Dangerous Dealings

Does it take a thief to stop a thief? That's the question many businesses are weighing as they consider hiring reformed hackers to lock down their IT systems.


January 14, 2003
URL: http://www.drdobbs.com/dangerous-dealings/184411617

"People have to do themselves a favor and stop condemning hackers as bad," says Ian Murphy, a reformed hacker and one of the first people convicted of a computer crime in the United States. "Hackers have a better understanding of technology environments than a typical IT manager could ever gather on his own."

Murphy, known in the hacker community as Captain Zap, spent portions of the early 1980s probing telecom systems and private networks. He even claims to have used the White House switchboard to make calls to Europe before being fined $1,000 and sentenced to thirty months' probation for his online exploits.

Murphy now runs IAM/Secure Data Systems, a decade-old consulting firm that specializes in IT security. "In my opinion, companies that need security experts are best served by hiring burglars instead of cops," says Murphy, from his office in Tampa Bay, Florida. "The burglar knows how to get into your facilities and how to attack you." The cop, by contrast, typically can't help you until after the crime has been committed.

Murphy's hacker-for-hire business is hardly unique. Convicted hacker Kevin Mitnick now runs Defensive Thinking, a computer security firm in Los Angeles (despite the fact that he's been unable to use a computer since his incarceration). Reformed hacker and former FBI informant Justin Tanner Petersen (a.k.a. "Agent Steal") says he works as a security analyst at a Fortune 500 company. Kevin Poulsen ("Dark Dante") is editorial director at SecurityFocus Online, a security news service that Symantec acquired in August 2002. And Max Ray Butler ("Max Vision") was an FBI informant before he was busted for hacking government and military networks.

Despite the war on terror and international cyber-security initiatives, the Internet remains a hacker's paradise. More than 70,000 computer-security incidents were reported during the first nine months of 2002, up from 21,750 for all of 2000, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

One recent denial-of-service attack, launched in October 2002, targeted at least seven of the Internet's thirteen DNS root servers. Security experts described the attack as an ICMP (Internet Control Message Protocol) flood; the attack sent waves of status requests to each of the servers. It didn't halt traffic or degrade the Internet's performance, but experts are worried that the event was a trial run for some sort of larger attack in the months ahead.

If such an attack comes, many companies won't be prepared for it. Only 27 percent of U.S. companies have conducted security training for system and network administrators, according to PricewaterhouseCoopers. And only 14 percent of U.S. companies are willing to hire former hackers to help secure their networks, according to Information Security magazine.

Instead of hiring hackers to actually touch, tour, and attack your systems, a better option may be a more cautious approach. Reformed hackers are more than happy to host full-day seminars for your IT personnel. During the seminars, they can discuss tricks of the trade, "social engineering" techniques that fool users into revealing their passwords, and common hacker tools that may bring down your systems. The seminars can be hosted on neutral ground—away from your offices and, more importantly, without internal access to your systems.

Still, there's a big difference between hacking seminars and hands-on penetration testing, where a hacker can actually show your networks' weak links. "It's a shame that Fortune 500 companies hire suits with high-and-mighty attitudes rather than hiring the real technical geniuses of our society," quips Murphy, an outspoken critic of "certified" security experts who lack hands-on experience.

"Working with a reformed hacker is a worthwhile but potentially embarrassing experience," adds Cheryl Currid, a former IT manager at Coca-Cola who now runs Currid & Co., a consulting firm in Houston. "My advice is to hire the reformed hacker, deal with the embarrassment, and learn from the experience—before an outside hacker plugs into your systems without you knowing it."




Plenty of Options

Of course, reformed hackers aren't the only ones peddling their security expertise to potential customers. Consulting firms (such as Computer Sciences and Electronic Data Systems), service providers (Exodus), and hardware and software vendors (Cisco Systems, Hewlett-Packard, and IBM, to name a few) all want to cash in on the security boom.

In recent months, hundreds of hackers have been joyriding throughout the nation, using laptops with wireless LAN cards to seek out insecure corporate networks. These "war riders" use NetStumbler and other PC software to hunt down signals from wireless LAN access points. Instead of linking to the wireless networks—which is illegal—most war riders just seek to raise awareness about poor wireless LAN security practices.

