Hacking 101: Learning the Trick
Monday, October 23rd 2000, 12:00 am
By: News On 6
NEW YORK (AP) — Leandro Oliveira flew in from Brazil to learn how to hack. Little did he know he'd be breaking into his own computer.
During a class, the security consultant put into practice some newfound skills. He typed a few simple commands into a PC and bypassed a security firewall — at his employer in Brasilia — meant to block intruders.
Oliveira smiled. ``I have to go back now and reconfigure my firewall and my machine,'' he shrugged.
It was a productive week for Oliveira at Foundstone's hacking school, one of a growing number of training seminars made popular over the past year by real-world hacking, which has cost companies tens of millions of dollars.
There is no simple software solution to security on the Internet. Hence sessions like the Foundstone class, whose operating philosophy could be described as: If you want to beat them, join them.
``It's very empowering,'' said Nicolas Wuorenheimo, security analyst for Commerz Bank's New York branch and one of 31 students at a recent Foundstone class. ``I've taken lots of security classes, but there's nothing like Breaking and Entering 101.''
Security threats increase as computers become more connected with one another and tools that automate attacks make hacking easier. Plus, as businesses become more dependent on e-commerce, there's more to lose.
A March report from the Computer Security Institute found 273 large companies and government agencies reporting losses totaling $266 million in the past year.
``There's always been a vulnerability to hacks, but there hasn't always been the economic impact,'' said Bob Bassett, a trainer for Ernst and Young. His company has offered its ``Extreme Hacking'' class for about three years. Internet Security Systems of Atlanta has conducted ``Ethical Hacking'' seminars in Europe for some three months and plans to start a U.S. version next year.
Foundstone, of Irvine, Calif., runs ``Ultimate Hacking'' about twice a month around the country. It costs about $3,500 per student for three or four days. Some 300 students have attended since the first class in March.
Dane Skagen, Foundstone's director of training, likens computer security to football.
``The defense usually understands how the offensive plays work,'' Skagen said. ``When something new is thrown at them, they have a much better chance at reacting.''
With a simulated network set up in a rented conference room, Skagen teaches students to identify open access ports into the network and exploit known security flaws in common software products including Microsoft operating systems.
He offers tips on guessing master passwords and shows ways to capture password files in transit when guessing fails. He demonstrates L0phtcrack and other software that can decrypt most passwords in seconds.
Students are shown how to deactivate software designed to monitor such intrusions — the programming equivalent of bypassing burglar alarms.
Working in pairs, students break into simulated payroll machines, using clues a typical system administrator might inadvertently leave in a computer file's comments field. They learn how hackers devise attacks, and are encouraged to turn off unneeded software features to prevent them from being exploited.
One student, Ed Walsh, said the class taught him to rethink password policies at his company, Bridgewater Associates Inc., an investment firm in Westport, Conn.
``My thinking is, know your enemy,'' the network administrator said. ``Every time a (software) vendor comes out with a fix, hackers will find ways around it.''
No product can prevent all threats, security experts say. Firewalls, by design, allow e-mail and Web site inquiries through. Intrusion detection systems can identify known types of attacks — but new ones are devised all the time.
And while larger companies have long hired hackers to test their systems for vulnerabilities, those tests are conducted once every year or so. Simply installing new software or modifying existing programs during that year can create new security holes.
With security ever more complicated, Ernst and Young gets three applicants for every class spot available. And it can't find enough qualified trainers: Like its competitors, the company won't hire malicious hackers who have claimed reform.
Though a few students signed up after their networks were attacked, most joined simply because they are worried, said T.J. Klevinsky, an Ernst and Young trainer.
Not just anyone can be a student — the schools want to make sure applicants work for legitimate companies. At Foundstone, participants also must sign an agreement not to use their newly acquired skills for illegal or malicious attacks.
Hacking classes should not lull system administrators into a false sense of security, though.
Corporate network sentinels will still be hard-pressed to stop more sophisticated attacks, says David Remnitz, chief executive of IFSec, which offers customized training to clients upon request.
The high school and college students who participate in Sandia National Laboratories' College Cyber Defenders internship always spend more time on defensive measures than on hacking, says coordinator Fred Cohen.
``It turns out it's much harder to defend than to attack,'' Cohen said. ``What happens when you defend is you have to think of all sorts of attack possibilities.''
Ernst & Young: http://ey.com
Sandia program: http://heat.ca.sandia.gov