Stay on top of the latest tech news with our free IT News Digest newsletter, delivered each weekday.
Automatically sign up today!


Ong Boon Kiat

Special to CNET

The chief scientist of security company Internet Security Systems believes 2004 could prove to be a watershed year for hacking.

Robert Graham says that many hackers are graduating into the pro ranks, a development that carries worrisome implications for corporate security.

“Before this year, we really saw just kids that are playing and pretending to be masterminds,” said Graham, who did important early work in the development of intrusion-prevention systems. “But this year, we saw the rise of the professional hacker.”

For many years, hackers were content with the thrill of breaking into other systems, or with whatever elevated peer status they achieved through their exploits. But not anymore, according to Graham, who says that both the pattern of hacker attacks, and the motives behind the attacks, are changing. Hackers are now far more coordinated, and they no longer merely rely on copycat tools and random attacks. What’s more, Graham detects a dangerous intent to profit financially from hacking. He recently spoke with CNETAsia about this evolving security challenge.

Q: Are hackers getting paid now?
A: It’s not so much that they get paid to hack, but that they earn money from hacking. Take phishing attacks: It’s usually the people who are running the attacks themselves that are earning money; no one is paying them to do it.

How would you define a “pro hacker”?
Before this year, hackers really were just kids playing and pretending to be masterminds. They could download hacking utilities from the Internet, but they were really clueless. And they were relatively unskilled…and it’s only after running their tools through tens of thousands of machines that they were able to find one to break into. More importantly, they weren’t really criminal masterminds. It’s been largely a game for hackers up until now. This is notwithstanding the fact that law enforcement agencies have been taking this game seriously–because the hackers haven’t.

This year, things are changing, and you can see it from the FBI’s activities in the U.S. this year. In one arrest by the FBI, the subject was a spammer who had thousands of machines under his control used to forward spam.

Is that pro mind-set reflected in the exploit patterns?
Well, what I’m seeing is more hackers are now writing their own exploits. In the past, they would just use well-known attacks. Before, whenever there was a new bug, hackers would compete among themselves to see who would be the first to write exploit programs for those bugs and then publish them to Web sites and mailing lists like BugTraq and Full-Disclosure. And then everyone else would go there, download those attack programs and run them blindly.

It’s been largely a game for hackers up until now.

Today, more people write their own exploits. Why are they able to do it? If you look at the kids graduating from school all over the world, they got interested in hacking when they were, like, 12-year-olds, in the mid-’90s. Over the years, their interests have grown into a skill set that lets them write their own attack programs.

Speaking of new exploits, what do you make of the rising number of bug variants that we’ve seen this year?
In the past, antivirus vendors would compete with each other to see which would be able to write signatures faster for each new virus that came out. But with (the) Netsky and Bagle (viruses), we saw the reverse. Now we have virus writers who compete to see how fast they can update their viruses in response to each new antivirus signature. That’s why we see a Netsky a, b, c, d and so on.

But why were hackers suddenly interested in making variants?
Well, with previous virus writers, their goal was to create a virus and see if it could be done. After that, these virus writers were done. There seems to be a change in the psyche among virus writers now. You see this with Netsky and Bagle. There are two teams of people competing with each other. The Netsky people hated the Bagle people, and Bagle people hated the Netsky people. So it was kind of like a feud between them.

So how worried should we be? Are viruses becoming more sophisticated in a hurry?
No. Viruses today are really no more sophisticated than they’ve been over the last several years. As a matter of fact, Netsky and Bagle are pretty unsophisticated. As security professionals, we know how to create a sophisticated virus. The reality is that hackers that write viruses really aren’t all that smart. They focus more on whatever defenses they see. They try to do one extra step. And so we rarely see a huge advance in hacking techniques. Rather, we see gradual growth. Most virus writers only try to stay one step ahead. And only one step, not five or 10 steps.

