Ethical Hacking: The Security Justification

Copyright 2001. Published in the Proceedings of the Ethics of Electronic Information in the 21st Century Symposium (EEI21), University of Memphis, Memphis TN USA, October 18-21 2001. Personal use of this paper is permitted, however, permission to reprint/republish this work or any component of this work in other works must be obtained from McFarland & Company, Inc. Publishers.

Bryan Smith, William Yurcik*, David Doss

Illinois State University, Dept. of Applied Computer Science
{basmit3,wjyurci,dldoss}@ilstu.edu

* Corresponding author; additional contact information: telephone/fax (309) 556-3064/3068; hardcopy mail: 45 Oak Park Road, Bloomington IL 61701 USA

Abstract

The state of security on the Internet is poor and progress toward increased protection is slow. This has given rise to a class of action referred to as “Ethical Hacking”. Companies are releasing software with little or no testing and no formal verification, and expecting consumers to debug their product for them. For dot.com companies time-to-market is vital, security is not perceived as a marketing advantage, and implementing a secure design process is an expensive sunk cost, so there is no economic incentive to produce bug-free software. There are even legislative initiatives to release software manufacturers from legal responsibility for their defective software.

Ethical hackers find bugs and fix bugs. In the process they beta test software for companies in exchange for access and information. They scan networks for bugs and share information about software bugs over the Internet. When alerting a software company to a bug, there is an expectation that they are helping, but sometimes software companies do not respond in kind. Thus Ethical Hackers often take it upon themselves to disclose sensitive information they have discovered, in a form of blackmail to motivate software vendors into action.

There is an incredible ambiguity in that sometimes the Ethical Hacker is a respected university professor who is perceived as doing a service to the Internet community, and sometimes the Ethical Hacker is a suspicious foreign student who is perceived as a malicious cracker. It is not clear that without Ethical Hackers the Internet would be a more dangerous place.

Introduction

Hacking has come to have many different and often conflicting definitions. Hackers do not require certification; anyone can say they are a hacker. For the purposes of this paper we define hacking as the software methodology to achieve a particular goal using self-taught programming experimentation “to make rough cuts” (Murray 2000). Celebrated incidents of unauthorized intrusions into computer systems have been attributed to hackers because of the extensive programming experimentation needed to achieve success.

Computer intrusions are considered to be unethical and laws have been passed to prosecute such behavior. Spafford clearly states that computer intrusions are ethical only in life-saving circumstances (Spafford 1992).

Once hacking ability is used to commit a crime, the hacker becomes a criminal. However, a new class of “ethical hackers” has arisen who believe that probing for computer intrusions, a legal activity that provides sensitive information, provides an altruistic service that increases both local and global Internet security by exposing and fixing security flaws.

The debate between “ethical hacking” and criminal intrusion dates back to the very first widespread Internet virus, the Internet Worm of 1988. Robert Morris was convicted for the intrusion damage caused by the Internet Worm, but his defense lawyers argued that he had provided a service in exposing security flaws (Eisenberg et al. 1995, Spafford 1992).

Ethical hackers use their knowledge to help improve system security. Upon discovering a security flaw, they do not exploit the flaw; they fully disclose all relevant information to the affected users of the systems, software companies, mailing lists, trade press, or popular media. In contrast, unethical hackers (crackers) gain unauthorized access to subvert systems. Statistics show that the motivation of unethical hackers has changed from the pursuit of knowledge and the desire for challenge to the new lures of money, power, or political purposes (hacktivism) (Palmer 2001). They privately share their knowledge of security flaws, maintain unauthorized access, and do damage to systems (Goslar 2001).

The Problem

If history is any indication, the information technology community is incapable of constructing networked information systems that can consistently prevent successful attacks (Evans 2001). The natural escalation of offensive threats versus defensive countermeasures has demonstrated time and again that no practical system can be built that is invulnerable to attack. Even an organization where network and computer security is paramount, such as the US Department of Defense, has continuously demonstrated how susceptible it is to attack.

We posit that the main factor contributing to the poor state of security on the Internet is the lack of quality software testing. The intellectual complexity associated with software design, coding, and testing virtually ensures the presence of “bugs” in software that can be exploited by attackers. Most software today is tested for bugs by the penetrate-and-patch approach – when someone finds an exploitable security “hole” the software manufacturer issues a patch.

