Going Security Geek on Penetration Tests With Ira Winkler
by David Geer
Q: When is hacking legal?
A: When the company being hacked hires the hacker.
These hacks — called penetration tests — are done on purpose to show companies how much they stand to lose if they don’t patch their security holes.
Penetration tests try to compromise the security of computer systems in order to find out whether they are vulnerable. This is a good thing, done by good guys, called White Hat Hackers.
There are many reasons to do a pen test, including:
• To see how a malicious party may attack ... and how far they would get.
• To see if the company can detect the attacks.
• To identify as many vulnerabilities as possible.
• To get the attention of management.
(Taken from “Ideal Goals of a Pen Test,” a presentation slide by Ira Winkler, president and CEO of the Internet Security Advisors Group (ISAG), “an international information security firm specializing in mass marketing product security offerings through channel partners.”)
Pen tests use simulated corporate espionage, social engineering, physical access to computers, and remote hacking. Pen tests often require a combination of two or more of these elements. With the help of Mr. Winkler, we’ll cover pen tests and protections against hacking.
Who is Ira Winkler? He’s a straight shooter and someone who can speak with authority on the subject. Ira is a former software tester, NSA guru, and now confirmed good-guy hacker. Dubbed a modern-day James Bond by the media, Ira has a history of discovering how information systems are hacked.
Mr. Winkler has been hired to hack into many Fortune 500 companies. He has done so, handing them back anything from access to $1 billion in assets to plans for a nuclear reactor. All this is done to point out the companies’ network vulnerabilities.
The author of Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It, Ira advises the FBI and other top-dog organizations. They listen; so should you.
Espionage Simulations, Social Engineering, and Physical Access
Photos courtesy of Ira Winkler.
Ira usually starts with corporate espionage, in an effort to pull together the non-technical pieces of the puzzle. This brings the system or systems he wants to penetrate out into the open. Sometimes, Ira uses social engineering — a form of social interaction. Social engineering lets you gather bits of information, compiling what you need until you have the whole picture. In this case, the information is how to access the company’s computers. Social engineering can be done in person, but is usually done over the phone.
For example, Ira once called a bank and took control of it in three days. The information he used to accomplish this — information about computer access — was gained entirely over the phone. You may have seen these kinds of calls portrayed in movies or on TV, usually being used by private detectives. Deceit and misrepresentation are definitely on the menu.
In the following detailed example, espionage, social engineering, and physical access were all used.
“I stole the designs for a nuclear reactor by saying I was doing a quick security audit. I walked over to the people who put together the design plans for a proposal that was going to be presented to the people buying the nuclear reactor. I said I just needed to
62
May 2007