http://www.it.fairfax.com.au/industry/20000725/A26681-2000Jul24.html

By NATHAN COCHRANE
Tuesday 25 July 2000

Enterprises hiring reformed crackers to expose their soft underbellies
will only add to the more than $2.6 trillion lost worldwide annually
because of security intrusions, warns professional services firm
PricewaterhouseCoopers. That's trillion -with a "T".

[And we all know PWC never hires reformed crackers either. This is
more Fear, Uncertainty and Doubt (FUD) designed to increase their
own business.]

The shift from business-to-consumer (B2C) to business-to-business
(B2B) marketplaces could accelerate this trend at exponential rates.
And in Australia, the lack of a well-funded coordinated group backed
by the Federal Government to monitor our network health leaves us
particularly vulnerable.

PwC Technology Risk Services partner Frederick J. Rica says
organisations should beware the "grey hat hacker" - a reformed
criminal cracker. He says many don't have the business skills to fully
appreciate business practices. Worse, he cautions that many may be
wolves in sheep's clothing.

"If you do a penetration study well, you will get access to the most
sensitive information possible," Rica says. "From our clients'
perspective, they want confidence that people on the team won't trade
that information on underground bulletin board systems with their
friends or post on underground websites.

"I have not seen that any of these black hats (criminal crackers) have
more technical skills than white hats (business security consultants);
they're not more skilful or creative. It's a myth."

[Fred Rica is not telling the readers about his own past blunders
in penetration testing. Because of non disclosure agreements, client names
and specific inicidents can't be disclosed, however, asking around about
Mr. Rica will potentially reveal some amusing anecdotes about his team's
lack of ability.

Further, if what he said was true, companies could easily keep
hackers out. In reality, these black hats keep developing new
ways to beat the best security out there. Sounds like someone
doesn't know who he is up against.]

Rica believes that what makes a good hacker is creativity and
curiosity; someone who likes to pull apart something to see how it
works. If you find someone like that with business acumen, he says,
you can teach them the technical skills. This is what he looks for in
candidates for his "tiger teams" - security consulting and penetration
specialists.

Rica, PwC's head "white hat" hacker, oversees a global group of more
than 700, most in the US and Europe. More broadly, the Global Risk
Management Services Group, of which his tiger teams are a part,
comprises 5000 specialists who help companies assess strategic,
financial and operational risks.

A PwC tiger team follows a standardised methodology when assessing a
company's risk of exposure.

First, it conducts a scouting mission, what Rica calls "casing the
joint". Next, it identifies vulnerabilities, things like known bugs in
operating systems software or common passwords. Finally it goes on a
"trophy hunt", looking for sensitive information it can show to the
client to prove its exploits were successful.

"You would be surprised with just a demon dialler and good password
cracking software how many systems you can crack," he says.

Companies have hardened their Internet attack points through use of
firewalls, but many still did not secure their dial-in lines. "You've
got a big steel door and a two-foot fence," is how Rica puts it.

He says big-name online B2C retailers like Amazon.com and eBay are
natural targets because of their public exposure and the notoriety
that would follow a successful crack. Fortune 500 companies like
Microsoft are also big targets.

But this is about to shift to emerging B2B electronic marketplaces,
where scores of trillions of dollars of transactions annually will be
up for grabs in a few years. For instance, PwC last week joined the 14
founding members of the CorProcure B2B electronic marketplace, which
includes Amcor, AMP, Australia Post, ANZ, BHP, Coca-Cola Amatil, Coles
Myer, Foster's, Goodman Fielder, Orica, Pacific Dunlop, Qantas,
Telstra, and Wesfarmers. Founders estimate pushing through $2 billion
in the first year.

"In two to three years in terms of dollars the B2C marketplace will be
considered to be very small," Rica says.

"Today, it's tempting for the cracker because of credit card numbers.
But when we move to the B2B economy and millions of dollars are
trading hands through networks like automobile and pharmaceutical
networks that's where the threats will lie."

It is only a matter of time before today's sporadic attacks escalate
into full-scale online organised crime, and even war between
countries, he warns.

"Internal attacks are still the largest threat, but it won't be long
before external attacks overtake.

"Clearly there's a belief that it's not the pony-tailed, tie-dyed
teenager any more."

Rica says Australia should look to the US Government, which two years
ago created the Critical Infrastructure Assurance Office. It has a
budget of $2 billion to work at all levels in government and private
enterprise to secure that nation's digital infrastructure as a matter
of national security.

Australia spends less than $2 million a year.

In its October 1997 report, Critical Foundations: Protecting America's
Infrastructures, the US President's Commission on Critical
Infrastructure Protection chair, Robert Marsh, concluded the threat
"is real".

"It is growing at an alarming rate; and we have little defence against
it," Marsh wrote.

The commission found that governments and private industry would have
to work together closely to secure the nation's security from attack
because networks are mostly in the hands of corporations.

This contrasts with the situation in Australia where successive state
and federal governments, while championing the "Clever Country" and
"Knowledge Nation", have squeezed funds to groups tasked with watching
our networks.

Australia's only computer security incident response team of note,
AusCERT, is an arm of the University of Queensland, which receives
funding from membership and services fees. It nearly collapsed in 1996
from a lack of public monies and Telstra's decision to abandon it.

This year, a National Information Infrastructure secretariat was
established, under the auspices the national security sub-committee of
Cabinet, with private and public sector representation. Its private
enterprise members include Telstra, the Institution of Engineers,
banks and financial institutions, business, Internet and utility
supply associations. The public sector is represented by the Defence
Signals Directorate, the Federal Attorney-General, the National Office
for the Information Economy and the Australian Federal Police.

"If everybody locks their doors, we can reduce the chance of people
breaking into our houses," Rica says. "We're doing the same thing
electronically.

"You have to believe there will be some very large electronic
component taking out command and control systems and air traffic
systems in the next war. The phase we're in is the espionage phase."