Reprinted from Ziff Davis Smart Business Magazine (formerly PC Computing)
July 2000

Article text in Adobe PDF
Article text in MSWord97+

How to Hire a Hacker

By Christopher Null

 Jack Stevens knew his company was being hacked. Someone was snooping around in sensitive information on the company network. So Stevens (not his real name) called John Klein’s Rent-A-Hacker (http://www.rent-a-hacker.com), a security con­sulting firm. Klein leapt into action. Klein logged onto the client company’s network and quickly sized up the situation. The intruder had exploited a common Solaris server bug. Klein im­mediately found what had gone on. “The trick was not just blocking them out, but finding out who they were,” Klein says. “But it’s delicate. It’s like a chess game: First mistake loses.”

 Klein employs some 300 freelance computer security experts-better known as hackers- throughout the world. He handpicks a specialist to fit each call he gets. In this case, he tapped Kelvin Wong, a top operative who also happens to be his company’s chief operating officer. Wong back-traced the intruder’s connection to a Canadian @Home network, which tracked him to his cable modem. To confuse his pursuers, the offender launched several denial-of-service attacks.  But eventually the intruder lost the chess game and was handed over to the Royal Canadian Mounted Police. By acting quickly and returning the attack against its intruder, the victim­ized company foiled the hacker and prevented any real damage. In the dot-corn era more than ever, the best defense is a good offense.

 

Hired Guns

In the wake of recent security fiascoes like the theft of 350,000 credit card numbers from CD Universe and the rampant distributed denial-of-service attacks on top Web sites this spring, hacker-for-hire services are thriving. Andersen Consulting, IBM, Pinkertons, and even software developers like Internet Security Systems are offering what they call security audit­ing and other ethical hacking services.

 So who needs a security consultant? Everybody.

 “Ninety percent of all systems are in­secure and hackable,” according to Wong. “It’s not a question of whether they can be hacked or not, it’s a matter of when and how”

Wong’s estimate looks spot-on. In March, the Computer Security Insti­tute (wwwgocsi.com) took its fifth an­nual survey of large corporations and government agencies. Ninety percent said that computer security breaches had occurred within the last 12 months, and 70 percent classified those inci­dents as serious-constituting theft of proprietary information, financial fraud, and sabotage. The total bill? More than $265 million in losses.

The numbers are sobering, and they make Rent-A-Hacker’s $175-and-up hourly rate look like chicken scratch.

Big Boys Hack Too

 More traditional security companies like Internet Security Systems (www.iss.net) tend to offer a wider range of security services. Mark Sims, ISS’s vice president of managed secu­rity services, leads the company’s out­sourced firewall, virtual private net­work, and antivirus management services in addition to its ethical hack­ing services (also known as penetration testing). ISS’s ePatrol Internet scan­ning service scans company systems starting at $10,000 per year; subscrip­tion cost varies with network size.

 ISS uses internal staff for security jobs, eschewing the consultants Rent-A-Hacker uses. The reason, Sims says, is because it’s crucial to build trust be­tween ISS and its clients. ISS does background checks, Sims says, but “finding out if someone was a [malicious] hacker or not is virtually impossible. We’re performing the same actions a hacker would; we’re just not exploiting them.  We hire people and educate them on hacker techniques. 

 John Spain, president and CEO of Pinkertons’ Information Risk Group, says his company provides a full range of information security and risk management services, including penetration testing. Pinkertons employs its own specialists and uses partners to cover specific areas of expertise, thought the company policy is to “never employ someone with a history of [malicious] hacking.” Spain declined to discuss pricing, saying fees are always negotiated with customers individually. 

  For top-of-the-line security consult­ing, IBM’s Ethical Hacking Service offers all kinds of security assistance, from design and implementation to maintenance. Al Decker, managing principal of security and privacy ser­vices for IBM’s Global Services divi­sion (www.ibm.com/security/services), says that penetration testing is just a small part of his company’s offerings. On average, clients pay from $25,000 to $50,000 for a typical contract.

Rent-A-Hacker’s Klein says his bou­tique service is better, pointing to the big guys’ higher fees and saying they lack the kind of experience his con­tractors have.

“We differ from most in the fact that we cater to small businesses and indi­viduals,” he says. “We see things more from a real-world perspective. We know there are 14-year-old kids out there who can hack and do things well beyond what someone with a com­puter science degree sitting in an office would ever even dream of. We know the tools those kids use, and their methods are beyond conventional thinking.”

