
Gillhams Solicitors and Lawyers

Briefing Note - White Hat Hacking and Software Security

An increasingly global market for software, together with the threats posed by global terrorism, creates an ever-increasing need for secure software systems, and white-hat hacking provides the means to test computer software security.

Hackers in practice range from the young person still at school to the sinister hacker who wants to infiltrate a company or government body to obtain information to use to their own advantage.

However, even in the face of this threat, software development projects and organisations place the security of systems low on their list of priorities.

The Causes of the Problems

"What we are doing does not need to be that secure." "Is the threat really that great?" These are two of the most commonly spoken sentences, and they are the reason why security in systems is usually nowhere near as strong as necessary.

The problem the security community has is that what it articulates is the prevention of what might happen, not of what will happen.

The reality is that you may never be hacked. For those who have been, however, the story is very different: reputation, revenue, customers, potential customers and goodwill that may have taken years to build can be lost in minutes, and legal liability may ensue for failure to comply with the seventh data protection principle of the Data Protection Act 1988, which requires data to be stored securely. This issue is critical where trade secrets are publicly disclosed.

The problem for the software developer, or more appropriately the security expert, is that security is a constantly moving target. Discovering holes in the security of software systems and plugging them only plugs the holes that are known; there may still be significant numbers of other security holes in the system that have not yet been discovered.

Software Problems

The commercial reality of the situation is somewhat different from a hacker's perspective. Exploitable defects in developed code are estimated at 5 – 50 bugs per 1,000 lines of code.

From a hacker's perspective, only a single weakness is required, whilst programmers can only defend against known threats. Whether attackers are looking to compromise an operating system or application software, the primary means of penetrating computer systems is feeding input, examining the result and building the exploit on the basis of that result.

First base for information security, therefore, is to lock down the hacker's ability to build the exploit.

Object-oriented software assists in maintaining security. However, software systems are rarely single black-box solutions that can be made impenetrable. Software integration across enterprise architectures increases system complexity, which reduces the ability to maintain a secure application.

Data, in whatever form it may take, is usually the key element being protected. The design of intrusion protection requires knowledge of where security must reside, of how and when data is transmitted across the network, and of the correct technology to use in the correct place to keep the data secure.

Commercial Solutions

Solving the problem of the threat of being hacked is a fairly simple paradigm: commercial people have evolved into commercial hackers in order to beat the hacker to discovering the exploits in the systems.

Ethical hackers, otherwise known as white-hat hackers, are computer network security professionals who use hacking techniques to stand in the shoes of an unauthorised person attempting to gain access to a network. The purpose of the exercise is to ascertain the adequacy of the security of a given network.

The activities of ethical hackers will usually contravene the provisions of the Computer Misuse Act 1990, as they would include copying sensitive data, industrial espionage and other criminal activity. The Terrorism Act 2000 also applies to such conduct where there is an intention or threat to cause serious disruption to a computer system. Anything beyond scanning is potentially a criminal offence.

The solution to the commercial problem of needing a hacker to prevent hacking is simply a contract for services.

The Company

The target company and the hacker enter into contracts that absolve the hacker from all liability other than for violence and criminal damage. A "get-out-of-jail-free" card usually takes the form of a personally signed letter from the chairman or managing director, to be produced should the hacker be challenged whilst performing the services. During negotiations for the services to be performed, minds should be turned to the possibility that the testing results in inadvertent damage to property or computer systems, and to the legal liabilities of the parties to the contract should this occur.

The Purpose of White-Hat Hacking

These activities are focused on ascertaining what information is available by penetration testing (scanning a target from an external source), determining what can be done with the information obtained, and lastly whether the security and/or non-technical staff have implemented and follow a sound security policy. Part of the testing may also include impersonating, or standing in the shoes of, a trusted employee or consultant, with or without the knowledge of the general IT staff.

Types of Hacking Activities

White-hat hacking may involve obtaining IP addresses; obtaining a password by social engineering; looking for unsecured workstations; plugging in a laptop with a wireless network card; holding the door open to a secure area such as the server room; or establishing a domain administrator account.

The major steps in the process are:

  1. attack surface enumeration – footprinting the target company by analysing every facet of its interaction with external data of any kind; and
  2. focused enumeration.

Physical and Electronic Presence

The types of conduct involved may include the white-hat hacker asking non-technical staff for their password, asking whether they may plug a wireless network card into the back of their computer, or even finding an unused computer and waiting for staff to notice that a wireless card has been plugged into it. These may be amusing questions; however, they have serious consequences when asked by persons with criminal intent.

A wide variety of issues arise in performing white-hat hacking, such as those arising from the Data Protection Act (for example, dealing with sensitive personal data) and from copyright (dealing with third parties' copyright works, and breaches of licence terms).

The end game in this business is to provide proof of ownership of a designated box: evidence of administrator or root user privileges, or a reproduction of the contents of a flag file. Screenshots of a director's email or other sensitive information provide similar evidence of the access attained.

If this is possible to obtain, then the security policy and the security of the organisation are not adequate. However, it is better that an ethical hacker under contract discovers the security holes than a true hacker. The holes discovered by an ethical hacker are reported and may be plugged to prevent a costly attack on the business.

Ethical Hacking Contracts

A thorough contract will cover:

  1. assessment;
  2. penetration testing;
  3. vulnerability enumeration; and
  4. vulnerability exploitation.

Contracts dealing with systems hacking should specify the types of tests that will take place. Each specified test may then be married up with a specific consent to perform that activity. The potential consequences should be made known to the client and incorporated into the contract. Testing may be broadly defined: for example, port scanning, or obtaining passwords by asking staff or by technical means such as a data packet sniffer.

Due to the nature of hacking, adverse results may occur and this should be catered for. To counter adverse effects and possible downtime, penetration and vulnerability testing should ideally take place after hours or over the weekend, unless the adverse effects can be avoided, a mirrored production environment can be established, or a specific objective is to be achieved.

However, in certain cases testing may not be able to take place without staff being present. In these cases strict agreement must be reached between the ethical hacker and the target company.

An essential deliverable from the ethical hacker to the target company is therefore a well-drafted report detailing all exploits discovered. It may also be best to ensure that the ethical hacker remains available for a limited time to answer questions on the report, so that the target company can establish the best policy decision moving forward.
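As an added illustration, not part of the briefing note and not any firm's or tool's own code, the following Python sketch turns the contractual points above (test types tied to a named written consent, targets confined to an agreed address range, disruptive tests refused outside the agreed after-hours window unless a mirrored environment is in use, and every decision recorded for the final report) into a check that a tester's tooling or the client's change board could run before each activity. The client name, the signatory, the 192.0.2.0/24 range (an RFC 5737 documentation range) and the dates are all constructed for the example.

```python
"""Engagement scope checker: an added illustration of the contract terms
discussed above. Everything here (client, signatory, networks, dates) is
constructed; it is not the briefing note's own material."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Consent:
    """One specifically consented test type, matched to the signed letter."""
    test_type: str     # e.g. "port_scan", "vulnerability_exploitation"
    signed_by: str     # who signed the consent (the "get-out-of-jail-free" letter)
    disruptive: bool   # may cause downtime, so confined to the after-hours window


@dataclass
class Engagement:
    client: str
    networks: list[str]            # contracted target ranges, CIDR notation
    consents: dict[str, Consent]   # test type -> written consent
    window_start: time             # after-hours window (may cross midnight)
    window_end: time
    mirror_environment: bool = False   # disruptive tests may run any time if True
    decisions: list = field(default_factory=list)   # audit trail for the report

    def _in_scope(self, host: str) -> bool:
        addr = ip_address(host)
        return any(addr in ip_network(net) for net in self.networks)

    def _in_window(self, when: datetime) -> bool:
        if when.weekday() >= 5:          # Saturday or Sunday: whole day is after hours
            return True
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # Overnight window, e.g. 19:00 -> 06:00
        return t >= self.window_start or t <= self.window_end

    def authorise(self, test_type: str, host: str, when: datetime) -> tuple[bool, str]:
        """Decide whether one activity is covered by the contract, and record why."""
        if not self._in_scope(host):
            verdict = (False, f"{host} is outside the contracted target networks")
        elif (consent := self.consents.get(test_type)) is None:
            verdict = (False, f"no written consent on file for '{test_type}'")
        elif consent.disruptive and not self.mirror_environment and not self._in_window(when):
            verdict = (False, f"'{test_type}' is disruptive and outside the agreed after-hours window")
        else:
            verdict = (True, f"authorised by {consent.signed_by}")
        self.decisions.append((when.isoformat(), test_type, host, *verdict))
        return verdict


# Constructed sample engagement: two consented test types, overnight window.
SAMPLE = Engagement(
    client="Example Co (constructed)",
    networks=["192.0.2.0/24"],
    consents={
        "port_scan": Consent("port_scan", "Managing Director", disruptive=False),
        "vulnerability_exploitation": Consent(
            "vulnerability_exploitation", "Managing Director", disruptive=True),
    },
    window_start=time(19, 0),
    window_end=time(6, 0),
)


def check(test_type: str, host: str, when_iso: str) -> tuple[bool, str]:
    """Convenience wrapper over SAMPLE taking an ISO 8601 timestamp."""
    return SAMPLE.authorise(test_type, host, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    for args in [("port_scan", "192.0.2.10", "2024-03-05T14:00"),
                 ("port_scan", "198.51.100.5", "2024-03-05T14:00"),
                 ("password_sniffing", "192.0.2.10", "2024-03-05T14:00"),
                 ("vulnerability_exploitation", "192.0.2.10", "2024-03-05T14:00"),
                 ("vulnerability_exploitation", "192.0.2.10", "2024-03-05T22:00")]:
        print(args, "->", check(*args))
    print("decisions recorded for the report:", len(SAMPLE.decisions))
```

The `decisions` list is the point of the design: a refused request is as useful to the closing report as an authorised one, because it documents that the tester stayed within the agreed consents and timing, which is what the contract and the signed letter are meant to evidence.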

Copyright Gillhams 2005 - 2008