Here is a link to the Article in the July 1 edition of the Globe and Mail.
wallstreetinterview.com
"Stealthy hacker dons a white hat"
Firms are relieved when Brian Lynch steals their data
Brad Grier
Thursday, July 1, 1999
Calgary -- in
Bryan Lynch looked like any other executive traveller as he flew to his
next business meeting, typing notes on his laptop and finishing off yet
another memo.
But the papers in the clean-cut young man's carry-on told a different
story. The bag contained a printout of 10,000 valid credit-card
numbers, taken after a successful security penetration of a computer
system.
When the victim company discovered what Mr. Lynch had done, it
was relieved. Very relieved -- because it was a client.
Mr. Lynch is a hacker. A "white hat hacker" to be precise.
His primary job is to audit data security and network infrastructure for
corporations -- before someone with a much more malicious agenda
can get in. In order to beat the bad guys at their own game, Mr. Lynch
and his colleagues draw on a host of technical and non-technical skills.
Most importantly, they have to virtually wear a black hat themselves --
set a thief to catch a thief.
"In this profession we're seeing a blend of network administrator,
psychologist, system administrator, tech support and management," Mr.
Lynch says. "But to actually think in the sense of the person who wants
to break into a network -- or to fully assess what the network
vulnerabilities are -- is probably not something that can be learned in
school."
And that raises the question: How do you learn to hack?
Not formally at college or university, in Mr. Lynch's case. While he
attended university, his computer skills were entirely self-taught.
He began his education in the early days of home computing, using a
386 PC and a 2,400-baud modem. Bulletin boards were his primary
school, and he used them to exchange tidbits of information.
"I saw how neat connecting computers can be," he notes, recalling
using text-based Internet browsers such as Lynx, Mosaic and Gopher.
His interests expanded into operating systems such as Unix. More
recently, his expertise has extended into Windows NT, an operating
system increasingly used in corporate networks.
After dabbling in on-line explorations, Mr. Lynch worked on private
security-related contracts, consulting and learning more about the
business.
Jaws Technologies Inc. of Calgary recognized Mr. Lynch's talent,
and persuaded him to join its cause. At Jaws, he's a member of a team
of security specialists that market their diverse skills to businesses with
a need for security. Jaws, which employs about 30 people, hires out its
staff as consultants and also develops security software.
The Internet provides a digital smorgasbord of knowledge for both the
black hat and white hat communities. Today's budding hackers can
easily learn anything they need to know about corporate networks
on-line. With a bit of research they can learn all about defenses such as
firewalls.
L0pht (pronounced loft) Heavy Industries and Cult of the Dead Cow
are two of the more famous on-line security specialist groups. The
informal, U.S.-based organizations draw membership from the entire
Internet community. Their Web sites detail new "exploits" and "fixes"
for many operating systems and applications. Curious users will also
find "warez" -- programs designed to break passwords and system
security.
Mr. Lynch says that a lot of hackers are initially neither white hat nor
black hat -- instead they inhabit a grey area.
"A lot of people have crossed the line, either way, from white to black
-- black to white," he observes. "But there's a period of research for
any person, where they realize what they're becoming interested in, and
they see a lot of information they like -- it's not really black or white
hat, I think that's where I would have started, and moved into white
hat."
Mr. Lynch notes that internal security is usually the first and most
important target of the audit. "More than 70 per cent of information
theft and security breaches occur from inside," he observes.
For obvious reasons, Mr. Lynch declined to go into detail about the
methods he uses when performing an audit. But a scenario could work
in the following manner.
Worker X at the Target Company receives a phone call from a
supposed help desk staffer. The caller sounds convincing, and even
mentions some personal or work-related detail to help establish
credibility. The user is then instructed by the caller to run a computer
program, sent through E-mail. Now the deed is done: The program
was a Trojan horse, a type of program that appears harmless but is
actually used for illicit purposes. The employee's machine now
surreptitiously relays corporate data to a black hat.
You may not think there's much valuable information buried in your
E-mail, but Mr. Lynch disagrees. "I don't mind scrolling through 50
pages of information to exploit things. Maybe there's text lying around,
and I don't mind reading a month of someone's E-mail, to scan for
useful corporate information." Mr. Lynch says the first thing he does as
a consultant is to find out what a company's security needs are. Then
the real grunt work begins, looking for the vulnerabilities.
External "attack and penetration" audits expose the other big
vulnerability of today's networks -- the corporate firewall, a technology
used to protect company data when connected to the Internet.
The work's not very easy, or glamorous, but occasionally the payoff
can be huge, such as finding those credit card numbers, unprotected
and exposed.
"I like finding holes in people's system that are so extraordinary it just
makes me sit back from the monitor," Mr. Lynch says. "I've had root
access on very large systems, just suddenly you're there! You just sit
there. You're suddenly holding all their corporate records, and you can
control anything you want on their system."
Mr. Lynch cautions that a black hat hacker wouldn't necessarily delete
data or infect the system with a virus. "Someone can use that
information in a secondary sense, steal your identity, apply for credit
cards, things like that." This sort of thing happens, as one of his clients
found out.
The real fun, Mr. Lynch says, is in closing these security holes, and
discovering new ones.
"That's a high," he says. "To have that, or to get the access of someone,
or to come across a nugget of information that's quite useful, that's a
good feeling, if that's what you're looking for."
Site seeing
jawstech.com
l0pht.com
cultdeadcow.com
CURRICULUM VITAE
Who: Brian Lynch
What: Professional services consultant, Jaws Technologies Inc.
Job description: Member of computer security specialist team.
Why he's in: "It's an emerging field with amazing potential."
Why he does it: He enjoys "thinking one step ahead of the bad guy
every day."
Barrie Einarson
Director Investor Relations
JAWS Technologies Inc.
1-888-301-5297
1-403-508-5055
Hours: 8:00AM - 5:PM MST
Contact me @ mailto:invrel@jawstech.com
Website: jawstech.com
--------------------------------------------------------------------------------------
Keep your data safe! Download a free trial copy of JAWS Data Encryption
For The Desktop Software.
Click here: jawstech.com |
