Two internet security consultants deny they are “blackmailing” organisations into using their services by hacking into sites and subsequently contacting the owners.
Brett Moore of Auckland company Software Creations says his firm recently tested a variety of local websites and found more than 100 were vulnerable (see Security firm: one hundred NZ sites have flaws).
Auckland internet security consultant Grant Cherrington says his company has also tested systems and found the growing use of high-speed internet access through technologies such as Telecom’s JetStream DSL service is increasing the vulnerability of organisations.
Both firms say they perform a useful service, particularly in light of New Zealand sites being defaced as part of the US-China “cyberwars”. Moore says he is a “responsible person” for warning firms that don’t know they are at risk, but such actions have been branded as “spam-based scaremongering” (see Good riddance to bad rubbish). Cherrington says what makes “white-hat hackers” different to other hackers is intent. A white-hat hacker earns money defending the security of websites and software.
But Auckland networking specialist Kaon Technologies calls the practice unethical. Company head Tony Krzyzewski says the targets of such practices have no way of knowing whether they’re being maliciously attacked.
“I consider it completely, entirely unethical to do that,” Krzyzewski says. “If they did that and in the process caused damage to your system, there would probably be a good case against them for malicious damage.
“How is an end-user site supposed to know it’s not an attack but is valid? Where is their credibility?”
Cherrington, however, likens himself to a de facto security guard, testing doors and telling companies if they are found unlocked. “[Vulnerable organisations] range from schools to charity organisations and IT networks. We will not identify them to anyone other than a person from that organisation and, where in doubt, we will take steps to verify their relationship [with the company].”
Cherrington says his firm can be trusted. “Unfortunately there is no government-funded internet police cruising the cyber highway and checking the doors. Given the current state of our police service, I’d suggest they’d have trouble logging on, let alone detect an offence, if there was in fact an offence enacted into law.
“So who is left to try to make things better? We like to think we are. We don’t really want to be involved in this story, but with your assistance, it seems like a good way to make lots of noise and maybe shake a few IT administrators awake to the problem,” he says.
Moore warns that organisations, even with security staff, need to know of new vulnerabilities. Some companies he tested have since applied security patches, while others were simply grateful to be notified.
“My initial scan and email was not directly about drumming up business, but trying to do the ‘Kiwi thing’ and help protect New Zealand websites and educate people on their weaknesses. And as I suspected, we are now seeing evidence of New Zealand computers being accessed as part of the global hack war that is going on,” Cherrington says.
Moore is sceptical about proposed legislation that might prohibit unsolicited hacking or testing of sites. “Changing the law does not mean making New Zealand a hacker-free zone. If anything, it would just make it harder to educate the public about security issues.”