Information Security News mailing list archives

Sleeping with the enemy


From: InfoSec News <isn () c4i org>
Date: Tue, 13 Aug 2002 04:25:05 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.theage.com.au/articles/2002/08/10/1028158034389.html

By Kim Zetter
August 13 2002

A good hacker is hard to find, or so it seemed during the dot-com
boom. Companies, particularly in the United States, were making the
rounds of hacker conferences and IRC channels willing to pay $150,000
for a security guru who was still going through his voice change.

Even the American assistant secretary of defence showed up last year
at the hacker blowout in Las Vegas known as Def Con to recruit "the
best of the best" for a cyber-terrorism unit.

But as computer security has become more specialised and training has
improved, legitimate pros have elbowed aside the teens.

So it seems odd that only 43 per cent of Australian organisations
would be willing to hire former hackers to help secure their networks;  
only 14 per cent of US organisations said they would do the same.

Perhaps it all depends on who you are calling a hacker.

Some of the most respected names in computer security are also some of
the most respected names in the hacking community.

And many tools used for testing the security of networks (and, well,
for cracking them) were designed by hackers.

Massachusetts-based security firm @stake is composed of former members
of the L0pht hacking group, which developed a password-cracking tool
called L0phtCrack. Peiter Zatko (aka Mudge), the company's pony-tailed
founder, even testified before the US Congress on computer security.

Then there's Chris Goggans (aka Erik Bloodaxe) of Security Design
International, who served as editor of the notorious hacker zine
Phrack, a cornucopia of illegal tips and tricks. And Rain Forest Puppy
(he prefers not to have his real name published), another security
pro, has found many holes in Microsoft products and has developed a
respectful relationship with that company. But he has also developed
an anti-IDS Web scanning tool called Whisker that hackers use to
ferret out their prey.

Most hackers working in security are either reformed black-hat hackers
or people who never dirtied their hats beyond grey. That is, they may
have cracked systems but didn't cause destruction or steal data. Or at
least they did not get caught doing it.

Hackers with a criminal record or who admit to still hacking are
rarely trusted with a job these days, although, incredibly, at one
time they were.

The hiring of the latter type of hackers in the US has, thankfully,
fallen out of fashion, says Giga analyst Steve Hunt. "You can hire
someone who is an expert at defending resources or who is an expert at
violating them. They both have the same fundamental skills. But just
one has a professional ethic and a legacy of honour and service."

The risks of hiring a known hacker are obvious. But you face the same
risks with any disgruntled employee or with a closet hacker who does a
little unauthorised sleuthing through your system.

Companies that claim to oppose hiring hackers are probably unwittingly
hiring them, says William Knowles, editor of security news list
InfoSec, who notes that today's hackers have little to distinguish
them from traditional security administrators.

"A few years ago at Def Con I saw a lot of familiar faces in the
hacking crowd, but I didn't know why they were familiar. Then I
realised they were the same faces I'd seen at security conferences.  
Companies have been hiring hackers for years, they just don't realise
it," he says.

Mario Duarte, a former administrator of the now-defunct Zuma, a San
Francisco-based host for e-commerce sites, considered himself
brilliant for hiring Optyx a few years back.

Optyx was a skinny, 19-year-old hacker with blue hair and ties to Cult
of the Dead Cow, makers of a Trojan horse called Back Orifice.

Duarte says Optyx was invaluable for showing him holes in Zuma's
systems that he was sure didn't exist.

But he had sleepless nights over the next couple of months, wondering
if the hacker would turn on him.

As it happened, it was another hacker hired by Duarte at Optyx's
request who proved a liability when a bad attitude and personal
problems made it clear the teen didn't belong in a corporate
environment.

But how do you fire a hacker? Pretty easily, it turned out. Optyx, who
took pride in Zuma's servers as his personal domain, made it clear to
his departing friend the possible consequences of seeking revenge:  
"Don't even think about it, dude. I'll hunt you down and kill you."


 
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

