Dr. Dobb's is part of the Informa Tech Division of Informa PLC


Dangerous Dealings


"People have to do themselves a favor and stop condemning hackers as bad," says Ian Murphy, a reformed hacker and one of the first people convicted of a computer crime in the United States. "Hackers have a better understanding of technology environments than a typical IT manager could ever gather on his own."

Murphy, known in the hacker community as Captain Zap, spent portions of the early 1980s probing telecom systems and private networks. He even claims to have used the White House switchboard to make calls to Europe before being fined $1,000 and sentenced to thirty months' probation for his online exploits.

Murphy now runs IAM/Secure Data Systems, a decade-old consulting firm that specializes in IT security. "In my opinion, companies that need security experts are best served by hiring burglars instead of cops," says Murphy, from his office in Tampa Bay, Florida. "The burglar knows how to get into your facilities and how to attack you." The cop, by contrast, typically can't help you until after the crime has been committed.

Murphy's hacker-for-hire business is hardly unique. Convicted hacker Kevin Mitnick now runs Defensive Thinking, a computer security firm in Los Angeles (despite the fact that he's been unable to use a computer since his incarceration). Reformed hacker and former FBI informant Justin Tanner Petersen (a.k.a. "Agent Steal") says he works as a security analyst at a Fortune 500 company. Kevin Poulsen ("Dark Dante") is editorial director at SecurityFocus Online, a security news service that Symantec acquired in August 2002. And Max Ray Butler ("Max Vision") was an FBI informant before he was busted for hacking government and military networks.

Despite the war on terror and international cyber-security initiatives, the Internet remains a hacker's paradise. More than 70,000 computer-security incidents were reported during the first nine months of 2002, up from 21,750 for all of 2000, according to the Computer Emergency Response Team (CERT) at Carnegie Mellon University.

One recent denial-of-service attack, launched in October 2002, targeted at least seven of the Internet's thirteen DNS root servers. Security experts described the attack as an ICMP (Internet Control Message Protocol) flood; the attack sent waves of status requests to each of the servers. It didn't halt traffic or degrade the Internet's performance, but experts are worried that the event was a trial run for some sort of larger attack in the months ahead.

If such an attack comes, many companies won't be prepared for it. Only 27 percent of U.S. companies have conducted security training for system and network administrators, according to PricewaterhouseCoopers. And only 14 percent of U.S. companies are willing to hire former hackers to help secure their networks, according to Information Security magazine.

Instead of hiring hackers to actually touch, tour, and attack your systems, a better option may be a more cautious approach. Reformed hackers are more than happy to host full-day seminars for your IT personnel. During the seminars, they can discuss tricks of the trade, "social engineering" techniques that fool users into revealing their passwords, and common hacker tools that may bring down your systems. The seminars can be hosted on neutral ground—away from your offices and, more importantly, without internal access to your systems.

Still, there's a big difference between hacking seminars and hands-on penetration testing, where a hacker can actually show your networks' weak links. "It's a shame that Fortune 500 companies hire suits with high-and-mighty attitudes rather than hiring the real technical geniuses of our society," quips Murphy, an outspoken critic of "certified" security experts who lack hands-on experience.

"Working with a reformed hacker is a worthwhile but potentially embarrassing experience," adds Cheryl Currid, a former IT manager at Coca-Cola who now runs Currid & Co., a consulting firm in Houston. "My advice is to hire the reformed hacker, deal with the embarrassment, and learn from the experience—before an outside hacker plugs into your systems without you knowing it."
