IT managers learn to hack it


1 Apr 2003

A twentysomething in combats and an Old Navy T-shirt taps away at a laptop. To his right, a young woman enters commands into her own machine and gives a running commentary as lines of computer code appear staccato-style on a projector image on the wall.

There are grunts of recognition from around the table and occasional words of advice. “No, hit the back button on the browser … easiest way”. “I think you might have missed an ‘s’ there, that’s why it didn’t do it …”

Welcome to the frontline in the battle against computer hackers. A dozen IT security professionals from the cream of Ireland’s blue-chip companies are taking a day out to learn more about the latest tactics adopted by hackers to outwit the best minds and machinery ranged against them.

Since the birth of the internet, a fierce battle has been raging between computer hackers and those protecting corporate IT systems. It is a skirmish the hackers have not won, but in which they often hold the upper hand. At one time, attacks on firewalls and web servers were the standard launch pads for hacking attempts, but as organisations have tightened up their network security, hackers have been forced to look for other routes in. It is now web applications themselves that form the battleground, says Mike Harris, head of Ernst & Young’s Advanced Security Centre in Dublin, who led the seminar.

“Most organisations have learned the lessons that you have to set up your firewalls correctly, patch your servers and properly configure your underlying operating system. Worms such as the Slammer came out and those that hadn’t put a patch on their systems before certainly did so afterwards. What’s happening is that hackers are being driven to what’s available to them. And what’s available from most organisations? Websites and web applications.”

Web applications are the programs behind many of the common features we see on websites, from search engines to shopping carts. Where they differ from normal desktop applications such as Word, and what makes them potentially vulnerable, is that they are often written or modified by in-house developers for whom security is not a priority.

“What we’re doing on this course is targeting the common programming mistakes that are being made over and over by developers that put big, wide security holes in those web applications,” explains Harris.

Security loopholes in web applications leave organisations wide open to attack. One of the new types of attack being used to take advantage of them is called SQL Injection. Here a hacker gains access to information held in an SQL (structured query language) database by feeding the web application input that it pastes into a database query without checking it, so that the hacker’s text is executed as part of the query rather than treated as data. This can often give hackers access to sensitive corporate information, says Harris.

“I’ve seen issues where organisations have an e-commerce transaction-type website where someone has used SQL Injection to access customer credit card details. So this sort of thing does happen and it’s becoming more and more common because this is what hackers are being driven towards as firewall security improves,” he adds.
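To make the mistake Harris describes concrete, here is an added example (not code from the seminar or the article) in Python against an in-memory SQLite table of constructed sample accounts. `login_vulnerable` builds the query by string formatting, the way a hurried in-house developer might; `login_parameterised` is the same lookup with the values bound separately. The two payloads, a login bypass and a UNION that dumps the password column, are standard illustrations and are assumed for the demonstration; the table, names and card numbers are made up.

```python
import sqlite3

# Constructed sample data: a tiny user table, not taken from the article.
USERS = [
    ("alice", "correct horse battery staple", "4111-1111-1111-1111"),
    ("bob", "hunter2", "5500-0000-0000-0004"),
]

# Assumed attacker inputs: a quote ends the string literal the developer
# started, the rest is read as SQL, and "--" comments out the password check.
BYPASS_USERNAME = "' OR '1'='1' --"
DUMP_USERNAME = "' UNION SELECT username, password FROM users --"


def make_db():
    """Create an in-memory database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    sql = (
        "SELECT username, card FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn, username, password):
    """Hardened: the query text is fixed; the driver binds the values as data."""
    sql = "SELECT username, card FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def injection_regression_ok(conn):
    """Test-stage check in the spirit of treating the hole as a bug: the
    hardened login must return no rows for either attack payload."""
    return all(
        login_parameterised(conn, payload, "x") == []
        for payload in (BYPASS_USERNAME, DUMP_USERNAME)
    )


if __name__ == "__main__":
    db = make_db()
    print("legitimate login:", login_parameterised(db, "bob", "hunter2"))
    print("bypass, vulnerable:", login_vulnerable(db, BYPASS_USERNAME, "x"))
    print("bypass, parameterised:", login_parameterised(db, BYPASS_USERNAME, "x"))
    print("dump, vulnerable:", login_vulnerable(db, DUMP_USERNAME, "x"))
    print("regression check passes:", injection_regression_ok(db))
```

Run stand-alone, the vulnerable function hands back every customer’s card number for the bypass payload and the whole password column for the UNION payload, while the parameterised version returns nothing for either; the regression function is the kind of check that belongs in the test stage Harris refers to below.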

While the seminar gave security personnel the means to spot these attacks and ward them off, Harris emphasises that prevention is the best form of defence. This means addressing security at the product development phase. “You should treat security problems in web applications as bugs to be fixed during the testing stage of the development life cycle. It’s often said that to fix a bug during development costs one dollar but to fix it after the product goes into production costs ninety nine.”

Harris also believes that security professionals need to get better at networking and sharing tips and information, an activity that their adversaries – hackers – have elevated to an art form.

“As soon as a new hack comes out, it’s up on a website and everyone has it. If an organisation gets hacked, it doesn’t tell anyone for fear of negative publicity. Traditionally, information security has been a hush-hush thing but security professionals need to get better at sharing information with each other and in that sense they need to emulate the hackers,” notes Harris.

The fight against hackers involves not only addressing current security threats but also predicting where attacks will come from in the future. When web applications no longer offer the rich pickings they do today, the emerging area of web services, a type of middleware that provides a framework for web applications to interact with each other dynamically, is likely to be the new battleground in the hacking war, Harris believes.

“The security protocols for web services are still being developed. The [security] issues that you currently see with web applications are also going to apply to web services, possibly even to a greater extent. The concept of web services is that a business application is accessible from all over the web … So you’re opening up your core business functions to the internet and if you don’t have proper security in place you’re just opening the door wide for all the hackers to come in.”

While organisations are getting far better at defending themselves against attack, it’s a battle that will continue so long as hackers manage to find new ways to probe company defences.

By Brian Skelly