[Moderator: 'Disorder' is the name of the conference, NOT an individual.]

Forwarded From: Nicholas Charles Brawn <ncb05at_private>

(url: http://www.smh.com.au/computers/content/980630/news/news2.html)

Disorder saves the day

Who you gonna call when your IT systems get raided? SUE LOWE talks to the new security consultants.

SECURITY

The ethical hacker. It sounds like the oxymoron of the late '90s, but according to the three co-founders of Disorder, a start-up company intent on teaching Australia's private and public organisations about IT security from a hacker's perspective, being a well-behaved hacker is very much in vogue.

"Hacking is one of those words people argue about a lot," says Stephen James, who at 28, is the oldest of Disorder's management. "A hacker is someone who breaks into systems but once inside they don't cause any harm. What they do is illegal and we certainly don't condone it - but once inside they don't steal or modify data, they don't install viruses and so forth. Crackers do. Crackers break in and break the system."

James has been running his own security auditing consultancy, ITAC, for the past four years. His company has been contracted by banks, stock exchanges and government departments to find, and help fill, the holes in their IT systems. Before that he spent 5 years as a senior security auditor with Price Waterhouse in the United States, making him roughly 19 when he started.

It's obviously a good age. James's two partners in Disorder, Damien Mascord and Nick Brawn are both 19, both in their first year of computer science courses at university, and both have been poking into IT security holes for at least four years.

Brawn complains the term hacker has been "Hollywood-ised" by the media. "You read about the hacks on the Internet, with Web pages destroyed and all this porn put up. That's just like ... to me, plain childishness.

"There are kids with far too much time on their hands and for the most part there's no technical skill exhibited in the attack."

But not all hacks - or are these cracks? - are considered juvenile. Brawn refers to recent attacks on government sites in Indonesia, staged purely to promote the cause of civil rights. "Three or four weeks ago there was an attack in response to the nuclear tests in India. The research site was hacked ... it was a protest," he says. As recognition of the "ethical hack" the perpetrators scored an interview with Wired magazine.

At the other end of the bad guys scale are "Warez pups". Brawn describes them as "kids who have obscene fun in trading copyrighted, commercial software: games, productivity tools, Microsoft products. Some claim to be hackers but what they do is just immature."

All three deny being bad guys turned good. Mascord and Brawn maintain they've gained their experience by finding all the holes in their own "vanilla" (straight out of the box) Unix servers, plugging up the holes, then seeing if their mates could break in.

Disorder's immediate goal is to bring to Australia a trend that has gained significant notoriety in the US. The hacker-run security conference. In the best traditions of DEF CON (DEF CON 6.0 will be held in Las Vegas at the end of next month), Australia's first SecCON will be held in Sydney on July 16 and 17.

Guest speakers will include encryption and virus specialists, authors on the Australian "underground", even a couple of police sergeants.

David Caldwell, a detective senior sergeant with the Victorian Computer Crime Squad, says he's completely comfortable about sharing the podium with a bunch of hackers with an average age of 22.

"That's quite normal," he says. "A typical profile of a hacker is that they have a very good education, they've grown up with computers, and are between 13 and 29."

But he too, has problems with the term hacker. "It describes such a wide range of activities.
Some of it just a political statement. It's a '60s thing using current Year 2000 technology," he says.

There is, however, a lot more than political protest going on. Last year, computer-based crime was almost non-existent, or at least not being reported. Whereas, says Caldwell, "in the first six months of this year we were getting three to five reports a week."

Reports of credit card-related fraud far outnumbered corporate IT system intrusions, but "that's not because they're not happening". But rather "reluctance about reporting them".

Last year the computer crime unit surveyed 500 companies on IT security issues. Of the 54 per cent that responded "all had experienced intrusions in the last 12 months, but only 19 per cent had reported them".

The most frequent reason given, says Caldwell "was lack of confidence in law enforcement agencies. I don't take it personally."

Even where unauthorised access had occurred, hackers and crackers still escaped most of the blame. "90 per cent were traced back to employees, consultants or contractors," he says.

SecCON details are available via the Web site or from IBC Conferences on (02) 9290 1133.

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]