Feature

The ethical hacker: out to save corporate reputations

The biggest names on the Internet are under attack and the FBI is investigating, but things could be a lot worse if it weren't for an unsung band of ITers who use the hacker's own methods to foil incursions before they happen. Pravin Jeyaraj meets a legitimate code cracker

In recent weeks several major Internet sites have been targeted by hackers, prompting the FBI to launch an investigation into the attacks.

Internet search engine Yahoo! was brought to a standstill for three hours after hackers flooded the site with traffic, effectively blocking legitimate users from accessing it. Online retailer Amazon.com, CNN Interactive, discount retailer Buy.com and the online auction house eBay have all suffered substantial attacks recently.

The FBI was called in after Buy.com announced that some of the attacks were traced to powerful computers in Boston, New York and Chicago - although computer security experts have warned that these computers could themselves have been hacked into and used as launch points.

Security breaches like these only serve to further society's perception of hackers as malicious and shady individuals who take delight in displaying their technical skills at the expense of other people.

However, some hackers do it for the greater good. One such example is Matthew Pemble. Based in Malvern, Worcestershire, Pemble is a hacker for the good guys.

I find him sitting in front of a computer tapping away at the keyboard. Suddenly, a grey box appears on the screen with the message "administrator access request successful". He sits up, draws his elbow backwards and hisses, "Yes!" He has just managed to hack into and take control of a government server.

But he does not share his achievement, in true hacker solidarity, with the rest of the people in the room - they are busy trying to access other servers. Instead, he reports his findings, including recommendations on how to prevent a similar electronic break-in, to Defence Evaluation and Research Agency (Dera) officials.

For Matthew is not a typical hacker, and is not concerned with showing off his skills or beating the IT establishment. He is an "ethical hacker", employed to expose security flaws in computer systems so that they can be fixed. At Malvern, he was being trained by Dera.

Here Pemble reveals his route into ethical hacking:

How did you get involved with the Government?

Through a scheme called IT Health Check, which is run by Communications-Electronics Security Group (CESG) and Dera. The computer testing company I was involved with had to bid for a place on the scheme.

What was IT Health Check about?

It was a three-day course, followed by a written exam and then an "assault course" where I had to hack into a dummy system. We learnt how to use publicly available tools to analyse network structure and look for possible vulnerabilities that hackers could exploit.

We learnt the port scanning tool Nmap; L0phtCrack, which is a password cracking tool for NT; Crack, which is a password cracking tool for Unix; the monitoring tool Spynet and tcpdump, amongst others.

Why did you decide to take part in the scheme?

I was interested in getting deeper into security issues. I was the lead consultant with the company and it was the obvious next step.

What do you do now?

I am the senior consultant at IS Integration, responsible for issuing the security services portfolio. I have been there for about five weeks now. My job includes Web site auditing, helping development staff integrate security into their products and penetration testing - hacking into a system with the owner's permission. I also help clients to put together a security policy and strategies.

How did you end up there?

After working for the testing company for 18 months, I was made redundant at Christmas. A friend of mine who was working in the IS sales department passed the word on and soon after I got a call.

What did you do before?

I was an IT manager for the Royal Navy, with specific responsibility for security issues. I had an awareness of hacking skills through the job and people that I met. I knew people who were involved in hacking, both ethical and otherwise.

How long were you in the Navy?

Twelve years - from 1986 to 1998. I joined when I was 17 for my year out before university. I was originally a weapons engineer, responsible for all electronic equipment.

What is your view of unethical hackers?

There are two types of hackers. People who run computer programs on their own system and try to break the code are OK. But anyone who hacks into other people's systems is a criminal and should be dropped from a great height.

The best analogy is car theft. There are the same opportunities as walking down the street and trying every car. The fact that someone is stupid enough to leave the door unlocked does not make it right to nick their car.

Ever been tempted to hack outside of work?

No, but when I was at university there was always a race to try and get as far as possible into the university's network.

What about the future?

I would like to expand and run the security organisation within IS and then, who knows?

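The IT Health Check answer above describes using publicly available tools to analyse network structure before looking for vulnerabilities, and names Nmap as the port scanner used. The following is an added example, not code from the article, from the Dera course or from Nmap itself: a minimal TCP connect() scan, the simplest technique Nmap implements (its -sT scan), with a banner grab on each open port. So that it runs offline it scans a throwaway listener it starts on 127.0.0.1; the host, the port choice and the "SSH-2.0-demo" banner are constructed for the example.

```python
"""Minimal TCP connect() port scanner with banner grabbing.

Added example for this page: not code from the article, from the
IT Health Check course or from Nmap. It is the simplest technique Nmap
implements (its -sT scan): complete the TCP handshake and classify the
result. To run offline it scans a throwaway listener it starts itself
on 127.0.0.1; the "SSH-2.0-demo" banner is constructed for the example.
"""
import socket
import threading


def start_listener(host="127.0.0.1", banner=b"SSH-2.0-demo\r\n"):
    """Start a fake service on an ephemeral loopback port.

    Returns (stop_event, port). Setting stop_event shuts the listener
    down; the banner is sent to every client, as a real sshd would.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: the kernel picks a free port
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return stop, srv.getsockname()[1]


def scan_port(host, port, timeout=0.5):
    """Attempt a full TCP handshake and classify the port.

    Returns (state, banner). A RST (ECONNREFUSED) means 'closed'; no
    answer within the timeout means a firewall dropped the SYN, which
    Nmap reports as 'filtered'. For an open port we also read whatever
    the service volunteers, which is often enough to identify it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed", b""
        except OSError:          # includes socket.timeout / TimeoutError
            return "filtered", b""
        try:
            banner = s.recv(64)
        except OSError:          # service accepted but said nothing
            banner = b""
        return "open", banner


def scan_range(host, ports, timeout=0.5):
    """Scan each port in turn; return {port: (state, banner)}."""
    return {p: scan_port(host, p, timeout) for p in ports}


def demo():
    """Scan one port we know is open and one we know is closed.

    Returns (open_port, closed_port, results) so the outcome can be
    checked rather than only printed.
    """
    stop, open_port = start_listener()
    # Reserve then release a second ephemeral port: nothing listens on
    # it afterwards, so a connect() gets a RST and the scan says closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = scan_range("127.0.0.1", [open_port, closed_port])
    finally:
        stop.set()
    return open_port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = demo()
    for port, (state, banner) in sorted(results.items()):
        print(f"127.0.0.1:{port:<5} {state:<8} "
              f"{banner.strip().decode(errors='replace')}")
```

The three states mirror Nmap's open, closed and filtered: a refused connection proves a host is there but nothing listens, while a silent timeout usually means a firewall is dropping the probe, which is a different finding for the report. The same connect() loop pointed at a system you do not own is exactly the offence the Computer Misuse Act covers, which is why the assault course in the article runs against a dummy system and the scanner here only ever talks to loopback.
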
The hacker's toolkit

A good "ethical" hacker needs a good knowledge of:

  • Unix, NT and TCP/IP communications
  • The law pertaining to computers, such as the Computer Misuse Act
  • Port scanning tools (eg Nmap), monitoring tools (eg Spynet), Win32
  • Vulnerability assessment software
A hacker's CV

    Name: Matthew Pemble

    Age: 31

    Qualifications: BSc (Hons) Electronic Engineering, Heriot-Watt University

    IT skills: Unix, NT, Win32, TCP/IP

    Current job: Senior consultant at IS Integration

    Previous employers: Software Laboratory; Royal Navy

    Hobbies: reading, cooking, DIY, gardening

    Favourite book: Neuromancer by William Gibson

    Favourite film: Return of the Jedi

    This was first published in February 2000