October 23, 2000 |
Vulnerabilities Beckon Some With A License To Hack
Companies must consider legal ramifications, along with ethics, when they hire hackers
By George V. Hulme with additional reporting by Tony Kontzer
Companies that want to uncover network and system security vulnerabilities have two choices: They can hire a team of penetration experts to scan and probe their systems and uncover their vulnerabilities, or they can wait for a malicious hacker to come by and exploit them. Unfortunately, many companies choose the latter.
Recently, there has been a flurry of security breaches among large organizations that have made headlines. On Sept. 9, Western Union warned customers about a security breach on the company's Web site that let loose the credit- and debit-card information for 15,700 customers. In mid-June, America Online's network fell victim to hackers who successfully planted on its system a Trojan horse that opened a gateway into AOL's internal network, including the company's customer-service application. Roughly 200 customer accounts were compromised.
In August, when Verizon Communications launched an online support page to help customers diagnose phone trouble without having to speak to an operator, the site was a bit too helpful--researchers found that Web surfers could get access to any customer's personal data simply by entering a phone number.
On Sept. 21, a Miami court sentenced a 16-year-old youth to six months in a detention center after he admitted to hacking into military and NASA computer networks between June and October 1999. His activities caused a three-week shutdown of NASA's systems and a security breach of a military computer network used by the Defense Threat Reduction Agency, which protects against conventional, biological, chemical and nuclear-weapon attacks.
The youth intercepted more than 3,000 E-mails and garnered 19 defense agency employee names and passwords. He also captured proprietary software worth $1.7 million from NASA that helped maintain temperature and humidity levels in the international space station's living quarters.
According to the hacker newsletter 2600, more than 350 high-profile sites were hacked in 1999. That's just a small sampling of actual hacks--most industry watchers agree that only a handful of security breaches are ever reported.
To minimize the risk of being the victim of a successful hack attack, most companies would benefit from the help of a hired hacker who could scan their systems for vulnerabilities. Once the scan is completed, the consultant would deliver a report, or security posture assessment, detailing all vulnerabilities found and the actions needed to remedy them.
This type of security consultant is commonly referred to as an ethical hacker, because the goal is to fill security holes, not exploit them.
Jim Finn, principal of enterprise security practice for Unisys Corp., is an ethical hacker and has conducted more than 200 security engagements in more than 20 countries during the past 15 years for both private and governmental organizations. He has yet to find a system he can't hack into. "Our claim to fame is we have never failed to gain privileged control of any system we have ethically hacked," he says.
While most companies would benefit from such careful security examination, those that consider hiring a security consultant need to take precautions. Many security firms hire "reformed" hackers--hackers with a record who've made the decision to turn their skills into a paying proposition.
In a recent InformationWeek Research Global Information Security Survey of 4,900 security professionals, 55% indicated they would consider employing reformed hackers as consultants for security reviews.
Don Durand, IS manager at American Radio Relay League Inc., an amateur radio operators organization in Newington, Conn., says there are things to consider when hiring a reformed hacker. "The key is to look at each hacker as an individual and judge accordingly. Was this some whiz kid at the age of 13 knocking on the doors of the Pentagon because he was curious and had the skills? Or is this some kid stealing and selling corporate secrets? I've had this discussion with many peers over drinks and nobody has a clear-cut answer," he says.
George Johnson, chief animation and technical officer for entertainment Web site TheThreshold.com, takes another view of the hacker mentality. "People make strange choices in life," he says. "I try not to make judgments based on people's past choices. But I don't think you can be a reformed hacker. That essential curiosity on finding out how things work, which is what causes people to be hackers anyway, if that goes away, then I probably don't want you as an employee. It's a tough one. I've probably unwittingly already hired some."