News Stay informed about the latest enterprise technology news and product updates.

Want secure software? Break it first

No software is perfect, but by thinking like a hacker you can better anticipate threats and create a more secure product.

BALTIMORE -- If you think like a hacker, you can better protect your software.

That was the main message at this week's Secure Software Summit. Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University, in particular, emphasized that concept during his keynote address on breaking security systems.

"If you just make systems and don't break them, you don't know how to think like a hacker," Rubin said.

Rubin, author of the books Web Security Sourcebook, White-Hat Security Arsenal and the upcoming Brave New Ballot, told the nearly 100 conference attendees about the benefits of breaking systems. For him and many other security testers, the best part is that it's fun.

A hacker has to be right only once. A builder has to anticipate all types of attacks.
Avi Rubin
Technical director of the Information Security InstituteJohns Hopkins University

"It's interesting and challenging, and it teaches you how to build systems more securely," Rubin said. "People who make the thing think I'm a troublemaker and I'm just trying to make a name for myself."

In reality, however, it keeps companies honest, he said. They don't want to see their names in news reports.

Rubin acknowledged that it's significantly easier to break a system than to build a secure system. "A hacker has to be right only once. A builder has to anticipate all types of attacks," he said. "The consequences of building a bad system are worse than the consequences of a bad attack."

Knowing that, builders have to outline threats at the start of software development. "When building a system, security doesn't mean anything without a threat model," Rubin said.

In addition, many decisions need to be made: What protocols and algorithms should be used? What effect will security have on performance? How do you measure security?

It's a challenge to securely design software, as even if you think it's secure there can be errors upon implementation and the threat model could be wrong, Rubin said.

Other ways things can go wrong:

  • Bugs in the code
  • Poor administration
  • Malicious insider threats
  • Unrealistic assumption of attackers

If a vulnerability is discovered
In some cases, people discover vulnerabilities accidentally. In other cases, however, researchers consider it a challenge to break systems. Regardless, people need to report the issue to the vendor directly, Rubin said.

"It is the responsible thing to go to the vendors first," he said. "They may deny [the vulnerability], but you need to do that."

Rubin explained how he and his graduate students at Johns Hopkins discovered how to break the TIRIS system, Texas Instruments Registration and Identification System. These are RFID chips that are used in 150 million vehicle keys as immobilizers and in the Exxon Mobil Speedpass.

Thinking like a hacker

Misuse cases: Understanding the hacker's approach

Keep the bad guys out: Build security into the SDLC

Breaking software easier than you think

The students spent several months trying to re-engineer the cipher. They eventually broke the circuit and were then able to think of several ways to break the system, Rubin said. One thing they did was figure out how to use a regular key to start a car that requires a chip-enabled key to start it. In addition, they were able to scan a person's Speedpass, take that information and use it to purchase gas.

"Once they knew the key, they could fool a reader and spoof a valid tag to buy gas and start a car," he said.

Rubin told Texas Instruments and Exxon Mobil about the system break and that he wanted to publish a paper on it. The companies didn't believe him and wanted proof that it could be done. Rubin's team proved it and the paper was published.

Security breaks such as that prove that if an attacker has a will, he can find a way. "No useful system is really secure," Rubin said. "Some are just harder to break."

Dig Deeper on Internet Application Security

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

"Thinking like a hacker" should also include studying patterns of known problems and monitoring appearance of new exploits.
Another important aspect is putting all found vulnerabilities into business context. Security scanning tools typically report hundreds of problems. Some of that is just noise. But some need to be skillfully investigated to see if hackers may take advantage of the weakness.
I tend to find a lot of issues when testing. I try not to test like a programmer or developer. I think like a first time user and try stupid things. Place data in the wrong field, use bad characters and typos. Click things out of sequence.. This is great for looking for things like SQL injection.  A good system should already prevent this. Then try to look for other ways to access the data. Is there any clues or data path as to where my data is being shown?  It's like looking for an "Easter egg" that may be hidden to grant access.