Information Security News mailing list archives
It is motivation that drives hackers: Tom Cervenka
From: William Knowles <wk () C4I ORG>
Date: Fri, 1 Sep 2000 03:47:16 -0500
http://www.ciol.com/content/news/interviews/100083101.asp

Hackers love to understand how technology works. They like to explore what the system will do if pushed in different directions. And, that needs a complete grasp of technology, says the hacker who has done it all.

Thursday, August 31, 2000
Krithi Aiyappa and Reena Ganesh

A white hat hacker, who has given sleepless nights to Net security professionals working for some of the biggest names in the dotcom world, was in Bangalore last week. Tom Cervenka, who is popularly known as the Blue Adept in the hacker community, is now an Internet Security Expert in iCMG. He offers inputs to firms on preventive measures against hacking. He doubles as a Java/Perl instructor for the Object Technologies programs at the University of Alberta and the Simon Fraser University. Tom has found security loopholes in sites such as Hotmail, eBay, Excite, Zkey, Yahoo and Lycos. In a freewheeling interview with CIOL Bureau, Tom discussed several issues that plague not just those who face the threat of getting hacked but also the hackers themselves.

Let's start with your name. Why the nickname Blue Adept?

The name Blue Adept comes from a Piers Anthony book called Blue Adept. I read and liked the book. Interestingly, the actual character Blue Adept is not the main character in the book. That is where the name came from.

How can anyone be sure that a person is a black or a white hat hacker?

How can anyone be sure that I have never done anything like black hat hacking? Well you don't. It's like you don't know whether I have murdered a person. If you have found out that I had murdered someday then I'll be put away for murder.

Like a rose by any other name, a hacker is a hacker, be it black or white. How do you react to this perception?

Once, when I faced such a question in a debate, I said that the difference between white hat hacking and black hat hacking is like the difference between an apple and an orange.

What is the psyche of a hacker?

The motivation, which drives all hackers I think is the love to understand how technology works. It is to see what the system will do if they pushed it in different directions. It really is an experience like you start exploring the security of the system. It is not something you can do unless you fully understand what the related technology is. Doing it is really a self-educational, fun and interesting process. Once you start getting into the system, it becomes like a puzzle and you really want to reach the end. If you do reach you feel really cool like reaching the top of the mountain. It is a great challenge.

Have you hacked any government sites?

Yes, I have hacked into the Indian government sites (laughing). That was a joke. No, I have not hacked any government site.

Is JavaScript the most favorite language of the hackers?

No, the kind of security holes that I find is not the typical kinds of holes that people look for when they go and look for Web services. Unfortunately, what that means is that in a lot of Web services there is a class of security holes that most people tend to look for. This is what most people identify as hacking. But, the kind of hole I usually find is the kind of hole that does not deal with accessing the system at the network level. It's an uncommon way of breaking into the system. A lot of services never even thought that JavaScript could be used to get the user name and password.

The reaction to your hacking eBay's site was not very favorable. Did they take any action against you?

No, but at the time I showed that there was a problem with eBay's site they denied it. Every time a reporter called them and asked they would deny that any problem existed. But that didn't work very well because on my side I had a working demonstration of how people could steal passwords. It was a situation where the reporter would come to me and ask whether there was a problem. I would ask them to go into the service and I will show them their username and password and then they were convinced and went to eBay. They took a long time to fix the problem.

Of all the sites you have tested till date, who gave you the most positive feedback? Who gave the most negative response?

The most positive feedback was from Zkey. They acted in a way that was in everybody's best interest. When I found a hole, they were interested to find out what the problem was. They put a lot of people into fixing it right away. And the negative feedback was from eBay.

On what basis do you choose to hack a site?

I don't actually choose a site to hack to see that it does have a security problem or does not have. In my work, I just stumble across a hole or just flip across many times the services I am using myself. This was the case with Hotmail, eBay and also Zkey. I was the user of the service. Take Zkey for example. After I had uploaded my own business data I started to think "how secure is this anyway. Let me just try and see."

Is credit card transaction safer over the Net and do you use your credit card on any kind of transaction over the Net?

It can be done safely. In general I could say "yes" normally. No, I don't use my credit card over the Net.

The US government had given an open invite to hackers to join the main stream. How have the hackers responded to that?

Well, we don't need an invitation when we have the option. When we find a security hole, some tell the world about it, some keep it as a secret. Invitation or no invitation we are going to find security holes one way or the other. It is not that the US government is offering to change the behavior of the individual or something. It is not like black hat hackers will change into white hat hackers. I think people who have been doing white hat hacking are the people who enjoy doing it and people who keep it to them, keep it to themselves. That's the way it is going to be. What the society can do is to engage people to do the good kind of hacking. What would be more effective than issuing invitation is a change in rules.

What do you think are the most important utilities any organization should have to prevent hacking/unauthorized access?

The kinds of problem I deal with are the specific kind of problem that a lot of major service providers have. So I don't pretend to be able to tell people how to completely secure their site. There is no such thing as 100 per cent security. But, what I recommend is that they pay very careful attention to instances where they allow the person to write in some content, which then becomes a part of the site itself that others will view. If you have something like a message board, tech support form or auction or e-based mail, in all those cases you have to be very certain that you carefully examine what the user wants to post and how it will look. And make sure that it doesn't contain any malicious code. JavaScript is just one of them. They can use VBScript, Java Macromedia, Shockwave, XSS style sheets, Flash etc. So, you have to be up on all the technologies and make sure that none of them are being snuck onto you.

What are the aspects of keeping a secure site?

Keeping a secure site is a matter of constantly adapting new technology because you have to make sure that your current version of the browser should be on par with the new technology/software products which are constantly changing without even knowing it. Because your software product runs through the browser, you have to keep updating to keep up with the technology.

How can you best prevent hacking?

There are intrusion detection software that you can buy and install and that kind of software will help you find whether something has been changed or not, or somebody is accessing certain files that you thought shouldn't be accessed. It can eliminate the vast number of most common security problems. One thing you could also do is keep up with some of the work the white hat hackers are doing. You could also do the normal stuff like finding the right software, the right hardware and also have a security auditor etc and see to it that your site is safe.

How do you rate the level of security in Indian sites?

Some of them have rigid security rules. Some of them are vulnerable, but most of them are OK. I think now they are doing much better jobs.

*==============================================================*
"Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
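The interview's practical advice is about content a user writes that then "becomes a part of the site itself that others will view": a message board, support form or auction listing where a posted script would run for every other reader. The following is an added example, not code from the interview, from Tom Cervenka, or from any of the sites he names. It shows, in Node.js, the weak rendering pattern beside the corrected one (user text HTML-escaped before it is spliced into the page) and a small review check that lists the tags present in the rendered output, so a reviewer can confirm that only the template's own tags ever appear. All function names and the sample posts are this example's own constructions.

```javascript
// Added example (not the interview's or any named site's code): a message-board
// renderer that shows user-typed content as text instead of letting it become
// part of the page's markup. All names and sample posts here are constructed.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace every character that has meaning in HTML with its entity, so the
// browser displays it rather than parsing it as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Weak version: the post is spliced straight into the template, so any tags
// the author typed become live markup for every reader of the board.
function renderPostUnescaped(post) {
  return `<article><h3>${post.author}</h3><p>${post.body}</p></article>`;
}

// Corrected version: every user-controlled field goes through escapeHtml.
function renderPost(post) {
  return `<article><h3>${escapeHtml(post.author)}</h3><p>${escapeHtml(post.body)}</p></article>`;
}

// Review helper: list the tag names that appear in rendered HTML, in order.
function tagNames(html) {
  const names = [];
  const re = /<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// For a correctly escaped post only the template's own tags should ever show up.
const TEMPLATE_TAGS = ['article', 'h3', '/h3', 'p', '/p', '/article'];

function hasOnlyTemplateTags(html) {
  const found = tagNames(html);
  return found.length === TEMPLATE_TAGS.length && found.every((t, i) => t === TEMPLATE_TAGS[i]);
}

// Constructed sample posts: one ordinary, one carrying a script tag in its body.
const SAMPLE_POSTS = [
  { author: 'alice', body: 'Shipping was fast, would buy again.' },
  { author: 'mallory', body: 'Nice item <script>alert("not text")</script>' },
];

for (const post of SAMPLE_POSTS) {
  console.log(post.author, 'unescaped render passes check:', hasOnlyTemplateTags(renderPostUnescaped(post)));
  console.log(post.author, 'escaped render passes check:  ', hasOnlyTemplateTags(renderPost(post)));
}
```

Running it prints true for both renderings of the ordinary post, and false/true for the second post: the unescaped template lets the typed script tag through as real markup, while the escaped one turns it into visible text. The same escape-before-splice rule applies to every other place the interview lists (support forms, auction descriptions, web mail), and the tag-listing check is a cheap thing to run over rendered pages in tests.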