crackers
Nic Turner
The word hacker is enough to strike fear into anyone’s heart, but the South African Tiger Team Initiative (Satti) is trying to change that. They are at pains to make a distinction between enthusiast programmers – hackers – and their criminal counterparts – crackers. To help spread the word, Satti organised Zacon, a network security conference, in Johannesburg last month.
A tiger team is United States military jargon for a top squad sent in to test defences. In cyberjargon a tiger team is a team of hackers who look for weaknesses in systems.
The first such team in Africa, Satti includes a team of online entrepreneurs and system administrators as well as “underground ghosts”.
“We are hackers and we will always be hackers … we will leave no stone unturned in our pursuit of bringing a system under our temporary control. We are not malicious though, and we do not destroy,” says the team’s founder, Bretton Vine (21).
A Michigan State University survey estimated the losses from computer and communications fraud in the US at $10-billion. According to a joint FBI/private sector survey, the value of security incidents was $137-million last year. The FBI estimates that only 8% of security breaches are reported.
Information technology (IT) security services comprise the fastest-growing segment of the IT market. Worldwide the market will double in value from $5,9-billion currently to $13,1-billion in the year 2000 as more companies go online.
Trent Rossini, security manager for the service provider Internet Solutions, says with proper mechanisms in place, the risk is low. “We can provide security at different levels … with the most secure offerings being close to completely secure. Even then there is a 1 in 10^38 chance of a compromise.”
Auditing firm Deloitte and Touche have offered network auditing services in South Africa for more than two years. Their service is more passive. “We are against employing the services of ex-hackers. In our service we offer a very strong relationship built on trust and you don’t want to be associated with people of dubious background with underground links,” says Kobus Burger, senior manager of networks and systems.
Auditing firm Price Waterhouse uses hackers to find weaknesses. “It’s a question of trust. Clients need to know that if they pay someone to hack their system, they won’t steal information or use their knowledge of loopholes later,” says Howard Henson, enterprise security solution manager.
The services don’t come cheap. A recent Price Waterhouse client paid R78 000 for a test and a further R1,5-million to fix the problem. Satti’s services cost R3 500 a day or R15 000 a week, but there have not been many takers: “Companies don’t want to invest in people, they want software, something physical with bells on,” says Vine.
A tiger team will use all the weapons in a hacker’s armoury to expose weaknesses, then tell clients just how they did it. “Sometimes we don’t even need to hack the system,” he says. An estimated 80% of network intrusions come from within organisations: a network’s greatest vulnerability is its own users.
Commercial security tools do not test the human factor, says Vine. The tiger team will, for instance, call the help desk and ask to change the password of user X. Using a tiger team may be using a thief to catch a thief, he says, but it is precisely this underground link that makes Satti’s tests so effective. Hackers are privy to flaws in commercial systems long before patches and work-arounds, solutions to computer software and ad-hoc upgrades, are released, and they know all the tricks of the trade.
Their methods include going through dustbins, looking over shoulders to collect data from computer screens and even using pretty women to get information from system administrators.
Satti have been approached by companies more interested in the security arrangements of their competitors than their own. But Vine claims the whole notion of the tiger team is one of ethics. “We’re not interested in fighting other people’s wars, and we’re not going to help bullies. We’re not salesmen, or liars, we’re trying to bring some awareness into the scene.”