[ISN] Ex-hackers 'rubbish at security'

From: InfoSec News (isn@private)
Date: Wed Nov 05 2003 - 01:16:39 PST


    http://www.pcw.co.uk/News/1147140
    
    By Iain Thomson 
    [04-11-2003]
    
    Companies should stop hiring hackers to beef up security - not for
    ethical reasons but because they are no good at it, according to
    experts.
    
    Delegates at the RSA Security Conference in Amsterdam heard a panel of
    reformed hackers, police officers, members of the legal profession and
    corporate security experts launch scathing attacks on the abilities of
    most hackers.
    
    The skills that make a good hacker are not the same as those required
    by an IT security officer, delegates were told.
    
    "Everyone thinks that if you know how to break into a system then you
    must know how to protect one. It's rubbish. I could teach a monkey to
    break into a system in four hours," claimed Ira Winkler, chief
    security strategist at Hewlett Packard.
    
    "While there are highly skilled technical hackers out there, they are
    the ones you never know about because they don't get caught."
    
    But most hackers are IT professionals in their 20s and 30s, suggesting
    that companies may be late in their realisation that cyber-poachers do
    not make good cyber-gamekeepers.
    
    "Why would you want to employ a hacker with a criminal record, i.e.  
    someone so bad they'd been caught?" asked Tony Neate, industry liaison
    officer at the National High Tech Crime Unit.
    
    "After all, if a bank is looking to employ a security guard they don't
    try and find a former bank robber to guard their safe. Companies must
    be sure that they know their staff's backgrounds."
    
    Checking employees was highlighted as essential, but there was a gap
    in the law as juvenile criminal records are sealed when the
    perpetrator reaches adulthood.
    
    But a quick search of the internet using a web or newsgroup search
    engine should reveal details of a person's hacking history, if it
    exists.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


