What happens when 20-something Beltway wonks put down their Blackberries and start getting real about hacking? Chris Wysopal can tell you. The security expert and former L0pht member is just back from D.C., where he took on the job of teaching Senate staffers on the Homeland Security and Governmental Affairs Committee about SQL injection, spear phishing and more.
In an exclusive interview, Wysopal, the co-founder of application security testing firm Veracode, said that Congressmen and women – and their staff too often turn to vendors to help understand the context of news stories about sensational attacks against the U.S. government or private firms. Too often, the information they get in return is skewed in ways that help promote the technologies those vendors sell. Its more important than ever, Wysopal says, for our elected representatives and their staff to grasp the technical details of computer security issues – the better to help them sort out competing messages from vendors, lobbyists and other interested parties.
With that goal in mind, Wysopal accepted an invitation on July 21st to speak before the Senate’s Homeland Security and Governmental Affairs Committee and help explain how, exactly, one carries out the kinds of hacks that are making headlines. It wasn’t Wysopal’s first time before Congress. The 40-something computer security expert, using the handle “Weld,” sat before the very same Senate committee thirteen years before, as a member of the hacker collective known as L0pht to talk about the problem of weak computer security in government. (And aren’t we glad they got that one nailed down?!)
This time around, Weld’s charge was somewhat different: teach, don’t just talk, and help the 50 or so staff members assembled to understand how hackers and their attacks really work.
In an exclusive interview with Threatpost, Wysopal talked about his experience teaching the Senate how to hack.
Threatpost: OK, so how did you come to be the one to teach the Senate how to hack?
Chris Wysopal: Well, Veracode has a federal sales office down in D.C. and we have a few federal customers – the FDA and some other agencies. Besides, we’re an In-Q-Tel (funded) company. As it turned out, our federal sales person was asked by someone on the Homeland Security and Governmental Affairs Committee if we could do a ‘Hacking 101’ type course for Senate Staffers. Actually, its funny, because that was the same Committee that I testified before for the LOpht. Some of the committee members were even the same.
Threatpost: And? What were your impressions?
Wysopal: It was refreshing to me. These committees get a lot of people coming in from Symantec and McAfee and telling them what they think the solutions are. This was a chance to take a step back and to try to understand the problem before they look at what all the companies are saying the solution is, so that was refreshing. I thought to myself ‘This is great.’ I’d like to see some intelligent legislation come out of the Senate. If I can show these people how these attacks work from a vendor-neutral perspective, I thought that was a great opportunity.
Threatpost: So who were these folks you were talking to? Was this a room full of 23 year olds?
Wysopal: Most of them were pretty young. Some of them were lawyers, because this is D.C., so you’ve got a lot of people who are starting out in their career and they’re in their late 20s. But, yeah, there were some younger people. I was the only one talking about how attacks work. My thinking was: if you don’t understand how attacks work, how can you understand the protection? Better security people know that – they can talk about solutions, but also about attacks. But a lot of conversation, especially from auditors, is about compensating controls and what you can put in place to address attacks.
Threatpost: So what did you show them?
Wysopal: I wanted to show them what every hacker has in his bag of tricks and how easy they are. I really wanted to demystify this, so that they realize that you don’t have to be an über hacker who spent years developing sophisticated techniques and tools. Most of these people download the tools and read a few text files and they’re ready to go. With that in mind, I started out with some common definitions – vulnerabilities versus exploits, which often get confused. So I explained how vulnerabilities were latent – they just sit there in the code – and that exploits take advantage of them. Then we went through the hacker methodology, which is: hackers don’t hack at random. They generally have a target or a particular victim and the challenge is to find a vulnerability you can exploit, or they have an exploit for a vulnerability, and the target is anyone with that vulnerability. Its usually one or the other, but it also could be the intersection of the two. So, for example, a hacker might say “I’m going to hack companies that have credit card information,” and then look for a vulnerability within that population – say: open wifi networks or remote access software that’s misconfigured. So I talked to them about how, in general, hackers have a plan like that and that they’re both targeted and opportunistic.