The bread-and-butter defense today remains the firewall. Where does this mature technology go from here?
Firewalls have basically been supplanted by intrusion-prevention systems. In the old days, it was enough just to lock the doors. But these days, we realize that some doors have to be unlocked. And we need to protect against cases when doors aren’t locked. It’s like a bank. Robbers will come in and rob the bank in the day, when doors are unlocked. The problem is not that you need to find a stronger lock for the front door, because fundamentally you can’t lock the front door all the time. You need to let customers in. And that’s what firewalls basically are–doors that are locked.

IPS (intrusion-prevention systems), on the other hand, are able to look for attacks coming in the open doors. IPS and firewalls are probably going to merge soon into one product. But firewall technology, by itself, is done. It already has become a commodity.

No room for improvement at all?
There is really going to be nothing new for firewalls. In fact, a lot of the more-complicated firewall features can actually reduce security, rather than increase it.

How so?
Well, the more-complicated firewall rule-sets can trip users up. Remember, firewalls are tools that you use to stop bad traffic. And how effective they are depends on your skill in using them. And the more complicated something is, and the more feature-sets it has, the more educated you’ll need to be to use it right.

And we’ve seen (organizations not using their firewalls correctly). For example, we find that Slammer occasionally comes through the firewalls, even though it is supposed to be blocked by the rule-sets. The reasons are varied. Sometimes it is because people go into the

The reality is that hackers that write viruses really aren’t all that smart.

firewalls to open ports they shouldn’t be opening. Other times they just remove the whole configuration from the firewalls and reset them back to the default state of “open,” which lets everything through. They may do this for only a few seconds before they re-apply the policy again, but that is enough for Slammer to come through. And these things happen partly because of the complexities of today’s firewalls. With simpler systems, you are unlikely to make those mistakes. How important do you think application firewalls will become in the future?
Not very. The application firewall space really is targeted at Web applications. These firewalls are about proxying HTML or HTTP. The thing we have to remember is that no Web applications are bug free. Some have well-known bugs that people can take advantage of. Application firewalls may be able to solve some of these things, but not all.

Let me give you an example of something that happened with me. Not long ago, I ordered a plasma screen online, which was to be shipped by a local company in Atlanta. And the company gave me a six-digit shipping number. Accidentally, I typed in an incremental of my shipping number (on the online tracking Web site). Now, a six-digit number is a small number, so of course I got someone else’s user account information. And the reason that happened was due to the way they’ve set up their user IDs, by incrementing from a six-digit number.

So here’s the irony: Their system may be so cryptographically secure that (the) chances of an encrypted shipping number being cracked is lower than a meteor hitting the earth and wiping out civilization. Still, I could get at the next ID easily.

There is no application firewall that can solve this problem. With applications that people are running on the Web, no amount of additive things can cure fundamental problems that are already there in the first place.

What’s security technology’s next frontier?
Voice over IP and general packet radio service are going to be the next biggest security issues.

How big?
Several years ago, we were researching Microsoft remote procedure call, and we were talking to the media, saying that that’s going to be the next big thing, that all the worm occurrences that we’ve seen in the past will be nothing compared to what we are going to see happening with RPC. And of course, that was exactly what happened when Blaster and Sasser came along. We are now at the same stage with VoIP and GPRS.

What’s the lowdown on VoIP?
VoIP is completely insecure. At the protocol level, there is no encryption and authentication. I mean, I call you, and there’s no way for you to verify who I am. I can send a caller ID from the U.S. president, or the CIA, and you won’t know who I am. And people can easily hack a caller ID and claim to be whoever they want.

With GPRS, the systems that mobile operators share between each other are largely wide open. Operators have so far trusted each other not to hack each other. While the average hacker from the Internet doesn’t have access to these systems, the mobile operators do. And once you get into one mobile operator, you can start attacking the rest of the mobile operators via the backbone that they share. And once hackers compromise the gateway machines, they can then have fun with the internal networks, as well as come in from the Internet or handsets.