It Takes A Hacker To Catch One

As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries
Fear Of The Unseen
In fact, the greatest threats are those no one sees. Some attackers find a vulnerability and develop an exploit without sharing their work. Now they've got a secret that they can use at a particularly inopportune time, Aharoni says. The severity of these unseen threats has led him to incorporate principles from the military treatise "Sun Tzu On The Art of War" into his teachings. One principle reads, "If the enemy leaves a door open, you must rush in." Prime View president and chief technology officer Victor Natanzon agrees with this analogy. There are several ways to enter through a door, he says. "You can use a key, a sledgehammer, or you can remove the hinges."

For one exercise, Aharoni has his students search for bugs in Ability Server, a low-end FTP server made by Code-Crafters Software LLP. Aharoni has let Code-Crafters know he's using its product in his exercises, and the company hasn't asked him to stop. Once students find bugs, they're expected to write working exploits that attack Ability Server. The purpose is to demystify what hackers do and how they operate, Aharoni says. "You cannot defend properly unless you know how people attack," he says. "I try to instill a sense of paranoia in my students."

In another exercise, students use exploit code downloaded from the French Security Incident Response Team Web site to hack into Microsoft Windows 2000 Plug and Play Universal Remote, creep across their local network, and reboot other students' PCs. FrSIRT is a research group that publishes information about networked computer threats.

It's an eye-opening experience that Aharoni's students hope will give them an edge in the security job market. "I'm amazed at how easy it is to gather information on potential targets," says Benjamin Pearlman, who worked as a quality-assurance tester for AT&T and is now in Prime View's retraining program. "In order to be protected properly, you have to think about how a system can be broken into."

Eye Opener
Bessalel Yarjovski, who has more than 20 years of experience in the IT world, is taking the retraining course, too, with the hope of landing a job as a chief information security officer. "The class is opening my eyes not to new technology but to how easy it is to do these exploits and how many there are," says Yarjovski, who has worked as CIO of CareerEngine Inc., a network of career Web sites, and as chief technology officer with iVillage Inc., which runs a multimedia site addressing women's issues.

The class isn't all gloom and doom. Aharoni addresses several ways that application and network security can be improved. One is to write programs that control the type and amount of information that users can input, so hackers can't add too many characters. Another is to improve QA testing after a program is written by applying hacking-defined methods to the code.

With any luck, the 12 students in Aharoni's class will be just the first in a new generation of IT workers who are up to challenging the malicious hackers who have shown an ability and willingness to endanger anyone the Web touches.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing