20 Jun 2002
This week journalist Roger Howorth casts his eye over the world of ethical hacking.
I have spent most of the last week attending a training course on ethical hacking. A course like this is bound to raise a number of eyebrows, but the agenda is harmless enough, and covers the kinds of misconfigurations and programming bugs which are exploited by hackers and their worms.
This is fascinating stuff, with the practical coursework peaking as each student took control of Windows and Linux servers despite the best efforts of a series of routers and firewalls.
Our classroom network demonstrated that Windows and Linux are now so robust that several hackers can simultaneously exploit the same flaws without crashing the servers. I think those software developer folks have really turned things around since the year 2000 debacle.
Anyhow, it turned out that, while the routers were properly set up, there was a common misconfiguration problem with the firewall: it was not blocking TCP port 53.
As far as I can work out, a common misconfiguration is actually a euphemism meaning that one or more well-known products once shipped with a dangerous default setting. That could be one to bear in mind when reading vulnerability announcements from the vendor community.
In our case, the misconfiguration allowed us to connect to the Trojan horse that we installed on a Windows server.
Not that we should be too hard on the firewall people, because we installed the Trojan by exploiting a buffer overflow in an old version of the popular Washington University FTP server running on Red Hat, and a Unicode validation flaw in Microsoft IIS, neither of which would be blocked by a firewall.
While both these weaknesses allowed us to take full remote control of the systems, it seems to me that the Unicode problems with IIS are a particular concern because of the ease with which they can be exploited. It also appears that legislation covering this area is far from clear.
For example, experts suggest that servers should clearly display a message, warning that unauthorised users are forbidden by law. In the absence of this precaution, it seems hackers can argue that they were unaware that their actions were unwelcome.
I'm not sure where the Unicode vulnerabilities fit with the law. It could depend on how they are deployed and used.
Rightly enough, the law stipulates that you cannot punish people for proper use of the TCP/IP protocols. The drawback is that this leads to a grey area between legitimate use and hacking activity.
For example, any hacker worth their salt would try to obtain a target company's DNS server database. The trouble is, unless the DNS servers are configured to keep this information private, there is no law to prevent anyone from downloading it.
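The precaution the column alludes to is restricting zone transfers on the authoritative DNS server, which is the mechanism that hands out the whole zone database over TCP port 53. The following BIND 9 named.conf fragment is an added example and is not part of the column or of any product's documentation; the zone name, the secondary server address 192.0.2.2, the key name and the secret are hypothetical placeholders.

```conf
// Added example: restricting zone transfers in BIND 9 named.conf.
// example.com, 192.0.2.2, "xfer-key" and the secret are hypothetical.
// The two zone blocks below are alternatives; a real config uses one of them.

// Weak setting: any host that can reach TCP/53 may pull the entire zone.
// This mirrors BIND's historical default of allow-transfer { any; }.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };
};

// Corrected setting: only a named secondary, authenticated with a TSIG key,
// may transfer the zone. Everyone else gets a REFUSED response.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, generate a real one
};

server 192.0.2.2 {
    keys { "xfer-key"; };                  // sign outbound traffic to the secondary
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };    // address match list: key-signed requests only
    also-notify { 192.0.2.2; };
};

// Global fallback so zones added later do not inherit a permissive policy.
options {
    allow-transfer { none; };
};
```

After loading the configuration, an unsigned transfer request for the zone from a host other than the secondary should be refused, while the secondary continues to receive NOTIFY messages and to transfer with the key; checking both confirms the restriction is in place without breaking replication.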
As a new career development option in our business, education for ethical hacking still has a PR problem. However, the value of such training is obvious if it helps firms to identify flaws in their servers before the bad guys do.