March 16, 2001, 3:16 PM —
I recently heard of yet another penetration test in which the vendor charged $150,000 for two days of testing. It seemed pretty expensive to me, but I assumed that the testers must have brought in some major security gurus who ran uber-elite secret exploits against the systems. In fact, they ran ISS Scanner.
Don't get me wrong; ISS Scanner is a useful tool that tests for all known vulnerabilities. (I'm not picking on ISS; there are other tools like this as well.) It's just that for $150,000, I want Robert Redford testing
my system. (OK, who hasn't seen Sneakers?) It also occurred to me that there are hackers capable of penetrating almost any system. The good ones get paid for it.
What is a hacker's approach to penetration testing? What tools do hackers use? I decided to find out.
Hacker phobia
The term hacker has been abused by the media and by hacker wannabes to the extent that many people think all hackers are criminals. This is simply not true. For the purposes of this column, I'll define a hacker as "an expert with informal training."
While it's true that there are hackers who have violated laws and/or cannot be trusted, the same can be said for people who avoid the hacker label. We've all heard of insiders who, using their computers, rob a company blind. To make a hiring decision based solely on the label a person uses to describe him or herself is a copout.
In the following Q&A, I asked three well-known security specialists about their background and approach to penetration testing. The players include:
- Brian Martin, a.k.a. Jericho:
- Founder of Attrition.org, a popular hacker site with an eclectic mix of computer security tools, humor, rants, and the ever-popular Attrition Defacement Mirror. Brian presently works as a computer security consultant responsible for leading a security audit and penetration assessment team. In recent months, Brian's articles focusing on security issues have been widely circulated in corporate newsletters, in print magazines, and on the Internet.
- Mark Abene, a.k.a. Phiber Optik:
- Cofounder and president of Crossbar Security. Mark's teenage curiosity with phone networks prompted a federal judge to sentence him to a year in jail. While the experience deterred Mark from illegal hacking, time has proved that it wasn't much of a deterrence to others.
- Rain Forest Puppy, a.k.a. RFP:
- The bane of Microsoft. Best known for releasing the Microsoft IIS RDS exploit used by thousands of script kiddies. RFP is the author of the Web-scanning tool
whisker, which can defeat intrusion detection systems. RFP is credited for recently revealing a backdoor inserted by Microsoft engineers that stated that "Netscape engineers are weenies!" RFP prefers to keep his professional identify anonymous.
Q: How long have you been doing penetration testing?
Brian: Professionally, for five years.
Mark: Professionally for over five years, but I first started penetrating systems when I was about 12.
RFP: Professionally with a company for about eight months, although individually as needed for about two years.
Q: Do you work for a company or independently?
Brian: I presently work for a company, although I've done both in the past.
Mark: Both. Currently, I'm the president of my own firm, Crossbar Security, Inc.
RFP: Company.
Q: Do your perceive yourself as a hacker-type or a computer security professional?
Brian: A bit of both. I try to be a well-balanced hybrid of the two.
Mark: One's experiences as a hacker-type are what make one a truly great computer security professional -- which is to say [that] it's one thing to be book smart or school taught and quite another to have years of hands-on experience defeating security systems.
RFP:
I'm a hacker-type, but I'm billed as a computer security professional because my clients are scared by the former. (Laughs)
Q: Do you see any problems with how penetration tests are typically performed? If so, what?
