Jamey Heary became involved in security in the mid-1990s when his employer, an equity trading firm, became the first in the industry to introduce Wi-Fi to the trading pit. Wireless security was in its infancy back then, and the company commonly saw other firms on the trading floor jumping on the networkoften unwittinglyand spreading worms and viruses. That ushered in the beginning of his career doing battle with computer viruses and online hackers. Heary is now a security consulting systems engineer at Cisco Systems, where he leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. He is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access, and is a regular security blogger for Network World. I spoke with Heary about how far companies have come in securing their networks, why some hackers are so successful, and whether we will ever be one step ahead of the bad guys.
Why are some hackers so successful? Or perhaps the question should be, why are people gullible enough to fall for hackers' traps?
People think about using computers as tools, as opposed to something that could be vulnerable, especially if the [user] company doesn't specialize in technology. Doctors want technology to make their jobs easier. If you give doctors a tablet PC, they don't want to log in 15 times a daythey want to stay logged in all the time. They don't want a screensaver to come up. I look at my parents, and they're not computer savvy; every time I go home I have to clean their machine up.
Aren't the consumer security packages enough?
Antivirus packages today offer around 40% protection; the other 60% [of threats] they let in. Most people don't realize that. The reality is, for today's types of attacks you need antivirus, you need anti-spyware, you need malware protectionthey all do different jobs. If you click on a web link that has cross-site scripting, that's normal behavior, and an antivirus is not going to be looking at that part of the operating system at all. [The script] then downloads a file, and that file can be named anything; they are polymorphicsomething that can change its appearance on the fly. One demo I like to do is to bring up a virusthe "I love you" virus, which made a big splash in 2000a nine-year-old virus. I launch it, open it in Notepad, move some stuff around, recompile it, launch it againand the user can't see it. That's all it takes to take a nine-year-old virus and get it out of view. So that's why antivirus only offers 40% protection.
What are the most common security mistakes that companies make?
The internal networks are basically wide open, and there is a lot of trust between machines. The mentality is to think that the outside is protected and the inside is trusted, but the annual Computer Security Institute/FBI survey always shows that internal vulnerabilities are one of the top concerns. It's like the inside of your houseyou don't worry about your employees. When admins set up the machines, they don't think about whether the machine talks to the Internet, but social engineering attacks enable anyone to go inside. You get into one box, and you get inside the whole place.
If you had a badge on, nobody would know [you were an attacker]. You'd say you were an electrician, and people would let you in the data center. We have a local hacker group, and one of the guys said, "I need to develop an application that would allow me to print badges wherever I am." He had 2,200 different badges from different companies. Any badge you want, and he could print it out.
At the external perimeter, I would leave it alone; that's about as secure as it's going to getassuming you're going to get hacked anyway. But internal is complete chaos.
It seems a lot of successful attacks, such as phishing, use social engineering. As a security professional, it seems that you'd need a degree in psychology to help you understand the mind of a hacker.
I happen to have a psychology degreeI have a degree in computer science and a degree in psychology. I love psychology, as it teaches you how the human brain thinks, and that has helped tremendously [in my work]. If you can solve the social engineering aspect of hackingboy, would you be way more secure.
How are you teaching your customers about being wise to social engineering by hackers?
Being a vendor, you need to talk to customers in a way that is personal for them. If they've had an outbreak, that would last two weeks and it would go away, and they would forget about it. You have to make it personal so they won't forget it. If you hack into the CXO's computer, that makes it personal.
I coach my customers to hack their networks. I've had customers do everything. A hospital customer told me that their physical locks are usually open and their warehouses are full of protected health informationsocial security numbers, medical records, and sometimes credit card records. I said, "Why don't you make it personal, and go and take some?" They social-engineered their way in there with easesomeone even opened the door for them. They took a box of data and left it under the desk of the CTO, who came in the next day and saw file after file after file of protected health information.
Do you think we could ever be one step ahead of the bad guys?
Nope. You'd have to change so many things, including the social engineering aspect, in such a dramatic way that I don't think it would happen. You'd have to come up with a way to maintain secure code and to maintain complexity. But with the social engineering aspect, [we're not going to be ahead] for the next 50 years.
Can the blame be apportioned to developers, as security may not be top-of-mind when they're developing software?
For sure. Microsoft is pooling millions of dollars to make its code secure, relying on coding practices and expensive testing tools that pick up on vulnerabilities. But even with all that, you still see bugs in Microsoft Windows 2008. They're a smart company and they still can't get it right. With the poster child, Apple, the Mac has not been a targetbut that doesn't mean it's more secure. But now that Macs have a 9% market share, they're starting to become a target, and you're seeing Apple come out with security packages.
Which hacker do you most admire?
Joanna Rutkowska, because the things she's doing are very cutting-edge. The big thing she is focused on is hacking into virtual machines. Virtualization is being developed without a thought to security. It's the worst security risk ever. Companies are putting VMware on servers, loading into one box up to 10, 15, 20 servers that used to be separate. If you can hack into the hypervisor, you own all the servers. You get into that box, and you get into all the boxes in the virtualized network. The servers are in a matrix and they only hear the hypervisor. Rutkowska has hacked into virtual machinesan open source virtual machine that is used by some of my big customers. She's put a blue pill [a rootkit that allows potentially malicious code to covertly take control] on a hypervisor to hack into the host hypervisor. She's published the source code.
Rutkowska is a white-hat hacker who has hacked into virtual machines. Have black hats hacked into them?
You wouldn't know if a black-hat hacker has done it. How would you detect their presence? You can't. Other researchers have tried to dispel this [idea that VMs are safe]. Virtual machines aren't super-vulnerable, but they are hackable.
Is it ethical for hackers to publish source codes of attacks or vulnerabilities?
Time and again we see security researchers find vulnerabilities and give vendors notice, and the vendors don't do anything about it. So what do the hackers do? Do they post the source code, or do they give the vendor time to fix it? It's de facto that vendors don't do anything about it, or it takes months for them to develop fixes, unless there is a massive influx of exploits.
Why does it take vendors take so long to come out with a fix?
It depends on the severity of the vulnerability. They've got to deal with the big fish first. But if you read some of the hot-fix write-ups, several of them are given low severity, but then you read that the vulnerability enables a hacker to gain admin privileges. The vendor has given it a low severity because the likelihood of an exploit happening is low, but that doesn't correlate with the damage it could do.
Linda Leung is an independent writer and editor in California. Reach her at firstname.lastname@example.org.