Thursday, October 13, 2005

UK IT security put to the test

The hackers who can put your IT security to the test (vnunet.com)

Computing reports on how businesses are using penetration testing

Daniel Thomas, Computing 13 Oct 2005
In the sleepy Worcestershire town of Great Malvern, Paul is hacking into a computer network.

Using software downloaded from the internet, he locates the machine of a careless employee who has forgotten to disconnect the wireless card on the laptop he used earlier to check email in an internet cafe.

By exploiting the breach, the 29-year-old Welshman finds his way into the business’s computer network and uses a bespoke program on his Dell laptop to generate 450 password attempts a second.

In the blink of an eye, Paul has cracked the password, entered the network, and is free to snoop around, steal sensitive company information and damage critical systems.

Fortunately, Paul is not a computer hacker: he is a penetration tester for defence and security firm QinetiQ, which tests and hosts IT systems for organisations including MI5 and the government’s National Infrastructure Security Co-ordination Centre.

And by thinking like a hacker, Paul Beechey, senior IT security specialist at QinetiQ’s secure health check division, says he can root out potential flaws in IT security systems, and draw a firm’s attention to the problem before criminals have a chance to exploit it.

‘As businesses rely more and more on technology and connections to the internet they become more vulnerable. Penetration testing can expose the cracks in systems in a consensual and benign way, meaning they can protect themselves before they are hacked,’ he says.

According to research by the National Hi-Tech Crime Unit (NHTCU), the UK law enforcement agency tasked with catching internet criminals, 11 per cent of businesses had their IT systems breached by hackers and former employees last year.

A further 10 per cent of businesses had information stolen from their computer network, and four per cent had systems damaged or sabotaged.

The motivations of hackers are manifold, and range from organised crime syndicates trying to steal corporate secrets, through to curious IT geeks trying to discover the truth about UFOs – see story below.

Hackers may also look to demolish a company’s reputation by defacing its corporate web site.

On Tuesday 30 September 1997, web developers at US airline AirTran returned to work to discover the company’s web site had been defaced.

The attackers had graffitied the site of the recently rebranded company with derogatory comments, accusing the firm of trying to hide the fact that 110 people had died in an air crash in Florida the year before.

‘There are people with criminal intent, and then there are those whose actions are still criminal even if they do not mean them to be,’ says Beechey.

As well as stopping hacks, penetration testing can expose vulnerabilities in IT systems, which could lead to downtime if attacked by computer viruses or worms.

In 2003, the Slammer worm infected the computer network of Ohio’s Davis-Besse nuclear power station, disabling safety monitoring systems for nearly five hours.

The worm is believed to have entered the power plant after penetrating a contractor’s unsecured system and travelling through a bridging connection into the Davis-Besse network, bypassing the plant’s firewalls.

Whereas a hacker might take months or years to try to crack a highly secure system through sheer persistence, Beechey says an internet worm can breach defences in seconds.

To combat these automated threats, companies should also deploy vulnerability scanning software, which tests systems in real time, says Paul Simmonds, global head of security at ICI, which uses the software to automatically scan more than 400 of its web sites every week (Computing, 5 May).

David Lacey, director of information security at Royal Mail, says real-time scanning can prove more cost-effective than using ethical hacking on a regular basis, and often finds vulnerabilities faster.

Hackers are also getting smarter and more organised, says Stuart Okin, associate partner at Accenture’s IT security practice. And it is no longer just teenage script kiddies and computer science students giving it a shot, he says.

‘It is something a lot more terrifying; it is organised crime gangs and they are using new methods and new tools,’ says Okin.

‘We have moved away from the good old days of the movie War Games and the acoustic coupler. Most operating systems back then were very basic and had no encryption, but it is different these days. People are getting more sophisticated.’

With the continued growth of remote working, joint ventures and supply chain partners, Okin says organisations also need to look for cracks in their internal systems and processes.

According to the NHTCU, 75 per cent of web defacements were carried out by employees last year. Some 68 per cent of data theft and 38 per cent of financial fraud was also instigated by staff using internal systems.

‘I think firms that are putting in new systems or upgrading them should include a variety of penetration testing and social engineering methods as part of their go-live,’ says Okin.

QinetiQ’s Beechey agrees: ‘It is not just about attacking from the internet. We also test the security of the demilitarised zone on the network, as well as the internal network where, say, a cleaner could gain access to computer systems.’

According to experts, the recent foiled attempt by criminals to steal £220m from Japanese Sumitomo Mitsui bank targeted weaknesses in physical security (Computing, 21 April).

It is believed the gang tried to hack systems using a bugging device that was inserted into the USB socket in the back of a computer.

With the growth of legislation such as Sarbanes-Oxley and the Data Protection Act, Okin says a combination of ethical hackers and vulnerability management software can also protect businesses from ending up on the wrong side of the law.

‘If you are a big company, it is not a question of if; it is a question of when you are going to have a massive security breach,’ he says.

‘This is why it is important that you have all the things in place to show your shareholders that you have done everything possible to protect yourself.’

But Okin says businesses should think seriously about whether they check for vulnerabilities themselves or outsource the job to an independent ethical hacking firm.

‘If you are buried in the designing of a system you will not necessarily see the mistakes or cracks,’ he says.

But how do you check the pedigree or ethics of an ethical hacker entrusted to protect your business?

‘All of our penetration testers have to adhere to the Check scheme, which is run by the government’s CESG department,’ says Paul Hopkins, who heads up QinetiQ’s secure health check division.

