Learning how to hack the enemy

NEWS With a few keystrokes, nearly 40 student hackers started mapping the computer network of Rutgers University. Using a Unix-based command known as a "traceroute", students who were sequestered in a room in San Francisco caused every server in the path used to send data between the class and Rutgers to identify itself. "If you are doing a denial-of-service attack, this is a perfect way to find out how high up in the hierarchy you need to hit to take out their entire service," said William Chan, one of the instructors. It's day one in a four-day seminar on hacking. By the end of the day, the students have learned how to map a network and pull information from the Internet. It's key information in determining where and how to attack. Yet these are not teenagers bent on taking over servers or defacing Web pages. The students are network managers, security consultants and government employees learning the tricks of the enemy to better defend against them. Rutgers, New Jersey's state university, gave permission for its network to become the target du jour. This particular class is taught by members of security firm Foundstone, a group that routinely breaks into the networks of its clients to tell them where the security holes are. "We are doing this for the sake of protection," said Chan, who is also a vice president of Foundstone. "We provide countermeasures for each exploit that we teach." By the end of day four, Chan hopes the class will understand a bit more about the enemy and how to better protect their networks. For Brian Chang, vice president of information services for a national real-estate company, the first day of class was an eye-opener. "By learning the vulnerabilities, you see just how easy it is to get access to this stuff," said Chang, who spoke on condition that his company's name remained anonymous. No wonder. The company's network has already been hit a number of times, he said. In addition to the network break-ins, Chang said that the real-estate company had its fair share of damage from both the Melissa virus and the ILOVEYOU worm. "The vulnerable businesses are the ones like ours -- non-technical ones," he said. "We use the Internet as a tool, but we don't take it too seriously." Part of the problem is that the company puts too few resources into security. While considered a "medium-sized" company, the only network administrators are Chang and one other person -- neither of whom has a strong security background. That's why he had come, he said. "If we don't know what's coming in from the outsider, how are we going to stop it?" Another student, who asked to remain anonymous for fear his company would become a target -- a fear that kept most students from talking to ZDNet -- believed that any growing e-commerce company will soon be in the crosshairs of network attackers. "The sites that are really popular today are the ones that are getting hacked," said the systems engineer, whose company provides content to a variety of Web sites. "If we end up growing much bigger, we need to watch out as well." "The big fear is getting hit so hard that we are not able to provide content to our customers," he said. Despite courses like this one, Chris Prosise, vice president of consulting for Foundstone, believes most companies are still in the dark. "For the most part, the network administrator is unaware of the security issues," he said. For the students, however, much of the mystery will have been revealed. Take me to the Summer of Hacking Special Take me to Hackers Take me to the Virus Workshop What do you think? Tell the Mailroom. And read what others have said.