It Takes a Hacker to Catch a Hacker - Boston Application Security Conference Part 3

by Sarah Cortes - "Set a thief to catch a thief" derives, as a saying, from Libyan Greek Callimachus, according to the Oxford Dictionary of Proverbs. "Being a thief myself I recognized the tracks of a thief," he wrote in 230 BC. "Set a fool to catch a fool," added Edmund Gayton in 1654 in "Pleasant Notes Upon Don Quixote," borrowing Callimachus's pith. Did Alfred Hitchcock know Sir Robert Howard echoed Gayton and Callimachus when, in his 1665 volume "Four Plays," Howard tweeted "Set a thief to catch a thief," providing the title to the 1955 Cary Grant movie of the same name?

Non-experts can, at any rate, grasp the essence of computer security research in its similarly paradoxical focus on computer hacking. Skipping from Callimachus to Diggity, the suite of free online software tools recently demonstrated at Microsoft's NERD Center in Cambridge, attendees of the Boston Application Security Conference ("BASC") observed the ease with which the tools penetrated familiar Amazon Web Services cloud computing accounts.

Presenting at BASC, Francis Brown of Stach & Liu referenced the recent computer data breach at Yale University. John Carney of CNBC reported August 19 that Yale sent letters to alumni, faculty and staff admitting that names and social security numbers of 43,000 Yale affiliates had been available to Google search engines for months. The Yale breach illustrates a specific category of computer vulnerability, one in which search engines including Bing and China's Baidu are used as tools to penetrate an organization's computer perimeter.

"There's just a wealth of information out there [on the internet] that could be used in an attack," stated Brown. "Google is not responsible for vulnerabilities, but it has made things easy to find for organizations such as LulzSec," he said, referencing the Wikileaks sympathizers who have recently claimed credit for numerous computer attacks. Anonymous, a similar group of Wikileaks sympathizers, breached Visa and Mastercard's computer servers following Visa's refusal to process contributions to Wikileaks. Wikileaks' release of classified information leaked by Private Bradley Manning, such as the video "Collateral Murder," showing US troops firing on journalists and children in Iraq, had engendered reprisals from the US government. This led to Visa's retaliatory shutdown of Wikileaks' contributions. Manning leaked the classified information just days after visiting David House, a Boston University computer science student, at a Boston University hackerspace. House has recently filed a lawsuit against the US government claiming harassment as retaliation for his support of Manning.

"Also, we're seeing mass SQL injection-type attacks recently," added Brown, commenting on hacking trends. "We're seeing a couple of million websites simultaneously compromised." Brown explained that the targets are actually the visitors to these sites. The attackers plant malicious software on the targeted sites, so that site visitors are infected in numbers that multiply "exponentially from millions of sites."