‘It tests the ability and ethics of people conducting the tests, and explains to them the relevant laws around penetration testing.’

The University of Glamorgan and internet security firm 7safe have also recently launched a Postgraduate Certificate in penetration testing and information security.

Students enrolling for the course, part-taught at the National Specialist Law Enforcement Centre, have to consent to background checks by the police, and learn the ethical elements of penetration testing, says Alan Phillips, managing director of 7safe.

‘In the old days penetration testing was done by actual hackers who were paid to go into systems. But this has given a bad name to the industry, as companies imparted an element of trust to these people and did not always know whether they were clean,’ he says.

‘Through better certification and training the whole industry is lifted to a far more credible standard.’

Case study Gary McKinnon

How one X-Files fan’s search for the truth landed him in hot water

Not all hackers are motivated by financial gain. Gary McKinnon, a 39-year-old from Wood Green in North London, says he learned how to hack into computer networks to find out the truth about UFOs.

The US military believes the X-Files fan hacked into 97 US military computers, including machines owned by Nasa, the Pentagon and the US Army, Navy and Air Force, during his pursuit of the truth.

McKinnon began developing an interest in computer programming at the age of 14, while experimenting on his Atari PC.

And when he first logged on to the internet in 1995, McKinnon started to read about UFO theories.

‘I was sick of reading all the conspiracy theories on the web, and I thought hacking doesn’t look difficult, so I can hack in and find out the truth from the horse’s mouth, so to speak,’ he says.

Years on, after reading newspaper articles in which the US military publicised the fact that it had upgraded to Microsoft Windows operating systems, McKinnon used the internet to search for details about vulnerabilities in the software.

He found hacking tools that hunted for Windows machines, scanned IP addresses and identified a number of administrator user names that had not been password protected.

By doing so, McKinnon entered Nasa’s Johnson Space Center in Texas.

‘I was totally gobsmacked. I could not even program in C when I first started doing this,’ he says.

‘There were folders full of megabytes of images but I couldn’t transfer them as I was only using a 56k modem. I came across an image of a cigar-shaped UFO, which looked totally unlike any planes or space ships I had ever seen before.’

During another hacking session, McKinnon claims he accessed US Navy files containing details about ‘non-terrestrial’ officers transferring to what he believes is some kind of spaceship.

But whether McKinnon’s intentions were harmless or not, the US military estimates he caused $700,000 (£370,000) damage.

During one incident in February 2002, the US government alleged he shut down internet access on 2,000 military computers in Washington.

The US government is now trying to extradite McKinnon to North America, where he could face up to 70 years in jail.

‘I know it was illegal and I regret what I have done,’ he says. ‘My advice to any hacker would be: do not do it. If you are interested in security you would be better off getting good qualifications and going for jobs in IT security.’

Case study Royal Mail

Weekly checks keep viruses and worms at bay

Royal Mail checks its computer networks for security flaws on a weekly basis.

The company – which includes Royal Mail, Post Office and Parcelforce – has employed security firm QinetiQ as an external penetration tester to ensure no vulnerabilities can affect its infrastructure.

QinetiQ, which has 30 people dedicated to testing customer networks, attempts to manually hack into computer networks to test for vulnerabilities on a regular basis. It also uses security software from Qualys to scan automatically for flaws in Royal Mail’s systems every week.

David Lacey, director of information security at Royal Mail, says the organisation tests any critical ebusiness application going live, or any new system connected to the internet.

‘Things can happen in the infrastructure that are not always noticed, but we are more concerned about the effects of viruses and computer worms rather than hackers. We keep our standards pretty tight,’ he says.

With numerous web sites, ecommerce applications and more than 70,000 internal computers and electronic point of sale systems, Lacey says Royal Mail – more than most – needs to make sure systems are safe.

QinetiQ ethical hackers working on the Royal Mail account are also certified under the government’s Communications-Electronics Security Group Check scheme, which tests the ability of a penetration tester and ensures they adhere to a set of ethical standards.

‘It is important to use an independent, top-end company when carrying out penetration tests, as you can be guaranteed that they have vetted staff,’ says Lacey.

But while Lacey says penetration testing of IT systems is important, he questions the importance of testing for flaws in physical security procedures, such as administrators giving out passwords or strangers gaining access to buildings.

‘We have carried out social engineering tests but they have a weakness. People on helpdesks are always going to be as helpful as possible when dealing with customers and even though we tell staff to challenge strangers, people are always going to hold open doors when entering buildings. It is human nature,’ says Lacey.

‘If you are a real thief or spy you are not going to want to get caught, whereas penetration testers have a get-out-of-jail card if they get found out. It is a bit of a false test really.’

Instead, Lacey says IT departments need to put in place data encryption and procedures to ensure critical systems are not compromised, even if hackers do gain access to the corporate computer network.

‘We encrypt all our customer credit card information, and the security keys are securely stored,’ he says. ‘It would need at least four people with special access rights to collude before they even stood a chance of getting access.’

Using the QualysGuard vulnerability management system, Lacey says Royal Mail is now looking to automate more of its security testing so it can check systems more regularly.

‘Real-time scanning is picking up many of the faults that a penetration tester would find. We want total visibility of what is going on,’ he says. ‘Penetration testing is very expensive and not something that you can do everyday.’

The organisation is also working with QinetiQ and Qualys to test the security of third-party outsourcing partners, data hosting firms and banks.
