Information Security News mailing list archives
It takes a hacker to catch one
From: InfoSec News <isn () C4I ORG>
Date: Thu, 12 Oct 2000 08:41:56 -0500
http://www.telegraph.co.uk/et?ac=003100565149417&rtmo=qXbpdde9&atmo=99999999&pg=/et/00/10/12/ecfhack12.html

Last month, Britain's biggest bank HSBC had its web site defaced by Herbless the Hacker. Mike Anderiesz meets the professionals who fight such attacks.

A hacker, it is generally thought, is the person who sabotages the government's computer system, defaces web sites and generally causes techno-havoc. But don't forget their ethical cousins, sometimes known as counter hackers or white hackers, who actually get invited to the party rather than gatecrashing. Their job is to break into supposedly secure networks, servers and desktop terminals, expose the security flaws, collect a big fat cheque and leave by the front door.

That is the important bit. Ethical hackers don't need to scuttle out through the back door after breaking the system and causing havoc. They are paid by companies to spot the flaws in their security system to stop attacks from less welcome visitors. Ethical hacking was virtually unknown 10 years ago, but it is now used by many of the world's largest companies.

So what exactly makes a good ethical hacker? How does somebody end up with such a job? It is not exactly listed high on the traditional career options of law, accountancy or banking. In general hackers do not suddenly turn evangelical - poachers rarely turn gamekeeper. Most ethical hackers have a military background.

Bill Pepper, UK head of security at the online security consultants Computer Sciences Corporation, which does work for the White House, said: "People from a military background understand the capabilities of hostile activities rather more than commercial people. They've lived with a real threat which few people in sales or marketing have."

What skills do you need to be an ethical hacker? Mark Shaw, head of security at management consultants Buchanan International, said: "A basic recognition of what is right and what is wrong is a key character foundation. These people work within sensitive environments and on sensitive projects that are at the very heart of some businesses."

The ideal candidate is young, predominantly male, with knowledge of corporate computer software such as Unix and NT, but above all curiosity. John Butters, head of the accountants Ernst & Young's splendidly-named Attack and Penetration unit, said: "Mostly there's a lot of 'detective work' gathering as much information as possible without drawing attention to oneself. This includes scanning publicly available information.

"We also use 'social engineering' to glean information. We might pose as a journalist doing research and then coax security information from interviewees."

Ethical hackers typically earn between 40,000 and 80,000 a year. The industry is recruiting quickly after a summer of security scares from companies including PowerGen, Barclays Bank and Prudential's online bank Egg.

The working hours are rarely 9am to 5pm, as most of the best stuff gets done in the small hours: "war-dialling", or blanket calling, company telephones to find modems not connected to a firewall, even going through the rubbish in search of passwords scribbled on scrap paper. Such detective work is probably the main reason why it attracts so many people from the military and security services.

Butters, who does not have a military background, says: "Typically they have specific training and experience in matters relating to security. They know how to define what it is that we should protect against, how to identify our vulnerabilities, how to identify 'the enemy', and how to counter the threats posed."

It is estimated that around 80pc of all security breaches are internal, with the majority caused by basic negligence. Herbless, the hacker who last month defaced around 450 corporate web sites, including Britain's biggest bank HSBC, with anti-fuel cost slogans, even taunted his victims with their own ineptitude. "Admin: Learn how to change passwords," he boasted. "Hint: SQL server doesn't just do SQL." Herbless has since taken early retirement.

Shaw says: "I would say that around 70pc of companies have not taken security into serious consideration at the levels which it demands. By that, I mean actually woven it into their business plan.

"We go into companies that say they have tight security and find anything from nothing at all, and then there are companies with a security policy which is actually preventing them doing business."

Butters goes even further. He says: "Often we just look for senior management who are so important they have high levels of access but are too busy to use their computers. The biggest fish can be the biggest liabilities."

With more companies going online, ethical hacking looks set to follow virus-busting as one of those services which you ignore until disaster strikes. "There is a 100pc solution to security," says Shaw. "Don't go online in the first place."