[ http://188.8.131.52/wire/news/1997/11/1106hackers.html ] Consultant Warns Of Ex-Hackers (11/06/97; 3:00 p.m. EST) By Douglas Hayward, TechWeb LONDON -- Skilled hackers posing as "reformed" are making their way onto the payrolls of unsuspecting corporations, warned a security expert at the Compsec 97 computer security conference here Thursday. But the dangers aren't limited to expert hackers. Most computer hackers are "wannabe" and entry-level operators who bluff about their exploits and merely copy the work of a small minority of talented hackers. Even these less skilled hackers present a security threat, said Ken Lindup, a senior consultant at security specialist SRI Consulting. Once every few months.. some self proclaimed security expert goes on record saying not to hire young hackers, or reformed hackers, or _____ hackers. Often times this is said not so much as a real warning, but to help get business for themselves. Ask most young security consultants (hackers or not) about their experience, and you will get as many stories about them working with incompetant older 'experts' who only work in the field because of their age and their supposed skills that are largely made up. "My concern is that these [low-level] people are not knowledgeable enough that they won't do damage when they go in [to a computer system], just through ignorance or by making mistakes," Lindup said. Hackers have a recognizable pecking order which divides into four groups, according to Lindup. The first group, called "the alternative computer society," comprises politically alienated or radical people who would not themselves break the law but who see hacking as a defense mechanism against the power of government and big business. "They provide the moral justification for the people at the top who do the research and who do the actual [hacking] work," Lindup said. The second and third groups, wannabe hackers and entry-level hackers, provide the peer-group acclaim the elite hackers crave, and also provide occasionally new recruits to the elite. They are mostly young and motivated by a desire for publicity as well as by a need for peer-group recognition. At hacker conferences or when meeting the media, many will publicly bluff or boast about exploits that are, in reality, fairly routine, Lindup said. "Legislation [banning hacking] does act as a block to these youngsters and stops quite a few of them going further," Lindup said. "We should be teaching ethics as part of computer science courses." Most hackers don't take computer science courses. The fourth group, the "hard-core" hackers, are serious experts who set the standards by which attacks are measured. These people carry out basic research, create new hacking tools, and pioneer new forms of attacks, Lindup said. "These people are getting more organized. They are picking projects, assembling project teams, and carrying out research. The current hot topic is Java, and these people will be taking the time to take [Java] apart," Lindup said. "There is a tremendous effort and commitment. They will be putting in days, weeks, and months. They will put in the kind of resources that you wouldn't believe were merited by the project." Most hard-core hackers I know of aren't working on java at all. Because of the time and effort needed to research and carry out attacks, hard-core hackers are increasingly earning money by working as computer security consultants, Lindup said. Many large corporations now employ ex-hackers as consultants or as part of "tiger teams" hired to carry out controlled attacks on corporate networks. But collaboration with supposedly reformed hackers is dangerous, because users cannot be sure that someone has really stopped hacking, Lindup said. Dangerous why? Is there recorded incidents of these hackers going bad and causing problems? I haven't seen any... "Would you trust an ex-burglar or an ex-arsonist?" Lindup asked. And do you trust an expert who has never been on the other side of the firewall? That has no expertise in penetration assessments? "Security managers will be approached more and more over the next two years by these people, and their senior managers will say it's a good idea to work with them. But my advice would be that you shouldn't do it, because it's too dangerous and it might not even be particularly effective," Lindup said.