
Outrunning the Bears


In-house hackers help Web sites stay steps ahead by finding vulnerabilities before they are exploited



July 1, 2007 — 
The term “hackers” does not refer only to the villains who break into Web sites to do malicious things and steal important information. There are the white knights of the hacker society as well, scanning Web sites and conducting penetration tests to find vulnerabilities. Ethical hacking has become a security tool, as organizations seek out their vulnerabilities before the wrong sets of eyes find them.

BUGS FOR SALE
A developer for the open source Metasploit project, a computer security project that provides help and tooling for penetration testing, said that hackers are starting to sell the vulnerabilities they find because bugs are getting harder to find. The developer, who asked to be referred to only as Pusscat, said sale prices depend on what the bug is.

Pusscat and other developers contribute exploit code to Metasploit on an ad hoc basis. Exploit code is code that takes advantage of a software vulnerability to subvert some security mechanism, most commonly to execute arbitrary code on the system within the context of the vulnerable process.

“There’s a lot of time and effort that goes into finding [vulnerabilities], and even more that goes into exploiting them,” Pusscat said. “It’s basically free work you’re giving the company if you disclose the bug. The ones that get disclosed are usually disclosed by people who think they have more going for them in name recognition than in selling the bug.”

Pusscat also said that hackers can achieve a great deal of fame and a stronger resume if they release vulnerabilities publicly.

Both Pusscat and Scott Laliberte, director of security assessments for Protiviti, a provider of audit and technology risk consulting services, said most hackers follow the unwritten rule of responsible disclosure, which calls for informing the company and giving it the information you have on the vulnerability, while the company in turn gives a timeline for fixing the flaw.

Sometimes the researcher and the company can negotiate an acceptable timeline, with the researcher vowing to keep the vulnerability quiet until that date, and the company crediting the researcher for finding it, according to Pusscat.

Laliberte told SD Times that most vulnerabilities are found in Web applications, including buffer overflows, cross-site scripting, SQL injections, and on occasion, missing patches. “We’ve done ‘pen’ tests, where basically we’ll replicate a VPN [virtual private network] server, and sometimes the log-on page is susceptible to cross-site scripting,” he said. “We can use that to craft an e-mail to try to get folks to reset their VPN passwords.”

Laliberte said he uses a variety of tools, including Metasploit, the free security scanner Nmap, SPI Dynamics’ application security assessment tool WebInspect, and Application Security’s AppDetective, which assesses the security of databases. Laliberte also uses freeware tools, which are put through an internal certification process to ensure they are free of Trojan code and viruses. For good penetration testing, Laliberte said, one needs a good port scanner and the ability to write exploits. A good vulnerability scanner can help a penetration test cover most of a Web site very quickly, but the scanner is often picked up by today’s network-based intrusion detection systems.

Jeremiah Grossman, founder and CTO of Web security provider WhiteHat Security, said that in-house hackers are getting better at finding vulnerabilities on Web sites. On top of that, new technologies such as Microsoft ASP.NET are more secure than previous ones, Grossman said. The result is that fewer vulnerabilities are making it into production applications.

“It’s best if a company gets the data ahead of [an attack]. Their site is going to be attacked whether they like it or not, so it’s best if they know about vulnerabilities before the bad guys come along,” Grossman said.

‘SHOCK VALUE’
Penetration testing and ethical hacking may sound, in theory, like a great way to detect vulnerabilities, but how can someone with good intentions try to act and think like someone with bad ones?

“It has its place,” Laliberte said. “I think pen tests are good for organizations that need the shock value. Replicating what a real-time attacker may do can carry a lot of shock value. It also tests response capability, enabling you to see how well people in an organization can detect an attack and respond.”

Laliberte also said vulnerability assessment can be a good first step for less mature organizations, as it gives them some good knowledge of security vulnerabilities to watch for as they grow.

“What you’re really trying to do is make it so difficult for the bad guy, that they’re more willing to target the next Web site,” Grossman said. “I think the bear-in-the-woods analogy applies to hacking as well: ‘To outrun a bear, you have to outrun your friend.’”

