It Takes A Hacker To Catch One - InformationWeek
Business & Finance
04:25 PM

It Takes A Hacker To Catch One

As malicious hacking grows, the industry fights back, training future security pros to think like their adversaries

Information technology professionals have been conditioned to think defensively, draping their networks with sensor-studded barbed wire and using firewalls to lock down doors and windows. Another school of thought advocates a more proactive approach to security.

New York IT consulting and job-placement firm Prime View recently held its first "Hacking-Defined Training" course, aimed at retraining laid-off IT workers in relevant and marketable skills, security being top of the list. The 10-day course goes beyond security technologies and principles, teaching students to write exploit code and hack each other's computers.

Latest Threat
Security pros and network administrators are learning the hard way that even their security vendors are having difficulty keeping up with today's malicious hackers. Cisco earlier this month issued the latest advisory for a serious Internetwork Operating System, or IOS, "heap-overflow" vulnerability that could let hackers get control of routers and switches running certain versions of the software. The heap-overflow advisory was the third security advisory Cisco issued that same week; others affected certain Cisco Airespace Wireless LAN Controllers and Cisco intrusion-prevention system devices configured by IPS Management Center version 2.1.

Mati Aharoni wants students to be able to think like hackers because he believes technology alone won't stop them.

Mati Aharoni wants students to be able to think like hackers because he believes technology alone won't stop them.

Photo by Sacha Lecca
Prime View's weapon is Mati Aharoni, lead penetration tester with Israeli IT-security education firm See Security Technologies Ltd. Aharoni has students take a hands-on approach to learning security. "Technology itself will not stop a hacker," says Aharoni, who wears a black T-shirt with white lettering that reads, "Not Even Norton Will Protect You." "Instead," he says, "you have to use induction to understand what it takes to secure a network."

Aharoni describes to his students the components of a basic hack, where an attacker would exploit a user login program written to accept a 64-character name. If the programmer didn't include a command to reject any login greater than 64 characters, an attacker could input a 100-character login and break the program, possibly overwriting memory within it.

Hackers use several tools to search for and exploit victims. They write or borrow other hackers' "fuzzer" code that can be unleashed on programs to look for vulnerabilities in that program's code. They use a reverse shell, which tricks a program into sending the attacker a command prompt for logging in to that program. From there, the attacker can break in and remotely access the program's features and data.

Attackers also use Web sites that offer free shell code. Metasploit, an open-source project for developing, testing, and using exploit code, lets hackers copy this code right into their own scripts. "What should make you really paranoid is that these are the bugs that the hackers tell you about," Aharoni told his class. "For every exploit released, you have two that are not."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
2018 State of the Cloud
2018 State of the Cloud
Cloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Tech Vendors to Watch in 2019
Susan Fogarty, Editor in Chief,  11/13/2018
Getting DevOps Wrong: Top 5 Mistakes Organizations Make
Bill Kleyman, Writer/Blogger/Speaker,  11/2/2018
AI & Machine Learning: An Enterprise Guide
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  9/27/2018
Register for InformationWeek Newsletters
Current Issue
The Next Generation of IT Support
The workforce is changing as businesses become global and technology erodes geographical and physical barriers.IT organizations are critical to enabling this transition and can utilize next-generation tools and strategies to provide world-class support regardless of location, platform or device
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll