“The attack I am going to demonstrate now enables access to an organization’s database and to delete or change data. I’ll demonstrate how, for example, one can bypass the ‘ogin system of a specific bank.” Only a few characters and hyphens were needed for our interviewee to get into the database of a banking site abroad.
After he was in, he typed a code-line in the search field and pulled out the whole list of users and codes that were in the banking site.
Shaharabani is a senior expert for data security at IBM. He explains that when a user types his username and password, an interpellation is taking place, placing this data in a specific code field. This is a normal, regular, computer procedure done in the background of the site. The hacker can then change the interpellation in order to hack into the system. This is exactly what Shaharabani did to bypass the security systems of the banking site.
“This attack is called SQL Injection and is commonly used by hackers—25 percent of sites’ attacks are done with this technique,” he says.
With the same ease, he asks us if we would like to see how a smartphone can be hacked. He borrows one of ours, an Android, which we hesitantly hand over to him after our uneasiness is overcome by curiosity.
While doing some preparations on his computer, Shaharabani tells us a story: “Several years ago an animation video with the character of Muhammad was aired on YouTube. As the video was a bit inconsiderate, the government of Pakistan issued an order to all her Internet suppliers not to allow their clients to surf YouTube. While one of the Internet suppliers was trying to navigate all its clients to YouTube via its own servers, it did not think of the applications. What it actually did was to notify online that it was best to enter YouTube via its servers. Thus, all worldwide traffic to YouTube went via its servers.”
“One year prior to this, there was a Turkish guy who mistakenly navigated a large portion of the Internet traffic through his systems. At that time it could still be done. Nowadays, however, there are security systems warning about such a situation and are able to rectify it. This is one example which shows how easy it is to do these things.”
And that’s exactly what Shaharabani did in front of our eyes. He navigated all our wireless Internet activity to his computer, and from then on we could see on his computer each and every note we typed in our smartphone, including a Facebook password.
“I can launch such an attack in every net I’m in. My goal, however, is to convey to people the message that the Internet is a wide world which had been built without the thought of its security,” he says.
“Patches of security were later added on, but this way there remained loopholes which I can utilize. For instance, a device needs a router, which serves as a port to the Internet. Yet in between them there exists a protocol. Since this protocol is not secured, I can ‘tell’ the device that ‘I am the router’ and make it connect through me,” he says.
At the age of four, Sharabani got his first computer, non-colored XT type. “It served me loyally until I was 18,” he says. Windows could not be run on that computer, but what was worse for him is that the old game “Digger” could not be run on it either. “May be that was what motivated me to go as far as that,” he wonders aloud.
In 9th grade he entered his first computer class. Two students asked the teacher to dismiss them from all classes since they were were already developing software and knew all the information. “All three of you?” the teacher asked. “Yes,” Shaharabani answered, jumping on the opportunity.
“I had to justify it, show I have knowledge in computers,” he says now, “So I did some work to go deeper into this world.” Thus when he was enlisted into the Israeli army, he served in an intelligence technological unit, and when his service was over, he started working for the start-up Watchfire, which was later on bought by IBM.
Watchfire was a pioneer in the field of application security. Shaharabani says “a lot of the problems known today in the web were brought to light as a result of our research in this firm.”
After being bought, Watchfire’s name was altered to IBM AppScan. It now helps firms that develop software to trace security loopholes and repair them. Sometimes the staff approaches a firm, or an entity that runs a secured system, to ask their permission to hack into it and find loopholes. Their current flag-product is called AppScan. It scans applications to find what should be repaired and how.
“We were able to hack into each product we targeted,” Shaharabani says, “we always make it within two weeks or so, and then we spend some more time on a detailed report and demos.”
The loopholes are of course kept secret in order not to let ill-willed hackers utilize them. But sometimes, in coordination with the client, some of the vulnerabilities are published after being repaired.
Recently the group found a loophole in the Android OS that can be used by a malicious application downloaded from Google application store. It can then track down your Internet activity even when the application is closed. The staff approached Google staff and helped them repair it.
Shaharabani had a vision for the potential his unit. “I started pondering how we could expand what we did,” he says. He then led a series of tests to see whether IBM’s own products were immune to hacking. “I knew we could succeed in the attacks enough to enhance an inside awareness and procedure.”
His passion made it. After some time he was offered to “take the reins” into his own hands. He accepted the task to lead data security at “Rational,” the section responsible for one-fifth of the software development in IBM.
For the last one-and-a-half years, Shaharabani has worked to bring a substantial change to the development methodology in IBM, and changed the spirit of the organization by creating secure code. Now he has finished his job and is about to return from “Rational” to IBM as a senior figure in data security—a job he cannot yet speak about.
The Saudi Hacker
After a Saudi hacker published a list of Israeli credit card numbers online, groups of Israeli hackers decided to reciprocate and knocked down Saudi websites.
Contrary to the Israeli media, which depicted them as heroes, Saharabani sees their actions as criminal and unlawful. “It is unethical and achieves nothing whatsoever. There is no connection between that Saudi hacker and the attacked websites in Saudi Arabia, except they are maybe both citizens of the same country. If someone steals my car it doesn’t mean I am allowed to take the law into my hands and react with a criminal deed—this is a criminal act with all it implies, and it is not allowed,” he says.
From another perspective, however, Shaharabani thinks that what that Saudi hacker did can probably be of use and have a positive effect.
It awakened Israelis to the need for data security.
“Nothing really terrible happened on a national scale. Of course I do realize that there are people and companies who were wronged by this action. But these attacks are very weak,” he says. “Among the hackers, no one was surprised by it—it was obvious that these things could happen and that we would see something like this. What I am content about is that now my mother, and my grandmother, has heard about it.”
“People know that in order to cross the street securely they have to look to their left and to their right, to discern which place is dangerous, and leave their bags in the trunk of the car to not attract burglars. These are intuitions that are engrained in us. Yet they do not function when it concerns the virtual world. People do not know how to surf the Internet securely,” he says.
Shaharabani explains that handling data security requires public education on the matter. Increasing awareness can minimize the problem.
“Most of the computers connected to the Internet are contaminated with malicious software, and these do all kind of things, including tracking down your activities and sending spam,” he says.
Shaharabani says there is a whole industry around it, and all of us may have malware in our computers that serves hackers, and allows them to attack others or collect information going through our networks. He hopes awareness of this problem will grow.