Jeremiah Grossman, former information security officer at Yahoo, is a poster boy for the corporate hacker movement. At Yahoo, Grossman designed, audited, and attempted to penetrate the company's Web applications. He also oversaw Yahoo's partner-integration security reviews. Grossman is now CEO of WhiteHat Security, a consulting firm in San Jose, California, that performs security and penetration testing for its clientele.

"All hackers aren't necessarily criminal per se, but they do have very advanced skills," says Grossman. "It's similar to any other profession. For example, doctors have very advanced skills, yet some of them are involved in bad and/or illegal activities. Such is the case with hackers."

Security Services

Reformed hackers and security consulting firms offer a fairly similar list of services, including security assessment and penetration testing, systems and network auditing, security policy reviews and consultations, and denial-of-service-attack mitigation.

The fees for such services vary widely. IBM Global Services charges from $15,000 to $200,000 (plus travel costs and applicable taxes) for its Ethical Hacking Services. By contrast, Rent-A-Hacker (www.rent-a-hacker.com) charges $1,400 for a typical Web site security assessment, and former black-hat hackers are known to charge more than $250 an hour for their services.

"The question becomes, Who can you trust?" says Grossman. "Security is about limiting risk. Does hiring someone like a reformed hacker decrease your level of risk? That's a personal question every customer has to weigh."

Generally speaking, companies are loath to disclose their dependence on reformed hackers. Convicted Mitnick accomplice Lewis DePayne, for one, has confirmed that he worked for a Fortune 500 company. Hacker Petersen also says he works for a Fortune 500 firm. Neither hacker, however, cares to mention his employer by name.




Consider Yourself Warned

Are reformed hackers truly trustworthy? Before you answer, consider Petersen's run from justice, which resembles a Hollywood screenplay. Known as "Agent Steal" in the hacker underworld, Petersen served time in the mid-1990s for breaking into several corporate networks, making bomb threats, and stealing money electronically from a bank. Portions of Petersen's digital crime spree were committed while he was working undercover for the FBI, according to court documents. In early 1995, he pleaded guilty to computer wire fraud and wasn't released from prison until April 1997.

Petersen served additional time for violating terms of his parole, but has been a model citizen in recent years. Prior to his current (alleged) post in a Fortune 500 company, Petersen developed intranets and extranets for Cosmic Media, a Los Angeles Internet consulting firm that deployed secure electronic commerce sites for fledgling businesses.

Petersen says he started wiretapping phone systems and hacking computers when he was only twelve. He honed his hacking skills for more than a decade before breaking into TRW's credit system in 1989. Later that year, he and Poulsen rigged Pacific Bell's telecom network and seized a radio station's phone lines to win a $10,000 call-in contest. Petersen and Poulsen said they could latch onto any phone line within Pacific Bell's network, monitor it, ring it, and dial out from it.

Petersen's legal troubles took a dramatic, but brief, turn for the better in September 1991. In return for a lenient sentence after a computer crime conviction, Petersen agreed to work as an informant for the FBI. Petersen and two attorneys close to his case say he helped the FBI amass evidence against former buddy Poulsen, as well as Mitnick and Lewis DePayne.

But, in a critical lesson for corporate America, the FBI's dependence on Petersen backfired. Petersen committed more computer crimes while working for the Feds and became a fugitive in the mid-1990s. He ultimately hacked Heller Financial, a commercial financial service provider in Glendale, California. Once inside Heller's network, Petersen identified a line between two network switches that was accidentally left unencrypted. Petersen used the weak link to transfer $150,000 from Heller's electronic vaults to an account at Union Bank in Bellflower, California. Petersen even made two bomb threats to Heller in an effort to distract employees so they wouldn't notice the transfer of funds, according to court documents.

Safer Options

If the idea of hiring a reformed hacker like Petersen gives you pause, plenty of vendors are willing to step in as middlemen. The obvious first step is contacting a reputable company that has a security practice—such as Hewlett-Packard Consulting, IBM Global Services, and the like.

HP's Global Security Consulting Practice operates security services centers in Bellevue, Washington, and Hong Kong. Both centers offer risk mitigation services (such as penetration testing), security architecture design, and integration services that leverage smart cards, directory services, and other authentication and authorization tools.

Similarly, IBM's Ethical Hacking Services division employs more than three thousand security consultants worldwide (a figure that surely will rise as a result of IBM's acquisition of PricewaterhouseCoopers). IBM's Security and Privacy Service manages security assessments, planning and design, implementation, management, outsourcing, intrusion detection, and managed firewall services.

"IBM has run a formal ethical hacking practice for more than seven years," says Mike Bilger, a global practice leader within IBM Security and Privacy Services. "Our ethical hacking capabilities evolved much earlier than that. Our Watson Labs in New York has a long history of developing tools to protect our customers. Some of those tools became the basis for our ethical hacking services." How many companies use IBM's services? "More than hundreds, but I can't give you an exact number," says Bilger.

One of IBM's first hacking customers was Your Prosperity, the first Australian company to provide online portfolio management services. While IBM Global Services Australia designed the site, an IBM ethical hacking team back in the U.S. attempted to penetrate the site's various front-end and back-end applications, including Lotus Domino and Oracle databases running on Netfinity servers.

Your Prosperity, a subsidiary of National Australia Bank, declines to discuss exactly how IBM attacked its network. But a Your Prosperity spokeswoman says the company was "completely satisfied" with IBM's services.

Similarly, security software maker Eruces of Kansas City, Missouri, paid IBM to hack its database encryption product. Eruces declined to discuss how IBM attacked its software, but a spokeswoman says the test strengthened Eruces' credibility with potential customers.

With customer demand on the rise, some members of IBM's Ethical Hacking Services team have branched off on their own. Brian Kenn, for one, led IBM's team in the Asia-Pacific region prior to launching Pure Hacking, a white-hat hacker company in Australia. His early customers include Bulletproof Networks, Australia's first managed service provider.




Back to School?

Rather than hire reformed hackers or pay big consulting fees to vendors like IBM, some companies are sending their IT employees to hacker school.

Foundstone, a security vendor in Irvine, California, offers a popular four-day course titled "Ultimate Hacking: Hands On." The course teaches students how to use hacking tools like AntiSniff and Big Brother. After each morning session, students apply their newly acquired knowledge by trying to break into computers in the rear of the classroom. Foundstone monitors each classroom system to make sure students aren't attempting to hack outside networks.

David Raikow, a lawyer and IT security expert in San Francisco, completed Foundstone's course a couple of years ago for a technology article he was writing at the time. "The class really opens your eyes to security holes that may exist in your own company," he says. After taking the class, Raikow managed to spot dozens of weak links within his employer's network.

The course, which costs about $7,000, appears to be popular with IT managers from blue-chip companies. Best Buy, Intuit, Symantec, Visa International, and Yahoo, just to name a few, have sent their IT employees to the course.

Still, reformed hackers like Murphy insist that the best education comes from former members of the digital underworld. "Hackers are responsible for much of the testing and workarounds found in today's software," says Murphy. "They have provided real knowledge to IT managers."

But would you trust them with your own systems?


Joseph C. Panettieri is editorial director at the New York Institute of Technology.



Friendly Fire

Ethical hacking services from HP, IBM, Rent-A-Hacker, and other companies cost from $1,400 (low-end, single server) to $15,000 (complete attack on application server), and in some cases $100,000 (distributed attack across server and network components) or more. Here's what a basic ethical-hacking package typically includes:

A review of your overall network design to determine how effectively it prevents untrusted, outside networks from gaining access to your internal, trusted networks and systems.

A test designed to exercise all components within the scope of the project in an attempt to gain unauthorized access to your internal network from three perspectives: a low-level solitary hacker, a small team of competent hackers, and an expert team of highly motivated hackers.

A report describing the strengths and weaknesses found in the various intrusion test scenarios with recommendations for immediate and long-term improvements.

Sources: HP, IBM, Rent-A-Hacker



Six Tips to Security

Can't afford a hacker service? Clip and save these best practices:

1. Outline security and privacy policies, which should cover data access, applications access, network access, privacy, email use, and related topics.

2. Outline an authentication policy that describes how all passwords are maintained and updated within your company.

3. Deploy a directory service that allows users to access only authorized network services.

4. Track your network security by maintaining user sign-on error reports, policy violation reports, resource activity reports, and user-access reports.

5. Embrace disaster recovery (remote backup, restore, emergency facilities, etc.) and test the plan at least twice annually.

6. Stay abreast of six key technologies: firewalls, anti-virus software, certificate authority services, biometrics, encryption, and privacy compliance technologies.

Source: TechVestCo

