Tuesday, June 01, 2004

Information Security - If you wanna be good at it, you need two hats. People think just their white hat is good enough - I'm sorry folks, it's just not.

Case in point: I've recently discovered (and discreetly reported) a severe vulnerability in a certain popular embedded system - I mean this one is BAD, run any command as root without even logging in. Nasty one.

Anyways 2 or 3 levels of the vendor have asked me the same question: "how did you find what DoD and other security audits missed?".

Am I some sort of genius? Well, yes actually I am - BUT that has nothing to do with this particular issue. :)

The answer is simple: Audits are just lists of 'bad things', a list of rules. Now if all a skilled hax0r (read 'cracker') did was go down a list, well, he'd be a script kiddie and not a hax0r anyways. DoD may 'audit' and that's good, real good...

...but hax0rs *don't audit*. Hax0rs don't HAVE rules.

Instead, a hax0r sticks his hand in the virtual ASS of your damned system where it says 'no user serviceable parts' and starts poking and pulling things - he *keeps* poking things until something breaks or he sees something out of place - something that doesn't belong. Once he's found that thing that shouldn't be happening, it's generally a simple matter of figuring out what STUPID assumption the original system engineer has made - and using that assumption against him.

Now, those people out there who run audit-based security, they already KNOW they are slacking off: They KNOW the security of their system/site/product deserves the focused, intelligent and improvisational meditation that comes with a black hat. They even know how to do this.

Why don't they? Well it's hard work, folks! It's infinitely easier to just run some sort of audit tool and say 'green' or 'red' (more than likely green).

So, conclusion? Yes - if you are responsible for security, LEARN TO HACK! Quit slacking off and know your enemy, because he sure as heck will do the homework on you.