http://www.it.fairfax.com.au/industry/20000725/A26681-2000Jul24.html

By NATHAN COCHRANE
Tuesday 25 July 2000

Enterprises hiring reformed crackers to expose their soft underbellies will only add to the more than $2.6 trillion lost worldwide annually because of security intrusions, warns professional services firm PricewaterhouseCoopers. That's trillion - with a "T".

[And we all know PWC never hires reformed crackers either. This is more Fear, Uncertainty and Doubt (FUD) designed to increase their own business.]

The shift from business-to-consumer (B2C) to business-to-business (B2B) marketplaces could accelerate this trend at exponential rates. And in Australia, the lack of a well-funded, coordinated group backed by the Federal Government to monitor our network health leaves us particularly vulnerable.

PwC Technology Risk Services partner Frederick J. Rica says organisations should beware the "grey hat hacker" - a reformed criminal cracker. He says many don't have the business skills to fully appreciate business practices. Worse, he cautions that many may be wolves in sheep's clothing.

"If you do a penetration study well, you will get access to the most sensitive information possible," Rica says. "From our clients' perspective, they want confidence that people on the team won't trade that information on underground bulletin board systems with their friends or post on underground websites.

"I have not seen that any of these black hats (criminal crackers) have more technical skills than white hats (business security consultants); they're not more skilful or creative. It's a myth."

[Fred Rica is not telling the readers about his own past blunders in penetration testing. Because of non-disclosure agreements, client names and specific incidents can't be disclosed; however, asking around about Mr. Rica will potentially reveal some amusing anecdotes about his team's lack of ability. Further, if what he said was true, companies could easily keep hackers out. In reality, these black hats keep developing new ways to beat the best security out there. Sounds like someone doesn't know who he is up against.]

Rica believes that what makes a good hacker is creativity and curiosity; someone who likes to pull apart something to see how it works. If you find someone like that with business acumen, he says, you can teach them the technical skills. This is what he looks for in candidates for his "tiger teams" - security consulting and penetration specialists.

Rica, PwC's head "white hat" hacker, oversees a global group of more than 700, most in the US and Europe. More broadly, the Global Risk Management Services Group, of which his tiger teams are a part, comprises 5000 specialists who help companies assess strategic, financial and operational risks.

A PwC tiger team follows a standardised methodology when assessing a company's risk of exposure. First, it conducts a scouting mission, what Rica calls "casing the joint". Next, it identifies vulnerabilities, things like known bugs in operating system software or common passwords. Finally, it goes on a "trophy hunt", looking for sensitive information it can show to the client to prove its exploits were successful.

"You would be surprised with just a demon dialler and good password cracking software how many systems you can crack," he says. Companies have hardened their Internet attack points through use of firewalls, but many still did not secure their dial-in lines. "You've got a big steel door and a two-foot fence," is how Rica puts it.

He says big-name online B2C retailers like Amazon.com and eBay are natural targets because of their public exposure and the notoriety that would follow a successful crack. Fortune 500 companies like Microsoft are also big targets. But this is about to shift to emerging B2B electronic marketplaces, where scores of trillions of dollars of transactions annually will be up for grabs in a few years.

For instance, PwC last week joined the 14 founding members of the CorProcure B2B electronic marketplace, which includes Amcor, AMP, Australia Post, ANZ, BHP, Coca-Cola Amatil, Coles Myer, Foster's, Goodman Fielder, Orica, Pacific Dunlop, Qantas, Telstra, and Wesfarmers. Founders estimate pushing through $2 billion in the first year.

"In two to three years, in terms of dollars, the B2C marketplace will be considered to be very small," Rica says. "Today, it's tempting for the cracker because of credit card numbers. But when we move to the B2B economy and millions of dollars are trading hands through networks like automobile and pharmaceutical networks, that's where the threats will lie."

It is only a matter of time before today's sporadic attacks escalate into full-scale online organised crime, and even war between countries, he warns.

"Internal attacks are still the largest threat, but it won't be long before external attacks overtake.

"Clearly there's a belief that it's not the pony-tailed, tie-dyed teenager any more."

Rica says Australia should look to the US Government, which two years ago created the Critical Infrastructure Assurance Office. It has a budget of $2 billion to work at all levels in government and private enterprise to secure that nation's digital infrastructure as a matter of national security. Australia spends less than $2 million a year.

In its October 1997 report, Critical Foundations: Protecting America's Infrastructures, the US President's Commission on Critical Infrastructure Protection chair, Robert Marsh, concluded the threat "is real". "It is growing at an alarming rate; and we have little defence against it," Marsh wrote. The commission found that governments and private industry would have to work together closely to secure the nation's security from attack because networks are mostly in the hands of corporations.

This contrasts with the situation in Australia where successive state and federal governments, while championing the "Clever Country" and "Knowledge Nation", have squeezed funds to groups tasked with watching our networks. Australia's only computer security incident response team of note, AusCERT, is an arm of the University of Queensland, which receives funding from membership and services fees. It nearly collapsed in 1996 from a lack of public monies and Telstra's decision to abandon it.

This year, a National Information Infrastructure secretariat was established, under the auspices of the national security sub-committee of Cabinet, with private and public sector representation. Its private enterprise members include Telstra, the Institution of Engineers, banks and financial institutions, business, Internet and utility supply associations. The public sector is represented by the Defence Signals Directorate, the Federal Attorney-General, the National Office for the Information Economy and the Australian Federal Police.

"If everybody locks their doors, we can reduce the chance of people breaking into our houses," Rica says. "We're doing the same thing electronically.

"You have to believe there will be some very large electronic component taking out command and control systems and air traffic systems in the next war. The phase we're in is the espionage phase."