ThumpAZ (posted January 22, 2004)
I happen to be a member of the League of Ethical Hackers and can honestly say that I ONLY do contract work. A lot of the folks perform hacks on an unknown and then report to the sysadmins (if reachable). Have any of you ever heard of this type of activity? What do you think about those that perform the same functions as the teenie boppers that figured out sniffers but do it for good? Discuss?
MikeJ (posted January 22, 2004)
Heard it. Seen it. My personal opinion is that intruding on someone's systems without their permission is not ethical, period, even if the intent is good.
ThumpAZ (posted January 22, 2004)
And that is why I do it for companies and other organizations on a contract basis. I agree with you that intrusions without that approval are not right. It is kinda funny sometimes, though. Typically it will be a CIO or MIS that is hiring you, and they won't tell the net admins. You can almost watch them tracking you if you get discovered in the system. If that happens, though, I consider it a fail on the aspect of being "seen". There are times, though, that I have gotten in so easily that I was shocked, and somewhat appalled that they are paying folks to operate their network.
MikeJ (posted January 22, 2004)
Combination of hiring underqualified admins, and in many cases, underhiring the number of required admins to maintain the systems. I often find security lacking more due to lack of resources (admins) than intelligence. Many companies don't perceive it as a problem until it is one. Sad, really.
Boojum (posted January 22, 2004)
Shortsighted obsession with the immediate bottom line is the defining malady of modern American business, and has now pervaded our government as well. As long as the stockholders/campaign contributors are happy, officials will take on no expense except in reaction to a crisis—generally, a crisis that could easily have been prevented with a modicum of forethought. Until we learn to think in the long term, and plan for contingencies, this kind of problem will persist.
Deverill (posted January 22, 2004)
"Have any of you ever heard of this type of activity?"
Yes, but they usually call themselves Security Consultants. As long as the proper owner of a system contracts for your services then what could be wrong with it?
LunarMagic (posted January 22, 2004)
Funny, too, is that most people/small companies don't encrypt or secure their wireless networks... so anyone with a wireless card and a laptop can get right into their system. A friend from college found out by accident that a local restaurant has no security on theirs... and when he downloaded a big file it completely cut off their computer/payment system! I told him he ought to offer to fix it for them for a fee. =) (He's in training to be a network guru - I'm in programming, myself.)
Madmanmcp (posted January 22, 2004)
You are paid to come in and find holes in networks for a President or a Director of a company that does not know the technical side of the business. If you did not find any holes you may be accused of not doing a good job, so you look everywhere and find whatever you can by doing your best... and yes, there are lots out there to find. The network admins are the ones who more than likely inherited these systems, which were set up by others, and are just there doing the administrative work of keeping it running, backing up, applying patches and upgrading the systems when the money is available. So you come in without the knowledge of these admins, break into the system because there are always going to be holes, and get the guy fired or put on the hot seat because he was left with an insecure system.
Systems are built and none are perfect and some are better than others. Lots of factors go into this process, and money and time are usually a major force. If you invest enough money and time to make the system secure up front, then your job is a little more difficult and you find a lot fewer holes to break into. But the majority of the time the cost for this security is too much and these holes are left open for you to find.
A job is a job, and security is a very interesting field and an extremely important one; I hope you enjoy what you do. But personally I do not want a job that may be the deciding factor on whether someone can feed his kids next week because of the work of someone before him.
Lianna (posted January 22, 2004)
No different than internal auditing controls for accounting, internal security assessments for MIS are a necessary part of running a world-class business. Here's the trick: the results of such an 'audit' should be used for *improving the business* rather than *building ammunition* against those responsible for the system. Boojum, not ALL companies view these audits, for lack of a better word, as firing mechanisms or excuses. As a matter of fact, every company that I've worked with has met suggestions with open arms and asked for details on how to implement controls. Not saying it doesn't happen, but less than you'd think, I bet. I'd be interested to hear Thump's experiences with that too.
Boojum (posted January 22, 2004)
"Boojum, not ALL companies view these audits, for lack of a better word, as firing mechanisms or excuses."
Er, Lianna: Great, only I never said anything of the kind. Did you mean to direct this to Madmanmcp?
Madmanmcp (posted January 22, 2004)
Lianna, I haven't seen it but have heard it. I agree, an "audit" is a very necessary tool in a lot of aspects in the business world, and a network security audit is one of them. But putting the "ethical hacking" label on it I suppose rubbed the wrong way. Criticism is hard to swallow, and that's what an audit is. I guess my point was this "criticism" was aimed at the wrong folks, the current admins. They were hired to administer what was already set up and probably did not even know there were such holes, so how could they be responsible for it?
Lianna (posted January 22, 2004)
Bob, I completely see your point, but that's where we start getting into work ethic philosophies, which might start a riot. I am a strong believer in proactivity. If my car is my responsibility, then although I did not build it, I still take steps to determine if I am safe prior to driving anywhere. That doesn't always just mean reading the manual either. It means being observant, inquisitive and out-of-the-box sometimes. My two cents.
ThumpAZ (posted January 22, 2004)
I agree with you all that it can be a touchy situation when you walk into a meeting that has everyone from the machine techs to the CIO and you lay out where and what you were able to get into and how you did it. However, by the end of the meeting it does make you feel a little better when you have made it out that you were not there to get anyone into any trouble, but were there to help. I have not personally seen where the ramifications of my actions have caused the loss of a job. It could very well have happened a few times (some admins get very nervous/reactive when confronted with this information), and in some cases probably should have. One of the things I make a point of doing when I go into these meetings is to lay it out in layman's terms so it does not paint the picture of ineffective people at the controls, but that there are always ways to improve a system.
Typically, it turns out that I am able to make new friends that will email me later and discuss other intrusion attempts they have seen now that they know what to look for. They develop a new respect for the "other side" and that respect makes them more cautious. It is also a great way to get money out of the execs to improve security measures, especially when the admins can prove where they requested something but were never given funds to do/buy it.
There have been systems that I and a few friends have not been able to get into. We are always logging everything and taking screen caps and such. This type of failed attempt typically will show up in the admins' logs and they will be investigating it already (maybe even letting the person who hired me know of the attempts). This is how I prove that I was trying and the system was well protected.
I agree, the term Ethical Hacking can rub the wrong way, but that is what it is. Security Consultant is a title given so as not to offend anyone. Just an FYI...
I don't do it "for fun" on anyone, so you can all relax.
Deverill (posted January 22, 2004)
This is similar to a programmer's code review. Basically one programmer on a team gives complete access to his code to the others, who review it line by line in hopes of finding better methods of doing something or a flaw in the code. I had a boss once that was burned by people laughing at his self-taught methods and would not do a review. I asked him to cause a review on my code because I knew the other guys on the team were brilliant and could add something to my code. There were some things they criticized, but many others they commented on as being good. Either way I came out a better programmer.
If a company takes a hack-attack as ammo against their admins they have a much bigger underlying problem. The only time this may be a real problem is if someone gets in on port 1800 and the admin says "I thought ports only went to 255!" - then they really do need new staff.
There are a ton of analogies - for example, Florida Power & Light does an energy survey of your home for free. They don't say "Boy, the guy that built this house is an idiot!" but rather "If you weather strip the door you'll save $20/month."
Finally, Madmanmcp, beware what you hear. It's real easy for me to say "Those losers fired me because TCH is such an invasive part of one's life." but it may be more true to say "I got fired for goofing off on company time." (By the way, I'm taking a late lunch if anyone is wondering.)