|NOW HIRING: HACKERS (TATTOOS WELCOME)
Special to the Chicago Tribune April 12, 1998
Even the computer professionals who like to wear Birkenstocks and T-shirts to work find the dress code of GenX hackers a bit extreme. The main elements seem to be tattoos and nose rings.
They'd better get used to them. Many computer hackers, some of them recovering computer criminals, are adeptly turning their coveted expertise into big bucks.
A surge in computer crime, spurred by the shift to networked computers and by the growing popularity of the Internet, has created a huge demand for information security experts who can help protect companies' computer systems. Recent high-profile attacks on government and university computer networks highlighted the vulnerability of these networks and spurred corporate executives to seek ways to fortify their systems.
"Is the threat getting worse? Definitely yes," said Eugene Schultz, research director of Integrity Solutions International, a subsidiary of San Diego, Calif.-based Science Applications Corp., a high-tech R&D corporation (www.saic.com). "That's largely the inevitable consequence of the shift from the mainframe work environment to one of interconnected PCs and workstations," which means anyone with access to one machine has easy access to the whole network, Schultz said.
NASA, the U.S. Navy and university campuses throughout the country were recently the targets of "denial of service" attacks on thousands of computers running Microsoft Corp.'s Windows NT and Windows 95 operating systems. The attacks, launched over the Internet, made computers crash but apparently caused no data loss.
In a separate recent incident, the Justice Department last month arrested three Israeli teenagers suspected of masterminding the break-ins of hundreds of military, government and university computer sites to gaze at unclassified information. The Federal Bureau of Investigation is also investigating two California teens who linked up with their Israeli co-conspirators over the Internet.
Schultz said it could have been much worse. "Do I say the sky is falling? No way. But the sky could fall," he said.
One thing dropping from the skies into hackers' laps are fat checks from frightened clients.
Many companies are amassing teams of in-house experts to guard their networks against cyber prowlers, while others prefer to bring in outside consultants. The most experienced network security experts are often hackers--commonly defined as computer whizzes who love to write code (and not, as is often--but incorrectly--used as a generic term for a computer criminals).
Many hackers over the years have relished poking holes in Fortune 500 and other big companies' computer programs and chip-making codes, and then publicly, brazenly attacking the likes of Microsoft Corp. and Netscape Communications Corp. for selling products with bugs. In fact, some hackers operated Web sites devoted to discovering and disclosing flaws in companies' products.
But it seems many are taking the lead from hacker-experts like Dan Farmer, the creator of "SATAN," a software tool for probing for security weaknesses on the Internet. He was scooped up by Sun Microsystems Inc. to help detect and repair computer security holes. And with hackers increasingly in hot demand, they can demand hefty fees or salaries--an attractive way to pay off college tuition or supplement meager income elsewhere.
Hackers' anarchistic style is gradually gaining acceptance in corporations and government agencies, although some conservative organizations feel safer renting experts from established consulting firms.
Fred Villella, a 60-something retired Army colonel, runs a computer-security consulting business out of San Diego, Calif. The firm offers educational seminars for businesses and dispatches highly skilled, renowned hackers to help companies patch network holes and guard against future cyberattacks. He knows well the unmatched talent of many funky hackers as well as the corporate skittishness toward them.
"I'm an old traditionalist, so when I first took one of my brightest young hackers--he had dyed yellow hair, an earring, tattoos on his arm--into a government research center, I was worried," said Villella. "I've got a long-standing reputation as a colonel. But then I relaxed when I saw the system administration guy (at the government site) was wearing earrings and the network manager had a ponytail and a beard to go with his suit."
That yellow-haired hacker, a 24-year-old who prefers to be known by his alias, "Route," also sports a tongue bar. His work as an information security consultant is worth $1,500 to $2,000 a day to clients who want to arm themselves against attacks by "crackers"--the correct term for hackers who use their computer expertise to commit malicious acts of infiltrating computer networks. On his own time, Route edits Phrack, a computer security journal (phrack.com). And he occasionally gives talks to government and corporate clients for Villella's firm, New Dimensions International (www.ndi.com). Route writes his own security-related tools and claims he's never used them for illegal snooping.
Route says his "fringe" appearance might help him stand out in people's minds and thus draw new business, but that his appearance is unimportant to the more computer-savvy clients who come to him for his talent. "Besides," he said, "I've got friends that look even more freakish than I do."
Villella's New Dimensions just conducted a technical seminar in Elk Grove Village titled "The Hacker Phenomenon and Penetration Techniques," aimed at teaching corporate executives and engineers the secret formulas used by crackers.
One way to help fend off intruders, he said, is to have employees use passphrases (rather than passwords, which can be readily cracked by software tools like L0phtCrack). "Unless someone is really committed to getting your stuff, they'll go away and get something easier."
Villella helps hackers tempted to become crackers see that the choice between a potential jail sentence or a six-figure income working as security consultants shouldn't be too difficult to make.
An informal survey published earlier this month points to the increasing perils of the wired world--and the concomitant rising opportunities for hackers to capitalize on the fear and strike it rich as troubleshooters. The Computer Security Institute, a San Francisco-based watchdog group, reported that 64 percent of 520 companies said they had suffered security breaches within the last 12 months, a 16 percent jump over the 1997 results.
American Information Systems, a Chicago-based Internet service provider (ISP), stands among the ranks of ISPs that offer firewall solutions, audits and other computer security services to augment their core--and often unprofitable--access business. "We've seen extremely dramatic revenue growth in this area," said Stephen Schmidt, a vice president at AIS.
Information security experts offer a range of services for clients. An experienced hacker might start with a network intrusion and penetration test. Basically that means breaking into a company's physical site--to check on the overall quality of a company's security environment--and then its computer network.
"It's fun breaking into sites," said Peter Shipley, a 32-year-old Berkeley,Calif., hacker whose accomplishments include breaking into most of the computer systems at the University of California, Berkeley, while a student there. He runs a consulting firm, called Network Security Associates (www.network-security.com), and charges $1,500 to $2,500 a day, depending on the project.
The experts also conduct external and internal security audits of a client's existing networks, assess the risks, and recommend improvements.
Another hacker who now makes a healthy living consulting goes by the alias "Mudge." He is a member of L0pht, a sort of "hacker think tank" consisting of a handful of Boston-based hackers who work out of a loft space, where they research and develop products and swap information about computer and cellular phone security, among other things. Mudge consults for private and public organizations, teaches classes on secure coding practices, and writes his own and reviews others' code. "It pays well, but the money isn't the main reason I'm doing it," he said.
What he likes best is knowing he's among the elite experts who understand computer security more than big-name consultants. He's proud that he and his ragged assortment of hacker friends are called in to solve problems that stump the buttoned-down set.
"Not bad for a bunch of bit-twiddlers," he wrote in an e-mail missive.