Good midday, 54.196.72.162.
Today is monday the 23rd of October 2017. The time is 13:39:26 and it's week number 43.

(2010-07-14) It’s just not fair!


You may think of them as super-geniuses doing the impossible, villains bringing the Internet to its knees or heroes “sticking it to the man”.

Forgive me for not being impressed, but I never have had any high thoughts about those so called “hackers”. I’m talking about “hackers” in the meaning “people that attack and subvert IT-systems” not the positive term meaning “computer wizards”.

My sympathy goes to the embattled system administrators fighting an unfair fight to keep systems secure. Ok, let’s be honest. My beef is not with the people finding, documenting and communicating vulnerabilities to the world. They deserve a big collective thank you-note. I’m just tired of how media tries to give the cyber-villains an almost godlike status. They miss out quite a few things about how tilted the balances are.

Here’s my (incomplete!) top 10 list why hacking is so unfair to us defending the networks. When I use the term “we” I refer to any organization, corporation or group of people owning an Internet presence that they’re trying to keep secure. This essay covers a general view of security problems that we all can relate to, not a state of any specific entity.

10. We can’t see them in their true form – they see us only that way

“The ultimate in disposing one's troops is to be without ascertainable shape. Then the most penetrating spies cannot pry in nor can the wise lay plans against you.”
- Sun Tzu, “The art of war”

We, the defenders, have a shape and a size. As does the systems that we seek to defend. The assets we protect are most likely physical to a certain degree. Consider the cost of finding information about us: it’s relatively small. We want to be found as we want to be seen. Hackers prefer to be anonymous and hard to trace. You do the math.

9. They’re simple – we’re complex.

“Fatal accidents never have just a single cause, they happen at the end of a whole series of errors.”
- Charles Stross, “The Fuller memorandum”.

As the size of the organization grows, so does the complexity. But don’t forget that time works against us as well. We install new servers, setup support systems, install applications, add functions, add features and create our own programs and scripts. Over time many of these become obsolete, forgotten or we may stop developing them. We may not even remember if they’re in use or who used to be responsible for their care. Complexity increases exponentially, since systems interact and all components have the potential to affect each other. Especially if we know they shouldn’t be able to. Then we won’t even consider the possibility. Let me give you a list of places where vulnerabilities appear. It’s mercifully short: everywhere. However one type of vulnerability that gets way too little attention is the misconfiguration vulnerability. But I digress.

A good hacker generates just a modest amount of information in our logs that he then tries to remove. In a flood of legitimate activity his actions tend to vanish. Especially if he understand the concept of time (See point 5)

8. They can pull the plug – we can’t

“Beware lest you lose the substance by grasping at the shadow.”
- Aesop

There’s an episode of the TV-series “NCIS” where two of the characters find out that a virus is running rampant on one of their computers. They scramble to stop it the way Hollywood always deals with this situation: by letting the characters frantically hammer the keyboard while going through various stages of panic. Finally their boss walks in and pulls the plug on the computer, solving the problem in the best possible way.

If this is a good idea in real life is hard to say. If you pull the plug you risk losing logged activity not yet written to disk and you may make the hacker to realize that he’s been caught. The calling card of a good hacker is not leaving one. But they may feel the need to erase all logs and evidence if there’s a risk that we’re onto them. So instead of a few “doctored” logs, missing relevant data, we might end up with nothing. Or we might cut them off before we get enough information about what they’re up to and how far they come.

Then there’s the problem with shooting ourselves in the foot but shutting down the network. We kind of need our network and our servers running in order to exist and make money, right? Hackers can drop of the network, lay low and then find a new proxy or connection to strike from.

7. Neither of us have a full overview – They don’t need one

“Every solution breeds new problems..”
- One of Murphy’s laws.

Knowing the land should be our advantage. The hackers have to figure it all out, but we already know everything, right? Maybe. Hopefully.

The problem is that we may have this advantage, but they don’t need it. Before a hacker strikes, he or she does some serious background information gathering … or not. We have to understand that the attacks may not target us specifically. Hackers have their reasons. Often the fact that we have a fast enough network, people trust us and that we have computational power in the form of servers can be reason enough. Automated SQL-injection scripts scour the Internet for vulnerable web/application servers they can exploit and use to attack unsuspecting web surfers trusting them. Or we could have an attacker targeting us that actually needs to do some research about us. Either way, they only need enough information about us to find a way in.

