differences is the fact that a true hacker keeps up with vulnerabilities on a very regular basis — and in fact, even invents some,” Klein said.

The biggest obstacle to security often lies in the attitude of a company’s IT people. System administrators need to realize that no system is secure “unless you unplug it. And even then, it’s not bullet-proof,” he said.

“The best case scenario is if [the hackers] delete data. That’s what you hope for,” he continued. “It’s when they tamper with the data or release it, that’s when you’ve really got problems.”