by Barry Chudakov on September 30th, 2011

Black Hats and White Hats: Interview with an Ethical Hacker

Today on virtually any news site, you have to sneak around the headlines to avoid a story about hacking. Whether the recent phone hacking scandal of News of the World; the New York real estate brokerage, home to hundreds of upscale apartment listings, accused of hacking into a competitor’s computer system and stealing listing information; or Anonymous and V for Vendetta-masked LulzSec, hackers are gaining increased notoriety and profiting handsomely from their ventures.

But not all hackers aim to do harm. Some, known as white hats or white hat hackers, work with companies and organizations to stay one step ahead of the black hats, or criminal hackers. Anatoly Kozlow is an IT professional working for a securities trading firm in Cambridge, Mass. To help his company test and maintain a secure infrastructure, Anatoly was certified as an ethical hacker in 2009. Today the world needs white hats: global cybercrime costs nearly $400 billion and affects 431 million adult victims annually, according to Symantec’s Norton Cybercrime Report 2011. The report said on top of the $114 billion in money stolen, cybercrime costs victims an additional $274 billion in time lost, putting the total price tag for Internet-based crimes at $388 billion annually. As such, cybercrime is bigger than the global black market of marijuana, cocaine and heroin combined ($288 billion).

While Kozlow’s firm focuses on fixed income trading as well as a variety of other tradable derivatives, the derivative we’re most interested in here is the Metalife of online identity and data that makes hacking both possible and exceptionally lucrative. You may be surprised to learn how easy it is to impersonate you; you may also want to think about actively managing and protecting this new shadow self, your Metalife, that is now increasingly attractive to men in hats.

Hacker, Flickr, kenneth_rougeau, all rights reserved.

METALIFE: What is your exact ethical hacker title?

KOZLOW: I am actually an IT administrator for a securities trading firm. We can go ahead and use the designation for a Certified Ethical Hacker, CEH.

METALIFE: So there is actually a certification for a hacker?

KOZLOW: That’s correct. And the EC-Council is the organization that will certify someone who wants to become a Certified Ethical Hacker.

METALIFE: For most people this is going to be an eye-opener. Namely, that there is an entity called an ethical hacker as opposed to just a hacker. So what is an ethical hacker?

KOZLOW: It’s known in the business as a white hat, as opposed to the black hat worn by people like Kevin Mitnick or the folks in Anonymous. The official definition of an ethical hacker is basically an IT professional who has some special set of skills and carries some tools and uses those skills and tools to do penetration testing with authorization from the company or the customer. The ethical hacker assists organizations with internal auditing in order to align certain resources.

Anonymous (TypeFace), Flickr, kenneth_rougeau, all rights reserved.

METALIFE: As I understand it, ethical hacking is a term coined by IBM meant to imply a broader category than just penetration testing. But let me stop you there. What exactly is a penetration test and what does penetration testing do?

KOZLOW: A penetration test (sometimes called a pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (that is, people who do not have any authorized means of accessing the organization’s systems) and malicious insiders (that is, people who have some level of authorized access). There are different ways to do a penetration test.

An external penetration test is when you have resources that are exposed to the Internet, and that would be your web server, your email server, maybe a way for your users to connect remotely, you have a website—your website is public so anyone can get to it. So when you do a penetration test you will try to find vulnerabilities, holes in the system, maybe whoever is managing your system left some ports open that shouldn’t be open, maybe the system is running services that it shouldn’t be running; they are now infected or maybe you’re running old code on your website, which is something that happens all the time. For example, suppose you’re running Microsoft Windows 95 today or Windows 98. Well, Microsoft is not supporting those, there are no patches anymore. So you can imagine that companies may replace their computers—they’re no longer running Windows 95 or 98—but they forget about their website, running very old HTML code or it could be something else that is not supported. Well, this is a hacker’s goldmine. A lot of the wrong people know about this and try to hack in. So we give the customer information about what they should be doing to prevent attacks.

An internal penetration test is simulating a user within your company. You test many of the same things but internally. In fact, internal hacking is a lot easier because once you’re in there are so many things you can find. This is especially true because these users have local administrative rights on their own computers so it’s easier to find vulnerabilities.

METALIFE: So part of what you’re doing is like a shipyard fixing holes in a seagoing vessel. You’re trying to find all the holes and patch them up. Is that right?

KOZLOW: That is correct.

METALIFE: What if someone didn’t know about ethical hacking, what would they do? How would anyone find an ethical hacker?

KOZLOW: It’s actually quite simple. With any browser you can just type in ‘ethical hacker’ and you’ll see there is considerable training available, for example with the company I mentioned earlier, the EC-Council. It’s kind of scary actually because without any experience anyone can learn how to use all these tools and learn all these techniques. And not only the tools and techniques. Hackers become expert at social engineering. That is, they can find and talk to someone, become almost a friend to that person, and you’d be surprised at all the information the person will release. Probably a lot of the hackers today start playing with tools and they realize how easy that is and then they take hacking to the next level.

Social Engineering, Flickr, karl151k, all rights reserved.

METALIFE: So they are like amateur IT people who have more than a passing interest in computer systems and then they develop their skills and get really good at it and they take their show on the road to find some really powerful target. Is that correct?

KOZLOW: That’s right. Drawing the fine line is getting harder every day. Even to the point where, let’s say, some so-called ‘ordinary person’ encounters a Windows system and then he or she gets a prompt to log in and thinks, “Let me try this password, try that password … OK I’m in.” The rush starts. Then maybe the person tries different combinations just for fun thinking, “Oh that’s cool.” At this point the person is trying to break the code or at another turn he’s lying just to try to get some information—well, that’s a hacker right there. You may think it’s somehow valid because you’re trying to get some information from somebody else and you’re social engineering (telling lies) in order to get what you want. But make no mistake. At that point you’re a hacker. So given whatever ends people may have, the means are easy: these tools are readily available and it’s not hard to learn these techniques.

METALIFE: So what would you describe as the mission and work of an ethical hacker? Isn’t protection at the heart of what you do?

KOZLOW: Well, protection and education. In my opinion many of the vulnerabilities we find are due to lack of knowledge. Sometimes you have a company that segregates roles within the IT department. So you have the web developers who take care of the website; you have a group of people who take care of the software or the server. And sometimes these people don’t talk to each other. The person doing the website design doesn’t have the security background to protect the code. As long as the HTML code is working properly, there are no problems. But when they open it to the outside and it has all kinds of vulnerabilities or they set up a server with extra ports available or protocols that don’t need to be running—the ethical hacker educates the IT people or even the end user just to be careful when they get an email or how to securely set up the servers or how to make sure the code does not have any holes. And once you find those vulnerabilities, we detail how to close those holes or patch the server. This is the primary mission of an ethical hacker: you use the information you’re finding to do something beneficial with it. And as part of the engagement, the partnership between you and the customer, you will never release the information you find.

METALIFE: Last year, 662 organizations publicly disclosed data breaches, according to the nonprofit Identity Theft Resource Center, a figure that includes real-world theft and accidents as well as cyberintrusions. And the actual number is likely much higher than that, since not all hacking incidents get disclosed. So let’s say someone is reading this who realizes that every now and then on Facebook or with their Yahoo account or maybe a server for their own business—let’s say they realize that someone is hacking into these sites and places. Is this on the rise do you think? Tell us what you’re seeing as an ethical hacker.

Personalising the way visual data is used and created, Flickr, russellarnold, all rights reserved.

KOZLOW: Here’s the key: A lot of hackers are trying to avoid going directly to the companies. They’re trying to go through the users. So today if I want to hack into some entity where many customers interact, say a bank, I can start by finding out about their social lives. So I can go on Twitter or Facebook, so many different sites, where I can go and get an idea of what these people are up to, see their family, their pictures, etc. If I know I want to hack the bank but I’m having trouble actually penetrating the bank, instead I’ll focus on 20-30 users whom I can contact indirectly, using social engineering to find what I need, getting as much information on them as I need. For example suppose I send an email on behalf of somebody else, but I’m not really that person. The receiver can click on it, they can go to a link and I can install a new application on their system and I can monitor what they are doing. Now that brings us to passwords. Many times the password people use for their personal email is the same password they use day-to-day within the company. Or they use the same password on many different websites. Well, at that point I can take that information and try to break into the company through the user, through their personal information. That’s actually the easiest way. Any of the users on your website can just send you an email and make a comment … this is my blog if you want to click on it … and then you click on it and the next thing you know you get some information. You wanted to see the blog, but now there’s something running on your PC that you don’t know is there. And this thing you don’t see can start monitoring what you do, recording your keystrokes and at that point they have you. They know everything you’re doing. They can take that information and do something else with it using the same PC to get into your bank records and do online banking.

So when people are being hacked on AOL or on GMail, that is frequently a doorway to hack into a company. In other words, as a black hat I start by going through your email but you don’t even know I’m there. I have your password, I have your information, I can search through your old emails—a lot of people keep pictures, financial information, social security number, all sorts of sensitive information in emails—and now I can do simple searches and find a lot of information about you.

METALIFE: Amazing. If I’m a hacker, and I want to get into the bank, I’m going to go through one of the people who banks with the bank, a customer. And I’m going to find something from that customer, let’s say an email, that I can attach myself to. Is that correct?

KOZLOW: That is correct.

METALIFE: And how exactly, without giving away all the secrets, is that done?

KOZLOW: Take Facebook, that’s the number one social website many people visit. Let’s say I become a ‘friend’ of yours, you’ve clicked on a phishing link, and I know what your email address is, and you start posting your Facebook information, you’re telling me you’re going to be going out and doing this and that. Then I can go ahead and target you with an email. Say, you mentioned going to a concert. I can send you a discount coupon for the concert, for example. You click on the coupon link—people automatically do things like that without even thinking. And then you wonder how you ever got hacked.

Facebook "Are you on Facebook?", Flickr, JoeMitraglia, all rights reserved.

METALIFE: So when you talk about ‘social engineering’ you mean that a hacker insinuates his or her way into a social network, gets the person to trust the hacker for a moment with some small thing like a coupon or piece of information. But what the hacker has really done is fake out the user and he or she has information coming back now that can be put to nefarious use in ways the user never dreamed of.

KOZLOW: People come to me and say that their Facebook account has been hacked and now someone is actually trying to attack their bank, that is, get at their banking information. The first thing I tell them is: if I go to your Facebook page and I start looking at everything you have on your Facebook page or associated with your Facebook account, am I going to be able to figure out your user name? And what I hear most often from people is, “Wow, I cannot believe that I have all my information on there.” For example, they have their pets’ names, their kids’ names and birthdays, the date and place they were born, I mean they have everything online. See there are tools out there that you can use that quickly discover your keywords and start what is known as a dictionary attack which is to take over your keywords. I already know your email address which for many people is their login ID; then I just find your password (which is often some combination of personal data that is on your Facebook page) and I’m in. They don’t realize they’re putting all their information online on all these websites. See, the question is if I take all the keywords on your sites, everything you have on your sites, am I going to get your password? And you’d be surprised how many people say, “Yes.”

METALIFE: Astonishing. Can you elaborate somewhat on that attack?

KOZLOW: There are a number of ways to execute an attack. One is taking over the user’s keywords. We know from experience that a lot of people might be using first names, or might be using 123456 or the word password as a password. So I can just build a simple dictionary attack and start trying every single password and if your company or your website does not lock the account after so many times, I’ll be trying all kinds of different passwords, as many as I want. You’d be surprised at how frequently the twenty most common passwords are used. By the way, here are the top five: number one is 123456, number two is 12345, three is 123456789, four is password, and five is I love you. I could also be guessing passwords based on information that you have on the site, just try them one after the other. But you’d be surprised: a lot of people keep their passwords on their email! And in their Contacts file they keep all their bank information: serial number, pin number, secret word, a passcode—everything is within the Contacts folder.
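The two weaknesses Kozlow describes here and in the previous answer, seen from the defender’s side, as an added example that is not part of the original interview: a password check that rejects the common passwords he lists and anything built from a user’s publicly posted details (pets, kids, birthdays), plus the account lockout whose absence he says lets a dictionary attack run unbounded. The profile, sample passwords, 12-character minimum and lockout limits are constructed assumptions, not the interviewee’s tooling.

```python
"""Defences against a dictionary attack and profile-keyword guessing, plus
account lockout. Hypothetical code; sample data below is constructed."""
import time
from datetime import date

# The interview's top five (spoken "I love you", typed "iloveyou") plus a few
# more entries every public common-password list carries.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "qwerty", "abc123", "letmein"}

# Undo the digit/symbol substitutions used to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Constructed profile: the kind of detail people post publicly.
SAMPLE_PROFILE = {"names": ["Fluffy", "Emma"], "dates": [date(2008, 3, 12)]}


def normalize(pw: str) -> str:
    """Lower-case, undo leetspeak, keep letters only: 'P@ssw0rd!' -> 'password'."""
    return "".join(c for c in pw.lower().translate(LEET) if c.isalpha())


def profile_tokens(profile: dict) -> set[str]:
    """Guessable fragments of a public profile: names, and dates in usual forms."""
    tokens = {n.lower() for n in profile.get("names", []) if len(n) >= 3}
    for d in profile.get("dates", []):
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%d%m%Y", "%m%d%y"):
            tokens.add(d.strftime(fmt))
    return tokens


def check_password(pw: str, profile: dict) -> list[str]:
    """Return policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    compact = pw.lower().replace(" ", "")
    if {compact, normalize(pw)} & COMMON_PASSWORDS:
        problems.append("on the common-password list")
    haystack = compact + " " + normalize(pw)  # digits form and letters-only form
    for tok in sorted(profile_tokens(profile)):
        if tok in haystack:
            problems.append(f"built from personal keyword '{tok}'")
    return problems


class LoginThrottle:
    """Lock an account after `limit` failures within `window` seconds; without
    this a guesser can work through the whole dictionary unhindered."""

    def __init__(self, limit: int = 5, window: float = 900.0, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._failures: dict[str, list[float]] = {}

    def _recent(self, account: str) -> list[float]:
        now = self.clock()
        return [t for t in self._failures.get(account, []) if now - t < self.window]

    def record_failure(self, account: str) -> None:
        self._failures[account] = self._recent(account) + [self.clock()]

    def is_locked(self, account: str) -> bool:
        return len(self._recent(account)) >= self.limit


if __name__ == "__main__":
    for pw in ("I love you", "P@ssw0rd!", "Fluffy03122008", "Emma2008!", "r7%Kq2!vLp9#zW"):
        print(f"{pw!r:20} -> {check_password(pw, SAMPLE_PROFILE) or 'OK'}")
```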

Dictionary Attack, Flickr, hortont424, all rights reserved.

METALIFE: A lot of us have heard about various hackers, from LulzSec to Anonymous. Recently Bay Area Rapid Transit (BART) spokesman Linton Johnson ran afoul of the hacking group Anonymous’ campaign against the commuter-rail system when Anonymous leaked several compromising photos of Johnson on August 24. The next day personal info of 43,000 Yale students, staff and alumni—including social security numbers—was hacked using Google. Names and Social Security numbers were uncovered on an unprotected File Transfer Protocol (FTP) server. This business of hacking Google, also known as Google dorking, is essentially cybercriminals’ enterprising use of Google’s advanced search functions to find caches of valuable data ripe for the taking. USA Today reported that the hackers used a new Google FTP search function to locate this unsecured server: “With the addition of indexing data that is accessible via FTP, hackers can now identify wide-open FTP sites that may contain sensitive data or can be used to leapfrog to other machines on the company’s internal network,” said Tom Rabaut, RedSeal analyst, [a security firm]. “Also, Google offers the ability to restrict searches to a single domain which will make it easier for hackers to limit their data mining to only target companies.” So what is the difference between that kind of hacking and what we might call ‘everyday hacking’? And then remind us, what is the difference between that and what you do as an ethical hacker?

KOZLOW: Good question. The big difference is that an ethical hacker will never compromise the information. Once the ethical hacker finds the information, he will not release or use that information. There are grades of hackers: the white hat hacker basically works with companies to find vulnerabilities and secure information. And you have the gray hat hackers: some people describe them as being white hat hackers during the day and black hat hackers during the night. They release information: they like to find information and then release it.

METALIFE: So you’re saying the gray hat hackers pretend to be ethical hackers, but they’re not really ethical?

KOZLOW: Yes, that accurately characterizes the gray hat hackers. The big difference with an ethical hacker is that once that information is found, we’re just not going to release it. With some of the gray hat hackers, for example, they may see a Microsoft vulnerability and release it to the public. They may do this because Microsoft didn’t pay them what they wanted as developers so they say, if you don’t pay me what I want, I’m going to release this information.

METALIFE: Is this a kind of extortion? They’re extorting the company to either pay them a certain sum or they will commit a bad deed?

KOZLOW: That’s correct. There are some companies like Google who will pay for those findings. But Microsoft, as far as I know, will not. That’s the big difference. Speaking for white hats, once we find the information we’re not going to post it on some website or take advantage of it.

There always has been a deception, Flickr, dagomatic, www.flickr.com/photos/dagomatic/ all rights reserved.

METALIFE: So why would someone become an ethical hacker? We can guess at this but why did you become one? Why would anyone want to do ethical hacking, and who are some of the people you have done ethical hacking for?

KOZLOW: In my case, I became an ethical hacker because I’m fascinated with security and this enables me to do hacking legally. I can do a lot of security work and I can do hacking and if at the end of the day the FBI comes knocking at the door and sees that I have all these tools, well, I have a reason to have them. If they ask me why am I trying to hack into certain companies, I can say because I have an agreement to do this. Regarding why would anyone want to do ethical hacking? To expose the weaknesses of systems, find vulnerabilities in the current infrastructure, with a view to strengthening them. Of course, you could also join one of these penetration testing companies and do hacking legally.

METALIFE: We’re seeing more of the black hat hackers, oftentimes as part of a plea bargain, leave that world and move over to the world of the white hats, right? Take Kevin Mitnick. He broke into the systems of half a dozen high-profile tech companies. The Feds found him and he served a five-year jail sentence. Then he turns around and becomes a security consultant. What do you think of these black hats becoming white hats?

KOZLOW: My personal opinion is that once you’ve been a black hat, then you go from being a bad guy to being a good guy—well I don’t buy it. Once you’ve gone over to the dark side, I wouldn’t trust you around sensitive information.

METALIFE: Looking at this from an ethical perspective, essentially you don’t trust this conversion, you wouldn’t trust this person with your sensitive data?

KOZLOW: Not at all. Once they do that they could just be playing another game. Of course, companies want to hire these people to expose their systems before real hackers can find the holes that will show up sooner or later. They take a proactive approach: let me find them before the bad guys find them. And you do want to hire people like that to find those holes before somebody else does. Further, it’s very unique to have somebody with those skills, even if he’s not 100% dedicated to doing security. When you have someone with those skills in your company they bring something completely different to the table.

Note: I have used the name Anatoly Kozlow and the details of his life and company to shield this ethical hacker’s actual identity. Despite your best hacking skills, you will not find him, or details about his company, in a Google search.

More Information

Can’t stop the tweet: the peril—and promise—of social networking for IT

Custom Word List Generator

Find your IP

Go back in time (use when looking for an old website posting)

PDF File Scanner

People Search

Tor Network

Who is by IP

1 Comment

1. Normally I do not learn from an article found on blogs, but I wish to say that this write-up very much compelled me to check it out and do so! Your writing style amazed me. Thanks, very great article.