Consultant Warns Of Ex-Hackers
(11/06/97; 3:00 p.m. EST)
By Douglas Hayward, TechWeb 

LONDON -- Skilled hackers posing as "reformed" are making their way onto the payrolls of
unsuspecting corporations, warned a security expert at the Compsec 97 computer security
conference here Thursday. But the dangers aren't limited to expert hackers. Most
computer hackers are "wannabe" and entry-level operators who bluff about their exploits
and merely copy the work of a small minority of talented hackers.  Even these less
skilled hackers present a security threat, said Ken Lindup, a senior consultant at
security specialist SRI Consulting. 

Once every few months, some self-proclaimed security expert goes on record
saying not to hire young hackers, or reformed hackers, or _____ hackers.
Oftentimes this is said not so much as a real warning, but to help get
business for themselves. Ask most young security consultants (hackers or not)
about their experience, and you will get as many stories about them working
with incompetent older 'experts' who only work in the field because of
their age and their supposed skills that are largely made up.

"My concern is that these [low-level] people are not knowledgeable enough that they
won't do damage when they go in [to a computer system], just through ignorance or by
making mistakes," Lindup said. 

Hackers have a recognizable pecking order which divides into four groups, according to
Lindup. The first group, called "the alternative computer society," comprises
politically alienated or radical people who would not themselves break the law but who
see hacking as a defense mechanism against the power of government and big business.
"They provide the moral justification for the people at the top who do the research and
who do the actual [hacking] work," Lindup said.

The second and third groups, wannabe hackers and entry-level hackers, provide the
peer-group acclaim the elite hackers crave, and also occasionally provide new recruits
to the elite. They are mostly young and motivated by a desire for publicity as well as
by a need for peer-group recognition. At hacker conferences or when meeting the media,
many will publicly bluff or boast about exploits that are, in reality, fairly routine,
Lindup said.

"Legislation [banning hacking] does act as a block to these youngsters and stops quite a
few of them going further," Lindup said. "We should be teaching ethics as part of
computer science courses."

Most hackers don't take computer science courses.

The fourth group, the "hard-core" hackers, are serious experts who set the standards by
which attacks are measured. These people carry out basic research, create new hacking
tools, and pioneer new forms of attacks, Lindup said. 

"These people are getting more organized. They are picking projects, assembling project
teams, and carrying out research. The current hot topic is Java, and these people will
be taking the time to take [Java] apart," Lindup said. "There is a tremendous effort and
commitment. They will be putting in days, weeks, and months. They will put in the kind
of resources that you wouldn't believe were merited by the project." 

Most hard-core hackers I know of aren't working on Java at all.

Because of the time and effort needed to research and carry out attacks, hard-core
hackers are increasingly earning money by working as computer security consultants,
Lindup said. Many large corporations now employ ex-hackers as consultants or as part of
"tiger teams" hired to carry out controlled attacks on corporate networks. 

But collaboration with supposedly reformed hackers is dangerous, because users cannot be
sure that someone has really stopped hacking, Lindup said. 

Dangerous why? Are there recorded incidents of these hackers going bad and
causing problems? I haven't seen any...

"Would you trust an ex-burglar or an ex-arsonist?" Lindup asked.

And do you trust an expert who has never been on the other side of
the firewall? Who has no expertise in penetration assessments?

"Security managers will be approached more and more over the next two years by these
people, and their senior managers will say it's a good idea to work with them. But my
advice would be that you shouldn't do it, because it's too dangerous and it might not
even be particularly effective," Lindup said.