List: isn
Subject: [ISN] Disorder saves the day
From: mea culpa <jericho () dimensional ! com>
Date: 1998-06-30 7:51:29
[Moderator: 'Disorder' is the name of the conference, NOT an individual.]
Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
(url: http://www.smh.com.au/computers/content/980630/news/news2.html)
Disorder saves the day
Who you gonna call when your IT systems get raided? SUE LOWE talks
to the new security consultants.
SECURITY
The ethical hacker. It sounds like the oxymoron of the late '90s,
but according to the three co-founders of Disorder, a start-up
company intent on teaching Australia's private and public
organisations about IT security from a hacker's perspective, being
a well-behaved hacker is very much in vogue.
"Hacking is one of those words people argue about a lot," says
Stephen James, who at 28, is the oldest of Disorder's management.
"A hacker is someone who breaks into systems but once inside they
don't cause any harm. What they do is illegal and we certainly
don't condone it - but once inside they don't steal or modify data,
they don't install viruses and so forth. Crackers do. Crackers
break in and break the system."
James has been running his own security auditing consultancy, ITAC,
for the past four years. His company has been contracted by banks,
stock exchanges and government departments to find, and help fill,
the holes in their IT systems.
Before that he spent 5 years as a senior security auditor with
Price Waterhouse in the United States, making him roughly 19 when
he started. It's obviously a good age. James's two partners in
Disorder, Damien Mascord and Nick Brawn are both 19, both in their
first year of computer science courses at university, and both have
been poking into IT security holes for at least four years.
Brawn complains the term hacker has been "Hollywood-ised" by the
media.
"You read about the hacks on the Internet, with Web pages destroyed
and all this porn put up. That's just like ... to me, plain
childishness.
"There are kids with far too much time on their hands and for the
most part there's no technical skill exhibited in the attack."
But not all hacks - or are these cracks? - are considered juvenile.
Brawn refers to recent attacks on government sites in Indonesia,
staged purely to promote the cause of civil rights.
"Three or four weeks ago there was an attack in response to the
nuclear tests in India. The research site was hacked ... it was a
protest," he says.
As recognition of the "ethical hack" the perpetrators scored an
interview with Wired magazine.
At the other end of the bad guys scale are "Warez pups". Brawn
describes them as "kids who have obscene fun in trading
copyrighted, commercial software: games, productivity tools,
Microsoft products. Some claim to be hackers but what they do is
just immature."
All three deny being bad guys turned good. Mascord and Brawn
maintain they've gained their experience by finding all the holes
in their own "vanilla" (straight out of the box) Unix servers,
plugging up the holes, then seeing if their mates could break in.
Disorder's immediate goal is to bring to Australia a trend that has
gained significant notoriety in the US. The hacker-run security
conference.
In the best traditions of DEF CON (DEF CON 6.0 will be held in Las
Vegas at the end of next month), Australia's first SecCON will be
held in Sydney on July 16 and 17.
Guest speakers will include encryption and virus specialists,
authors on the Australian "underground", even a couple of police
sergeants.
David Caldwell, a detective senior sergeant with the Victorian
Computer Crime Squad, says he's completely comfortable about
sharing the podium with a bunch of hackers with an average age of
22.
"That's quite normal," he says. "A typical profile of a hacker is
that they have a very good education, they've grown up with
computers, and are between 13 and 29."
But he too, has problems with the term hacker.
"It describes such a wide range of activities. Some of it just a
political statement. It's a '60s thing using current Year 2000
technology," he says.
There is, however, a lot more than political protest going on.
Last year, computer-based crime was almost non-existent, or at
least not being reported. Whereas, says Caldwell, "in the first six
months of this year we were getting three to five reports a week."
Reports of credit card-related fraud far outnumbered corporate IT
system intrusions, but "that's not because they're not happening".
But rather "reluctance about reporting them".
Last year the computer crime unit surveyed 500 companies on IT
security issues. Of the 54 per cent that responded "all had
experienced intrusions in the last 12 months, but only 19 per cent
had reported them".
The most frequent reason given, says Caldwell "was lack of
confidence in law enforcement agencies. I don't take it
personally."
Even where unauthorised access had occurred, hackers and crackers
still escaped most of the blame. "90 per cent were traced back to
employees, consultants or contractors," he says.
SecCON details are available via the Web site or from IBC
Conferences on (02) 9290 1133.
-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]