Be honest, and be prepared. It is time to get rid of all the myths that surround hacking and security.
If you are an old school hacker or old school security professional, I'm going to be upfront with you. Old school hacking is dead, network hacking is dead, firewalls are useless and AV software is a mere redundant software package that underlines your frustration and ignorance about contemporary hacking. Defense in depth has been deceased since the nineties and it will never come back. The Internet is operated with knowledge that stems from the late eighties and nineties. All you learned about the Internet from the seventies 'til the late two thousands is dead. It is no longer the landscape we work on. It is no longer the Internet of today, and it is certainly not the Internet of tomorrow. It belongs in the history books and nothing more. It is crucial to understand this. If we do not agree, the security field stays behind the facts of today.
There, I've said it.
Evolution means adaptation to the environment. Some old school hackers or security professionals never adapted beyond their terminal, and if you think that whistling through a Captain Crunch whistle and telnetting to a server is still leet, you are wrong. Sure, you can long for the old days. But that doesn't solve the problems we face today. I've been around long enough to witness the dawn of scripting languages that made the shift from the hardware/static to the hardware/dynamic.
Software.
Today everything is software, even in the form of virtual hardware. The network today is no longer the main landscape for attack. Take the firewall for instance. Without the firewall, hacking was a walk in the park. Anyone with a dial-up modem could hack. Launch a telnet client and you had a very good chance that port 23 was open. Along came the firewall and now we have 99.99% of all ports blocked. Only ports 80 and 25 are open if you are secure. So, most of the network is secure and does not pose an issue anymore. Once the firewall was here, everyone in security fell asleep. We thought we were secure now, right? The firewall and the IDS and other stuff are monitoring it, right? Yes, that was the old view of security. That view is dead, and buried with the old school hackers, because this isn't how the Internet operates today. What is happening now is that the whole security of every server depends on the programmer that writes the software. Software is the main culprit of almost all hacks today. If you define hacking today, it no longer means telnetting into servers or blowing whistles, but exploiting the application layer. With the application layer, I also mean the scripting language beneath it, since it interacts with the applications that it's running and shares memory, and thereby the hardware it's running on.
The 7 char attack.
We can even prove that we can own your network with only seven characters typed into your query string: 1' OR 1=1 is far more dangerous than any shellcode I've ever seen in my life. You might ask why, and that is a clever question:
fact 0x01: it always works.
fact 0x02: it's network independent.
fact 0x03: my little sister could do it.
So, there you sit behind your terminal. Monitoring all traffic in and out, upgrading your latest Snort IDS rules, patching your BSD box and drinking exotic beers. Not knowing that you are insecure due to the fact that you've installed WordPress, phpBB or some other software package which can be abused to own your network. All this software had holes, others still do. Code vulnerabilities pop up like mushrooms and there is no way to patch all systems that run it. Every day a dozen new exploits are released for open source or commercial software packages. Real hacking is based upon code vulnerabilities and exploiting the programmer's mistake. We are not going to be secure if we do not teach programmers to create secure code. Anyone who has read a book on PHP can start coding, utilizing and manipulating real system resources with native functions that themselves aren't secure all the time.
It is time to say goodbye to old school hacking, because to me it's a mere artifact of the past. It worked back then, it doesn't work today. What works today also works tomorrow. And what will work two or five years from now is software and application hacking. Sure, old school hacking still works, like guessing passwords -have fun with that- but don't flatter yourself too much. I mean, if you only memorized your Linux man pages and are oblivious to contemporary hacks, you are whistling tones into a cellphone that doesn't respond to them anymore. It's time to accept that if you are into hacking or network security. The facts are here: the Internet is insecure and no firewall or IDS can solve that if the software that causes this stays insecure.
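What "secure code" means for the query-string input quoted above, as an added example that is not code from this post: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table. The table, the function names and the sample rows are assumptions made for the illustration; in this particular query the post's string leaves an unbalanced quote, so the concatenated version fails inside the SQL parser, which is itself the sign that user input is being parsed as SQL.

```python
import sqlite3

PAGE_INPUT = "1' OR 1=1"  # the string quoted in the post


def make_db():
    # Constructed sample data, held in memory only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return db


def lookup_concatenated(db, user_id):
    # Weak pattern: the input becomes part of the SQL text itself.
    sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db, user_id):
    # Corrected pattern: the input is bound as a value, never parsed as SQL.
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,))]


def classify(db, user_id):
    """Report how each lookup treats the same input (hypothetical helper)."""
    try:
        weak = ("rows", lookup_concatenated(db, user_id))
    except sqlite3.Error as exc:
        # The input reached the SQL parser and changed the statement.
        weak = ("sql-error", type(exc).__name__)
    return {"concatenated": weak,
            "parameterized": ("rows", lookup_parameterized(db, user_id))}


if __name__ == "__main__":
    db = make_db()
    for value in ("1", PAGE_INPUT):
        print(repr(value), classify(db, value))
```

A database error triggered by a request parameter is worth alerting on in application logs, because no firewall or IDS rule sits between that parameter and the parser.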
