This approach has proved inadequate, since after-the-fact security leaves vulnerabilities open until they are exploited. However, software manufacturers find this approach economically attractive: why invest time and money in assurance testing if consumers are not willing to pay a premium for secure software? Time-to-market survival dictates that software is released as early as possible, often with serious undetected security flaws (Zimmerman 2001).

The problem presented by the lack of quality testing is further exacerbated by automated attacks, operating system homogeneity, and poor practices. Devastating attacks appear in executable scripts that can be downloaded to anonymously target systems anywhere in the world. The homogeneity of operating system software from the same manufacturer (i.e., Microsoft Windows) makes it possible for a single attack strategy to have a wide-ranging and devastating impact. Poor system administration practices result in a system remaining susceptible to vulnerabilities even after corresponding patches have been issued by software manufacturers. It has been estimated that over 90% of all Internet attacks would have been deterred if system administrators had implemented the most current versions of their system software (Schneier 2000).

The Scanning Solution?

Testing for security flaws appears to be a natural attraction for many hackers: it is both challenging and contributes to the public good by exposing and patching vulnerabilities. Manual testing has evolved into automated programs scanning a network of computers for known weaknesses (de Vivo 1999). Scanning is not a one-time fix: new software versions bring new bugs, and new exploitable security flaws are discovered in existing software. The frequency of the scan will depend on the software lifecycle of the systems involved and on the ability to clean up vulnerabilities; it makes no sense to discover weaknesses if they are simply ignored.

In 1995 Dan Farmer introduced a scanner called SATAN (Security Administrator Tool for Analyzing Networks) (Freiss 1997, Farmer 1993). Unlike previous automated scanners that ran on the particular system being analyzed, SATAN could analyze any system accessible over the Internet. The dual nature of SATAN was quickly understood even in the mass media: Newsweek published a brief article “SATAN: Friend or Foe?” (April 3, 1995). Proponents of SATAN view it as a system administration tool to find bugs to prevent intrusions. Opponents of SATAN view it as an easy-to-use tool an inexperienced hacker can use to bring down systems all over the Internet.

Hypocrisy – Beta Testing, Penetration Testing, and Hacking Contests

As a whole, the hacker community represents a testing environment far more effective than any one corporation could ever construct. Ethical hacking has become institutionalized by most major software companies in the form of “beta” testing new software with select groups of customers who will stress test and report back information about defects (e.g. extensive beta testing of Microsoft’s Windows XP). Often the only reward for the “beta” testers is privileged access to the software. This may work well for testing software performance but security bugs do not often show up in “beta” testing unless the testing is done by security experts or a security bug is stumbled upon (Schneier 2000). In the rare cases where a security flaw is discovered by beta testers, fixing the bug may not be a high priority for the software vendor and “ethical hackers” have sometimes had to resort to a form of blackmail (threaten release of bug information to mass media) to motivate action.

Some firms offer penetration testing or “ethical hacking” services (IBM Consulting). For a fee ($15K to $200K), a red team will launch a controlled simulated attack to test known vulnerabilities and report back the corrective patches that need to be installed (Wood 2000). An overall evaluation of a system’s security will focus on these three questions (Palmer 2001):

(A) What can an intruder see on the target system?
(B) What can an intruder do with the information from (A)?
(C) Does anyone at the target system notice the intruder’s attempts or successful attacks?

The hypocrisy in penetration testing is that organizations are paying hackers to attack them with the same behavior that they would legally prosecute under any other circumstances. The irony of penetration testing is that it is only superficial: real attacks will exploit unpublicized vulnerabilities, and the most attractive red team employee may be a “reformed” cracker-for-hire. Who better to test your system than the kind of people who may break in? (Koch 2000, Winkler 2000, Marr 1999).

If penetration testing is outsourced, trusting the contractors becomes important, because real things can be damaged and sensitive security details will be revealed. Public perception of the integrity of an organization’s information assets may be more important than an objective technical security assessment. Lastly, quantitative system security assessments need to be mapped to an organization’s subjective risk profile: not all vulnerabilities carry equal risk, and there are different probabilities of exploitation (Palmer 2001):

(A) What are you trying to protect?
(B) What are you trying to protect against?
(C) How much time, effort, and money is the organization willing to expend to obtain adequate protection?

