First Base Technologies
Ethical
Pragmatic
Professional
The First Base Security FAQ


In this section, we attempt to provide answers to some of the questions that we find we are most regularly asked.

If you have a question concerning security and ethical hacking that you'd like answered, why not use our Contact Form?



An Interview with Peter Wood, founder of First Base Technologies

Who are you?

Founder and Chief of Operations of First Base Technologies.

What do you do?

Ethical hacking and penetration testing. My personal specialities are Windows networks and social engineering (or both!)

How did you get into it?

My first packet sniffing exercise was in 1978 whilst working on airline systems for Raytheon - looking at 3270 data for fault finding. I've loved networks ever since and got involved as soon as IBM PCs started to be networked using Torus Tapestry and Novell file servers in the mid-80s.

I was running an IBM systems centre dealership throughout most of the 1980s. There was a falling out between the owners of the firm in 1988, so I left and formed First Base, focusing on local area network consultancy. In those days, very few organisations had a proper handle on the security of Ethernet and/or Novell NetWare and how to configure them properly. Our first project was to work with the Group Finance department of a large multi-national to help set up a Novell network securely and with the right Chinese walls between departments. We also got involved in data security and ultimately what became BS 7799.

Next came the web - we'd used gopher and Usenet for years, but when the web started to take off back in 1995, we ran seminars explaining to business people what it was all about. By 1997 we had started running vulnerability scans against firewalls and begun teaching people about Internet security.

After that the rest is obvious I guess. Penetration testing became a major requirement and now we do everything from network penetration testing to web application security reviews to social engineering.

What advice do you have for people getting into ethical hacking?

You need much more than just technical skills unless you're going to be a back-room person or researcher working for government (or large organisations I guess). You must be able to think outside the box - to look at things like an engineer and a child - asking "what happens if I do this?" At the same time you must be highly ethical and professional, never exceeding the boundaries agreed with the client, which takes discipline. Of course you also have to be very, very patient as often it's like panning for gold - loads and loads of work before you find the nugget that you're after.

You need a good command of English and report writing skills too, which need to be combined with an understanding of the points of view of the people who are going to read your report. If you can't make your findings (and recommendations) accessible, there's no point in doing the job.

You also need to be a good team player - to take advice, criticism and help from your colleagues. I'm sure there are more things I haven't thought of, but in summary you need to be inquisitive, technically competent, disciplined and a good communicator. You must be able to set your ego aside to learn.

What are the tools you couldn't do without?

Now this is my favourite question. The tools I use depend on the task I'm conducting.

If I'm on site testing a corporate network I'll be focused on Windows, because that's what they'll be using on the desktop and it can provide access to just about everything else. I always use a Windows laptop because it's the easiest way to test a Windows network. My favourite tool in this environment is Hyena - a program designed for Windows admins that gives me just about everything I need when testing a Windows network. I use fgdump and SAMInside with rainbow tables for Windows password cracking - although I could use Cain and Abel, SAMInside gives me more options and better reporting. If I'm running exploits I prefer Core Impact - it creates a solid audit trail and is very easy to use. I keep meaning to look at Metasploit but I haven't had the time yet. I can "own" most Windows networks through poor configuration rather than using exploits, so frameworks aren't a big thing for me.

For laptop testing I use the Active@ NTFS read program or perhaps Ophcrack Live to make a point. Oh, and a screwdriver to take out the hard disk in some cases! For social engineering, my favourite is my BT engineer's kit, which has proved successful on several occasions. It includes a reflective jacket, a tool bag, a fake ID and some BT business cards.

Last, but not least I depend a great deal on my Google-fu.

What is your biggest security fear?

Well-designed Trojans!

What is the biggest security threat you see in the future?

Well-designed Trojans coupled with social engineering!

Who is your hacking hero?

I have a very soft spot for Steve Gold, who, along with Robert Schifreen, hacked BT's Prestel service in 1984 and left messages for the Duke of Edinburgh. This was the hack that led to the Computer Misuse Act in 1990. Like most famous or infamous hackers, all they really did was social engineering and guessing passwords.

Clifford Stoll's The Cuckoo's Egg is required reading for everyone who works at First Base Technologies - it gives a real insight into hacking and counter-hacking. So I guess he's a hero of mine.

Who is your biggest hacking villain?

Any of the criminals out there who are making ordinary people's use of the Internet a misery.

What is your top security tip?

For home users: Don't click on it, don't open it unless you are certain! Install anti-virus software and update it hourly, install a proper personal firewall (not the Windows one).

For business: vet your staff thoroughly and then make them part of the solution (the human firewall) not part of the problem.

What is your most memorable security incident?

The first time I realised that most organisations have almost no security inside their buildings. Walking into this office, straight past reception, plugging in my laptop in a meeting room and getting Windows Domain Admin privilege in 20 minutes (with their permission of course!)

What are your plans for the future?

Personally: to share my knowledge as much as possible, to get people to realise that security is about people - not products and gadgets.

Professionally: to keep the First Base Technologies vision going: Ethical, Pragmatic and Professional.

14 April 2009



Why is a passphrase more secure than an eight character password?

The reason that a long passphrase is more secure than, for example, an 8-character mixed-type password depends on the situation.

For Windows operating systems, there is a particular vulnerability for any password shorter than 15 characters, caused by the way Windows encrypts the password (for backwards compatibility reasons).

For environments other than Windows, it's simply about dramatically increasing the number of permutations and hence length of time taken to crack (actually to automatically guess) the corresponding password. Fundamentally there are five attack types:

  1. Dictionary attacks: This involves using a dictionary of all words and proper nouns in a language (typically 800,000 words in English) to automatically test each against the encrypted password. This takes only a matter of minutes on a typical PC.

    See this Wiki entry for more info.

  2. Hybrid attacks: This combines the dictionary attack with testing *every* possible character as both a prefix and/or a suffix to the dictionary word (usually one prefix and up to two or three suffixes, such as "XpasswordXXX"). It often also includes common substitutions such as '0' for 'o', '3' for 'e', '@' for 'a' and so on. This also takes only a few minutes on a normal PC.
  3. Brute-force attacks: This technique simply tries every possible character in every position in the password. The time taken for this type of attack increases dramatically with the length of the password. Nevertheless, recent developments in using Nvidia video cards as secondary processors have resulted in a significant reduction in attack times, making even a previously uncrackable password potentially vulnerable. Note that "uncrackable" really means that it would take an unfeasibly long time to try every permutation - say years or even centuries - but that as processors become more powerful and new techniques emerge, this time will inevitably shorten significantly.

    - See this Wiki entry for more info on brute-force attacks.
    - See this page regarding the Nvidia attack.

  4. Rainbow table attacks: This is the technique which is pretty much always successful against Windows passwords of less than 15 characters. Once a passphrase of 20 or 30 characters is employed, the LM hash vulnerability disappears and rainbow table attacks are unfeasible due to the size of the tables required for a long NTLM hash (thousands of terabytes).

    See this Wiki entry for more info about Rainbow Tables.

  5. Social engineering informed attacks: This involves researching personal details of the user and trying words which may correspond to their interests, pet names, loved ones and so on. This is really a specialised dictionary attack and is usually unsuccessful against a passphrase due to word order, spaces (which are characters as well!) and the wide variety of combinations of words available - contrast "I want a red Ferrari" with "I'd love a red Ferrari" or "I want a Ferrari Enzo" each of which may also include exclamation marks, full stops etc.

Hope that all helps. If you've read this far you deserve a medal! ;-)

Answered by Peter Wood on 22 October 2008
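The arithmetic behind the answer above, as an added example (not First Base's code): it compares the worst-case search space for an 8-character mixed password with that of a passphrase, using the standard Windows behaviour that an LM hash upper-cases the password and hashes two 7-character halves independently. The guess rate, the 95-character printable ASCII alphabet and the assumption that every passphrase word appears in the 800,000-word dictionary are illustrative assumptions.

```python
import math

PRINTABLE_ASCII = 95        # letters, digits, symbols and space (assumed alphabet)
LM_ALPHABET = 69            # printable ASCII after LM upper-casing (95 - 26)
LM_MAX_LEN = 14             # an LM hash exists only for passwords of <= 14 characters
DICTIONARY_WORDS = 800_000  # English dictionary size quoted in the answer above
GUESSES_PER_SECOND = 1e9    # assumed guess rate, for illustration only


def exhaustive(alphabet: int, max_len: int) -> int:
    """Candidates of every length from 1 to max_len over the given alphabet."""
    return sum(alphabet ** n for n in range(1, max_len + 1))


def lm_hash_stored(password: str) -> bool:
    """True when a legacy LM hash can be stored alongside the NTLM hash."""
    return len(password) <= LM_MAX_LEN


def search_space(password: str, lm_enabled: bool = True) -> int:
    """Worst-case guesses for the cheapest of the attacks modelled here."""
    if lm_enabled and lm_hash_stored(password):
        # LM hashes two upper-cased 7-character halves independently, so the
        # work is at most two small searches instead of one large one.
        halves = 1 if len(password) <= 7 else 2
        return halves * exhaustive(LM_ALPHABET, 7)
    by_character = exhaustive(PRINTABLE_ASCII, len(password))
    words = password.split()
    if len(words) > 1:
        # Word-sequence dictionary attack; ignores punctuation and
        # capitalisation, so it is a lower bound on the real effort.
        return min(by_character, exhaustive(DICTIONARY_WORDS, len(words)))
    return by_character


def summarise(password: str) -> dict:
    """Search space in bits and years at the assumed guess rate."""
    guesses = search_space(password)
    years = guesses / GUESSES_PER_SECOND / 31_557_600
    return {"lm_hash": lm_hash_stored(password),
            "bits": round(math.log2(guesses), 1), "years": years}


if __name__ == "__main__":
    for pw in ("Tr0ub4d&", "I want a red Ferrari"):  # constructed samples
        print(f"{pw!r:24} {summarise(pw)}")
```

With LM hashes enabled, any password of up to 14 characters costs no more to search than two 7-character upper-case strings, which is why length past 14 matters more than character mix on Windows.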


So what is an Ethical Hacker?

Ethical Hacking is mentioned with increasing frequency in the press and elsewhere, but what does it actually mean? Here is our explanation for this term:

One of the best ways to measure your vulnerability to malicious attack is to have independent computer security professionals, such as ourselves, attempt to break into your systems. In industry jargon, these are known as "tiger teams" or "ethical hackers". They deploy the same tools and techniques as a malicious attacker, but ensure that they do not damage your systems.

Successful ethical hackers need to possess a variety of skills. Beyond everything they must be completely trustworthy. They will have strong programming and computer networking skills and have been in the computer and networking business for many years. They will also demonstrate detailed knowledge of the most popular hardware and software in use. Critically they will have more drive and patience than most people - their work demands a lot of time and persistence. Lastly they will invest considerable time in keeping up with the world of computer and network security.

Ethical hackers have to know the techniques of the criminal hackers, how their activities might be detected, and how to stop them. However, in line with our professional standards, First Base Technologies will not employ ex-criminal hackers.

Answered by Didi Barnes on 22 October 2008


So what does it mean to be "SC" (Security Cleared)?

Security Clearance allows routine and uncontrolled access to material marked SECRET and below with occasional, supervised, access to TOP SECRET material where required in the course of one's duties.

SC Clearance will normally consist of:

  • A check against the National Collection of Criminal Records and relevant departmental and police records
  • In accordance with the Security Service Act 1989, where it is necessary to protect national security or to safeguard the economic well-being of the United Kingdom from threats posed by persons outside the British Islands, a check against Security Service records
  • Credit references checks and a review of personal finances

In some circumstances further enquiries, including an interview with the subject, may be carried out. The review period is set by the vetting department but 10 years is the norm.

Answered by Peter Wood on 2 December 2008



© 2001-2009 First Base Technologies - All Rights Reserved.