Channels ▼
RSS

Dangerous Dealings




Consider Yourself Warned

Are reformed hackers truly trustworthy? Before you answer, consider Petersen's run from justice, which resembles a Hollywood screenplay. Known as "Agent Steal" in the hacker underworld, Petersen served time in the mid-1990s for breaking into several corporate networks, making bomb threats, and stealing money electronically from a bank. Portions of Petersen's digital crime spree were committed while he was working undercover for the FBI, according to court documents. In early 1995, he pleaded guilty to computer wire fraud and wasn't released from prison until April 1997.

Petersen served additional time for violating terms of his parole, but has been a model citizen in recent years. Prior to his current (alleged) post in a Fortune 500 company, Petersen developed intranets and extranets for Cosmic Media, a Los Angeles Internet consulting firm that deployed secure electronic commerce sites for fledgling businesses.

Petersen says he started wiretapping phone systems and hacking computers when he was only twelve. He honed his hacking skills for more than a decade before breaking into TRW's credit system in 1989. Later that year, he and Poulsen rigged Pacific Bell's telecom network and seized a radio station's phone lines to win a $10,000 call-in contest. Petersen and Poulsen said they could latch onto any phone line within Pacific Bell's network, monitor it, ring it, and dial out from it.

Petersen's legal troubles took a dramatic, but brief, turn for the better in September 1991. In return for a lenient sentence after a computer crime conviction, Petersen agreed to work as an informant for the FBI. Petersen and two attorneys close to his case say he helped the FBI amass evidence against former buddy Poulsen, as well as Mitnick and Lewis DePayne.

But, in a critical lesson for corporate America, the FBI's dependence on Petersen backfired. Petersen committed more computer crimes while working for the Feds and became a fugitive in the mid-1990s. He ultimately hacked Heller Financial, a commercial financial service provider in Glendale, California. Once inside Heller's network, Petersen identified a line between two network switches that was accidentally left unencrypted. Petersen used the weak link to transfer $150,000 from Heller's electronic vaults to an account at Union Bank in Bellflower, California. Petersen even made two bomb threats to Heller in an effort to distract employees so they wouldn't notice the transfer of funds, according to court documents.

Safer Options

If the idea of hiring a reformed hacker like Petersen gives you pause, plenty of vendors are willing to step in as middlemen. The obvious first step is contacting a reputable company that has a security practice—such as Hewlett-Packard Consulting, IBM Global Services, and the like.

HP's Global Security Consulting Practice operates security services centers in Bellevue, Washington, and Hong Kong. Both centers offer risk mitigation services (such as penetration testing), security architecture design, and integration services that leverage smart cards, directory services, and other authentication and authorization tools.

Similarly, IBM's Ethical Hacking Services division employs more than three thousand security consultants worldwide (a figure that surely will rise as a result of IBM's acquisition of PricewaterhouseCoopers). IBM's Security and Privacy Service manages security assessments, planning and design, implementation, management, outsourcing, intrusion detection, and managed firewall services.

"IBM has run a formal ethical hacking practice for more than seven years," says Mike Bilger, a global practice leader within IBM Security and Privacy Services. "Our ethical hacking capabilities evolved much earlier than that. Our Watson Labs in New York has a long history of developing tools to protect our customers. Some of those tools became the basis for our ethical hacking services." How many companies use IBM's services? "More than hundreds, but I can't give you an exact number," says Bilger.

One of IBM's first hacking customers was Your Prosperity, the first Australian company to provide online portfolio management services. While IBM Global Services Australia designed the site, an IBM ethical hacking team back in the U.S. attempted to penetrate the site's various front-end and back-end applications, including Lotus Domino and Oracle databases running on Netfinity servers.

Your Prosperity, a subsidiary of National Australia Bank, declines to discuss exactly how IBM attacked its network. But a Your Prosperity spokeswoman says the company was "completely satisfied" with IBM's services.

Similarly, security software maker Eruces of Kansas City, Missouri, paid IBM to hack its database encryption product. Eruces declined to discuss how IBM attacked its software, but a spokeswoman says the test strengthened Eruces' credibility with potential customers.

With customer demand on the rise, some members of IBM's Ethical Hacking Services team have branched off on their own. Brian Kenn, for one, led IBM's team in the Asia-Pacific region prior to launching Pure Hacking, a white-hat hacker company in Australia. His early customers include Bulletproof Networks, Australia's first managed service provider.



Related Reading


More Insights






Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.