(The Internet, 07/21/97)
At 15, computer hacker Matt Willis had a run-in with the FBI, which gave him an ultimatum: Stop what you're doing or we'll seize every last piece of your computer and communications equipment.
It was more effective than prison.
``That's death,'' Willis, now 23, said seriously. ``Then I started on the `light side.'''
Willis' business card reads ``information security professional,'' and he puts his skills to use at companies that pay him to test their network vulnerabilities. ``I'm traveling around breaking in to places. I couldn't be happier,'' he said at the annual DEF CON hackers' convention earlier this month. ``What I am employed to do is walk in and scare the hell out of people.''
What he often finds is that companies spend so much time worrying about ``perimeter security'' that they don't pay enough attention to what he calls the ``soft chewy center ... all the systems you never thought would be touchable.'' For example, although encryption has helped secure transactions moving across the Internet, ``the endpoints (desktop systems that are connected to the network) are attackable.''
Willis saw himself as a role model at DEF CON, where an estimated 1,000 hackers, many sporting rainbow-colored hair, multiple pierced body parts and in one case even a three-dimensional tattoo (a metal shape implanted under the tattooed skin), converged to hear the latest in computer security.
``Everyone was [once] a stupid teen-ager,'' Willis said. ``It's nice for them to see [a hacker] who turned out OK.''
For information systems professionals who try to secure their systems, ``stupid teen-agers'' trying to prove their skills by cracking are becoming a bigger problem.
Graphical user interfaces have come to hackerdom, opening up the field to kids who simply download tools and launch attacks on systems worldwide.
But system administrators can do a great deal to thwart cybermischief by taking care of the basics and keeping up with new bug reports and vendor fixes, according to the skilled hackers who attended the convention.
``Pay attention and get the latest patches,'' advised one, a heavyset, tattooed ``computer enthusiast'' who goes by the name Biffsocko.
Biffsocko said he finds that system administrators often make basic errors such as not hiding password files or leaving crucial data accessible via anonymous FTP, which doesn't even require a password. His hacker friend Imaginos said he often finds backups of key files that aren't given the same restrictive access permissions as the originals.
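As an added example (not code from the article or from anyone quoted in it), here is a small Python check for the problem Imaginos describes: backup copies that carry looser permissions than the files they were copied from. The list of backup suffixes and the constructed sample directory tree are assumptions for illustration; the check compares the permission bits of each backup with those of its original and reports any bit the backup grants that the original withholds.

```python
"""Find backup copies of files whose permissions are looser than the originals'.

Added example, not from the article.  The backup-suffix list and the sample
tree built by build_sample_tree() are assumptions used for illustration.
"""
import os
import stat
import tempfile

# Suffixes that editors, installers and hand copies commonly leave behind (assumed list).
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".old", ".save", ".swp")


def original_name(path):
    """Return the path of the file this backup presumably copies, or None."""
    for suffix in BACKUP_SUFFIXES:
        if path.endswith(suffix) and len(path) > len(suffix):
            return path[: -len(suffix)]
    return None


def extra_permission_bits(original_mode, backup_mode):
    """Permission bits (rwx for owner/group/other) the backup grants but the original does not."""
    return (backup_mode & ~original_mode) & 0o777


def find_lax_backups(root):
    """Walk root and return one tuple per backup that is more permissive than its original:
    (backup path relative to root, original mode, backup mode, extra bits)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            backup = os.path.join(dirpath, name)
            orig = original_name(backup)
            if orig is None or not os.path.isfile(orig):
                continue  # not a backup, or the original is gone: nothing to compare
            orig_mode = stat.S_IMODE(os.lstat(orig).st_mode)
            backup_mode = stat.S_IMODE(os.lstat(backup).st_mode)
            extra = extra_permission_bits(orig_mode, backup_mode)
            if extra:
                findings.append((os.path.relpath(backup, root), orig_mode, backup_mode, extra))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: a few originals and their backups with assorted modes."""
    layout = {
        "etc/shadow": 0o600, "etc/shadow.bak": 0o644,          # backup is world-readable: flagged
        "app/config": 0o640, "app/config~": 0o640,             # same mode: fine
        "app/secret.key": 0o600, "app/secret.key.orig": 0o600, # same mode: fine
        "app/notes.txt": 0o644, "app/notes.txt.old": 0o600,    # tighter than original: fine
        "app/orphan.bak": 0o666,                                # no original to compare: skipped
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)  # chmod after creation so the umask does not alter the bits
    return root


def scan_sample_tree():
    """Build the constructed sample in a fresh temporary directory and scan it."""
    return find_lax_backups(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for rel, omode, bmode, extra in scan_sample_tree():
        print(f"{rel}: original {omode:04o}, backup {bmode:04o}, extra bits {extra:04o}")
```

Run against a real tree the same way (`find_lax_backups("/etc")`, for instance); only the sample directory is fabricated. Comparing bit by bit, rather than just "is the backup world-readable", also catches a backup that adds group access the original never had.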
Regardless of technical advances in the hacker community, Willis said, the easiest way to break into a system is through human lapses such as easy-to-guess passwords. ``Social engineering,'' he said, ``is still the strongest attack.''
He often finds that companies don't even try to harden their networks against attack, with administrators claiming they don't have enough time and resources to cope. ``They hide behind it. It makes a good excuse,'' Willis said. ``A lot of people just give up on security because they feel hackers are everywhere. You have to at least put a speed bump in there.''