Information Security News mailing list archives

It takes a hacker to catch one


From: InfoSec News <isn () C4I ORG>
Date: Thu, 12 Oct 2000 08:41:56 -0500

http://www.telegraph.co.uk/et?ac=003100565149417&rtmo=qXbpdde9&atmo=99999999&pg=/et/00/10/12/ecfhack12.html

Last month, Britain's biggest bank HSBC had its web site defaced by
Herbless the Hacker. Mike Anderiesz meets the professionals who fight
such attacks

A HACKER, it is generally thought, is the person who sabotages the
government's computer system, defaces web sites and generally causes
techno-havoc.

But don't forget their ethical cousins, sometimes known as counter
hackers or white hackers, who actually get invited to the party,
rather than gatecrashing.

Their job is to break into supposedly secure networks, servers and
desktop terminals, expose the security flaws, collect a big fat cheque
and leave by the front door. That is the important bit. Ethical
hackers don't need to scuttle out through the back door after breaking
the system and causing havoc. They are paid by companies to spot the
flaws in their security system to stop attacks from less welcome
visitors.

Ethical hacking was virtually unknown 10 years ago, but it is now used
by many of the world's largest companies. So what exactly makes a good
ethical hacker? How does somebody end up with such a job? It is not
exactly listed high on the traditional career options of law,
accountancy or banking.

In general, hackers do not suddenly turn evangelical - poachers rarely
turn gamekeeper. Most ethical hackers have a military background. Bill
Pepper, UK head of security at the online security consultancy Computer
Sciences Corporation, which does work for the White House, said:
"People from a military background understand the capabilities of
hostile activities rather more than commercial people. They've lived
with a real threat which few people in sales or marketing have."

What skills do you need to be an ethical hacker? Mark Shaw, head of
security at management consultants Buchanan International, said: "A
basic recognition of what is right and what is wrong is a key
character foundation. These people work within sensitive environments
and on sensitive projects that are at the very heart of some
businesses." The ideal candidate is young, predominantly male, with
knowledge of corporate computer software such as Unix and NT, but
above all curiosity.

John Butters, head of the accountants Ernst & Young's splendidly-named
Attack and Penetration unit, said: "Mostly there's a lot of 'detective
work' gathering as much information as possible without drawing
attention to oneself. This includes scanning publicly available
information.

"We also use 'social engineering' to glean information. We might pose
as a journalist doing research and then coax security information from
interviewees."

Ethical hackers typically earn between 40,000 and 80,000 a year. The
industry is recruiting quickly after a summer of security scares from
companies including PowerGen, Barclays Bank and Prudential's online
bank Egg.

The working hours are rarely 9am to 5pm, as most of the best stuff gets
done in the small hours. The work includes "war-dialling", or blanket
calling company telephones to find modems not connected to a firewall,
and even going through the rubbish in search of passwords scribbled on
scrap paper. Such detective work is probably the main reason why it
attracts so many people from the military and security services.

Butters, who does not have a military background, says: "Typically
they have specific training and experience in matters relating to
security. They know how to define what it is that we should protect
against, how to identify our vulnerabilities, how to identify 'the
enemy', and how to counter the threats posed."

It is estimated that around 80pc of all security breaches are internal
with the majority caused by basic negligence. Herbless, the hacker who
last month defaced around 450 corporate web sites including Britain's
biggest bank HSBC with anti-fuel cost slogans, even taunted his
victims with their own ineptitude. "Admin: Learn how to change
passwords," he boasted. "Hint: SQL server doesn't just do SQL."
Herbless has since taken early retirement.

Shaw says: "I would say that around 70pc of companies have not taken
security into serious consideration at the levels which it demands. By
that, I mean actually woven it into their business plan.

"We go into companies that say they have tight security and find
anything from nothing at all, and then there are companies with a
security policy which is actually preventing them doing business."

Butters goes even further. He says: "Often we just look for senior
management who are so important they have high levels of access but
are too busy to use their computers. The biggest fish can be the
biggest liabilities."

With more companies going online, ethical hacking looks set to follow
virus-busting as one of those services which you ignore until disaster
strikes. "There is a 100pc solution to security," says Shaw. "Don't go
online in the first place."

ISN is hosted by SecurityFocus.com