Computer Crime Research Center


'Hacking is a felony': Q&A with IBM's Charles Palmer

Date: April 19, 2004
By: Dr. Charles C. Palmer

(CNN) -- Dr. Charles C. Palmer is the manager of Network Security and Cryptography and head of the Global Security Analysis Lab, which includes IBM's ethical hacking unit.

1. How do you define hacking?

Hacking is unauthorized use of computer and network resources. (The term "hacker" originally meant a very gifted programmer. In recent years though, with easier access to multiple systems, it now has negative implications.)

2. Are there appropriate forms of hacking?

Hacking is a felony in the United States and most other countries. When it is done by request and under a contract between an ethical hacker and an organization, it's OK. The key difference is that the ethical hacker has authorization to probe the target.

3. What do you and the other members of your team do?

(We) work with IBM Consulting and its customers to design and execute thorough evaluations of their computer and network security. Depending on the evaluation they request (ranging from Web server probes to all-out attacks), we gather as much information as we can about the target from publicly available sources. As we learn more about the target, its subsidiaries and network connectivity, we begin to probe for weaknesses. Examples of weaknesses include poor configuration of Web servers, old or unpatched software, disabled security controls, and poorly chosen or default passwords. As we find and exploit vulnerabilities, we document if and how we gained access, as well as if anyone at the organization noticed. (In nearly all the cases, the Information Systems department is not informed of these planned attacks.) Then we work with the customer to address the issues we've discovered.

4. What is the background of the people on your team?

We have Ph.D.s in physics, computer scientists, and even one former photographer with a fine arts degree. They are all well-known, highly respected system security professionals from around the world. Most of them did not start their careers in this area, but ended up doing computer and network security because they were provoked by hackers at one time. Once they started on the road to improving security, they got hooked on the challenges it presents.

5. In "Helpful Hacking" from IBM Research magazine in 1997, you are quoted as saying you don't hire reformed hackers and "there's no such thing." Could you explain?

The number of really gifted hackers in the world is very small, but there are lots of wannabes.... When we do an ethical hack, we could be holding the keys to that company once we gain access. It's too great a risk for our customers to be put in a compromising position. With access to so many systems and so much information, the temptation for a former hacker could be too great -- like a kid in an unattended candy store.

6. Is it fair to say that you are opposed to hacking?

As I said before, hacking is a felony -- for good reason. Some of the "joyriders" -- hackers who access systems just for the challenge -- think it's harmless since they usually don't "do" anything besides go in and look around. But if a stranger came into your house, looked through everything, touched several items, and left (after building a small, out of the way door to be sure he could easily enter again), would you consider that harmless? These joyriders could be causing damage inadvertently since just by their presence they are using system resources.

7. Do you think hacking can be useful?

Hacking can be useful in a controlled environment where there are ground rules and contractual agreements.

8. Do you have a profile of the typical hacker?

The profile has broadened in the last couple of years to include many types of people, which makes it very difficult to call out a "typical" hacker. The motivations behind hacking have changed (see Answer No. 11 below). No longer are hackers limited to the teen-age, soda-slurping misfits, although they're probably the majority. There are girls and even younger kids. Many companies think all hackers come from outside, but surveys continue to show that the threat from inside an organization is greater than from outside. So if your system is compromised, it could be a Gen-Xer sitting in a dark apartment, or the woman in the cubicle next to you.

9. There have been reported instances where corporate security personnel have tracked hacking back to the source, broken in and stolen computers, or even used force. Do you endorse "vigilantism" as a response to hacking?

I've heard those stories, too, and I don't believe most of them. It makes zero sense to respond to an illegal attack with another illegal attack. First of all, it can be very difficult to accurately determine where an attack comes from. Whether they end up retaliating against the right or wrong person, they've committed a felony and are just as guilty as the original perpetrator. It's no different than other forms of vigilante justice.

10. What about attacking Web sites that list hacking scripts?

Again, any attack is a felony. It's a First Amendment rights issue as well. Where do you draw the line? Attacking adult sites? Attacking spammers? It makes more sense for corporations, schools and other organizations to try to block access to those sites.

11. Can you characterize the nature of most hacking attacks?

A few years ago, the original motivations were pursuit of knowledge and the desire to "show off" one's skills. Now, there are new lures of money and power. However, the statistics can be misleading, so many of these incidents go unreported due to lack of detection or fear of further losses due to tarnished image and credibility.

I believe that the majority of hacks are still motivated by curiosity and a desire to point out system weaknesses. However, as organizations have been finding, most of today's threats come from within the organization. According to a recent META Group study, current figures indicate that recent breaches of security within Information Technology organizations occur internally 58 percent of the time. The threat from the outside is rising at a steady rate, though.

12. Is there a trend in these attacks?

Denial-of-service attacks and macro-viruses are the most popular hacker activities. The denial-of-service attacks are fairly easy for hackers of all skill levels -- from "script-kids" to professionals -- to launch. This is a situation where a company's Web site or online service is simply made unavailable by a hacker overtaxing the system resources. It doesn't sound that harmful, but there can be serious monetary and image losses attached to this. If you want to buy a book and you go to a popular book-selling Web site and find that site unavailable, chances are you'll try the next most popular book Web site. There's simply too much competition on the Internet right now to overlook security needs. These denial-of-service attacks are particularly troubling because they are hard to defend against. There are defenses available with firewall products from IBM and other companies, but there can be denial-of-service attacks from inside as well, which lends credence to the argument for Intranet firewalls.

13. Where does the real threat of hacking lie: in the private sector, in government or somewhere else?

The widely reported attacks against government sites are troubling, but it's a good bet that the government would not have any sensitive information on a machine connected to the Internet. An unfortunate side effect of these reports is that people end up thinking that securing systems and networks is hard. It's not hard, but it does take time and training, and it's an ongoing process to stay one step ahead of the bad guys.

Corporate espionage is also a threat, but not in the glamorous way portrayed in the movies. There, the threat is from the inside. There have been many reports of employees purposely sending proprietary information outside the company to other companies, perhaps just before they themselves move to that company. The greater connectivity that employees have today also leads them to inadvertent leaks via e-mail.

14. To what extent is cyberterrorism a genuine concern?

There is little motivation for industrial control systems like those running nuclear plants or airports to be on the open Web. They may have dial-up access or private networks within the organization that would be susceptible to attack from the inside. IBM has found that it can be quicker and cheaper to attack a target physically, rather than digitally -- we've nonchalantly walked into businesses, snooped around, and walked out with confidential material (once with the security guard holding the door for us!). And there are many examples of unfortunate accidents that resulted in very effective "attacks." The most common example is the "backhoe attack," where an errant heavy-equipment operator accidentally cut a communications cable.

... I don't think we are "at war," because in this problem the enemy includes ourselves. We view it more as a race -- we're all trying to stay a few steps ahead of the threats ... through improved education and technology. ... The good news is that people are thinking about these issues, and some groups appear to be taking action.

15. What about responses such as the recent Pentagon counteroffensive that redirected hackers' attack to an applet that caused their browsers to crash? Is that an appropriate response to...

2010-10-20 13:49:37 - booooooooooo! this site sux!!!! buttttt
2004-04-27 20:48:06 - Computers are not very friendly now. J.E.O.