
Special Edition: Def Con X

'CyberCrime' goes back to Vegas to get a look inside the underground computer community's biggest event.

For the fourth year in a row, "CyberCrime" is going to Def Con, the largest hacker conference in the world. Thousands of hackers, corporate suits, and law enforcement officers will converge in the Las Vegas desert to attend the two-day conference. In our half-hour special devoted to the event, hosts Alex Wellen and Jennifer London go behind the scenes to reveal the latest in hacking, computer security, and online privacy.

Playing With Fire

Can hackers be trusted in the workplace?
How far would you be willing to go to improve your network security? Hiring a hacker may not be the first choice that pops into your head, but for those looking to ensure the integrity of their network, hiring a hacker is becoming an increasingly popular option. In our special Def Con X episode, we discuss the implications of bringing a hacker out from the shadows and into the workplace.

While the benefits of a fresh set of eyes examining your security measures are obvious, can someone known to attack other businesses be trusted with yours? Do hackers ever completely reform, or will they just bide their time for a paycheck, only to return uninvited later on? The question becomes even more important when our government gets in on the act, and national security is at stake.

Many hackers have turned the tables on their hacker cronies and are being employed to identify network vulnerabilities, allowing IT departments to patch holes and persuade upper management to invest in security.

An old cliche says that the enemy of an enemy is your friend. The question is, can the longtime enemies of network security suddenly become allies in the fight to keep our networks secure? Some people think so.

The case for hiring hackers was addressed in a recent article that looked at how CFOs and other executives are becoming increasingly reluctant to spend money on security until their networks have been attacked. The article noted that many companies are now paying hackers to break into their networks and produce a report assessing the network's vulnerability.

Your responses to the article indicate that despite a little hesitancy, most of you believe that hiring hackers is a good way to test security and reveal network vulnerabilities.

Hiring hackers works
One of the biggest challenges facing IT pros is making nontechnical executives understand the need for increasing security spending and the consequences of reducing spending or dismissing the issue.

Member Jim Huggy said that when he had trouble convincing his superiors that spending money on security measures was necessary, he hired hackers to break into the company network and report on the vulnerabilities. Once the company's vulnerability was confirmed by the hackers' success in breaking in, company officials became convinced of the dangers facing their network.

"The report was well received by the executives, and the dollars were spent," Huggy said.

Member ahedler compared the hiring of hackers to an inspection before buying insurance.

"[With] many types of insurance, an inspection is required before a policy can be issued."

Ahedler also pointed out that company officials would not consider doing business without physical security measures such as locks and alarm systems, so network security should be given the same level of attention.

It takes a thief
Why turn to hackers to uncover vulnerabilities? Sometimes, it takes a thief to catch a thief. As Gary Anderson pointed out, a system designer is perhaps not the best one to test the system that he or she has designed because, "He tests for success, not failure." It's difficult to see how to break into something from the outside when you're looking at things from the inside, and a designer or builder has a perspective of creation, not destruction. It only makes sense that those who spend their time breaking into things are better judges of what good security is all about.

Huggy agreed that hiring someone from the outside is a prudent way to audit security, comparing it to audits by accounting firms.

"Does your company use auditors... to review their books? What's the difference in hiring an outside company or person to test [the] security of [your] systems?"

No matter how knowledgeable a security professional or administrator is, another security guru is always going to have a different perspective on issues in the field. Also, there are always new tricks and techniques in the hacker community that have not yet filtered down to security pros. Thus, perspectives from "white hat" hackers and other security pros can lend valuable insights.

Reader rock.stefano agreed that it's wise to take advantage of others' knowledge, no matter where it comes from. "You can't possibly know everything about security. I've been doing it for 10 years, and I'm still learning. Yes, even kids from college can educate me, and there's nothing wrong with that."

At some point, you'll likely have to turn to outside sources to help you improve the security of your networks, and looking to the people who work at breaking in might be the most logical answer.

The practice may have risks
However, not everyone is sold on the idea of hiring hackers. Many members raised legitimate concerns about the dangers this practice could pose and the security risks it entails.

For example, rcartright suggested that using hackers could open a company up to attack. Whether a security company of hackers is reputable or not, rcartright said that you don't really know how much you can trust that company or its employees. They might not report some important security holes when they submit their audit, enabling them to break into your network later.

Rcartright also raised the issue of disgruntled employees. If a hacker who audited your network left the security company you hired, he or she could potentially use detailed information about your network to attack your company and make their old company look bad.

If you need to test your security measures, who can you trust to do it without opening yourself up to the risk of attack? It would obviously be better to place your trust in a reputable security auditing company than to simply hire an independent hacker or two. But even though these are valid concerns, most readers felt that the potential benefits in terms of the knowledge gained outweighed the risks associated with trusting hackers to audit company security measures.

Risks and solutions
When it comes to how companies conduct business and maintain communication, the Internet is no longer the wave of the future; it's the here and now. This makes network security a primary concern. As the frequency and severity of network attacks increase, companies will likely be more open to turning to white-hat hackers to help them bolster their defenses.

When security company @stake began operating, it turned heads by making it known that it employed hackers to help test company networks. Its continued success indicates that the feedback of TechRepublic members on the issue accurately reflects the willingness of companies to take calculated risks to secure their data.

Firing (and Hiring) Hackers

The Air Force kicks out a cadet for an alleged incident of hacking. But meanwhile, military and government officials are trying to recruit hackers left and right.
By Jack Karp

In March of 1999, Chris Wiest was dishonorably discharged from the United States Air Force Academy after being convicted by a military court of "illegally accessing a computer system and causing damage."

Wiest's court-martial and discharge stemmed from the fact that Wiest had been using his Air Force computer to access Internet Relay Chat (IRC), an application that allows multiple users to chat interactively with one another through a single server. But because of security concerns, the Air Force Academy had prohibited the use of IRC among its cadets.

Wiest admits he chose to do it anyway.

"I made a decision that, yes, I'll do this and I'll accept the risks that go with it and, if I get caught, I am quite sure that I will be out on the tour pad marching some tours and paying the consequences for the choice of my actions," Wiest told "CyberCrime."

But Wiest didn't end up marching tours. He ended up out of the Air Force, largely because the IRC program he was using had been set up illegally on a North Carolina Internet company's hacked servers. Wiest insists that he was not the one who set up the program and that someone else had simply given him the passwords. Despite the fact that the Air Force could find no evidence that Wiest had hacked the servers and that the Air Force's own investigators agreed that Wiest probably was not the hacker, Wiest was still dismissed from the service.