[ISN] Former hacker turns over new leaf

InfoSec News isn at c4i.org
Mon Mar 21 06:13:59 EST 2005


http://www.thejakartapost.com/detailfeatures.asp?fileid=20050321.S06&irec=5

M. Taufiqurrahman
The Jakarta Post
March 21, 2005

A statement that says "computer hacking is stupid and equivalent to
throwing stones at the windows of jewelry shops" sounds hollow if made
by cyberpolice whose designated job is to curb the offense.

However, the remark rings true and carries a serious moral when it is
cited by a former big-time hacker who once broke into the Federal
Bureau of Investigation's (FBI) communications system, compromised
the system for his own use and cost the top U.S. security agency
dearly.

The hacker's (mis)conduct in 1994 and the subsequent legal proceedings
were so famous they became a case study for social engineering in his
country, France.

Eleven years on, the man, Anthony Zboralski, has not looked back and
painstakingly engages in a campaign to combat the very offense he
committed in his youth. He now ardently advises companies to better
manage their information security systems.

Zboralski is the current principal of Bellua Asia Pacific, a
Jakarta-based Information Security consulting company whose clients
include a number of the country's top banks and government agencies.

His previous clients included numerous Fortune 500 companies like Air
France, Aerospatiale, Allianz, AXA and Total Fina.

"After the problem with the FBI, I thought that people would blame me
and would not really appreciate my company. But as soon as it was in
the press, I got invited to all the conferences for security and
information warfare and people started to offer me jobs," said
Zboralski, recalling how he first plunged into the information
security consulting business.

He said that among his first clients were French companies in
aerospace and defense.

"At the beginning, I was doing mostly technical work, but after a
while, I started realizing that if you just fixed only technical
issues it is not going to solve problems, because there are also the
human factors," he told The Jakarta Post.

The emphasis on human factors also led him to embark on a campaign to
"convert" active hackers into doing more constructive work. "We look
for young hackers who have the potential and skills and put them in
the right direction. We give them the opportunity to carry out
security research and have them as interns," he said.

To further pursue his crusade in promoting the cause, in 1998
Zboralski founded a nonprofit organization, Hacker Emergency Response
Team (HERT), to provide analysis and expertise on information
security, attack and defense in an information warfare setting and
reverse engineering with membership in more than 24 countries.

In 2000, he took part in a project in the Philippines and in Indonesia
that would lead to the establishment of Bellua. "Unlike in Europe
where the system is already there, we found the project in Asia very
interesting as there is much new infrastructure to be built and we can
engage from planning to action. It was a lot more interesting," he
said.

Backed by security experts, practitioners and researchers, Zboralski
founded Bellua to help companies comply with organizational security
policies and standards.

Among numerous services offered by his company, the most famous is the
one that Zboralski was taught to do from experience -- a penetration
test, also known as ethical hacking. "We test the security of our
clients from the outsiders' point of view like offensive hackers or
rival companies."

The involvement with Bellua also exposed him to the laxity in
information security management systems among companies operating in
the country and the dire consequences it would bring.

"There is a lot of fraud here. For instance, while we were doing a
security review for a company, we found that there was someone trying
to erase or change interest rates. That kind of problem happens all
the time," he said.

But such an incident would not appear in the press and the public is
exposed only to petty cyber crimes, he said. "You will not often hear
about a multimillion dollar case as that would panic everyone."

He said companies tended to protect only the data center, but leave
all infrastructure around it unguarded. "It is like spending a million
dollars on the front door but leaving all the windows open."

Zboralski's predilection for computer science and information security
was inspired by the 1983 film War Games, starring John Badham and
Matthew Broderick. The film is about a child who hacks into the North
American Aerospace Defense Command (NORAD) computer system and starts
a war.

"Kids of my generation started to think that it was something that
they would like to do -- something that was more realistic than James
Bond or Superman movies," he said.

He said the movie sparked a deep passion in him for computers and gave
him the urge to start hacking. "However, we view it more as a tool
than a goal. Hacking is just a tool for creating projects," he said.

Against the widely held notion that most hackers commit the crime
purely for fun, Zboralski said the activity was sometimes far from
enjoyable and, in reality, too risky. "People do that for power. It is
like a king, when one can do something no one else can," he said.




