"People have to do themselves a favor and stop condemning hackers as bad," says Ian Murphy, a reformed hacker and one of the first people convicted of a computer crime in the United States. "Hackers have a better understanding of technology environments than a typical IT manager could ever gather on his own."
Murphy, known in the hacker community as Captain Zap, spent portions of the early 1980s probing telecom systems and private networks. He even claims to have used the White House switchboard to make calls to Europe before being fined $1,000 and sentenced to thirty months' probation for his online exploits.
Murphy now runs IAM/Secure Data Systems, a decade-old consulting firm that specializes in IT security. "In my opinion, companies that need security experts are best served by hiring burglars instead of cops," says Murphy, from his office in Tampa Bay, Florida. "The burglar knows how to get into your facilities and how to attack you." The cop, by contrast, typically can't help you until after the crime has been committed.
Murphy's hacker-for-hire business is hardly unique. Convicted hacker Kevin Mitnick now runs Defensive Thinking, a computer security firm in Los Angeles (despite the fact that he's been unable to use a computer since his incarceration). Reformed hacker and former FBI informant Justin Tanner Petersen (a.k.a. "Agent Steal") says he works as a security analyst at a Fortune 500 company. Kevin Poulsen ("Dark Dante") is editorial director at SecurityFocus Online, a security news service that Symantec acquired in August 2002. And Max Ray Butler ("Max Vision") was an FBI informant before he was busted for hacking government and military networks.
Despite the war on terror and international cyber-security initiatives, the Internet remains a hacker's paradise. More than 70,000 computer-security incidents were reported during the first nine months of 2002, up from 21,750 for all of 2000, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.
One recent denial-of-service attack, launched in October 2002, targeted at least seven of the Internet's thirteen DNS root servers. Security experts described the attack as an ICMP (Internet Control Message Protocol) flood; the attack sent waves of status requests to each of the servers. It didn't halt traffic or degrade the Internet's performance, but experts are worried that the event was a trial run for some sort of larger attack in the months ahead.
If such an attack comes, many companies won't be prepared for it. Only 27 percent of U.S. companies have conducted security training for system and network administrators, according to PricewaterhouseCoopers. And only 14 percent of U.S. companies are willing to hire former hackers to help secure their networks, according to Information Security magazine.
Instead of hiring hackers to actually touch, tour, and attack your systems, a better option may be a more cautious approach. Reformed hackers are more than happy to host full-day seminars for your IT personnel. During the seminars, they can discuss tricks of the trade, "social engineering" techniques that fool users into revealing their passwords, and common hacker tools that may bring down your systems. The seminars can be hosted on neutral ground, away from your offices and, more importantly, without internal access to your systems.
Still, there's a big difference between hacking seminars and hands-on penetration testing, where a hacker can actually show your networks' weak links. "It's a shame that Fortune 500 companies hire suits with high-and-mighty attitudes rather than hiring the real technical geniuses of our society," quips Murphy, an outspoken critic of "certified" security experts who lack hands-on experience.
"Working with a reformed hacker is a worthwhile but potentially embarrassing experience," adds Cheryl Currid, a former IT manager at Coca-Cola who now runs Currid & Co., a consulting firm in Houston. "My advice is to hire the reformed hacker, deal with the embarrassment, and learn from the experience, before an outside hacker plugs into your systems without you knowing it."