Information Security News mailing list archives

Should You Trust a Reformed Hacker?


From: InfoSec News <isn () C4I ORG>
Date: Thu, 10 Aug 2000 01:44:37 -0500

http://www.businessweek.com/bwdaily/dnflash/aug2000/nf2000088_425.htm

Forwarded By: Eric Budke <budke () budke com>

AUGUST 8, 2000

By Alex Salkever

Should You Trust a Reformed Hacker?

Top security outfits are excluding anyone with a tainted past -- no
matter their expertise. That's bad news for the Kevin Mitnicks

He's fresh out of jail, five years after a controversial and highly
publicized criminal-fraud conviction that marked him as the country's
most dangerous computer criminal. Now Kevin Mitnick wants to return to
the Internet fold, this time as a good guy. Mitnick will make his
first post-prison paid speaking appearance on Sept. 27, at a Los
Angeles conference organized by Giga Information Group. Naturally, he
will address computer-security issues.

His scheduled public appearance has caught the attention of many folks
in the Internet-security sector. Mitnick's speaking gig shines a
bright light on a touchy topic for the business: Namely, can a cracker
-- a malicious hacker who broke into computers illegally -- ever be
trusted to help guard sensitive systems for corporate or government
clients? As the sector grows by leaps and bounds and Internet-security
companies struggle to find fresh warm bodies, the issue grows in
prominence. "The Kevin Mitnick story has raised significant questions
in our marketplace," says Chris Darby, CEO of Net-security firm
@stake.

The saga highlights the dilemma involving a large number of computer
aficionados with hacker pasts. Mitnick had been incarcerated since
February, 1995, on charges of wire fraud and illegal possession of
computer files stolen from such companies as Motorola and Sun
Microsystems. He was arrested after what Assistant U.S. Attorney
Christopher Painter called "a countrywide hacking spree" that earned
Mitnick a spot on the FBI's Most Wanted list. Over a 2 1/2-year
period, Mitnick was alleged to have hacked into computers, stolen
corporate secrets, scrambled phone networks, broken into the national
defense warning system, and caused millions of dollars in losses.
Mitnick is an extreme case -- most hackers never get caught. In fact,
these days, many are out in the high-tech workforce. It's possible
that some even hold top jobs at computer-security companies. Does a
hacker's past mean he should be excluded from jobs that might be a
perfect match for his skills?

UNIX ADVENTURES.

Maybe, maybe not. In a recent poll published by CIO magazine, 31% of
respondents said they would hire Mitnick to work for them. And many
hackers believe a "No blood, no foul" ethos should be applied to the
Internet-security field. "I exercised poor judgment. That's how I
learned and how I got good at what I do. But I can say for myself, I
never intentionally damaged a computer system or sent a virus or
erased anyone's information," says Mitnick.

Rather, according to Mitnick, his transgressions should be viewed as
misdemeanors, akin to trespassing, rather than felonies. He points out
that such intrusions are an accepted artifact of an earlier time, when
computing resources were scarce and hackers routinely broke into big
corporate or university systems, partly for adventure, but also so
they could play on powerful Unix machines beyond the reach of most
individual users.

For Mitnick and others in the underground, the line that separates a
hacker from a cracker is intent to harm or reap personal gain. "Would
I recommend hiring someone who accessed a banking system without
authorization and used hacking skills for some kind of financial gain?
I would be inclined not to. It comes down to looking at the morals and
the values of the person," says Mitnick.

CAPTAIN'S LOG.

But the party line among top security companies these days is total
exclusion of any questionable characters. Any criminal record means an
automatic no. "We do not believe there is room for cyber-criminals in
this industry. The real question is whether a responsible executive
would take advice on a strategic business issue from someone who has a
criminal record," says Darby.

For @stake and others, background checks beyond criminal records are
becoming increasingly common to ensure a potential hire does not have
a dark past of, say, breaking into the Pentagon's systems. "Our
company policy is not to hire crackers. We ask all candidates their
history with hacking and cracking. We ask them if they have knowingly
gained unauthorized access to a system. If they say yes, then we don't
hire them," says Stuart McClure, president and chief technology
officer of Internet-security consultant Foundstone.

Beyond the moral issues, the colorful cast of characters in the hacker
underground is not exactly a good fit with procedure-oriented
corporate security auditing. "Would you, as a chief investment officer
of a Fortune 500 company, feel comfortable going to your board and
saying 'We had a security audit, and Captain Bazooka says we're
O.K.'?" asks Frederick Rica, a Net-security expert with
PricewaterhouseCoopers.

IMPORTANT CONTRIBUTION.

Then there's the fear that Captain Bazooka could go off on your
system. "There's always a potential that reformed hackers may revert
back to their old ways. In a worst-case scenario, they would share
confidential information with others in the underground," says Rica.
He would know. One of his clients hired a well-known hacker to do
penetration testing and later found the hacker's exploits inside his
company's system splashed across a cover story in underground hacker
magazine 2600.

Off the record, some computer-security managers expressed sympathy for
Mitnick. Others suggested that convicted hackers be given a second
chance in a limited arena until they prove themselves trustworthy and
loyal. "You can bring someone in for a part of a project or to do only
certain parts of the audit. You don't have to give them the keys to
the kingdom," says Jim Williams, the director of business development
at computer-services and consulting firm S3 Networks.

For his part, Williams will not hire criminals and openly briefs
customers on the background of his security consultants. And he looks
to hire people with security clearances and backgrounds at big
corporations or in the government. He's not alone: @stake, Foundstone,
and PricewaterhouseCoopers all prize candidates with clearances and
Fortune 500 pedigrees. The presence of such individuals, in most
cases, represents a clear sign of the integrity of the company. That's
bad news for the Kevin Mitnicks of the world.

That said, hackers clearly have an important contribution to make. "Do
you want to hire someone who went to school for four years in car
security, or do you want to hire the person who is an expert at
stealing the car?" asks Mitnick. The answer is both. But just be
careful who has the keys and who's left alone in the parking garage
with the Ferraris.

Salkever writes about Internet security and technology for BW Online

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