Hacking contests are promoted by organizations for two reasons: to publicize the supposed security of a product against sustained hacking, and to use the hacking community to harden software that has not been adequately tested. These contests are generally unfair and the prize money is not scaled to the level of effort required, but they still remain very popular, even causing network congestion (Baltazar 2000, Schneier 2000, Solomons 2000). The hypocrisy in contests is that organizations are paying (prize money) for, and thus encouraging, the same expertise they would legally prosecute under any other circumstances.

Conclusions

Security on the Internet is broken and “ethical hacking” has evolved as part of the potential solution. Ethical hacking is fixing a system by compromising it, analogous to destructive testing in other domains, which has a long history of achievement; but it is not clear that this technique is applicable to Internet security.

A security hole on one computer is not just an isolated problem as demonstrated by recent distributed denial-of-service attacks – processes on compromised computers can be used to attack other systems worldwide. At present, the Internet has poor security and “ethical hacking” may be one of the most effective ways to proactively plug rampant security holes. “Ethical hackers” see themselves as a necessary part of a larger vanguard protecting freedom and privacy in addition to security.

On the other hand, “ethical hacking” tools (such as scanners) have also been notorious tools of malicious attackers. A fine line exists between hacking for the public good and releasing scanning tools that enable malicious attacks.

Trying to fix the Internet security problem with automated tools on a wide scale may have actually made the Internet less secure taken as a whole.

We have focused in this paper on technical aspects of what may intrinsically be a non-technical problem. If human intent does indeed dominate, then technical solutions will not suffice and solutions will instead need to focus on behavioral modification. Internet security is a complex problem, and while altruistic behavior such as “ethical hacking” may make a difference (not sure in which direction), there need to be stronger incentives for software vendors, system administrators, and users to do the right thing.

References

Baltazar, Henry. June 26, 2000. Hacker Attacks Welcomed. eWeek 30, 34.

de Vivo, Marco, Eddy Carrasco, Germinal Isern, and Gabriela O. de Vivo. April 1999. A Review of Port Scanning Techniques. ACM SIGCOMM Computer Communications Review 2: 41-48.

Eisenberg, Ted, et al. 1995. The Computer Worm: A Report to the Provost of Cornell. In Computer Ethics & Social Values, ed. Deborah G. Johnson and Helen Nissenbaum. Prentice Hall, 6089.

Goldstein, Emmanuel. Interview within “Two Views of Hacking: ‘Hackers are Necessary.’” CNN Interactive.

Ethical Hacker. 1999. IBM Consulting e-business advertisement, trademark, service mark & logo.

Evans, Bob. June 4, 2001. The Sorry State of Software. InformationWeek 112.

Farmer, Dan and Wietse Venema. 1993. Improving the Security of Your Site by Breaking Into It.

Freiss, Martin. 1997. Protecting Networks with SATAN. O’Reilly.

Goslar, Martin D. August 2001. Is There Such a Thing as “Ethical Hacking?” Information Security.

Koch, Lewis Z. June 29, 2000. Hacking for the Common Good? Inter@ctive Week.

Marr, Steph. October 1999. Ethical Hackers: Latest IT Craze or Real Deterrent? SC Magazine 17-18.

Murray, William Hugh. July 26, 2000. Personal communication (email).

Palmer, Charles C. 2001. Ethical Hacking. IBM Systems Journal 3: 769-780.

Schneier, Bruce. 2000. Secrets & Lies: Digital Security in a Networked World. John Wiley & Sons.

Solomons, Mark. September 13, 2000. Hackers Offered $10,000 Bait. Financial Times.

Spafford, Eugene H. 1992. Are Computer Hacker Break-ins Ethical? Journal of Systems and Software 17: 41-47.

Winkler, Ira. July 2000. The “Ethical Hacker” Debate. Information Security 82.

Wood, Bradley J. and Ruth A. Duggan. Red Teaming of Advanced Information Assurance Concepts. DARPA Information Survivability Conference and Exposition (DISCEX), 112-118.

Zimmerman, Christine. March 26, 2001. Race to Deploy May Magnify Software Bugs. InternetWeek 13.