
Saturday, June 18, 2011

LulzSec–I am amused (chuckles)

Honestly. LulzSec is hilarious and in the process of their amusing merry-making they also happen to be making a very serious and important point.

They’re doing this because they can.

And the point that they’re trying to get across is that our data isn’t secure which puts the public at serious risk.

It’s a message that should be taken seriously.

Note that they are White Hat hackers. They did nothing illegal with the information like selling it to unscrupulous third parties. They simply hacked, provided the evidence that they hacked, how far they got with the hack, publicized the hack, and lastly publicized what could have happened to the data had they been Black Hat hackers.

Like Anonymous, LulzSec appears to be a socially responsible hacking group and one that’s trying to give the Information Technology industry the push it needs to deal seriously with the security of online data and computer systems.

It’s a message which hasn’t taken hold despite the recent criminal and black hat hacks of government and corporate systems within the last few years, some of which have threatened the national security of governments like Canada when our financial systems were hacked this year.

At least part of the problem is the fact that government and corporate entities don’t really understand how these violations occur thereby leaving themselves open and vulnerable, often without realizing it.

I’m not a hacker but being in IT, I understand the process of hacking. I have to in order to write software code which at least attempts to block it. 

Of course, I make no guarantees, because I can’t, and neither can any other software developer. If one does, they’re lying to you. There’s always going to be a hacker out there who is better at breaking our code than we are at writing it, no matter how good we are. In addition, we have to balance security requirements with ensuring that the functionality requirements are met, some of which, by their very nature, make the code less secure.

The best that we can do is minimize the threat by writing code that is difficult to break.

Serious hacking (not Script Kiddies who pick up malware online and distribute it) requires two components:
  1. A high degree of hardware and software knowledge. (Technical engineering)
  2. A high degree of social knowledge of the target to be hacked (Social engineering).

Serious prevention must have strategies for managing both of the above processes.

Probably the most important security point to remember is that the biggest threat doesn’t come from outsiders but from insiders.

It’s insiders that have both the Technical and Social knowledge required by outsiders to perform a successful hack. Whether those insiders are innocent dupes, criminals who have been bribed, or part of the black hat hacker team is irrelevant to the fact that they will have contributed to the insecurity of the system. It would, of course, be relevant if they were caught in order to determine what kind of charges should be laid.

So, when a Government MP or Corporate CEO, for example, has been either knowingly or unknowingly compromised and hires an Employee Recruitment firm based on the wrong reasons, that MP or CEO may well have just opened the door to allowing their government or corporate data to be compromised.

And the insiders aren’t always, or even usually, the IT people.

Receptionists and Cleaning Staff are lucrative targets because:
1. They are generally poorly paid.
2. Receptionists have Social Engineering knowledge that would be useful to hackers as well as a login/password to the system.
3. Janitors have access to all of the physical areas of the building which could allow them to attach hardware to server and computer systems which could be used to compromise them as well as provide hardware information.

Other regular employees are not immune either. Employee groups like Customer Service (client information) or HR (employee information) have access to information that would be considered confidential. They can provide logins, useful social engineering information, or in many cases the actual data, to the hacker group, which could be used to compromise the rest of the system.

If IT people are compromised, there is generally no need to hack the system because it’s already completely compromised from within, since they have direct access to the data and can do pretty much whatever they want to do with it.

There are ethical technical and social solutions to all of these problems that do not involve violating civil rights and are not draconian in nature.

Unfortunately the tendency appears to be to go with the draconian solutions, which almost always involve civil rights violations, making employees feel untrusted and targeted, or requiring all kinds of high level (and frankly useless) security clearances. It’s really a shame, but that tends to be the direction that those who continue to cling desperately to the old-fashioned and outdated Security and Intelligence Cold War psychological model appear to prefer.

In my opinion, none of the alert parameters that they apply or look for make one iota of difference in terms of preventing these types of organizational compromises. They just make the “suits” feel like something is being done and give them something to tell people, thereby creating a sense of false security which contributes to the worsening of the problem.

And as long as that is the model out there in the IT Security and Intelligence World, LulzSec, Anonymous, and other White Hat Hackers will continue to have a lot of fun at your expense, and the Black Hat Hackers will continue to seriously compromise our systems.

Now that they've attacked Canadian Federal financial systems what's next? Do we even know if they've hacked other Federal systems like the RCMP or Provincial Government systems like Ontario's eHealth, OPP, Provincial Financial systems?

On a personal note, while I do take all of the important steps to protect my systems security, my focus isn’t really on preventing anyone from hacking my system but rather on catching them. I don’t have insiders on my system but if I did, that would apply to both insiders and outsiders.

More fun that way for me but then, unlike most users, I have the technical skills to do it ;-D.

And so does the IT world.

Just a thought ….
 

Sunday, August 08, 2010

Hacking and IT Culture

IT Culture has come into the limelight in recent weeks due to Byron Sonne's arrest just prior to the G20 Summit in Toronto.

Byron Sonne is part of the IT Hacker community in Toronto and a Security professional although the claim of professionalism has been challenged by at least one blogger on BelchSpeak.

So, perhaps this is a good time to enlighten the public on IT Culture, what it is and what constitutes standard practice.

Hacking (exposing vulnerabilities in computer hardware and software systems) is part of our IT culture and not an uncommon practice.

Is it illegal? Technically speaking, yes it is and always has been.

However, in its defense and in my personal opinion, the problem with hacking isn't so much that it's done but what the motivation is. This motivation can be determined by observing what occurs as a result of its being done.

For example, if a person hacks a system in order to set it up to:
  1. participate in a DNS attack,
  2. load a virus or other maliciously destructive software,
  3. violate the privacy of an individual, group, corporation, etc. they've targeted,
  4. steal and/or tamper with data or software code,
amongst many other things...

They've committed an illegal act and should be held accountable including prison time.

The criminal act, in my opinion, was what occurred when the person accessed the system, not the access to the system.

On the other hand, if someone is Black Box Testing a system in order to expose vulnerabilities, but does no harm to the system and/or reports the vulnerabilities to the target so that they can improve their security, I (and I would argue that most IT people) don't see this as a problem, never mind a criminal act.

Historically, this has been the role of the White Hat Hacker and one that many corporations have appreciated and benefited from.

Why has this become part of IT Culture?

In order to protect systems and keep them secure, we need to know how to break them first and this gives us the information we need to secure them.

As a Web and Software Developer, if I don't understand how SQL Injection or Cross-site posting works I can't develop software which blocks these kinds of attacks.
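As an added illustration of that point (this is example code, not code from the original post), here is a login check written two ways in Python using the standard sqlite3 module: the first builds the SQL statement by string formatting and so lets user input become SQL syntax, the second uses parameterized placeholders so the input can only ever be data. The in-memory table, the user names and the sample inputs are all constructed for the example.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext passwords are used only to keep the injection point visible;
    # a real system stores password hashes, never the passwords themselves.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: the user-supplied strings are spliced into the SQL text,
    so a quote or comment marker in the input changes the statement's meaning."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: placeholders are bound by the driver after parsing,
    so the input is compared as a value and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both checks against good, bad and quote-bearing input and return
    the outcomes so the difference between the two forms can be compared."""
    conn = build_db()
    good = ("alice", "correct horse")
    bad = ("alice", "wrong")
    # Constructed input containing a quote and an SQL comment marker: in the
    # vulnerable form the rest of the WHERE clause is commented out, so the
    # password is never checked; in the hardened form it is just a username
    # that does not exist.
    quoted = ("alice' --", "anything")
    return {
        "vulnerable": [login_vulnerable(conn, *args) for args in (good, bad, quoted)],
        "parameterized": [login_parameterized(conn, *args) for args in (good, bad, quoted)],
    }


if __name__ == "__main__":
    print(demo())
```

The third input is the one a Black Box Tester would try: in the vulnerable form it grants access without a valid password, in the parameterized form it is simply rejected. Parameterization is the fix to reach for first; input filtering on its own does not give the same guarantee, because it has to anticipate every way the database might interpret a string.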

This is one of the key purposes behind Black Box Testing. It gives the IT professional the information they need to either write secure code or implement configuration changes to hardware for the purpose of securing the system against malicious hacking.

Black Box Testing is an IT methodology where the tester doesn't know the internal workings of a software or hardware system but will poke at it, both to see if they can bypass its security and to expose any vulnerabilities in the system.

It's generally a constructive activity which contributes to ensuring that IT hardware and software systems, and therefore the privacy and security of those who use these systems, are protected.

A key principle behind this type of hacking is that no harm must be done to the system being probed or with information garnered.

As soon as harm is done, it crosses the line from White Hat Hacking into malicious hacking also known as Black Hat Hacking.

So, what then constitutes harm?

In my opinion, just noting that one was able to access private information, particularly if this access is then reported to the appropriate parties, does not constitute doing harm.

Why?

Because no negative act occurred as a result of this violation, and if it was reported, the violation is offset by the reporting which will result in a more secure system.

Accessing private information and then using it for blackmail purposes would constitute doing harm, would be malicious hacking and of course the person who committed such an act belongs in jail.

That said, let me just make the critical point that the vast majority of IT people who do this are not malicious hackers and it's because of them that we have far more secure systems today than even five years ago.

The IT Community, particularly the IT Security Community, which consists of numerous White Hat Hackers, should be commended and not demonized, for their constructive contributions to the IT Security field and industry.

Irrespective of whether Byron Sonne turns out to be a White Hat, Black Hat, or possibly a Grey Hat Hacker.

Something which remains to be seen.

I don't know him, but what little information I've been able to pick up on his activities through Internet searches gives me serious cause for concern, despite the confidence displayed by his friends.

Friends who, while I'm sure they're nice and for the most part honest, sincere and caring people, obviously have an emotional stake in this cause and are unlikely to be able to see this situation as objectively as an outsider would.

That said, there is a concept held by some hackers, called Full Disclosure which could have an impact and which I'll be discussing in another blog.

One of the difficulties in the Byron Sonne situation is that the Bail Hearing was held under a publication ban at Sonne's lawyer's request.

So it's currently impossible to make a rational decision, based on actual facts, regarding whether or not Sonne's actions were reasonable in the context of IT culture, and based on the facts that I do have, I can't in good conscience defend his actions.

Background information:

Hacking Wiki

Originally published July 24 (8:54AM). Republished August 8 with revisions.