“White hat” hackers claim they do organisations a favour by finding vulnerabilities in their systems and alerting the companies to them, but many in the IT industry believe otherwise. Darren Greenwood asked a security professional to conduct an “ethical” hack on two firms which had given their permission. We spoke to the firms before and after the hack and evaluated what they learned about their security systems.
Child pornography could well be today’s feature on the website of the Auckland office of US multinational DataGlobal, replacing the widgets in its product range. Its news portal may well be running media releases about its products causing cancer to users in the US, its Asian workers being exploited and its Australian offshoot wrecking the environment. Its Chinese interests may even have attracted fire during the recent US-China “cyberwars”, during which individuals in each country sought to deface or disable each other’s websites.
DataGlobal is a real company, a top IT services provider, but for this article we are not using its real name and have blurred a few other details, while still seeing how vulnerable it is to hacking.
Computer Associates’ Srinivasan Vanamali probed the systems of DataGlobal, and conducted a similar test on another company, this time in Wellington. For a time this firm agreed to be identified, to be held up as a shining example of a company with sound security systems. However, once CA tested its systems and found plenty of holes, it thought better of it. This firm, it should be noted, sells services through the web and is talking to large corporates about partnerships.
We don’t know who this firm is. CA won’t tell us, even though we promised not to identify them, so we have also not been able to speak to the firm’s security chief. However, we are able to reveal what CA found in all its gory detail.
Part of the problem of writing about IT security is that users of security services don’t want to be identified, as the mere mention of their names and security systems presents a challenge to every hacker. They are naturally embarrassed, too, when their expensive systems are breached and infected by a simple virus let in by an inattentive staff member.
Figures in the US suggest reported hacking has more than tripled in recent years, despite greater security and tougher penalties. Systems are broken into either for fun, to spread a political message (“hacktivism”), to cause commercial damage (the US-China cyberwars), or as revenge from a disgruntled employee.
Nineteen-year-old Raphael Gray from Wales recently obtained Bill Gates’ credit card details and sent the Microsoft boss some Viagra tablets. More seriously, though, Gray obtained the personal finance details of 23,000 people and posted them on the internet, to show that online trading is unsafe — an action Visa says cost it $250,000 in repairs.
Hacking has increased so much that Attrition.org has stopped updating its daily list of defaced websites because it can’t keep up. The US Department of Defense says its systems are probed 250,000 times a year. The US government’s Computer Emergency Response Team adds that corporate hack attacks increased from 5000 cases in 1999 to 17,000 in 2000. The FBI in the US estimates worldwide business lost $US1.5 trillion due to security breaches.
The real worry is that these are just the recorded cases, as to avoid negative publicity most companies don’t report them.