The Washington Times - Monday, February 21, 2000

Tim Belcher caught a fairly sophisticated hacker breaking into a corporate computer network last year.

When he discovered the hacker was a 16-year-old high school student in Nebraska, Mr. Belcher, vice president and chief technology officer at Alexandria-based RIPTech Inc. Secure Solutions, gained a measure of respect for the young vandal's skills.

The good guys and bad guys of computer security have a strange relationship.

They are rivals, but they also rely on each other for their livelihoods. The good guys, known as white hats, work feverishly to bolster computer security, while hackers, known to the work-for-a-living crowd as black hats, search for ways to poke holes in those defenses.

Episodes like the recent denial of service attacks that began Feb. 7 when Yahoo Inc. was struck are just another in the ongoing battle between white hats and black hats.

White hats say denial of service attacks have not stopped entirely since eight sites were affected in the days following the Yahoo attack. But none have shut down a Web site or included as many zombies (third-party computers used to bombard a site and close it to other traffic) as the Yahoo incident.

"There are times when the industry is ahead and times when the industry is behind," Mr. Belcher said.

The two sides play a technological cat-and-mouse game. Because of the damage the attacks did and the attention they got for their ability to seize electronic commerce, denial of service attacks have given black hats the upper hand. Area computer security companies are in the thick of the fight to reverse those roles.

What a rush

White hats don't hold black hats in high esteem, though they believe some of them have talent.

They are social outcasts, bright but with misguided intentions, Mr. Belcher said.

"Do you need to take a Web site down for three or four hours?" he said. "There are other ways to get your point across that are socially acceptable."

Many hackers are simply followers with little creative or technical skill, "script kiddies" who point-and-click to unleash malicious software, white hats argue.

Some hackers, like the 20-year-old German known as "mixter" who created the software tools believed to have been used in some of the denial of service attacks, have the technical skill to cripple networks. They also have the ability to send white hats, the White House and Internet companies scrambling.

At Infrastructure Defense Inc., an Alexandria computer security consultant, "crisis mode" did not end until Feb. 12.

It was mayhem once Yahoo got flooded with requests for information in the first large-scale denial of service attack.

Techies at most computer security companies had known since last November that tools to carry out denial of service were available, and they warned clients to install software to protect computer systems.

Even though security professionals knew hackers could carry out the attacks, no one knew they could perform the kind of bandwidth-choking attack that seized Yahoo.

Someone was out to prove theory could be put into practice.

"My belief is that they were proof-of-concept attacks," said Kenneth van Wyk, vice president and chief technology officer at Alexandria computer security consultant Para-Protect Services Inc.

When the attack happened, the cat-and-mouse game got serious. White hats were trying to undo the damage caused by black hats.

"It's the kind of thing I live for. Most of us in the back room do," said Ben Venzke, editor of intelligence services at Infrastructure Defense.

Para-Protect President Michael Higgins felt the same rush.

"My first thought was 'thank God it wasn't one of my customers.' Then the adrenaline gets flowing," Mr. Higgins said.

White hats research their counterparts and the tools available to them on the Web, but attacks still can have the element of surprise.

At Para-Protect, senior security information engineer Bob McNeal spends up to two hours each day reading up on new hacker tools and new problems revealed about software.

"We try hard to keep up, but we acknowledge that we can be a couple of months behind the newest exploits," Mr. McNeal said.

White hats often are left reacting to problems black hats create, but research helps narrow the gap between release of a new hacker method and development of antidotes.

"One thing that applies across the board is the interest in being able to put together all the information that's out there and be ahead of the curve and anticipate what's going to happen next," Mr. Venzke said.

United front

Despite efforts to predict hacker behavior and research the tools they use, the potential for black hats to continue causing trouble puts computer security experts on edge.

"In my eyes, we haven't seen the black hats put it all together. If they do, there could be serious trouble," said Frank J. Cilluffo, deputy director of the organized crime project at the Center for Strategic and International Studies, a nonpartisan think tank in the District.

Sammy Migues, chief scientist at Alexandria-based computer security consultant Infrastructure Defense, said that if black hats with technical skills align themselves with black hats with malicious intent, new difficulties are sure to arise.

"What's scary is the thought of cooperation among different groups. I don't think we've seen that yet, and as soon as we see malicious groups using denial of service software, we're in deep [trouble]," Mr. Migues said.

Some hackers break into networks to prove they can, and security experts say their interest typically wanes when they prove they can make an intrusion.

Others have an agenda, which can include sabotage and theft.

If hackers become mercenaries for those with an agenda, the groups could work in concert to carry out coordinated attacks for the purpose of causing more damage.

"The hacker community includes a lot of different types of people," Mr. Cilluffo said. "There are many young adults driven by the thrill of bringing down a site or a company. But more and more, there are people with nefarious aims. The ones with the real talent will be in high demand."

Techies also are concerned about computer security and the vulnerability of corporate computer networks because they don't think the private sector has done all it can to secure those systems.

Hackers use the Internet to gain access to corporate networks. The Internet is an open network, available to anyone with access. The Internet's predecessor, ARPAnet, started in 1969 but was never intended to be a secure connection between the four universities that got on the network first.

"The Internet is open. That's one of its strengths and one of its perceived weaknesses," said Jeff Richards, executive director of the Internet Alliance, a District-based industry association.

Electronic commerce companies, which arguably rely most on technology and on the Internet, often have modest security measures in place, security experts said.

"There is such intense market pressure to get products out there as quickly as possible, some things are pushed aside, and security typically is one of those things," said Mr. van Wyk.

Mr. van Wyk said some companies neglect taking simple measures such as installing fire walls, which prohibit access from the Internet to a company's computer network.

A new platform

White hats aren't entirely pessimistic about their chances in the game of one-upsmanship against black hats.

When the White House got involved in the discussion over security breaches by hosting a summit on the issue Tuesday, it gave white hats a new platform to push an agenda promoting computer security.

"This is a good opportunity to take advantage of awareness about the problem," Mr. Cilluffo said.

Tech executives emerged from their meeting with President Clinton and agreed to share anti-hacking tactics to respond to Internet attacks.

"Symbolically that meeting was very important," Mr. Cilluffo said. "So far there's been a lot of talk and no action, and improving computer security is something that must be a partnership issue between the public and private sectors. The good guys are doing wonderful work, but you need greater awareness and greater sharing of information between companies and, arguably, the government."

In addition, President Clinton has sent a budget request to Congress that includes $2 billion for government efforts to fight computer sabotage.

But Para-Protect's Mr. Higgins and other white hats are unsure how deeply the federal government should be involved in bolstering computer security.

"I'm not a big believer in government intervention," Mr. Higgins said.

Mr. Clinton said he wants to make sure the cooperative effort between the public and private sectors isn't seen as a new form of government regulation of the Internet.

The burden for improving security should fall on the private sector, Mr. Higgins said.

Companies from Yahoo to Amazon.com and other electronic commerce sites will reduce their vulnerabilities if consumers worried about the security of on-line shopping begin to flee from unsecure sites, experts predict.

If white hats have consumers, the private sector and the White House on their side, they think they just might be able to gain the upper hand.


