A Hack by Any Other Name
When seeking to implement proper safeguards against unwanted intrusions, IT organizations often face the reality that they do not possess the technical know-how needed to repel such intrusions in the first place. In an attempt to help enterprises prepare against invasion, Canadian consultancy
Computer Security Canada Inc. (CSCI, Ottawa, www.csci.ca) announced the availability of its Hackers4Hire program, an auditing and testing program for enterprise networks.
The name alone of CSCI’s Hackers4Hire program is probably of sufficient associative import to give a number of seasoned IT managers pause. But as CSCI’s Jon-Paul Mitton explains it, his company doesn’t actually hire hackers to test the defenses of enterprise customers. Rather, CSCI runs a battery of auditing tests on a client’s Internet and network infrastructure; Hackers4Hire is the name given to the resulting assemblage of Internet, network and server audit and testing services.
At the same time, some enterprises are finding that there is nothing like the real thing, and are enlisting the services of professional hackers to prowl their data networks for security holes. Many members of the Boston-based hacker group l0pht (www.l0pht.com) have provided security consulting services for enterprises at one time or another.
A Windows NT hacker and l0pht member known as Mudge recently published a white paper in conjunction with Bruce Schneier, renowned cryptography expert and president of Counterpane Systems, a Minneapolis-based cryptography and security consultancy. The paper revealed gaping holes in Microsoft Corp.’s implementation of the Point-to-Point Tunneling Protocol (PPTP), problems that Microsoft has partially patched with the release of a PPTP hotfix for Windows NT.
While recognizing the contributions of so-called above-ground hackers, many in the security community are loath to resort to the strategy of bringing professional hackers in-house for security testing purposes. "If you're asking about hiring a hacker, that is, someone who is loosely organized as a business and not associated with a business that has a reputation for providing these services in a sound and ethical manner, I would recommend unequivocally against this," maintains David Bovee, an MCSE and security engineer.
CSCI’s Jon-Paul Mitton, director of communications with CSCI, also pooh-poohs the idea of employing actual hackers to test a company’s defenses. "Some of our clients have already found the hard way that hiring real hackers to check corporate defenses might be imprudent at best," he contends.
"With the increased vulnerability of global computer networks and the rising competitive pressure to provide services through the Internet, our clients need to ensure that the integrity of their data and that of their own customers is well-preserved," says Mitton.