Information Security News mailing list archives
How to Hire a Hacker
From: William Knowles <wk () C4I ORG>
Date: Thu, 29 Jun 2000 01:36:13 -0500
http://www.zdnet.com/smartbusinessmag/stories/all/0,6605,2577905,00.html

By Christopher Null, Smart Business
June 12, 2000 9:00 PM PT

Jack Stevens knew his company was being hacked. Someone was snooping around in sensitive information on the company network. So Stevens (not his real name) called John Klein's Rent-A-Hacker (www.rent-a-hacker.com), a security consulting firm. Klein leapt into action.

Klein logged onto the client company's network and quickly sized up the situation. The intruder had exploited a common Solaris server bug. Klein immediately found what had gone on. "The trick was not just blocking them out, but finding out who they were," Klein says. "But it's delicate. It's like a chess game: First mistake loses."

Klein employs some 300 freelance computer security experts, better known as hackers, throughout the world. He handpicks a specialist to fit each call he gets. In this case, he tapped Kelvin Wong, a top operative who also happens to be his company's chief operating officer. Wong back-traced the intruder's connection to a Canadian @Home network, which tracked him to his cable modem. To confuse his pursuers, the offender launched several denial-of-service attacks. But eventually the intruder lost the chess game and was handed over to the Royal Canadian Mounted Police.

By acting quickly and returning the attack against its intruder, the victimized company foiled the hacker and prevented any real damage. In the dot-com era more than ever, the best defense is a good offense.

In the wake of recent security fiascoes like the theft of 350,000 credit card numbers from CD Universe and the rampant distributed denial-of-service attacks on top Web sites this spring, hacker-for-hire services are thriving. Andersen Consulting, IBM, Pinkertons, and even software developers like Internet Security Systems are offering what they call security auditing and other ethical hacking services.

So who needs a security consultant? Everybody.
"Ninety percent of all systems are insecure and hackable," according to Wong. "It's not a question of whether they can be hacked or not, it's a matter of when and how."

Wong's estimate looks spot-on. In March, the Computer Security Institute (www.gocsi.com) took its fifth annual survey of large corporations and government agencies. Ninety percent said that computer security breaches had occurred within the last 12 months, and 70 percent classified those incidents as serious, constituting theft of proprietary information, financial fraud, and sabotage. The total bill? More than $265 million in losses.

The numbers are sobering, and they make Rent-A-Hacker's $175-and-up hourly rate look like chicken scratch.

More traditional security companies like Internet Security Systems (www.iss.net) tend to offer a wider range of security services. Mark Sims, ISS's vice president of managed security services, leads the company's outsourced firewall, virtual private network, and antivirus management services in addition to its ethical hacking services (also known as penetration testing). ISS's ePatrol Internet scanning service scans company systems starting at $10,000 per year; subscription cost varies with network size.

ISS uses internal staff for security jobs, eschewing the consultants Rent-A-Hacker uses. The reason, Sims says, is because it's crucial to build trust between ISS and its clients. ISS does background checks, Sims says, but "finding out if someone was a [malicious] hacker or not is virtually impossible. We're performing the same actions a hacker would, we're just not exploiting them. We hire people and educate them on hacker techniques."

John Spain, president and CEO of Pinkertons' Information Risk Group (www.pinkertons.com), says his company provides a full range of information security and risk management services, including penetration testing.
Pinkertons employs its own specialists and uses partners to cover specific areas of expertise, though the company policy is to "never employ someone with a history of [malicious] hacking." Spain declined to discuss pricing, saying fees are always negotiated with customers individually.

For top-of-the-line security consulting, IBM's Ethical Hacking Service offers all kinds of security assistance, from design and implementation to maintenance. Al Decker, managing principal of security and privacy services for IBM's Global Services division (www.ibm.com/security/services), says that penetration testing is just a small part of his company's offerings. On average, clients pay from $25,000 to $50,000 for a typical contract.

Rent-A-Hacker's Klein says his boutique service is better, pointing to the big guys' higher fees and saying they lack the kind of experience his contractors have. "We differ from most in the fact that we cater to small businesses and individuals," he says. "We see things more from a real-world perspective. We know there are 14-year-old kids out there who can hack and do things well beyond what someone with a computer science degree sitting in an office would ever even dream of. We know the tools those kids use, and their methods are beyond conventional thinking."

