Members of IBM's Global Security Analysis Laboratory break in to other companies' computer systems - on request - to expose vulnerabilities before malicious hackers can exploit them.
In Brief:
Working in the shadows, the members of IBM's Global Security Analysis Laboratory devise means of breaking into computer systems - at clients' invitations.
The group has the goal of protecting clients' systems from nonbenevolent hackers, by diagnosing security problems and suggesting remedies. The team is also developing commercial programs that alert companies to attacks on their computer systems.
As more companies conduct business over public and private computer networks, hackers have increasing opportunity to wreak havoc by destroying files, stealing trade secrets or using the threat of damage as a blackmail weapon. To prevent that, companies need to analyze how hackers could break in to their computer systems. The only realistic way to do that is, well, to break in yourself. That's what the members of IBM's Global Security Analysis Laboratory (GSAL) do. With permission, of course.
"We attack just like a bad guy would," says Charles Palmer, leader of the team, which operates from a sealed room at IBM's Thomas J. Watson Research Center. Hired quietly by more than 100 clients, Palmer's clandestine five-man team, which has a sister team at IBM's Zurich Research Laboratory, has penetrated 85 percent of the systems it's encountered in its first two years. Once in, the team recommends practices and products that will plug the holes. In between assaults, the group is working on commercial software to improve security.
The rapidly expanding use of email, Internet accounts and Web sites has created simple gateways through which hackers can pass. A recent FBI study of 400 companies found that half had experienced unauthorized use of their computer systems in the previous year. A third of the break-ins occurred despite the presence of a firewall, sophisticated software that is supposed to stop illegitimate traffic.
The damage from hacks can take several costly forms. In 1994, Russian hackers tapped into Citibank and transferred $10 million in funds. Stolen passwords of employees at San Jose chip maker Xilinx appeared on bulletin boards across Europe. Employees at other companies have stolen inside information to sell to corporate competitors. Would-be hackers can easily find help. Some 1,900 Web sites offer hacking tips and tools, and the black market price for a simple break-in is $8,000 to $10,000. Estimates put the losses from computer crime at $10 billion over the past five years (including cell phone fraud).
Nevertheless, many companies fail to take adequate preventive actions. "Security is almost always seen as an impediment," Palmer says. Companies fear that adding security procedures and software will cost too much, slow their systems, make them cumbersome to use, and complicate the lives of already stressed systems administrators. "Properly engineered," says Paul Karger, a senior member of the GSAL team, "security doesn't significantly degrade performance. But many solutions are not properly engineered."
Furthermore, in the stampede to get on the Web, many companies simply ignore security. "Doing security right means designing software slowly, carefully and methodically," Karger says. "You can't do that when you're working in Web-years, trying to get things out last week." Palmer adds that most companies don't call GSAL until there's a problem. "They say, 'We've been broken into. Now can we add security?'"
Common Security Loopholes
The first step in thwarting hackers is to know the most common vulnerabilities. They include:
- Use of simplistic passwords that can easily be guessed or found with brute force by hacker programs.
- Failure to change preset passwords shipped with software. IBM and other vendors are beginning to ship software that forces the user to customize a password.
- Poor protection of the "root account," the privileged account that has access to the whole system, including the system files containing all passwords used.
- Failure to configure a company's Web server with security in mind.
- Failure to fix well-known bugs in Web, email and local area network software that can give hackers access.
- Sniffer programs planted by a hacker on a local area network, which can record unencrypted computer traffic as it passes by, including the keystrokes of passwords as they are typed.
- Web spoofing, in which hackers post fake Web pages that mimic the pages of real companies. This lets them intercept communications from people trying to reach the real pages, who might unwittingly supply credit card numbers or bank account and PIN numbers. Authentication and encryption software can prevent spoofing (see "Making the Internet More Secure," Research, Number 2, 1997), but widespread deployment is still an issue.
Quick Fixes and Firewalls
Fixes for many vulnerabilities involve nothing more than educating employees, who should be encouraged to choose passwords that combine letters and numbers, change them regularly and never divulge them. They should also learn about hackers' "social engineering" tactics, such as posing as an employee who calls and says, "I'm working from home and forgot the modem number."
Companies should also encrypt sensitive communications and install firewalls; even though expert hackers might penetrate them, firewalls make access a lot harder. Finally, systems administrators should regularly test the security of their company's network, and keep up with fixes for newly discovered bugs. The ultimate responsibility for security rests with top management. "Most executives simply don't take it seriously enough," Palmer says.
In addition to conducting benevolent break-ins to order, the Watson team is developing software products with Zurich. IBM is already shipping the Network Security Auditor, which enables a company to test its own systems for weaknesses. Haxor, a program now in testing, detects intrusions by monitoring the traffic over a company's network. It recognizes hundreds of telltale electronic signatures of attempted attacks - such as the several thousand efforts per second to log on to the system that give away a hacker program trying a dictionary's worth of possible passwords. "So far, it's catching invasions other security software isn't," Palmer says.
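The login-flood signature described above, as an added illustration that is not IBM's or Haxor's code: a sliding-window detector run over a few constructed, syslog-style login records. The log format, the 60-second window and the threshold of five failures are assumptions chosen for the example.

```python
"""Rate-based detection of password guessing: flag any source host that
accumulates too many failed logins inside a sliding time window.
Added example; the log format and thresholds are constructed assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). One legitimate mistyped password
# (alice), one host guessing several accounts in seconds (192.0.2.77), and one
# user failing slowly enough that no window ever fills (bob).
SAMPLE_LOG = """\
1997-03-04T10:00:00 src=10.0.0.5 user=alice result=FAIL
1997-03-04T10:00:07 src=10.0.0.5 user=alice result=SUCCESS
1997-03-04T10:01:00 src=192.0.2.77 user=root result=FAIL
1997-03-04T10:01:01 src=192.0.2.77 user=root result=FAIL
1997-03-04T10:01:02 src=192.0.2.77 user=root result=FAIL
1997-03-04T10:01:03 src=192.0.2.77 user=guest result=FAIL
1997-03-04T10:01:04 src=192.0.2.77 user=guest result=FAIL
1997-03-04T10:01:05 src=192.0.2.77 user=admin result=FAIL
1997-03-04T10:03:00 src=10.0.0.9 user=bob result=FAIL
1997-03-04T10:05:00 src=10.0.0.9 user=bob result=FAIL
1997-03-04T10:07:00 src=10.0.0.9 user=bob result=FAIL
1997-03-04T10:09:00 src=10.0.0.9 user=bob result=FAIL
1997-03-04T10:11:00 src=10.0.0.9 user=bob result=FAIL
"""

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 5                    # assumed failures per window that trigger an alert


def parse_line(line):
    """Split '<iso-timestamp> k=v k=v ...' into (timestamp, src, user, result)."""
    ts, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]


def detect_password_guessing(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src: alert} for hosts whose failed logins within `window`
    reach `threshold`; the alert records the burst seen so far."""
    failures = defaultdict(deque)   # src -> recent (timestamp, user) failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result != "FAIL":
            continue
        recent = failures[src]
        recent.append((ts, user))
        while recent and ts - recent[0][0] > window:   # drop entries outside window
            recent.popleft()
        if len(recent) >= threshold:
            alerts[src] = {"first": recent[0][0], "last": ts, "attempts": len(recent),
                           "users": sorted({u for _, u in recent})}
    return alerts
```

Legitimate users rarely fail more than a handful of times in a minute, so a burst of failures across several account names from one source is the telltale signature; the same logic scales to the per-second rates the article mentions by changing the window and threshold.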
The Zurich team, meanwhile, is assembling a database of all the major operating systems' known vulnerabilities. "Right now, the lists are distributed all over the place," Palmer says. "This would allow us, for example, to say: 'All right, we think someone broke into the Web server through a weak cgi-bin script and then changed the company's product pictures. What are the known possibilities?'"
The Watson group is also working with visiting scientist Wietse Venema on VMail, a secure replacement for the widely used - and widely vulnerable - Sendmail, a program that underlies the email software used on popular operating systems such as UNIX, and in which at least one serious new bug has been found every quarter. Venema, from the University of Eindhoven in the Netherlands, is a renowned security expert and coauthor of SATAN, a sophisticated program used to find security flaws, and the developer of TCP wrappers, a widely used countermeasure.
Staying Incognito
GSAL has to stay one step ahead of the hackers in the game of countermeasures. "We do not hire reformed hackers," Palmer says. "There's no such thing." So the lab keeps current on hacking tools and trends "by maintaining awareness through contacts over the Internet and on bulletin boards. The trick is to know where to listen to find out what's going on."
Lurking in the shadows is part of the game. Palmer and Karger are somewhat known publicly, but their other colleagues are not. Even so, Palmer doesn't pass out business cards when he attends hackers' conferences. "I just say I'm a guy from IBM who's interested in security," he explains.
Mark Fischetti is a technology and business writer in Great Barrington, Massachusetts.
More Information:
The Implications of Information Warfare
Hackers aren't just a threat to computer systems. They could hold people, companies or entire nations hostage.
Terrorists no longer have to blow up the World Trade Center to command attention. With the right hack, they could seize control of a nuclear power plant and threaten to initiate a meltdown, or rig computer trading systems to crash Wall Street. They could jam the national phone network or subject companies to blackmail.
The danger of information warfare can quickly get personal. Last year, hackers penetrated a radiology company in Canada that held numerous records of patients' MRI scans. The intruders could have altered individual patients' images. A surgeon who used a faulty image as a guide in a subsequent operation could unwittingly kill the patient.
Defense against information warfare has received little attention. "There are serious national security implications," says Paul Karger, an expert on the subject at IBM's Global Security Analysis Laboratory. Although encouraged by the formation of the Presidential Commission on Critical Infrastructure Protection, Karger urges that more effort be placed on educating the business community about real information warfare threats and on encouraging the private sector to develop higher-security products.