Plenty of Options
Of course, reformed hackers aren't the only ones peddling their security expertise to potential customers. Consulting firms (such as Computer Sciences and Electronic Data Systems), service providers (Exodus), and hardware and software vendors (Cisco Systems, Hewlett-Packard, and IBM, to name a few) all want to cash in on the security boom.
In recent months, hundreds of hackers have been joyriding throughout the nation, using laptops with wireless LAN cards to seek out insecure corporate networks. These "war riders" use NetStumbler and other PC software to hunt down signals from wireless LAN access points. Instead of linking to the wireless networks, which is illegal, most war riders just seek to raise awareness about poor wireless LAN security practices.
Jeremiah Grossman, former information security officer at Yahoo, is a poster boy for the corporate hacker movement. At Yahoo, Grossman designed, audited, and attempted to penetrate the company's Web applications. He also oversaw Yahoo's partner-integration security reviews. Grossman is now CEO of WhiteHat Security, a consulting firm in San Jose, California, that performs security and penetration testing for its clientele.
"All hackers aren't necessarily criminal per se, but they do have very advanced skills," says Grossman. "It's similar to any other profession. For example, doctors have very advanced skills, yet some of them are involved in bad and/or illegal activities. Such is the case with hackers."
Security Services
Reformed hackers and security consulting firms offer a fairly similar list of services, including security assessment and penetration testing, systems and network auditing, security policy reviews and consultations, and denial-of-service-attack mitigation.
The fees for such services vary widely. IBM Global Services charges from $15,000 to $200,000 (plus travel costs and applicable taxes) for its Ethical Hacking Services. By contrast, Rent-A-Hacker (www.rent-a-hacker.com) charges $1,400 for a typical Web site security assessment, and former black-hat hackers are known to charge more than $250 an hour for their services.
"The question becomes, Who can you trust?" says Grossman. "Security is about limiting risk. Does hiring someone like a reformed hacker decrease your level of risk? That's a personal question every customer has to weigh."
Generally speaking, companies are loath to disclose their dependence on reformed hackers. Convicted Mitnick accomplice Lewis DePayne, for one, has confirmed that he worked for a Fortune 500 company. Hacker Petersen also says he works for a Fortune 500 firm. Neither hacker, however, cares to mention his employer by name.