by Ondrej Krehel
Hacking is illegal. But when you hack a self-designed system for learning purposes, it's a different story. Doing this can provide a solid learning experience and help those in your educational community, your business or the world at large. Often these kinds of self-produced hacking attacks are put on by computer investigators and draw big crowds on the forensic conference circuit. They demonstrate how systems are broken in real time, on the fly—and offer solutions for protecting against such attacks.
But what happens when the target of an educational attack is unaware that they’re under fire? What happens when it's a popular website or a million-dollar desktop program? The moral line gets a little blurry.
Recently Twitter was auto-hacked as a kind of educational experiment. An add-on called Idiocy hacked accounts that were posting on http://www.twitter.com rather than https://www.twitter.com—the latter being the secure site connection—to ostensibly “teach” the users that they should always roll securely. A little harsh? Maybe. Effective? Definitely.
While one should never break the law, many—dare I say most—security tools and practices were born as a response to a hacker attack. Hackers help security professionals stay sharp. If the hacker is going after a site or account without malicious intent, I tend to think of them as doing the developer—or the system—a favor. The next hacker might have different ends in mind. Not a lesson anyone wants to learn when, say, a bank account is being drained or other important information is on the line.
There should be rules, though, or at least one big one: If a site or program is broken, the vendor should know about it and be given ample time to fix it before the information is released to the public. Once they know about it, the ball is in the developer’s or designer’s court. But if they know about it and don’t act, sometimes a public release of the information or the mode of attack can apply needed pressure. That was the case with the Twitter virus in September. Twitter officials knew about the issue for months but didn’t move on fixing it until a colorful hack made headlines.
The bonus effect of hacking to educate is that it informs and furthers development. Metasploit and Nessus started as hacking and exploitation tools, became commercialized and are now two of the industry-leading security tools in vulnerability assessment and exploitation. Hacking in this case is—forgive the cliché—like planting a seed. Which is to say that hacking, when not used for malicious purposes or ill-gotten gain, produces information—information that can be helpful and ultimately protect you from future attacks that might not be so kind.
Ondrej Krehel, Chief Information Security Officer, Identity Theft 911
Ondrej has more than a decade of network and computer security experience. His expertise extends to investigations of intellectual property theft, massive deletions, defragmentation, anti-money laundering and computer hacking. He led U.S. computer security projects at Stroz Friedberg and worked in IT security at Loews Corp.