To get beyond that conventional thinking, Klein says he calls on his 300-plus contractors in the hacker community, each with a specialty, a particular operating system or a well-known firewall. "I match up the skills of my hackers with the particulars of the job," he says. "It's impossible for any one person, firm, or software program to cover all the bases, so almost invariably [the hackers are] successful."

Klein says that the prepackaged security scanners (like WebTrends Security Analyzer or Network Associates CyberCop) simply don't do the job because they focus only on common security holes and can't invent creative attacks like real hackers can.
"Most of the time, what trips up system administrators is that they think like system administrators and not like hackers," Klein says. "We spend a lot of time teaching our clients to think like hackers."

Thinking like a hacker means knowing what a hacker wants. Some want data, says Klein, but "the real hacker challenge comes from inventing a new way in. That's what we find: new and creative ways to exploit a system."

What common holes do hackers find in systems? There's no standard answer, according to Klein, though "some of the most egregious holes we have found were the simplest things." Wong adds that hackers come up with zero-day (that is, brand-new) tactics all the time. Occasionally he finds systems that have been backdoored: hackers create secret entryways by modifying the software installed on a server.

Klein and Wong say that the biggest Internet security holes today are not found on Windows. Sun Solaris and Linux power a huge portion of servers connected to the Web, and security on these systems is typically spotty. However, ISS's Sims says that the most common hole his company finds involves Microsoft Windows NT running Internet Information Server. "The Web server that comes out of the box has many security problems," says Sims, adding that no one bothers to apply the patches.

IBM's Decker points to a more pedestrian security issue as the most widespread. "Unfortunately, the most common security holes are default passwords and out-of-the-box settings," he says, followed by failure to do basic maintenance or upgrade to new, more secure software packages.

So what about the question of hiring a supposedly reformed hacker to muck around on your network as an invited guest? Would you trust a criminal, even a rehabilitated one, with your most precious company secrets? Former hackers and their employers universally insist that potential clients have nothing to worry about.
"I have taken great pains to allow my clients to trust my company as well as my contractors," says Klein. "I sign an all-encompassing nondisclosure agreement with each client, as well as provide them with copies of the nondisclosure agreement I have pre-executed with each contractor."

Every company we talked to also stressed the importance of thorough background checks. But while Klein says his insistence is genuine, his NDA recognizes that even he can't guarantee the identity of his contractors: "Rent-A-Hacker hereby warrants that it has made its best-faith effort to verify the legal identity of its subcontractors, however, Rent-A-Hacker makes no warranties . . . concerning the validity, accuracy, quality, or completeness of any of the representations made by any subcontractors."

But Wong pooh-poohs any notion that hired guns have a hidden agenda. The ex-hacker is pragmatic about the idea of going beyond the scope of his assignment, saying simply, "I could be sued."

Security analysis services like Rent-A-Hacker are just the beginning. Companies are learning that they need more comprehensive protection. Chief among the outsourced security companies is Counterpane Internet Security (www.counterpane.com), founded by noted cryptographer Bruce Schneier. Counterpane installs hardware on its customers' premises that patrols the network for security violations. At one base of operations, Counterpane keeps tabs on clients' networks 24 hours a day, and the company can act the moment something suspicious arises.

Schneier remains skeptical about his competition: "What hire-a-hacker services do is run a tiger team against your system, which is good for finding out what the vulnerabilities are. What we do is alarm monitoring . . . 24-by-7, real-time."
To better illustrate the difference, Schneier offers a physical analogy: "You might want to hire someone to break into your warehouse to see if you're vulnerable, but that doesn't mean you're going to fire your burglar alarm company. Both are valuable, but certainly a burglar alarm is more valuable. Experts are expensive, and they don't tell you if you're safe or not. They tell you whether that particular expert was able to break in on that particular day using that particular set of tools."

At seventeen, Australian hacker Kelvin Wong made a bold decision worthy of a man thrice his age: He went legit. His juvenile exploits included such high-profile targets as nasa.gov, army.mil, and usda.gov. But before Wong could get busted, he abandoned the dark side. "I was turning 18. I didn't want to go to jail," he says.

Now 18, Wong has a rosy future. Impressed with his innate knowledge of computer networks, Rent-A-Hacker founder John Klein hired Wong as his chief operating officer. Wong is now Klein's go-to guy on several security consulting gigs.

Still, Wong insists that hackers aren't all bad: "Most individuals or governments project us as malicious and having vast quantities of time to waste to destroy computers. We're just people who are interested in computers."

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions
http://www.c4i.org
*-------------------------------------------------*

ISN is hosted by SecurityFocus.com