Technician, Heal Thyself Is 1st Lesson at Hacker U

ASSOCIATED PRESS

Leandro Oliveira flew in from Brazil to learn how to hack. Little did he know he’d be breaking into his own computer.

During a class, the security consultant put into practice some newfound skills. He typed a few simple commands into a PC and bypassed a security firewall--at his company in Brasilia--meant to block intruders.

Oliveira smiled. “I have to go back now and reconfigure my firewall and my machine,” he said, shrugging.

It was a productive week for Oliveira at Foundstone’s hacking school, one of a growing number of training seminars made popular over the past year by real-world hacking, which has cost companies tens of millions of dollars.

There is no simple software solution to security on the Internet. Hence sessions like the Foundstone class, whose operating philosophy could be described as: If you want to beat them, join them.

“It’s very empowering,” said Nicolas Wuorenheimo, security analyst for Commerzbank’s New York branch and one of 31 students at a recent Foundstone class. “I’ve taken lots of security classes, but there’s nothing like Breaking and Entering 101.”

Security threats increase as computers become more connected with one another and as tools that automate attacks make hacking easier. In addition, as businesses become more dependent on e-commerce, there’s more to lose.

A March report from the Computer Security Institute found 273 large companies and government agencies reporting losses totaling $266 million in the last year.

“There’s always been a vulnerability to hacks, but there hasn’t always been the economic impact,” said Bob Bassett, a trainer for Ernst & Young. His company has offered its “Extreme Hacking” class for about three years. Internet Security Systems Inc. of Atlanta has conducted “Ethical Hacking” seminars in Europe for about three months and plans to start a U.S. version next year.

Foundstone, of Irvine, Calif., runs “Ultimate Hacking” about twice a month around the country. It costs about $3,500 per student for three or four days. About 300 students have attended since the first class in March.

Dane Skagen, Foundstone’s director of training, likens computer security to football.

“The defense usually understands how the offensive plays work,” Skagen said. “When something new is thrown at them, they have a much better chance at reacting.”

With a simulated network set up in a rented conference room, Skagen teaches students to identify open access ports into the network and exploit known security flaws in common software products, including Microsoft operating systems.

He offers tips on guessing master passwords and shows ways to capture password files in transit when guessing fails. He demonstrates L0phtcrack and other software that can decrypt most passwords in seconds.

Students are shown how to deactivate software designed to monitor such intrusions--the programming equivalent of bypassing burglar alarms.

Working in pairs, students break into simulated payroll machines, using clues a typical system administrator might inadvertently leave in a computer file’s comments field. They learn how hackers devise attacks, and are encouraged to turn off unneeded software features to prevent them from being exploited.

One student, Ed Walsh, said the class taught him to rethink password policies at his company, Bridgewater Associates Inc., an investment firm in Westport, Conn.

“My thinking is, know your enemy,” the network administrator said. “Every time a [software] vendor comes out with a fix, hackers will find ways around it.”

No product can prevent all threats, security experts say. Firewalls, by design, allow e-mail and Web site inquiries through. Intrusion detection systems can identify known types of attacks--but new ones are devised all the time.

And though larger companies have long hired hackers to test their systems for vulnerabilities, those tests are conducted just once every year or so. Simply installing new software or adjusting old software during that year can create new security holes.

With security ever more complicated, Ernst & Young gets three applicants for every class spot available. And it can’t find enough qualified trainers: Like its competitors, the company won’t hire malicious hackers who have claimed reform.

Though a few students signed up after their networks were attacked, most joined simply because they are worried, said T.J. Klevinsky, an Ernst & Young trainer.

On the Web:

Foundstone: https://foundstone.com

Ernst & Young: https://ey.com

Sandia program: https://heat.ca.sandia.gov