Who are CRusad3r, Xylorg, Swift Griggs, Oblivion and Jericho?
They are all aliases for hackers, or better, hackers with a conscience–the
white hat hackers.
And what makes them so hot? Well, years of hands-on,
hard-to-find experience with telephone systems, dial-up modems, operating
systems and networking systems.
These long-haired, jargon-speaking lawbreakers are ill-fits
for even part-time corporate jobs–until, of course, they choose to wear the
‘white hat’. And the moment they do so, all their past foibles are pardoned.
Hacking for good?
A few years ago, some hackers started offering their services
to scan software and corporate networks for security lacunas. This phenomenon
led to hackers being classified as white and black hat hackers. For desperate
corporates keen to seek bugs in their network security and plug them before they
are exploited for nefarious ends by malicious ‘black hackers’, white hat
hackers were like manna from heaven.
The US law, though, does not see any difference between black
and white hats. Hacking–the act of breaking into computers and networks of
other people–itself is considered criminal. While many hackers would say they
break into systems just for a kick, the consequences for the victim organization
could be disastrous–it would lose its confidential data and its trust among
the B2B or B2C community. A hacking incident could make network administrators
paranoid, buying network tools they wouldn’t really need. This is where the
role of white hats becomes important.
Although the law is yet to differentiate between black and white
hat hacking, the industry has already started recognizing the
significance of this new role. On a global scale, KPMG, Computer Associates,
Gartner Group’s ICSA and Cambridge Technology Partners are said to have
security services units that actually have white hat hackers on their rolls.
These units may be hired by a company to, say, build security into a
newly-developed e-commerce package, identify the vulnerabilities and then design
defense mechanisms accordingly. In the US, the community of white hackers has
been made famous by the annual DEFCONs, the latest of which was in July.
The Boston-based LHI Technologies does white hat hacking at
the developer level. It quietly notifies a software development company of a
problem, and if the company refuses to fix it, it publicizes the problem by
posting it on its Web site. The developer is thus forced to fix the problem lest
malicious hackers exploit the flaws. LHI is credited with identifying a flaw in
Windows NT that made it possible to decode an entire registry of user passwords
in 26 hours, a task Microsoft claimed would take more than 5,000 years.
Recently, even the Pentagon hired hacking freelancers. The trend, however, is
yet to catch on in India.
Spy vs spy?
But why hire hackers of dubious past, when network security
experts strut around with their impeccable records? Paul O’Nolan, network
administrator, International Rice Research Institute, is against the idea:
"Mostly, a crime affecting organizations is internal and not external.
People inside organizations are best placed to discover and take advantage of
weak security. The idea of hackers coming in over the Internet and stealing
valuable information is dramatic and frightening."
But, hiring hackers to counter hackers is like befriending
the enemy’s enemy, says another school of thought. John Vranesevich, founder,
Antionline.com, a site that tracks hacking activities, has talked of seeing a
promise by one US-based hacker that he would show how to navigate US military
networks to terrorists. White hats can help counter such hacking activities, as
they would find it easier to predict what their malicious counterparts intend to
do next. They would stay anonymous, moving around the hacker community like
spies to find out the moves that others plan to make.
How to ensure that the hacker being hired will be competent
enough to do the job, and will workes to stay anonymous, "Ensure that they have a clear background
and good client references. More important is that they come out as ‘good
people’ (unlike ‘bad people’ who could use their new found position to
wreak havoc). Talk to them about security, find out who they really are. Hire
them to test a small segment of your network, and review the report. Ask
questions, make sure they are qualified to do the work before hiring them. If
budget and time permit, hire a second team to audit the first and vice
versa." This recruitment strategy, however, need not be applied to
well-known teams and firms who would lose more than a single contract in case a
bug went unnoticed. Says O’Nolan, "White hackers are not people you
advertise for. It’s possible to get external security audits conducted by
specialist firms. But word of mouth from trusted sources is arguably the best
way to go, for hiring white hackers."
Hackers in good stead
Satish Kumar, head, IT, TERI, a non-governmental organization
with offices around the world, says, "White hat hackers can contribute a
great deal in exposing security loopholes in your network, in turn strengthening
the security of the entire network." Though his department is yet to try it
out, he is open to the option. He says, "I do not see any reason for not
hiring them and fine tuning the security of my network, especially since it is
an extended public network." He already uses some network security tools,
including SATAN. O’Nolan adds, "In principle, white hat hackers could be
a good idea. How good, depends on what you’ve got to lose and what you think
the cost-benefit ratio is. I would first make sure that my disaster recovery
systems are working and tested before contracting white hats (just a question of
getting real and possibly imaginary risks correctly prioritized)."
Good white hacker teams can be very effective, patching
minute bugs that may otherwise lead to disasters, and finding vulnerabilities
that a formally trained security staff will fail to notice. On the other hand,
novices posing as hackers can turn out to be a calamitous experience. There have
been several instances of white hat teams missing obvious vulnerabilities,
running off-the-shelf tools and giving ‘all clear’ security reports.
Portals: Enough room for white hats
A Canadian security expert, Tom Cervenka, during his visit to
India in August, had tested the top five portals in India and judged their
security risk as "medium to high". He said, "Portals are much
more vulnerable. The larger the portal and more the links, the more vulnerable
it is." In the US, an FBI survey had more than half the respondents citing
the Internet as the leading point of vulnerability. And the Internet and
e-commerce are bouncing up.
A KPMG survey on information security in India says the
emergence of e-commerce presents a two-pronged threat to organizations. Entry in
the market is fraught with the risk of unauthorized access, frauds and losses,
while non-entry in the area would most definitely result in a loss of market
share to the competition. Key challenges for the future include e-commerce and
internet-based trading, confidentiality and security of information in private
and public domains, increased use of intranets and security of intranet access.
According to the survey, 5% of the respondents use the Internet technology for
updating their current and prospective customers. The risk of frauds and hacking
comes a close second to the loss of confidentiality and legal issues here.
Regardless of the extent of security enforced in an
organization, there always exists a risk that the boundaries may be breached and
access gained to the organizational data, held on its digitized databases.
Hackers may opt for a one-time breach or repeatedly attack the integrity of
an organization’s systems. The scenario becomes grim in view of the fact that
77% of respondents to the KPMG survey do not have a formal program for security
risk awareness among employees. The only mitigating factor is that more than 90%
of these organizations use private internal networks, with limited use of public
networks like the Internet. Similarly, the use of extranets, connecting
organizations to their customers and suppliers, is not widespread in India with
only 8% of the respondents indicating existence of such networks in their
organizations.
This, however, means only temporary respite, as organizations
in the Internet era cannot afford to do without B2B or B2C e-commerce for long.
So, as activities increase in these spaces, and as security becomes a major
issue, will the tribe of white hats also thrive? Time to watch!
BIJESH KAMATH
in New Delhi