Information Security News mailing list archives

Ex-hackers 'rubbish at security'


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Nov 2003 03:16:39 -0600 (CST)

http://www.pcw.co.uk/News/1147140

By Iain Thomson 
[04-11-2003]

Companies should stop hiring hackers to beef up security - not for
ethical reasons but because they are no good at it, according to
experts.

Delegates at the RSA Security Conference in Amsterdam heard a panel of
reformed hackers, police officers, members of the legal profession and
corporate security experts launch scathing attacks on the abilities of
most hackers.

The skills that make a good hacker are not the same as those required
by an IT security officer, delegates were told.

"Everyone thinks that if you know how to break into a system then you
must know how to protect one. It's rubbish. I could teach a monkey to
break into a system in four hours," claimed Ira Winkler, chief
security strategist at Hewlett Packard.

"While there are highly skilled technical hackers out there, they are
the ones you never know about because they don't get caught."

But most hackers are IT professionals in their 20s and 30s, suggesting
that companies may be late in their realisation that cyber-poachers do
not make good cyber-gamekeepers.

"Why would you want to employ a hacker with a criminal record, i.e.  
someone so bad they'd been caught?" asked Tony Neate, industry liaison
officer at the National High Tech Crime Unit.

"After all, if a bank is looking to employ a security guard they don't
try and find a former bank robber to guard their safe. Companies must
be sure that they know their staff's backgrounds."

Checking employees was highlighted as essential, but there was a gap
in the law as juvenile criminal records are sealed when the
perpetrator reaches adulthood.

But a quick search of the internet using a web or newsgroup search
engine should reveal details of a person's hacking history, if it
exists.



-
ISN is currently hosted by Attrition.org
