[ISN] OSS is an easier hack: Mitnick

Subject: [ISN] OSS is an easier hack: Mitnick
Date: Tue, 31 Jan 2006 00:44:21 -0600 (CST)
http://www.tectonic.co.za/view.php?src=rss&id=839

By Jason Norwood-Young
30 January, 2006 
 
In an exclusive interview on Friday, infamous hacker Kevin Mitnick
told Tectonic that, given the choice between finding security
vulnerabilities in closed and open source, he'd prefer to attack an
open source environment.

"Open source would be easier [to hack]," admits ex-hacker turned
security consultant Mitnick. "It's less work."

Mitnick says that open source software is easier to analyse for
security holes, since you can see the code. Proprietary software, on
the other hand, requires either reverse engineering, getting your
hands on illicit copies of the source code, or using a technique
called "fuzzing".

Fuzzing means putting fake data - such as really long strings - into
portions of the application that allow user input. "You want to make
that function call fail. Does it cause an exception? If it does then
the programmer probably hasn't validated the input. You could supply
your code in a particular manner - thus tricking the application or
function into executing your own code. Hackers want to execute their
own code - preferably with privileges - and then they gain control.

"On the face of it, open source software is more secure," says
Mitnick. "A lot of eyes are looking at the code. You'd think that with
OSS, with more people looking at the code, you're more apt at finding
security holes. But are enough people really interested?"

Mitnick does qualify his statement carefully - it's six of one and
half-a-dozen of the other. "Then again, a lot of people are really
good at reverse engineering. You can obtain illicit copies of
[proprietary] source code," he says diplomatically.

Mitnick was arrested in 1995 by the FBI for hacking. He served five
years in prison, including eight months in solitary confinement after
it was alleged that he could launch nuclear missiles by whistling into
a telephone. He will be in South Africa next month for the ITWeb
Security Summit 2006, and will speak about social engineering and
wireless security.

He runs Microsoft Windows XP Pro, Microsoft Windows 2003 Server,
Debian, Gentoo and Solaris. Currently he's penning an autobiography to
clear up some myths about himself. And no, you can't launch a nuclear
attack by whistling into a telephone.


