Tools and tricks of the white hat hackers

Not all the problems were ones we could solve (some were baked into NAS box and wireless router firmware), but all could be mitigated by locking down the network and increasing the security on its firewall.

Crack it to win it

One area where cracking tools and techniques have helped to secure the rest of the industry is the cracking contests held at major hacker conventions.

The format is simple. A group of machines running popular operating systems are set up in a secure area. Attendees are then given hacking tasks such as installing a certain file on the machines' hard disks.

At a convention contest, attackers are initially denied all access to the machines, meaning that they have to attack them through their networking stacks and default applications and services. If the machines survive the first round of attacks, restrictions on access are removed one by one until a machine has been compromised using drive-by attacks.

The attacks used can be published (unless a sponsor has a non-disclosure agreement in place), and security researchers keep a careful eye on the results. PR teams also keep track of the contests, as a win or a fail can affect how their products are perceived by an influential part of the market.

There are some problems with these contests, however. The winners get to keep the hardware that they compromise, so contestants are often more inclined to attempt to break into the more attractive machines. Cash can also make a difference: if there's more than one machine on offer, the attacker will go for the easiest machine to compromise.

That was the case at the PWN 2 OWN contest at CanSecWest in March 2008, where $10,000 was offered as a prize alongside three PCs. The winners broke into a new MacBook Air rather than attempting to gain access to Windows and Linux systems. While the exploit in question was a simple browser attack, it was kept under wraps by a security research company in order to give Apple time to clear it up.

These secrecy agreements aren't put in place just to spare an individual company's blushes. Releasing the details of an exploit before there's a fix available would be irresponsible, instantly putting every vulnerable system out there straight into the firing line.

Rewarding the honest crackers

The contest was sponsored by TippingPoint, a security consultancy that runs its own Zero Day Initiative. This program is designed to keep significant exploits from leaking out into the black hat community.

Rewards are offered for exploits, and the more that you submit, the more you earn. It works like a frequent flyer program: you get points (as well as cash) for submitted exploits, and the more points you get, the more bonuses you receive – including access to the main security and hacking conferences, Defcon and Black Hat.

TippingPoint isn't the only company that rewards security researchers for finding problems with their products. Most operating system vendors are rumoured to pay well for undisclosed exploits (and they also have the legal wherewithal to make sure that non-disclosure agreements stick).

The goal of these payment systems is to patch the holes in the software before a piece of zero-day malware gets out there, ready to use the exploit to compromise systems all over the world. If it means paying for an exploit, then that's what it takes to make sure that millions of users are secure next time Patch Tuesday or its equivalent rolls around.

We may not all have our own tiger teams of security analysts and hackers, but the legal hacking tools and legal hackers out there certainly make our networks and PCs safer. They're everyone's penetration testers, finding the weak spots in our increasingly important – and always vulnerable – networks and making sure that the white hats get the information about them first.

Vulnerabilities need to be discovered and patched to avoid being turned into exploits. If there were no legal hackers out there, black hats would have even more ways to threaten our PCs.

-------------------------------------------------------------------------------------------------------

First published in PC Plus, Issue 278
