Next message: mea culpa: "[ISN] UK Seminar: Proving Computer Crime"
http://www.chicago.tribune.com/splash/article/0,1051,SAV-9804120386,00.html
NOW HIRING: HACKERS (TATTOOS WELCOME)
By Susan Moran
Special to the Tribune
April 12, 1998
Even the computer professionals who like to wear Birkenstocks and T-shirts
to work find the dress code of GenX hackers a bit extreme. The main
elements seem to be tattoos and nose rings.
They'd better get used to them. Many computer hackers, some of them
recovering computer criminals, are adeptly turning their coveted expertise
into big bucks.
A surge in computer crime, spurred by the shift to networked computers and
by the growing popularity of the Internet, has created a huge demand for
information security experts who can help protect companies' computer
systems. Recent high-profile attacks on government and university computer
networks highlighted the vulnerability of these networks and spurred
corporate executives to seek ways to fortify their systems.
"Is the threat getting worse? Definitely yes," said Eugene Schultz,
research director of Integrity Solutions International, a subsidiary of
San Diego, Calif.-based Science Applications Corp., a high-tech R&D
corporation (www.saic.com). "That's largely the inevitable consequence of
the shift from the mainframe work environment to one of interconnected PCs
and workstations," which means anyone with access to one machine has easy
access to the whole network, Schultz said.
NASA, the U.S. Navy and university campuses throughout the country were
recently the targets of "denial of service" attacks on thousands of
computers running Microsoft Corp.'s Windows NT and Windows 95 operating
systems. The attacks, launched over the Internet, made computers crash but
apparently caused no data loss.
In a separate recent incident, the Justice Department last month arrested
three Israeli teenagers suspected of masterminding the break-ins of
hundreds of military, government and university computer sites to gaze at
unclassified information. The Federal Bureau of Investigation is also
investigating two California teens who linked up with their Israeli
co-conspirators over the Internet.
Schultz said it could have been much worse. "Do I say the sky is falling?
No way. But the sky could fall," he said.
One thing dropping from the skies into hackers' laps are fat checks from
frightened clients.
Many companies are amassing teams of in-house experts to guard their
networks against cyber prowlers, while others prefer to bring in outside
consultants. The most experienced network security experts are often
hackers--commonly defined as computer whizzes who love to write code (and
not, as is often--but incorrectly--used as a generic term for a computer
criminals).
Many hackers over the years have relished poking holes in Fortune 500 and
other big companies' computer programs and chip-making codes, and then
publicly, brazenly attacking the likes of Microsoft Corp. and Netscape
Communications Corp. for selling products with bugs. In fact, some hackers
operated Web sites devoted to discovering and disclosing flaws in
companies' products.
But it seems many are taking the lead from hacker-experts like Dan Farmer,
the creator of "SATAN," a software tool for probing for security
weaknesses on the Internet. He was scooped up by Sun Microsystems Inc. to
help detect and repair computer security holes. And with hackers
increasingly in hot demand, they can demand hefty fees or salaries--an
attractive way to pay off college tuition or supplement meager income
elsewhere.
Hackers' anarchistic style is gradually gaining acceptance in corporations
and government agencies, although some conservative organizations feel
safer renting experts from established consulting firms.
Fred Villella, a 60-something retired Army colonel, runs a
computer-security consulting business out of San Diego, Calif. The firm
offers educational seminars for businesses and dispatches highly skilled,
renowned hackers to help companies patch network holes and guard against
future cyberattacks. He knows well the unmatched talent of many funky
hackers as well as the corporate skittishness toward them.
"I'm an old traditionalist, so when I first took one of my brightest young
hackers--he had dyed yellow hair, an earring, tattoos on his arm--into a
government research center, I was worried," said Villella. "I've got a
long-standing reputation as a colonel. But then I relaxed when I saw the
system administration guy (at the government site) was wearing earrings
and the network manager had a ponytail and a beard to go with his suit."
That yellow-haired hacker, a 24-year-old who prefers to be known by his
alias, "Route," also sports a tongue bar. His work as an information
security consultant is worth $1,500 to $2,000 a day to clients who want to
arm themselves against attacks by "crackers"--the correct term for hackers
who use their computer expertise to commit malicious acts of infiltrating
computer networks. On his own time, Route edits Phrack, a computer
security journal (phrack.com). And he occasionally gives talks to
government and corporate clients for Villella's firm, New Dimensions
International (www.ndi.com). Route writes his own security-related tools
and claims he's never used them for illegal snooping.
Route says his "fringe" appearance might help him stand out in people's
minds and thus draw new business, but that his appearance is unimportant
to the more computer-savvy clients who come to him for his talent.
"Besides," he said, "I've got friends that look even more freakish than I
do."
Villella's New Dimensions just conducted a technical seminar in Elk Grove
Village titled "The Hacker Phenomenon and Penetration Techniques," aimed
at teaching corporate executives and engineers the secret formulas used by
crackers.
One way to help fend off intruders, he said, is to have employees use
passphrases (rather than passwords, which can be readily cracked by
software tools like L0phtCrack). "Unless someone is really committed to
getting your stuff, they'll go away and get something easier."
Villella helps hackers tempted to become crackers see that the choice
between a potential jail sentence or a six-figure income working as
security consultants shouldn't be too difficult to make.
An informal survey published earlier this month points to the increasing
perils of the wired world--and the concomitant rising opportunities for
hackers to capitalize on the fear and strike it rich as troubleshooters.
The Computer Security Institute, a San Francisco-based watchdog group,
reported that 64 percent of 520 companies said they had suffered security
breaches within the last 12 months, a 16 percent jump over the 1997
results.
American Information Systems, a Chicago-based Internet service provider
(ISP), stands among the ranks of ISPs that offer firewall solutions,
audits and other computer security services to augment their core--and
often unprofitable--access business. "We've seen extremely dramatic
revenue growth in this area," said Stephen Schmidt, a vice president at
AIS.
Information security experts offer a range of services for clients. An
experienced hacker might start with a network intrusion and penetration
test. Basically that means breaking into a company's physical site--to
check on the overall quality of a company's security environment--and then
its computer network.
"It's fun breaking into sites," said Peter Shipley, a 32-year-old
Berkeley, Calif., hacker whose accomplishments include breaking into most
of the computer systems at the University of California, Berkeley, while a
student there. He runs a consulting firm, called Network Security
Associates (www.network-security.com), and charges $1,500 to $2,500 a day,
depending on the project.
The experts also conduct external and internal security audits of a
client's existing networks, assess the risks, and recommend improvements.
Another hacker who now makes a healthy living consulting goes by the alias
"Mudge." He is a member of L0pht, a sort of "hacker think tank"
consisting of a handful of Boston-based hackers who work out of a loft
space, where they research and develop products and swap information about
computer and cellular phone security, among other things. Mudge consults
for private and public organizations, teaches classes on secure coding
practices, and writes his own and reviews others' code. "It pays well, but
the money isn't the main reason I'm doing it," he said.
What he likes best is knowing he's among the elite experts who understand
computer security more than big-name consultants. He's proud that he and
his ragged assortment of hacker friends are called in to solve problems
that stump the buttoned-down set.
"Not bad for a bunch of bit-twiddlers," he wrote in an e-mail missive.
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Dimensional Communications (www.dim.com)
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 12:51:40 PDT