The biggest names on the Internet are under attack and the FBI is
investigating, but things could be a lot worse if it weren't for an
unsung band of ITers who use the hacker's own methods to foil
incursions before they happen. Pravin Jeyaraj meets a legitimate
code cracker
In recent weeks several major Internet sites have been targeted
by hackers, prompting the FBI to launch an investigation into the
attacks.
Internet search engine Yahoo! was brought to a standstill for
three hours after hackers overloaded the site with information and
effectively blocked users from accessing it. Online retailer
Amazon.com, CNN Interactive, discount retailer Buy.com and the
online auction house e-Bay have all suffered substantial attacks
recently.
The FBI was called in after Buy.com announced that some of the
attacks were traced to powerful computers in Boston, New York and
Chicago - although computer security experts have warned that these
computers could also have been hacked into.
Security breaches like these only serve to further society's
perception of hackers as malicious and shady individuals who take
delight in displaying their technical skills at the expense of
other people.
However, some hackers do it for the greater good. One such
example is Matthew Pemble. Based in Malvern, Worcestershire, Pemble
is a hacker for the good guys.
I find him sitting in front of a computer tapping away at the
keyboard. Suddenly, a grey box appears on the screen with the
message "administrator access request successful". He sits up,
draws his elbow backwards and hisses, "Yes!" He has just managed to
hack into and take control of a government server.
But he does not share his achievement, in true hacker
solidarity, with the rest of people in the room - they are trying
to access other servers. Instead, he reports his findings,
including recommendations on how to prevent a similar electronic
break-in, to Defence Evaluation Research Agency (Dera)
officials.
For Matthew is not a typical hacker, and is not concerned with
showing off his skills or beating the IT establishment. He is an
"ethical hacker", employed to expose security flaws in computer
systems so that they can be fixed. At Malvern, he was being trained
by Dera.
Here Pemble reveals his route into ethical hacking:
How did you get involved with the Government?
Through a scheme called IT Health Check, which is run by
Communications-Electronics Security Group (CESG) and Dera. The
computer testing company I was involved with had to bid for a place
on the scheme.
What was IT Health Check about?
It was a three-day course, followed by a written exam and then
an "assault course" where I had to hack into a dummy system. We
learnt how to use publicly available tools to analyse network
structure and look for possible vulnerabilities that hackers could
exploit.
We learnt port scanning tool Nmap; Luftcrack, which is a
password cracking tool for NT; Crack, which is a password cracking
tool for Unix; monitoring tool Spynet and TCP Dump, amongst
others.
Why did you decide to take part in the scheme?
I was interested in getting deeper into security issues. I was
the lead consultant with the company and it was the obvious next
step.
What do you do now?
I am the senior consultant at IS Integration, responsible for
issuing the security services portfolio. I have been there for
about five weeks now. My job includes Web site auditing, helping
development staff integrate security into their products and
penetration testing - hacking into a system with the owner's
permission. I also help clients to put together a security policy
and strategies.
How did you end up there?
After working for the testing company for 18 months, I was made
redundant at Christmas. A friend of mine who was working in the IS
sales department passed the word on and soon after I got a
call.
What did you do before?
I was an IT manager for the Royal Navy, with specific
responsibility for security issues. I had an awareness of hacking
skills through the job and people that I met. I knew people who
were involved in hacking, both ethical and otherwise.
How long were you in the Navy?
Twelve years - from 1986 to 1998. I joined when I was 17 for my
year out before university. I was originally a weapons engineer,
responsible for all electronic equipment.
What is your view of unethical hackers?
There are two types of hackers. People who run computer programs
on their own system and try to break the code are OK. But anyone
who hacks into other people's systems is a criminal and should be
dropped from a great height.
The best analogy is car theft. There are the same opportunities
as walking down the street and trying every car. The fact that
someone is stupid enough to leave the door unlocked does not make
it right to nick their car.
Ever been tempted to hack outside of work?
No, but when I was at university there was always a race to try
and get as far as possible into the university's network.
What about the future?
I would like to expand and run the security organisation within
IS and then, who knows?
The hacker's toolkit
A good "ethical" hacker needs a good knowledge of:
- UNIX and NT and TCP/IP communications
- The law pertaining to computers, such as the Computer Misuse
Act
- Port scanning tools (eg Nmap), monitoring tools (eg Spynet),
Win32
- Vulnerability assessment software
A hacker's CV
Name: Matthew Pemble
Age: 31
Qualifications: BSc (Hons) Electronic Engineering,
Herriot-Watt University
IT skills: Unix, NT, Win32, TCP/IP
Current job: Senior consultant at IS Integration
Previous employers: Software Laboratory; Royal Navy
Hobbies: reading, cooking, DIY, gardening
Favourite book: Neuromancer by William Gibson
Favourite film: Return of the Jedi