Ethical Computer Hackers
As reported in Business Week:
Thrill or no, this is boot camp, and there's a big task at hand: earning the right to be called a "certified ethical hacker," a distinction bestowed by the International Council of Electronic Commerce Consultants. The e-commerce trade group has been administering the program for several years, but the need for IT professionals who know how to think -- and code -- like the enemy is as urgent as ever.
Time was, companies that wanted to fight hackers would go out and hire the bad guys themselves. But as hackers proliferate and get smarter, companies increasingly want homegrown experts, so-called white hats.
Another shift they're responding to: Increasingly, attacks are financially motivated. These are no longer mere "hacktivists" who spread viruses to take down Corporate America or spread social and political commentary. Nor are they out to make a name for themselves. Today's hackers want to fly under the radar (see BW Online, 1/23/06, "Coming to Your PC's Back Door: Trojans"). According to the latest Internet threat report by Symantec (SYMC), attacks that have the potential to give bad guys confidential information rose 74% in the second half of 2005 to comprise 80% of all threats.
And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.
It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successfully.
Here's another trick. Put a single quote mark in the user name line of a password. If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "sequel injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys want to see some more scary stuff?"
There is more to the article, but basically, it reinforces in my mind this thought I've had for years: I can't believe how easy it is for some hackers to steal sensitive data.
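The single-quote test the article describes works only because the application pastes user input straight into its SQL text and then shows the database's error to the user. As an added illustration (not code from the article or the boot camp), the snippet below sets up a constructed in-memory SQLite table, shows the string-concatenation pattern that produces that tell-tale error, and the parameterized query that closes the hole; the table, user and function names are assumptions for this example.

```python
import sqlite3

def make_db():
    """Constructed stand-in for the 'fictional bank' database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation. A quote in the input becomes
    SQL syntax, the statement fails to parse, and the error text is returned
    to the caller: the exact signal the article's probe looks for.
    Shown as the 'before' case only."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    try:
        (count,) = conn.execute(query).fetchone()
    except sqlite3.OperationalError as exc:
        # Surfacing the raw database error is what makes the site fingerprintable.
        return {"ok": False, "error": str(exc)}
    return {"ok": count > 0, "error": None}

def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    SQL text, so a quote is plain data and can never change the statement."""
    (count,) = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return {"ok": count > 0, "error": None}

def probe(login):
    """Emulates the article's check: submit a lone quote as the username and
    report whether the handler answered with a database error."""
    result = login(make_db(), "'", "x")
    return result["error"] is not None

if __name__ == "__main__":
    print("concatenated handler leaks a DB error:", probe(login_vulnerable))  # True
    print("parameterized handler leaks a DB error:", probe(login_safe))      # False
```

On a real deployment the defensive checks are the same two things: every query uses bound parameters, and database errors are logged server-side rather than echoed to the client.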