A white hat hacker, who has given sleepless nights to Net security
professionals working for some of the biggest names in the dotcom world, was in
Bangalore last week. Tom Cervenka, who is popularly known as 'Blue Adept' in
the hacker community, is now an Internet Security Expert at iCMG. He offers
inputs to firms on preventive measures against hacking. He doubles as a Java/Perl
instructor for the Object Technologies programs at the University of Alberta and
the Simon Fraser University. Tom has found security loopholes in sites such as
Hotmail, eBay, Excite, Zkey, Yahoo and Lycos. In a freewheeling interview with
CIOL Bureau, Tom discussed several issues that plague not just those who face
the threat of getting hacked but also the hackers themselves.
Let's start with your name. Why the nickname 'Blue Adept'?
The name 'Blue Adept' comes from a Piers Anthony book called Blue
Adept. I read and liked the book. Interestingly, the actual character
'Blue Adept' is not the main character in the book. That is where the name
came from.
How can anyone be sure that a person is a black or a white hat hacker?
How can anyone be sure that I have never done anything like black hat
hacking? Well, you don't. It's like you don't know whether I have murdered
a person. If you have found out that I had murdered someday then I'll be put
away for murder.
Like a rose by any other name, a hacker is a hacker, be it black or white.
How do you react to this perception?
Once, when I faced such a question in a debate, I said that the difference
between white hat hacking and black hat hacking is like the difference between
an apple and an orange.
What is the psyche of a hacker?
The motivation which drives all hackers, I think, is the love to understand
how technology works. It is to see what the system will do if they pushed it in
different directions. It really is an experience like you start exploring the
security of the system. It is not something you can do unless you fully
understand what the related technology is. Doing it is really a
self-educational, fun and interesting process. Once you start getting into the
system, it becomes like a puzzle and you really want to reach the end. If you do
reach you feel really cool like reaching the top of the mountain. It is a great
challenge.
Have you hacked any government sites?
Yes, I have hacked into the Indian government sites (laughing). That was a
joke. No, I have not hacked any government site.
Is JavaScript the most favorite language of the hackers?
No, the kind of security holes that I find is not the typical kinds of holes
that people look for when they go and look for Web services. Unfortunately, what
that means is that in a lot of Web services there is a class of security holes
that most people tend to look for. This is what most people identify as hacking.
But, the kind of hole I usually find is the kind of hole that does not deal with
accessing the system at the network level. It's an uncommon way of breaking
into the system. A lot of services never even thought that JavaScript could be
used to get the user name and password.
The reaction to your hacking eBay's site was not very favorable. Did they
take any action against you?
No, but at the time I showed that there was a problem with eBay's site
they denied it. Every time a reporter called them and asked they would deny that
any problem existed. But that didn't work very well because on my side I had a
working demonstration of how people could steal passwords. It was a situation
where the reporter would come to me and ask whether there was a problem. I would
ask them to go into the service and I will show them their username and password
and then they were convinced and went to eBay. They took a long time to fix the
problem.
Of all the sites you have tested till date, who gave you the most positive
feedback? Who gave the most negative response?
The most positive feedback was from Zkey. They acted in a way that was in
everybody's best interest. When I found a hole, they were interested to find
out what the problem was. They put a lot of people into fixing it right away.
And the negative feedback was from eBay.
On what basis do you choose to hack a site?
I don’t actually choose a site to hack to see that it does have a security
problem or does not have. In my work, I just stumble across a hole or just flip
across many times the services I am using myself. This was the case with
Hotmail, eBay and also Zkey. I was the user of the service. Take Zkey for
example. After I had uploaded my own business data I started to think, "How
secure is this anyway? Let me just try and see."
Is credit card transaction safer over the Net and do you use your credit card
on any kind of transaction over the Net?
It can be done safely. In general I could say "yes" normally. No,
I don’t use my credit card over the Net.
The US government had given an open invite to hackers to join the main
stream. How have the hackers responded to that?
Well, we don’t need an invitation when we have the option. When we find a
security hole, some tell the world about it, some keep it as a secret.
Invitation or no invitation we are going to find security holes one way or the
other. It is not that the US government is offering to change the behavior of
the individual or something. It is not like black hat hackers will change into
white hat hackers. I think people who have been doing white hat hacking are the
people who enjoy doing it and people who keep it to them, keep it to themselves.
That’s the way it is going to be. What the society can do is to engage people
to do the good kind of hacking. What would be more effective than issuing
invitation is a change in rules.
What do you think are the most important utilities any organization should
have to prevent hacking/unauthorized access?
The kinds of problem I deal with are the specific kind of problem that a lot
of major service providers have. So I don’t pretend to be able to tell people
how to completely secure their site. There is no such thing as 100 per cent
security. But, what I recommend is that they pay very careful attention to
instances where they allow the person to write in some content, which then
becomes a part of the site itself that others will view. If you have something
like a message board, tech support form or auction or e-based mail, in all those
cases you have to be very certain that you carefully examine what the user wants
to post and how it will look. And make sure that it doesn’t contain any
malicious code. JavaScript is just one of them. They can use VBScript, Java
Macromedia, Shockwave, XSS style sheets, Flash etc. So, you have to be up on all
the technologies and make sure that none of them are being snuck onto you.
What are the aspects of keeping a secure site?
Keeping a secure site is a matter of constantly adapting new technology
because you have to make sure that your current version of the browser should be
on par with the new technology/software products which are constantly changing
without even knowing it. Because your software product runs through the browser,
you have to keep updating to keep up with the technology.
How can you best prevent hacking?
There is intrusion detection software that you can buy and install and that
kind of software will help you find whether something has been changed or not,
or somebody is accessing certain files that you thought shouldn’t be accessed.
It can eliminate the vast number of most common security problems. One thing you
could also do is keep up with some of the work the white hat hackers are doing.
You could also do the normal stuff like finding the right software, the right
hardware and also have a security auditor etc., and see to it that your site is
safe.
How do you rate the level of security in Indian sites?
Some of them have rigid security rules. Some of them are vulnerable, but
most of them are OK. I think now they are doing much better jobs.