For years there existed a fuzzy distinction between good and bad computer hackers. Black Hat hackers were known to crack into computer systems for the challenge and the bragging rights. These miscreants took great pleasure from wreaking havoc once they gained entry. White Hat hackers, on the other side of the ethical line, broke into systems to alert company officials to their ineffective security measures. As concerns about network security grew, computer security companies sprang up and often recruited their experts from the ranks of the White Hatters.
Law enforcement and government agencies in the recent past also relied on programmers turned reformed criminals to test for security leaks and help plug holes to keep out other intruders. IT managers sometimes had to choose between the threat of Black Hat hackers breaking into the system and White Hat hackers compromising the system for future personal gain.
Some security experts suggest the trend toward using hackers to test the security of computer systems is changing. Thomas Patterson, the former regional partner for Deloitte & Touche Security Services Group, likened the practice of hiring ex-hackers to placing a fox in a henhouse.
But new threats of hacker intrusion, data theft and cyberterrorism have heightened concerns about network security. Increased government regulations regarding customer privacy and data security are testing business priorities. The result is the return of an old debate in boardrooms over whether or not to hire hackers to catch hackers.
To Catch a Thief
Using underground hackers to bullet-proof computer networks is still going on, Patterson told TechNewsWorld. Security companies employ former hackers to do their bidding. “It’s moving upstream to big companies.”
Patterson said the Israeli government still contracts hired hackers, relying on one or two companies with former government security agents to oversee the hacker operations. Switzerland uses five very tiny local hacking firms that have relationships with police. The United States leans toward international firms. In security circles, the process is known as A&P work, for attack and penetration.
Patterson has a long track record in setting up security for major corporations. He told TechNewsWorld that the risks of hiring so-called good hackers can be minimized by following several basic rules.
“We believe we can achieve the same level of success without sacrificing the trust of our own clients. We may go to the hacking conferences and stay up on what’s the latest in the hacking community, but it’s a fine line. We hire the good guys,” said Patterson, whose book — Mapping Security: The Corporate Sourcebook for Global Security & Privacy — was released in April.
Risks May Outnumber Gains
James Harrison, co-founder of computer and Internet security firm Invisus, said he sees a very thin line between White Hat and Black Hat hackers. “The damage done by Black Hat hackers is enormous. White Hat hackers still do break laws,” he noted.
His Web site states that hacking, credit theft and identity theft are the fastest-growing crimes in America. The Invisus Web site warns that the U.S. Government estimates the average computer in America — including home computers — may be hacked as much as four or five times per week.
In his view, hackers are not really the best experts to lock down computer systems. He said safer protection comes from software security products and computer experts with security certifications. Trust and reliability issues are impediments to using hackers, he told TechNewsWorld.
Jerry Brady, CTO of Guardent, a managed security services and consulting services company, said the trust factor, the federal Violent Crime Act and banking regulations are making the practice of hiring hackers less attractive.
Banking regulations prohibit financial institutions from using anyone with a criminal background. General financial services are the most likely market for hacker use. “The entire industry is now very leery about using convicted hackers,” said Brady.
“Ten years ago it was common to hire hackers; now there are lots of legitimate companies to do security testing,” concluded Brady. “We are moving toward more professional consulting firms.”
White Hatters Viewed as Good Guys
Gary Morse, a proponent of the White Hat hacker and well-known security consultant, insists there is still a strong distinction between good and bad hackers. In fact, untrustworthy White Hatters who turn on their clients are in the minority.
“The use of hackers with criminal records is not common. The practice of using good hackers is widespread but not fully accepted,” Morse told TechNewsWorld. “White Hat hackers are seasoned programmers with no criminal records.”
Morse noted that many firms are still reactive to security issues and only call for his help after they think they have a problem. He said he hasn’t seen any predominant fear of companies worrying about an untrustworthy security consultant.
“The only impediment is the cost,” said Morse.
According to Morse, hackers-turned-consultants spend more of their time writing 55 to 80 pages of documentation on a company’s security holes than actually breaking into the system.
“There is a notable amount of back doors already compromising the systems before we get there,” he said.
As a result of the recent increase in the number of virus and hacker attacks, corporate officials at higher levels are much more aware today of the need to test system security, Morse said.
New Hacker Threats May Turn Tide
The outcome of the debate on the ethical legitimacy of using good hackers to thwart bad hackers could hinge on how scared the corporate brass gets over future threats.
Morse said the increasing number of worm incidents through e-mail pales in comparison with the severity of hacker threats.
“Viruses and worms are nuisances. They are like throwing a rock or egg through the window of a bank. It takes resources to clean up the mess,” he said.
By comparison, a hacker attack can remove everything from the bank and leave the windows intact. “A hacker threat is a major problem,” Morse said.
This story was originally published on February 13, 2004, and is brought to you today as part of our Best of ECT News series.