[619] in Intrusion Detection Systems
Re: Question. (Was re:hacker's intro)
daemon@ATHENA.MIT.EDU (Fred Cohen)
Tue Feb 20 19:55:06 1996
From: fc@all.net (Fred Cohen)
To: ids@uow.edu.au
Date: Thu, 15 Feb 1996 07:18:46 -0500 (EST)
In-Reply-To: <199602141424.BAA28005@wyrm.cc.uow.edu.au> from "G.h.van den Berg"
Reply-To: ids@uow.edu.au
> I was just wondering who you thought found any of the holes in the first
> place? It sure as hell isn't down to all you so called security consultants!
You are just about 100% wrong. Almost every vulnerability ever found in
information security was first found by an honey information protection
expert. Almost every attack ever carried out by an attacker was a copy
of a known attack previously identified by an information protection
expert.
> We use hackers in tiger teams because they use unconventional methods. How
> many of you would go trashing or try some social engineering to gain access
> to a system?
As usual, you glorify the intruder, but you are again incorrect in your
facts. The most effective demonstrations of social engineering and
planning of attacks have been done by honest information protection
experts and not by computer criminals. What you think are
unconventional methods are no such thing. They are in fact quite
conventional and have been used for many years by professionals.
> I'd guess close to none..
You guess wrong.
> How many hackers......more like *all*
Wrong again - almost all attackers use well worn techniques that the
knowledgeable defenders have been aware of for a long time. The
exception to this is, of course, the attackers-turned-defenders who
aren't as schooled at information protection as the experienced honest
defenders.
> System security is much more than applying patches.....it requires a
> pro-active approach...password's are a good example.
> How do you know your password's are un crackable? Answer, try and crack them
> yourself! There is a lot to be learnt from hackers because however secure
> you think your system is they *will* find a way in!
Wrong again - it's amazing how many common misconceptions you have about
this field. Password guessing programs are one of the worst examples of
pro-active protection. First of all, it's not pro-active - it reactive.
You are reacting to easily guessed passwords - not preventing people from
using them. Second of all - trying to crack passwords youself is not a
very effective way of protecting systems. There are proactive password
defenses and far better authentication methods than passwords.
There are plenty of systems that are regularly attacked by malicious
attackers of all sorts and that are never entered. The attackers you
call hackers will never find ways into many of these systems because
they don't understand enough about how information protection works or
how to defeat it. They will try a few tricks and give up in a few
seconds or minutes or hours or days - and when you send the police to
arrest them they will say they were only exploring - and then people
like those who read this list will hire them to protect their computers
and those are the systems that other hackers will be able to get into.
-> See: Info-Sec Heaven at URL http://all.net/
Management Analytics - 216-686-0090 - PO Box 1480, Hudson, OH 44236