To get beyond that conventional thinking, Klein says he calls on his 300-plus contractors in the hacker community each with a specialty-a particular operating system or a well-known firewall.

“I match up the skills of my hackers with the particulars of the job,” he says. “It’s impossible for any one per­son, firm, or software program to cover all the bases, so almost invari­ably [the hackers] are successful.”

Klein says that the prepackaged se­curity scanners (like Webtrends Secu­rity Analyzer or Network Associates CyberCop) simply don’t do the job because they focus only on common security holes and can’t invent creative attacks like real hackers can.

 “Most of the time, what trips up sys­tem administrators is that they think like system administrators and not like hackers,” Klein says. “We spend a lot of time teaching our clients to think like hackers.”

 

Put on Your Hacker Shoes

Thinking like a hacker means knowing what a hacker wants. Some want data, says Klein, but “the real hacker chal­lenge comes from inventing a new way in. That’s what we find: new and cre­ative ways to exploit a system.”

What common holes do hackers find in systems? There’s no standard an­swer, according to Klein, though “some of the most egregious holes we have found were the simplest things.” Wong adds that hackers come up with zero-day (that is, brand-new) tactics all the time. Occasionally he finds systems that have been backdoored-hackers create secret entryways by modifying the software installed on a server.

Klein and Wong say that the biggest Internet security holes today are not found on Windows. Sun Solaris and Linux power a huge por­tion of servers connected to the Web, and security on these systems is typi­cally spotty. However, ISS’s Sims says that the most common hole his com­pany finds involves Microsoft Win­dows NT running Internet Informa­tion Server.

“The Web server that comes out of the box has many security problems,” says Sims, adding that no one bothers to apply the patches.

IBM’s Decker points to a more pedestrian security issue as the most widespread. “Unfortunately, the most common security holes are default passwords and out-of-the-box set­tings,” he says, followed by failure to do basic maintenance or upgrade to new, more secure software packages.

So what about the question of hiring a supposedly reformed hacker to muck around on your network as an invited guest? Would you trust a criminal, even a rehabilitated one, with your most precious company secrets?

Former hackers and their employers universally insist that potential clients have nothing to worry about.

“I have taken great pains to allow my clients to trust my company as well as my contractors,” says Klein. “I sign an all-encompassing nondisclosure agree­ment with each client, as well as pro­vide them with copies of the nondis­closure agreement I have pre-executed with each contractor.” Every company we talked to also stressed the impor­tance of thorough background checks.

But while Klein says his insistence is genuine, his NDA recognizes that even he can’t guarantee the identity of his contractors: “Rent-A-Hacker hereby warrants that it has made its best-faith effort to verify the legal identity of its subcontractors, how­ever, Rent-A-Hacker makes no war­ranties  concerning the validity, ac­curacy, quality, or completeness of any of the representations made by any subcontractors.”

But Wong pooh-poohs any notion that hired guns have a hidden agenda. The ex-hacker is pragmatic about the idea of going beyond the scope of his assignment, saying simply, “I could be sued.”

 

Beyond Mere Hackers-for-Hire

Security analysis services like Rent-A-Hacker are just the beginning. Compa­nies are learning that they need more comprehensive protection.

Chief among the outsourced secu­rity companies is Counterpane Inter­net Security (wwwcounterpane.com), founded by noted cryptographer Bruce Schneier (see “Hot Seat,” April 2000, page 42). Counterpane installs hardware on its customers’ premises that patrols the network for security violations. At one base of operations, Counterpane keeps tabs on clients’ networks 24 hours a day, and the com­pany can act the moment something suspicious arises.

Schneier remains skeptical about his competition: “What hire-a-hacker services do is run a tiger team against your system, which is good for finding out what the vulnerabilities are. What we do is alarm monitoring…24 - 7, real-time.”

To better illustrate the difference, Schneier offers a physical analogy: “You might want to hire someone to break into your warehouse to see if you’re vul­nerable, but that doesn’t mean you’re going to fire your burglar alarm company. Both are valuable, but certainly a burglar alarm is more valuable. Experts are expensive, and they don’t tell you if you’re safe or not. They tell you whether that particular expert was able to break in on that particular day using that par­ticular set of tools.”

#END#