A year ago, it was the buzz of the RSA Conference.
Hewlett-Packard chief security strategist Ira Winkler stood before a cramped session room at the annual security show in San Jose, Calif., talking about audits, assessments and penetration testing when the subject of hiring a hacker to do pen tests surfaced. It didn't take long for Winkler to take convicted computer criminal Kevin Mitnick's name in vain as an example of why hiring a former criminal is a bad idea.
As Winkler made his case, a voice made itself known. Mitnick was in the room.
The debate was heated and attendees loved it. This year, they're getting a rematch, though on a less impromptu scale.
At Winkler's recommendation, RSA is hosting a general session on hiring a reformed hacker in your enterprise called "Foxes in the Hen House." Joining Winkler and Mitnick on the panel are Mitnick's attorney Jennifer Granick of Stanford Law School and Christopher Painter of the Department of Justice, who prosecuted Mitnick. Mark it down on your personal agendas: Tuesday, April 14, 4:55 p.m. PST, Moscone Center, North Hall E.
'Only bad hackers get caught'
Needless to say, Winkler, formerly with the National Security Agency, is not a fan of hiring hackers in the enterprise. His contempt for Mitnick, who was only recently allowed back online after serving out his punishment for socially engineering his way into several companies and stealing source code, is clear. Currently, Mitnick is trying to get his own security consultancy, called Defensive Thinking, off the ground and claims his crimes were not for profit but out of intellectual curiosity.
"It's a bad idea," Winkler said. "If you can get past the criminal nature of these people, how do you know they are hackers? If they haven't been caught, then you are taking their word for it. And to get a particular job, they are basically admitting to felonies. That's not too smart.
"There are other aspects to this as well. Like Scott Charney [Microsoft chief security strategist] said. 'Only the bad ones get caught.' What does that say about those who get caught?"
Mitnick said in his case he was turned in by informants and did not leave a trail to his whereabouts.
"In each case, the only reason they had enough evidence to prosecute me was because people I trusted turned against me and were informants," Mitnick said.
Once Winkler learned Mitnick was in attendance, he pointed out to the audience that Mitnick had been arrested five times and had not been allowed to touch a computer since Windows NT was introduced. He then asked rhetorically how enterprises could consider paying him tens of thousands of dollars to test their Windows networks.
"It was the highlight of many a trip to RSA last year, I'm sure," Winkler said.
You say intellectual curiosity, he says crime
Mitnick, meanwhile, said Winkler is wrong about his resume. He said that while he was a fugitive, he worked as a network administrator for a law firm in Denver, where he said he implemented a security program where none had existed previously. Mitnick said he also has developer experience from working for 20th Century Fox films and General Telephone.
"As a hacker I was successful compromising targets, but my objective was not to cause harm, but for intellectual curiosity and the pursuit of knowledge," Mitnick said.
Mitnick was convicted for moving intellectual property [source code] from companies such as Sun Microsystems, SGI and Digital Equipment.
"I'm best at circumventing technological vulnerabilities and the best way to find out more about those was to analyze source code," Mitnick said. "I moved code from Sun, SGI and DEC and became adept at finding vulnerabilities. That was the focus of the prosecution. It was wrong and I regret what I did."
Mitnick was arrested in 1995 and sentenced to five years in prison. Following his term, Mitnick was prohibited from using a computer or going online for another three years as part of his probation, which ended in January.
Last year's encounter prompted Winkler to ask RSA to put on this year's session.
"I realized with Kevin's book ["The Art of Deception"] that he was going to get a lot of attention. I figured let's hype him in a proper forum," Winkler said. "These people don't have the skills [enterprises] think they do. It's easy to break into computers. I'm hated in hacker circles because I say I could train a monkey to break into a computer system. Hackers live off the work of other people. They're really not that smart."
Winkler said hackers display "situational morality," and that's bad business for enterprises.
"If these people have a known criminal past, it's hard for some of them to stop," Winkler said. "If they break into a company [doing a penetration test] and stumble upon something they should not know about, will they be forthright for you?"
Mitnick's new venture focuses on doing penetration testing and awareness training for companies. He acknowledged that there is apprehension when it comes to trusting a convicted computer criminal, but said that in most cases he is in an advisory capacity, providing information rather than taking information from a firm. The reverse does happen, however, when Mitnick has to ask a client for a network topology or IP range.
"Our clients have more than a cursory view of Kevin Mitnick," he said. "I take a proactive approach [with clients]. I never conceal my background and have had no problem convincing people of my skill sets. I try to get people to focus on what I have done since my release. Time is the only indicator of what I will do in the future. I leave the decision with them. They have to do a risk assessment and determine what risk do I [and other reformed hackers] pose to their organization."
Hackers often work cheap
Enterprises, however, often don't have the skills in-house to do proper training. Even Winkler said enterprises should go outside for auditing and assessment help.
"Even if staff is qualified, an outsider should look things over, even if it's just a second opinion," he said. "Insiders are too familiar with things and could overlook a lot. Hackers work cheaper than most [outsourcers], but some people buy into the hacker myth. These people are not as qualified as some make them out to be.
"At the same time," Winkler said, "you know [a legitimate outsider] works for an established company, and they have liability and they know the business case of security and exercise good procedures."
Winkler questions the technical skills of hackers, who understand how to break into systems, which is a different discipline from securing them. Mitnick's specialty, for example, is social engineering.
"Because you can break a computer's security, doesn't make you an expert," Winkler said. "They have no expertise in implementing or developing a corporate-wide security program. [They have] never had lessons learned."
FEEDBACK: Would your enterprise hire a reformed hacker to do penetration testing? Send your feedback to the SearchSecurity.com news team.