Who are you?
Founder and CEO of First Base Technologies.
What do you do?
Ethical hacking and penetration testing. My personal specialities are Windows networks and social
engineering (or both!)
How did you get into it?
My first packet sniffing exercise was in 1978 whilst working on airline systems for Raytheon - looking at
3270 data for fault finding. I've loved networks ever since and got involved as soon as IBM PCs started to be networked
using Torus Tapestry and Novell file servers in the mid-80s.
I was running an IBM systems centre dealership throughout most of the 1980s. There was a falling out between
the owners of the firm in 1988, so I left and formed First Base, focusing on local area network consultancy. In those
days, very few organisations had a proper handle on the security of Ethernet and/or Novell NetWare and how to configure
them properly. Our first project was to work with the Group Finance department of a large multi-national to help set up
a Novell network securely and with the right Chinese walls between departments. We also got involved in data security and
ultimately what became BS 7799.
Next came the web - we'd used gopher and Usenet for years, but when the web started to take off back
in 1995, we ran seminars explaining to business people what it was all about. By 1997 we had started running vulnerability
scans against firewalls and begun teaching people about Internet security.
After that the rest is obvious I guess. Penetration testing became a major requirement and now we do
everything from network penetration testing to web application security reviews to social engineering.
What advice do you have for people getting into ethical hacking?
You need much more than just technical skills unless you're going to be a back-room person or researcher
working for government (or large organisations I guess). You must be able to think outside the box - to look at things
like an engineer and a child - asking "what happens if I do this?" At the same time you must be highly ethical
and professional, never exceeding the boundaries agreed with the client, which takes discipline. Of course you also have to be
very, very patient as often it's like panning for gold - loads and loads of work before you find the nugget that you're after.
You need a good command of English and report writing skills too, which need to be combined with an
understanding of the points of view of the people who are going to read your report. If you can't make your findings (and
recommendations) accessible, there's no point in doing the job.
You also need to be a good team player - to take advice, criticism and help from your colleagues. I'm sure
there are more things I haven't thought of, but in summary you need to be inquisitive, technically competent, disciplined and
a good communicator. You must be able to set your ego aside to learn.
What are the tools you couldn't do without?
Now this is my favourite question. The tools I use depend on the task I'm conducting.
If I'm on site testing a corporate network I'll be focused on Windows, because that's what they'll be
using on the desktop and it can provide access to just about everything else. I always use a Windows laptop because it's the
easiest way to test a Windows network. My favourite tool in this environment is Hyena - a program designed for Windows admins
that gives me just about everything I need when testing a Windows network. I use fgdump and SAMInside with rainbow tables for
Windows password cracking - although I could use Cain and Abel, SAMInside gives me more options and better reporting. If I'm
running exploits I prefer Core Impact - it creates a solid audit trail and is very easy to use. I keep meaning to look at
Metasploit but I haven't had the time yet. I can "own" most Windows networks through poor configuration rather than using
exploits, so frameworks aren't a big thing for me.
For laptop testing I use the Active@ NTFS read program or perhaps Ophcrack Live to make a point. Oh, and a
screwdriver to take out the hard disk in some cases! For social engineering, my favourite is my BT engineer's kit, which has
proved successful on several occasions. It includes a reflective jacket, a tool bag, a fake ID and some BT business cards.
Last, but not least, I depend a great deal on my Google-fu.
What is your biggest security fear?
Well-designed Trojans!
What is the biggest security threat you see in the future?
Well-designed Trojans coupled with social engineering!
Who is your hacking hero?
I have a very soft spot for Steve Gold, who, along with Robert Schifreen, hacked BT's Prestel service in 1984
and left messages for the Duke of Edinburgh. This was the hack that led to the Computer Misuse Act in 1990. Like most famous or
infamous hackers, all they really did was social engineering and guessing passwords.
Clifford Stoll's "The Cuckoo's Egg" is required reading for everyone who works at First Base Technologies -
it gives a real insight into hacking and counter-hacking. So I guess he's a hero of mine.
Who is your biggest hacking villain?
Any of the criminals out there who are making ordinary people's use of the Internet a misery.
What is your top security tip?
For home users: Don't click on it, don't open it unless you are certain! Install anti-virus software and
update it hourly, install a proper personal firewall (not the Windows one).
For business: vet your staff thoroughly and then make them part of the solution (the human firewall) not part
of the problem.
What is your most memorable security incident?
The first time I realised that most organisations have almost no security inside their buildings. Walking into
this office, straight past reception, plugging in my laptop in a meeting room and getting Windows Domain Admin privilege in
20 minutes (with their permission of course!)
What are your plans for the future?
Personally: to share my knowledge as much as possible, to get people to realise that security is about people -
not products and gadgets.
Professionally: to keep the First Base Technologies vision going: Ethical, Pragmatic and Professional.