License to hack? - Ethical hacking


If the term hacking means to cut or chop roughly through a computer system, then how do you perform it without damaging the software? How can you ride roughshod (hack) between applications, memory and operating systems, while other applications are live and available to the business, without causing any problems for the operators?

That's at least one dilemma for the modern ethical hacker. To distinguish ethical hacking from the coke-fuelled, bedroom-dwelling teenage hacking of legend, it must be done in the absolute knowledge of the target, and in such a way that any resulting damage is predictable and repairable.

"There is a sense of frustration in that if you were given a completely free hand there's a lot more you could do."
Paul Vlissidis

"The term was coined by IBM years ago", says Peter Wood, chief of operations at First Base Technologies. "It's meant to imply a broader church than just penetration testing, which is the traditional term. ‘Hacking’ has become the trendy term for it, but what I say to a client is 'You're asking us to impersonate a criminal to try and see what your business's defences are like but without the risk of actually being attacked by a criminal'; hence the ethical bit."

The Ethical Hacking Council defines it like this: "The goal of the ethical hacker is to help the organisation take pre-emptive measures against malicious attacks by attacking the system himself; all the while staying within legal limits."

The path from penetration testing to ethical hacking is well understood. "If we are doing a black box penetration test and it's unannounced – where the customer wants to see if they can spot us trying to get in, that their alerting systems are up to scratch – then we tend to refer to that as ethical hacking", explains Paul Vlissidis, technical director, NCC Group Secure Test.

"Penetration testing is the commercial term but ethical hacking is quite often asked for by the customer and you are essentially doing the same things", he adds.

No limits

Yet the devil is in the details, as they say. Penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects and patch installations, for example – while ethical hacking, which will likely include such things, is under no such limitations. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives' dustbins or even breaking and entering – all, of course, with the knowledge and consent of the targets.

"There's no defence in our hacking laws that your behaviour is for the greater good. Even if it's what you believe."
Struan Robertson

"We go through a very rigorous rules of engagement process", explains Vlissidis. "What is off limits?

"It's a little bit contrived. If you were a ‘baddy’ you'd utilise your full range of creative talents. We have to play by the rules; you can't just go ‘off piste’ when we feel like it. Anything that might cause a legal breach and, usually, a disruption to the customer's services is off limits."

If an ethical hacker is unable to bring all the available tools to bear, how can a client really know their systems are secure?

"There is a sense of frustration in that if you were given a completely free hand there's a lot more you could do", says Vlissidis. "But the further you go down that road, the more likely you are to tread on sensitive legal territory, and the more likely you are to cause denial of service failures to the customer.

"I don't just mean knocking systems over, but maybe locking out accounts might be a very serious issue. We do have one hand tied behind our backs, it is fair to say", he adds.

Some enterprises do want to answer the simple but far reaching question "Are we secure?", explains Vlissidis. "We [might] get asked to combine social engineering with hacking. That could include breaking into an office, or tailgate in, and then planting unauthorised wireless access points on the network and hack in from the car park."

Vlissidis is always aware of the boundaries of where an ethical hack becomes a hack. "There is a key difference. If we do a physical test to see if we can get into a building or gain information, the criminal would just go ahead but we have to consider the rights of the employees, we have to consider the legal issues, we can't bribe or threaten people like a criminal would, of course. But we offer as close an approximation as we can", he explains.

"If you take down a critical service – particularly in transaction business – the financial cost of that can be colossal."
Neil O'Neil

Breaking point

To show that a system is secure beyond mere theory, surely you must test it to the point at which it breaks. To try and replicate some of the destructive techniques a real attack might employ, ethical hackers arrange for cloned test systems, or organise a hack late at night while systems are less critical.

"If you take down a critical service – particularly in transaction business – the financial cost of that can be colossal", says Neil O'Neil, ethical hacker and principal digital forensics investigator for the Logic Group. "You do passive and aggressive tests. You'd run passive if it's a critical system and going down isn't an option. But for an aggressive test you may run in off-peak hours, 3am on a Sunday morning, for example. Run when the least disruption will take place. Even then, they are probably executing an end-of-day batch for all their transactions, so you have to understand the systems.

"The very first thing an ethical hacker does after signing the agreements is talk with the engineers, get the network diagrams to find out what they think they've got, look at the environments and make an inventory of the current systems."

So how close does ethical hacking get to reality? "In 95% of cases it's very accurate. If you are concerned the cleaning company could gain access to the system, we can impersonate a cleaner, but what we can't do is test whether the cleaners are open to being bribed or not, because that would be illegal", says Vlissidis.

The BBC’s (un)ethical hack

The BBC was in technical breach of the law earlier this year when, by prior arrangement, its Click programme used an illegal botnet to send spam and deny service to a website owned by security company Prevx.

The programme has said that the activity would only be illegal if those behind it had 'criminal intent', but Struan Robertson insists that this is not true.

"The BBC appears to have broken the Computer Misuse Act by causing 22 000 computers to send spam. It does not matter that the emails were sent to the BBC's own accounts. Criminal intent is not necessary to establish an offence of unauthorised access to a computer", he said.

"The Act requires that a computer has been made to perform a function with intent to secure access to any programme or data on the computer. Using the botnet to send an email is likely to satisfy that requirement. It does not matter that the BBC's intent was not criminal or that someone else created the botnet in the first place", says Robertson.

"The maximum penalty for this offence is two years' imprisonment, but it is very unlikely that any prosecution will follow because the BBC's actions probably caused no harm. On the contrary, it probably did prompt many people to improve their security", he concludes.

Legal distinction

In such circumstances ethical hackers might be considered digital versions of private investigators or investigative reporters. However, the unwary can come unstuck and clear rules of engagement are essential to ensure the law is not broken.

"Broadly speaking, if the access to a system is authorised, the hacking is ethical and legal. If it isn't, there's an offence under the Computer Misuse Act. The unauthorised access offence covers everything from guessing the password, to accessing someone's webmail account, to cracking the security of a bank. The maximum penalty for unauthorised access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data", explains Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com.

Unauthorised access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. "There's no defence in our hacking laws that your behaviour is for the greater good. Even if it's what you believe."

It's an interesting legal distinction and it has tripped the unwary, as the BBC's Click programme discovered when it used a live, criminal botnet to illustrate an email-spam and denial of service (DoS) attack (see box-out).

"You take a big risk in breaking those laws. The merits of your crime could be lost on a judge", says Robertson.

Such is the fine line of legality that it turns out ethical hackers might be criminals after all, simply by creating software tools to do the job. The Computer Misuse Act also makes it an offence to make, adapt, supply or offer to supply any article which is likely to be used to commit, or to assist in the commission of, a hacking, unauthorised modification or DoS offence.

"There is no cause for alarm, though", says Robertson. "Such prosecutions are very unlikely to take place, in my view."