Our security cannot be based on withholding as much information about ourselves as possible. This is “security by obscurity”. But we can use it as a way to make us a tougher target and to win a bit of time. Time that is wasted unless we can also detect them.

6. Hackers have one goal

Concentration is the secret of strength.
- Ralph Waldo Emerson

We have a lot of goals. If we’re a political organization, reach out is an important one. If we’re commercial, the bottom line is king. We also have many smaller goals, mission statements and requirement to attend to. A hacker has one or a few.

We have one thing in common, though: a finite amount of resources.

5. Time is on their side

“Ability is of little account without opportunity.”
- Napoleon Bonaparte

How time works for an attacker depends on their goals. A hacker that needs to get full access to a network may take over one server or a PC and then use it as a bridge head. This allows the hacker to try to monitor network traffic or to attack other systems. He might be able to take over a PC and make it crash. After a while, when it’s back online, he can connect to it again and harvest the passwords-hashes. It’s quite likely that an administrator has logged on to restore the PC, and thus stored his password on it. If the hacker lays low and let some time pass between every action, he can use the time to his advantage. Any suspicious pattern drowns in the sheer amount of data being logged and the logs eventually roll over and it gets deleted. The key is that a good hacker working to get into the network of a known target lays low and awaits opportunities. A hacker just searching for any vulnerable target on the Internet does not necessary need to concern himself with timing at all.

The good news is that time can be on our side too. It depends on if we can detect the intrusion and keep monitoring the hacker while he works. Then time is on our side and we can gather evidence.

And another thing about time: security deteriorates over time. We cannot just stop applying patches, verify settings, harden baselines and monitor traffic. And there’s no guarantee that we won’t miss one or a few systems.

4. We can’t strike back

"For every problem, there is one solution which is simple, neat and wrong."
- Henry Louis Mencken

I admit that the legal side of IT-security is not my strong side. But it’s all about a bit of common sense: as a white hat working for a reputable organization you really should think twice before trying to strike back or “counter-hack” the hacker.

The reasons are mostly legal ones, but as you probably understand there are many bad things that could happen. What if the system the hacker uses belongs to an unsuspecting party, like a corporation or foreign government?

The correct approach to this problem must be involving your incident response team. But this is out of the scope of this discussion.

3. We can’t repair the damage right away

“Haste in every business brings failure.”
- Herodotus

When hack happens, trying to sanitize the systems and get everything working again seems like a good idea. It may actually be a good idea, if you have no intention to catch the perpetrator. If you do, touching the crime scene will invalidate the evidence and probably destroy some or all of the tracks.

2. They gain reputation the same way we lose our

“Character is like a tree and reputation its shadow. The shadow is what we think it is; the tree is the real thing.”
- Abraham Lincoln

They stand to win reputation, money and “goodwill” with organizations that hire hackers to do things like this. The opposite is true for us. We risk losing reputation, money and goodwill with people that trusts us.

1. Hackers only have to find one way in – We have to close all of them.

“If a elderly but distinguished scientist says that something is
possible he is almost certainly right, but if he says that it is
impossible he is very probably wrong.”
- Arthur C. Clarke

“As a young boy, I was taught in high school that hacking was cool. “
- Kevin Mitnick

And number one reason it’s unfair: you can prove a system vulnerable but not the opposite. Proving that something does not exist is known as “proving a negative”. It just can’t be done. Sorry.

It’s the big thing that works against us. If we could apply hard work and reshape the network with all its components into a provably invulnerable network, we could just close the door and leave the whole security problem. But we cannot!

And off course, a hacker can get lucky and gain entrance by exploiting just one single vulnerability. Most of the time, they need more than one, but you can’t prove it isn’t possible to fully own a network through one single vulnerability.

So to conclude: complexity is the killer. It comes back in all of the examples.

Posted: 2010-07-14 by Erik Zalitis
Changed: 2010-07-15 by Erik Zalitis

News archive