Tools and tricks of the white hat hackers

How the security pros find and fix dangerous exploits

January 31st


These white hats are taking part in the Security Smackdown, which is a humorous test of security knowledge


The term hacker may be used to describe people who steal information from computers, but that's just the dark side of the story.

Like the cowboy heroes of childhood, there are white hats as well as black, and the former are legal hackers: security professionals who aim to make the wilds of the internet a safer place for us all, tracking down and rounding up the exploits that endanger our computers.

The movie Sneakers features a team of hackers who are employed to show businesses just where their weak spots are.

The film may be a little dated, but security experts agree that it's still one of the best depictions of just how they go about their work, which involves examining both networks and systems to find exploits based on both social and technological weaknesses.

The US Military runs exercises where 'tiger teams' of good guys think like bad guys in order to penetrate secure facilities, testing just how secure they really are.

That's the idea behind network penetration tests, where security consultants are challenged to get inside a system or network in order to find holes, which are then filled with patches, policies or other security measures.

Penetration test teams include people with a wide-ranging mix of different skills, from social engineers and network specialists to hardware and software engineers. The exploits that they find vary, but they all share one fundamental element: they are ways into a network that compromise both data and computer systems.

The making of a legal hacker

Not everyone is cut out to be a security analyst; for one thing, it's not easy to develop that level of professional paranoia. One of the most famous security analysts, Bruce Schneier, tells a story about how as a child he realised that a company that sold ant farms (and mailed out tubes of live ants) could be used to send ants to anyone, anywhere.

That's a very different mindset to that of most of us, and essentially it means looking at the world to see how it can be broken or subverted. A security analyst would walk into a shop and think of three different ways to rob it and another dozen to defraud it. It's a good job that those minds are on the side of good and serve to help protect us against their less than honourable counterparts.

Opportunities are everywhere. You might see a USB charging port at an airport as a quick way of getting your phone or iPod charged between flights, but a security analyst will be counting the connections in the port and wondering just how much data someone could steal from an idle phone using nothing more than a USB connection.

Penetration tests capitalise on that security mindset. White hat hackers working for security companies attempt to use their skills (and the tools that the black hats use) in order to find ways into a business network.

If you're running a big network that carries data that needs to be secure, you're likely to need certification from one of the big security consultancies before you'll get any insurance – and that certification is going to require one or more major penetration tests.

These tests aren't simply restricted to the computer side of things. Network security is about people, policy and technology. While you may be thinking about encrypting your network traffic and using two-factor authentication, your penetration testers may well be gaming your social network, tracking down backdoors into your network through staff who might have forgotten passwords one time too many and tailgating their way into the office building.

 

Your comments (2)

kroshi


February 2nd

2. The making of a legal hacker -

Opportunities are everywhere :

If you open Moscow Yellow Pages, you would be surprised how many foreign companies have their offices in Moscow...

Although the international financial crisis has caused the collapse which has never occurred since the Great Depression, the Russian Federation is still considered as a quiet harbor.

Amongst the transcontinental companies there are a considerable number of Japanese corporations such as Toshiba, Mitsubishi, Fujitsu, NEC, Sanyo, etc.

Though the latter are thought to be well-known for their success in retailing of high-quality products worldwide, there have been cases which must be interesting to investigating institutions.

We are going to take Mr. Vadim Danilov’s employee fraud case including asset misappropriation, money laundering, and kickback scheme.

The story goes Mr. Vadim Danilov was hired by Mr. Harry Fujimaki to work for Toshiba Corporation (Kabushiki-gaisha Toshiba) as a general logistics manager in Russia.

The event occurred in 2004.

In the course of two years Mr. Danilov had been “employed” in other areas such as, a certification specialist, customs broker, trader, promoter, etc. Mr. Danilov worked effectively and honestly thinking that he was a team player contributing to Toshiba’s profits.

Moreover, Mr. Koichiro Natsume, an executive manager of Toshiba Corporation in the CIS, declared him a Toshiba Official Trader at the Conference at the Imperial Park Hotel, Moscow, 2006.

In addition, Mr. Natsume declared that Mr. Vadim Danilov was officially registered by Toshiba Corporation as Toshiba's Official Trader named “the Ninth Wave” in the UK.

To conclude the announced procedures, Mr. Natsume issued to Danilov’s Ninth Wave an invoice which was paid to a TCMS official account at Sumitomo Mitsui Banking Corporation, Singapore Branch.

Furthermore, there were other financial transactions during 2006-2007-2008 years, executed by Mr. Vadim Danilov between clients and Toshiba Consumer Marketing Singapore, SMBC Singapore branch account.

After all the payments were completed, Mr. Natsume vanished somewhere in Japan. Toshiba Corporation managers in Russia, Japan and Singapore refused to explain to Mr. Vadim Danilov how those payments had been used.

Toshiba Corporation & TCMS, Mitsubishi and MCLogi, insist nowadays that Mr. Vadim Danilov has no evidence and the corporations declare now that Mr. Vadim Danilov had never had any relations with Toshiba Group Companies or Mitsubishi's MCLogi staff.

Moreover: the Toshiba and Mitsubishi MCLogi staff has been running away from Mr. Danilov for 35 months (!).

The Metropolitan Police Department of Tokyo also refused to investigate the accident and explained to Mr. Danilov that he had no right to bring in an action against a Japanese citizen.

It would be better for the Metropolitan Police Department of Tokyo to check diligently some backgrounds of Toshiba's and Mitsubishi's Conformity Certification procedures in Russian Federation. As well as Customs Clearance documents with false Japanese stamps and signatures of false "Japanese Customs" or "Thailand Customs"...

It seems to be a confrontation between David and Goliath but David had had no backup…

It seems The Heaven's Referee is judging nowadays all the involved sides by crisis processings ...

That's a very different mindset to that of most of us, and essentially it means looking at the world to see how it can be broken or subverted...


penflash


January 31st

1. I always think that these hacking tools are supposed to find holes in a networking environment, but what about a disguised hack tool that can also be an intruder or a virus? How can a regular user know if it is a good hacking tool doing the good or if it is an evil hack tool that wants to penetrate the network system? It is very difficult to know the difference between them because they are identical tools. The only difference is the EVIL and the GOOD.
