Nuts & Volts - May 2007

Going Security Geek

on Penetration

Tests With

IRA WINKLER

by David Geer

Q: When is hacking legal?

A: When the company being hacked hires the hacker.

These hacks — called penetration tests — are done on purpose to show companies how much they stand to lose if they don’t patch their security holes.

Penetration tests are used to try to compromise the security of computer systems to make sure they are not vulnerable. This is a good thing, done by good guys, called White Hat Hackers.

There are many reasons to do a pen test, including:

• To see how a malicious party may attack ... and how far they would get.

• To see if the company can detect the attacks.

• To identify as many vulnerabilities as possible.

• To get the attention of management.

Taken (from “Ideal Goals of a Pen Test,” presentation slide by Ira Winkler, president and CEO, the Internet Security Advisors Group (ISAG), “an international information security firm specializing in mass marketing product security offerings through channel partners.”)

Pen tests use simulated corporate espionage, social engineering, physi-

cal access to computers, and remote hacking. Pen tests often require a combination of two or more of these elements. With the help of Mr. Winkler, we’ll cover pen tests and protections against hacking.

Who is Ira Winkler? He’s a straight shooter and someone who can speak with authority on the subject. Ira is a former software tester, NSA guru, and now confirmed good guy hacker. Dubbed a modern day James Bond by the media, Ira has a history of discovering how information systems are hacked.

Mr. Winkler has been hired to hack into many Fortune 500 companies. He has done so, handing them back anything from access to $1 billion in assets to plans for a nuclear reactor. All this is done to point out the companies’ network vulnerabilities.

The author of Corporate Espionage: What It Is, Why It Is Happening in Your Company, What You Must Do About It, Ira advises the FBI and other top dog organizations. They listen; so should you.

Espionage Simulations, Social Engineering, and Physical Access

Photos courtesy of Ira Winkler.

Ira usually starts with corporate

espionage, in an effort to pull together the non-technical pieces of the puzzle. This brings the system or systems he wants to penetrate out into the open. Sometimes, Ira uses social engineering — a form of social interaction.

Social engineering lets you gather bits of information, compiling what you need until you have the whole picture. In this case, the information is how to access the company’s computers. Social engineering can be done in person, but is usually done over the phone.

For example, Ira once called a bank and took control of it in three days. The information he used to accomplish this was gained entirely over the phone — information about computer access. You may have seen these kinds of calls portrayed in movies or TV, usually being used by private detectives. Deceit and misrepresentation are definitely on the menu.

In the following detailed example, espionage, social engineering, and physical access were all used.

“I stole the designs for a nuclear reactor by saying I was doing a quick security audit. I walked over to the people who put together the design plans for a proposal that was going to be presented to the people buying the nuclear reactor. I said I just needed to