Threatpost: Right. And we see that even with hacktivists – people are inclined to try to connect the dots between their targets, but many of them are opportunistic.
Wysopal: That’s right. LulzSec might have a target list that is government agencies and associated entities. Then they look for SQL injection vulnerabilities within that population. When they find it, they exploit it and make fun of that organization.
I also do this to point out that having vulnerabilities that are exposed is a big factor here. Let’s not forget that. Its rare that an attacker will pull out all the stops. In general, you’re going to get targeted because you have a targeted vulnerability. If a vulnerability isn’t there, typically, you move on. In my presentation, I gave an example of targeted attacks, including the ultimate targeted attack, which was Stuxnet. That’s a case where they had a precise target in mind and used precise vulnerabilities to target their victim. RSA was the other. Those attackers wanted to get information about RSA tokens and there was only one place to get that information, so we’ll target that.
Threatpost: Tell us what the actual demonstrations were like?
Wysopal: First I talked about where the attack tools and information about talk about where the attacking tools and information about vulnerabilities come from. I talked about how Web sites, mailing lists and open source projects can have a dual use: they’re used by defenders and by attackers. I used one tool specifically: W3AF, which stands for the Web Application Attack and Audit Framework. Its a free, easy to use tool to scan Web sites for SQL injection vulnerabilities. We talked about how to find (SQL injection vulnerabilities) in web sites, and how attackers take advantage of all the stuff defenders are publishing.
I demonstrated a spear phishing attack, and talked about how a lot of the high profile corporate attacks start with spear phishing. So we talked about how those work, how the RSA attack worked and the Google (Aurora) attacks worked.
Threatpost: What was the reaction to that?
Wysopal: It was interesting. One guy asked me what legitimate use these tools have – that maybe we should just outlaw them. I talked about how the people who write software should use these tools to find vulnerabilities in their own code. The problem isn’t that the tools exist, its that the defenders aren’t using them.
I also wanted to make clear that you might get a lot of people who say ‘all i need to do is run AV (antivirus software) or a Web or e-mail gateway that’s looking for malware.’ I wanted to show them why that’s not going to happen – that the people behind these attacks are good at coming up with variations of their malware that won’t be detected.
For the Web application attack, I was running a Web server on a virtual machine. I ran the Web scanner and showed how to exploit (a vulnerability) and use it to dump data using the W3AF tool. I showed how easy it was to start up a tool, pick the OWASP Top 10 Audit, plug in a URL and hit go. It started scrolling and found a SQL injection hole. W3AF has an exploit model and it will try different permutations of those until it gets something better than “you have a SQL error.” I took a bit of typical malicious SQL code and fed it into the Web application and was able to dump all the user names. The idea was to image running this against an ecommerce or ebanking Web site and getting all the users of that application. I think they got that.
Threatpost: what kinds of issues did you get a sense that they were wrestling with?
Wysopal: Well, It was important to me that they not walk away wanting to outlaw hacking tools. I think these folks are hearing from a lot of software vendors who are saying ‘we’ve got a new type of AV that can detect everything.” I think they have a lot of solutions thrown at them: better firewalls, better encryption and better antivirus. But none of them will work. Firewalls won’t work because you ultimately want your employees to go on the Internet or you want folks on the outside to get into your applications. Encryption won’t solve the problem because, at some level, you need data in the clear in order to use it. I got the impression that they were looking for new solutions. But I wanted to come with a new story, which was ‘Let’s take another look at the problem.’
Threatpost: Did you leave encouraged?
Wysopal: I did. There were about fifty people there. They were, on average, in their late twenties. When I looked up, nobody was on their Blackberry or iPhone. They were all paying attention. I think I got through with one thing that I always try to communicate, which is that, yes you need layered protections like AV and IDS and firewall. That’s all well and good, but that you need to look at the problem and not listen to vendors who are trying to sell you a product. Its the software, stupid. There are vulnerabilities in the software that need to be fixed. This is the one thing I’ve been working on for the past 10 years: which is how people can write better software. I think I got through to them that some of this (hacking) stuff is really easy to do.