The cybercrime paradox: Good hackers make great cops
Cyber legend has it that Onel de Guzman, the Filipino student accused of unleashing the ILOVEYOU virus last year, submitted a thesis to his computer school detailing a program which would steal passwords for Internet access and post them to a specified e-mail address. Apparently the thesis was rejected, as were job applications he sent out to major software companies in the months leading up to the attack.
It would seem de Guzman believed his capabilities as a hacker would ultimately win him a job in cyber security. And he wasn't all that wide of the mark.
Even in tough times a combination of TCP/IP know how, Web applications knowledge, and some Unix or NT skills provides a substantial meal ticket, especially in the cyber security rounds.
In fact one of the major difficulties faced by state-based security institutions is their capacity to attract and keep skilled staff. Des Berwick, researcher for the Australasian Centre for Policing Research says cyber policing is still fairly reliant on private and educational institutions to gather information to prosecute would be cyber criminals.
-While we cannot rely on the private sector to provide law enforcement cybercrime is certainly an area where we can work with companies to track down and prosecute criminals," Berwick said. -We also have a very strong working relationship with universities."
Poaching campaigns launched by security companies have seen up to 70 per cent of the Web-based boys in blue don civvies. However, rather that being a negative influence this level of flux has facilitated public sector efforts to work together with policing services.
Courses in cybercrime prevention are still thin on the ground, with most security professionals earning their stripes on the job. Gradually universities are writing cyber security into their syllabi and companies are providing product based security courses such as Dimension Data's ISS, Cisco, Symantec and Check Point training.
However, not all the security courses are product focused. Dimension Data also runs one and two day courses aimed at network administrators and CIOs. Defending against Computer Attacks is a monthly course which lasts one day and discusses how attacks are actually carried out, while the two day Security Fundamentals talks about specific security technologies and runs over two days.
In a similar vein managed security provider eSec is soon to run the US based Foundstone Ultimate Hacking: Hands On course in Sydney and Melbourne. Aimed squarely at network administrators and other IT professionals interested in maintaining the integrity of their systems, the course will provide theoretical and practical training in the latest hacking techniques.
Course coordinator, Jeff Paine, concedes cyber security training is always fraught with a fundamental ethical dilemma: in training people to prevent cybercrime, you also arm them with hacking skills.
-It is a dilemma faced by all educators in this area," Paine says. -In order to make sure security professionals know what they are looking for we need to show them how the hackers are getting in."
Paine also points out that specific attacks do not remain valid for very long, but serve to show network administrators what they need to be aware of.
Neil Campbell, who learnt the tricks of the trade on the Australian Federal Police computer crime team before going to work for eSec, points out the debate surrounding secrecy and cyber crime is not a new debate.
-The whole secrecy debate surrounding system vulnerabilities has been tried before," Campbell said. -But it is basically a pointless exercise."
Campbell refers to the Zardoz mailing list as a case in point. Zardoz consisted of a group of elite security administrators, who used the Internet to discuss known system vulnerabilities.
-The group became a prime target for hackers," Campbell said. -Rather than increase security protection, they ended up endangering people who were not on the list."
