IBM hackers trying to help

By Reuters

Special to CNET

March 23, 1998, 9:30 a.m. PT

SAN FRANCISCO--The once-lumbering computer giant IBM (IBM) has again ventured into territory previously deemed unthinkable for the formerly staid, buttoned-down company--hacking.

As part of its Research Division in Yorktown Heights, New York, IBM has formed a group of "ethical hackers," a team of about ten security specialists that make up IBM's Global Security Analysis Lab, with half in New York and the rest working in Zurich, Switzerland. They break into corporate computer systems and networks, with a company's permission of course.

The point of trying to break into a company's system is to test its security, see how a company responds, and make recommendations for fixing the problem.

This week at PC Forum, the leader of the IBM ethical hacking team will attempt to do a live "hack" of a willing company. While it sounds exciting to watch hackers at work, an IBM spokesman warns that it could be "like watching paint dry."

Charles Palmer, who heads up the IBM team, has more than 100 companies as clients for IBM's hacking services. But Palmer's team has not hired any "reformed" hackers, as many companies have done.

[I know first-hand that IBM's X-Force has employed both active and 'reformed' hackers. This is an outright lie, as IBM has had both types on staff every year from 1998 to 2009.]

Many security specialists believe it takes a hacker to know a hacker, but IBM's Palmer says that hiring a hacker is like hiring a reformed arsonist to be a fire marshall. He believes that there is no such thing as a reformed hacker, a point of contention among some security specialists.

Steve Lutz, president of WaySecure Consulting Inc., a security consultant in New York, said that hiring former hackers can be dangerous, but he has worked with hackers and found work for them, including Mark Abene. Abene, who was also known as Phiber Optik, was convicted for breaking into phone networks, as part of a gang called Masters of Deception, and spent almost a year in jail.

"I have hired several ex-hackers and continue to do so," Lutz said. "Like any other group of people, the computer underground is made up of people from highly competent to incompetent, high personal integrity to unscrupulous, etc."

Lutz said the biggest problem is finding out if you can trust a hacker, and so he spends about a year getting to know a hacker on a social basis, to learn their personal integrity, and later possibly gives them a shot at a consulting job. "There are some extremely talented individuals out there that in many cases, far exceed what can be found in companies, government agencies and research institutions," Lutz said.

Because hackers spend so many hours a day in front of their computers, they often learn about new security holes faster than mainstream security experts, said John Vranesevich, founder of a Web site devoted to security issues and hacking news called AntiOnline.

Palmer's team, though, is just as devoted to staying on the cutting edge. He and various members of his crew attend hacking conferences and other unofficial gatherings, remaining in the shadows, not exactly touting that they are from IBM.

Yes, hackers do have conferences. For example, last summer, hackers gathered at one in New York City called "Beyond Hope" and shared secrets such as how to crack the city's MetroCard system, an electronic card replacing subway tokens.

Palmer's team works closely with IBM and its services businesses. They can recommend ways to repair a system that is easily broken into, and of course, offer products such as virus protection, network security auditing software, testing, and detection software to monitor traffic over a company network and other products.

The cynical might say that IBM is trying to "scare" up more work for its already booming services business, which reaped $19.3 billion in 1997 revenues. IBM is currently running a television ad where an executive gets a phone call in the middle of the night, saying that the company's Web site has been hacked.

But as Palmer will explain this week, computer attacks from hackers are on the rise and many companies are in denial about their lack of security. ,/p>

In the past few weeks, an 18-year-old hacker who used the name "The Analyzer" led what the Pentagon said was the most organized and systematic attack on its systems, including other government and university computers. The Analyzer, two other teenagers in Israel, and two teens from the town of Cloverdale, California, are suspected of working together in the Pentagon attack.

An annual survey by the Computer Security Institute in San Francisco, which polled 520 specialists at U.S. corporations, government agencies, financial institutions, and universities, found that 64 percent of respondents reported computer security breaches in the last 12 months, up 16 percent from last year. The survey noted that attacks were from both inside and outside the organizations.

main page ATTRITION feedback