j0hnny is a hacker. As a high school kid holding down a job flipping burgers, he would spend nights exploring networks and systems that didn't belong to him. Today, while employed in IT security at Computer Sciences Corp., he hacks the networks of government agencies and commercial organizations. His Web site shows visitors how they can find passwords and logon pages for various services - all turned up by searching on Google.
j0hnny is actively involved in the underground hacker community and has spoken at many "black hat hacker" conferences, where hackers meet to talk about ways to exploit security vulnerabilities. He gets paid to do all this because j0hnny (aka Johnny Long) is one of a growing band of ethical hackers. "I'm able to portray an image of a hacker," says Long, whose title at CSC is security expert and ethical hacker. "My Web site looks like a hacker's site and that is my calling card." Although at first glance his Web site appears to be a hacker's domain, it serves to educate visitors about security vulnerabilities.
Many security experts advise organizations to hire ethical hackers - aka white hat hackers - as consultants to carry out penetration testing of their networks. But how should organizations go about hiring an ethical hacker? Should you hire a security consultant from a large IT organization or go to a dedicated security boutique? Or should you consider hiring a reformed black hat who has the advantage of having been there and done that and who would know the black hat's mind-set? And what's the risk of an ethical hacker turning bad and stealing your company data?
If you know where to look, you can find thousands of tools that exploit specific vulnerabilities; the difference is the way in which the tools are used, says ethical hacker Shon Harris, president of Logical Security and a former engineer in the Information Warfare unit of the Air Force. "The bad guys use the tools to find vulnerabilities to exploit. The good guys find vulnerabilities to plug," she says.
Ethical hackers say organizations should carry out the same due diligence when hiring white hats as they would when filling any other position. You can use ethical hacker certifications to weed out candidates, but such certification programs don't teach life experiences, says Pieter "Mudge" Zatko, a hacker and a division scientist at BBN Technologies who researches ways to protect Department of Defense data. "Certification courses teach you about buffer overflows and Microsoft hacking tools - stuff that's already well known and rudimentary and then you get a hacker title. It doesn't mean you have a strong grasp of security," he adds.
Good ethical hackers are security professionals who pride themselves on their technical skills and the security experiences they've gained over the years. Because their livelihood rides on their reputation, good hackers are not going to run the risk of doing something illegal, Zatko says.
Many malicious hackers are self-taught, and the same is true of ethical hackers. "Typically hackers are people who didn't finish college because they were so into finishing [their hacking] project. I didn't finish high school and there are people here who have PhDs in computer science who learned hacking on the side," says Marc Maiffret, co-founder and chief hacking officer at eEye Digital Security.
Comments (12)
Hackers for hire
By Anonymous on February 27, 2007, 9:53 am
I think that he is a troubled child who may be looking for trouble.
find me and ill hire you....
By Anonymous on April 16, 2008, 10:25 am
Find me and I'll hire you...
how would i hire someone like jonee to hack for me?
By Anonymous on June 8, 2009, 4:27 pm
How would I hire someone like Johnny to hack for me?
I would hire him to take down IRANIAN GOV Firewalls and proxies.
By Anonymous on June 21, 2009, 4:02 pm
Looking for people to help Iranians communicate freely with the world. Take down irib.ir, ahmadinejad.ir... If interested, post here.
i need to get a gmail password and track location
By Anonymous on July 24, 2009, 4:37 pm
Please contact me at fosforitosapo@gmail.com
need to hire hackers
By anthony on July 29, 2009, 5:37 pm
I need to hire hackers for a job.