Stuart Coulson, Secarma
Chris - Most people want to keep hackers out. So the idea of paying them to attack your computer system sounds utterly mad. But this is a growing industry and it’s now worth 200 million pounds annually in the UK. The idea is to use these legitimate attacks to try to find and plug security breaches in systems. It goes by the name ‘ethical hacking’ although not everyone likes to call it that, including Stuart Coulson who is from Secarma, a company that specialises in doing just this…
Stuart - I personally don’t call it ‘ethical hacking’, I would call it ‘ethical security testing.’ I think that’s actually a more accurate title for it. The H word means many things to many different people. The general media would try and put the word ‘hacker’ as being some mastermind criminal who’s out to get your credit card details and deface your website. Ethical security testing is a much easier thing to actually digest. We are invited in by organisations to come and test their systems, their infrastructure, their websites potentially, just to see if they have holes, vulnerabilities that someone can easily exploit, someone who can easily use a tool off the internet, they’ve downloaded it and walk through a website and potentially pull out credit card details, usernames, passwords, or anything which is sensitive off that website.
Chris - So if I give you the URL of our website, nakedscientists.com, you could run a scan to see if you can penetrate that or look for loopholes, areas where we might be vulnerable for example.
Stuart - Not a problem at all. It would be quite a simple thing for us to do. We’ve got the tools which are on the machines in front of us here. We use several tools, so we’ll set several off at the same time. If you want, we’ll set one off now for you if that’s okay?
Chris - Thank you, got a free security check into the bargain. Where do you get people from who can do this though? Because as a friend of mine once said, the only thing you can do with someone who writes computer viruses is to hire them and turn them into writers of anti-virus software. Is it the same for doing what you do? You have to get people who are very good at breaking into the systems and hire them because they all know how to stop people getting in.
Stuart - There's a very big debate at the moment, which has been circulating around, about “hiring the hacker”. There are quite a few people who say no, a lot of people say yes. I've got a guru here with an amazing skillset. Is it well worth using them? Absolutely. However, you always have to think about that, the ‘ethical’ word. The chaps that we use within Secarma have gone away and done a training course from a company called EC Council and they hold the CH certificates, “Certificate of Ethical Hacking”. So, they’ve actually gone and turned themselves from what I would say were “tinkerers”. The chaps that we’ve sent off on the course are “tinkerers”. One of them, who I've been working with closely at the moment, he’s our hard drive recovery specialist. So he’s well used to being around this environment and obviously he’s just turned his skillset into a new skillset of looking after and exploiting websites.
Chris - If I were actually to engage you professionally, how would you approach that? How do you effectively come and size up an operation, and work out where the vulnerabilities are?
Stuart - The first thing we have to do is work out what it is you're actually trying to achieve. For example, something like nakedscientists.com, you’ve got a very simple website. There's a lot of material on there and also users can be, within that, on your forums for example, so you may say, “Okay, we want to make sure that our forums specifically are safe.” The rest of the website, “Okay, don’t touch it.” So we’ll actually scope out the engagements. We’ll actually have a written scope from yourself just to say, “Touch these areas, don’t touch those areas.” And that’s where we start from the specifics of it. We’ll also then talk to you about what attack methods you want us to use. Do you want us to overload the database and potentially get it to fall over, or do you want us just to do almost like a light touch on it? From that, we then go into a reconnaissance phase and this is where we’re now in control. We’ll do two things. We do a passive and we can do an active.
The passive is where we basically don’t touch your website at all, so we go to the public domain, have a look at email accounts, what domain names link into this, whether there's nakedscientists.com, is there something out there which links into thenakedscientists.com which is part of your address domain. These are all very simple, Google searches almost of your site. We’ll also do an active scan as well, which is where we start touching the business. So we’re actually – the phrase that our chaps use is ‘rattling the doorknobs’. So we are knocking on the doors virtually of your environment. So we will actually be testing various things on the network. Once we finish that phase, we’ve worked out what doors are loose, if you like.
We’ll then go into a scanning phase where we’re actually looking at what you’ve actually got as an infrastructure, what is the operating system, so your listeners will be aware of things like Windows and Linux. There are other operating systems out there and we’ll be testing at the moment to see if we can actually work out whether you’ve got a specific flavour of an operating system. It may have some vulnerability because you’re using an older version for example, and that obviously will then give us the next step, which is gaining access. This is us getting through the vulnerabilities and actually doing something with your servers, trying to actually get access. Very, very simple tools, a lot of this is free software as well and published by what we call the ‘Black Hat’ hackers. So these are the cyber criminals of the world. We use a lot of their tools because we’re simulating what those guys are actually doing.
Chris - But doesn’t that require you to sort of step across to the dark side? Don’t you actually have to engage with the bad guys and effectively know them, in order to know what they're doing, so that you can then defend the good guys?
Stuart - We monitor, if you like, the bad guys, we monitor them on a permanent basis. We have to know what they're doing. We have to be one step ahead of the game. That’s the hardest part of our industry, to know where they're going to go to next. So when you have something as large as “Anonymous”, the hacktivist group, there's a couple of million people out to watch. There's no point in us going in with nice clean squeaky tools trying to test the Naked Scientists website when they're going to go in dirty and rough, and use any way which is loose to actually get into your servers.
Chris - Have you come across any scary situations where you’ve gone in and actually said, “We’re going to have to stop this right now because we have found you are so vulnerable. You're leakier than the Titanic”?
Stuart - We did a research paper recently. We were using Google searches and a year ago, we found millions of credit card details, full credit card details on the internet, as clear as you could see them. So we decided we’d run it again a year later just to see the state of the market and we were looking for personal details this time, how many organisations were leaking personal details of potential clients, and we found some absolutely horrendous stuff there. One of the companies, we actually phoned them up and said, we’ve been doing this scan off the internet and it’s just a simple Google search, and we’re literally looking at a copy of someone’s passport and his bank statement from 2011 and it was on a webserver, fully available, off the internet.
Chris - Now, what have you found in your quick scrutiny of our server? Are we leakier than the Titanic?
Stuart - Well, you'll be glad to know, you're not bad at all actually. One thing that you have got is something called SNMP. What SNMP basically is, it’s an announcement of who you are on the internet. So, what this is actually telling me at the moment, so I can tell you the version of your operating system, I can say what your network card is, I can even tell you the maker of the computers or servers that this is sat on. I can tell you every process that’s currently running off your server.
What else have I got in here... one of the web pages you’ve got on there has actually got an email address which I can also use as a contact by potentially phoning you up and saying, “Hi, my name is…” and I can get back into your business from there. The trick is how you now use it because obviously, I know a lot of information about the Naked Scientists servers and their infrastructure. The trick is what you now do with that information. That’s where it stumps your – what I would say, the 90%, the people out there who are just playing with being a hacker. The more serious guys will know what to do with this information, that’s where we would – if we’re taking this scan onwards, we would then use that as a potential target for someone to gain access.