Consider Yourself Warned
Are reformed hackers truly trustworthy? Before you answer, consider Petersen's run from justice, which resembles a Hollywood screenplay. Known as "Agent Steal" in the hacker underworld, Petersen served time in the mid-1990s for breaking into several corporate networks, making bomb threats, and stealing money electronically from a bank. Portions of Petersen's digital crime spree were committed while he was working undercover for the FBI, according to court documents. In early 1995, he pleaded guilty to computer wire fraud and wasn't released from prison until April 1997.
Petersen served additional time for violating terms of his parole, but has been a model citizen in recent years. Prior to his current (alleged) post in a Fortune 500 company, Petersen developed intranets and extranets for Cosmic Media, a Los Angeles Internet consulting firm that deployed secure electronic commerce sites for fledgling businesses.
Petersen says he started wiretapping phone systems and hacking computers when he was only twelve. He honed his hacking skills for more than a decade before breaking into TRW's credit system in 1989. Later that year, he and Poulsen rigged Pacific Bell's telecom network and seized a radio station's phone lines to win a $10,000 call-in contest. Petersen and Poulsen said they could latch onto any phone line within Pacific Bell's network, monitor it, ring it, and dial out from it.
Petersen's legal troubles took a dramatic, but brief, turn for the better in September 1991. In return for a lenient sentence after a computer crime conviction, Petersen agreed to work as an informant for the FBI. Petersen and two attorneys close to his case say he helped the FBI amass evidence against former buddy Poulsen, as well as Mitnick and Lewis DePayne.
But, in a critical lesson for corporate America, the FBI's dependence on Petersen backfired. Petersen committed more computer crimes while working for the Feds and became a fugitive in the mid-1990s. He ultimately hacked Heller Financial, a commercial financial service provider in Glendale, California. Once inside Heller's network, Petersen identified a line between two network switches that was accidentally left unencrypted. Petersen used the weak link to transfer $150,000 from Heller's electronic vaults to an account at Union Bank in Bellflower, California. Petersen even made two bomb threats to Heller in an effort to distract employees so they wouldn't notice the transfer of funds, according to court documents.
Safer Options
If the idea of hiring a reformed hacker like Petersen gives you pause, plenty of vendors are willing to step in as middlemen. The obvious first step is contacting a reputable company that has an established security practice, such as Hewlett-Packard Consulting, IBM Global Services, and the like.
HP's Global Security Consulting Practice operates security services centers in Bellevue, Washington, and Hong Kong. Both centers offer risk mitigation services (such as penetration testing), security architecture design, and integration services that leverage smart cards, directory services, and other authentication and authorization tools.
Similarly, IBM's Ethical Hacking Services division employs more than three thousand security consultants worldwide (a figure that surely will rise as a result of IBM's acquisition of PricewaterhouseCoopers). IBM's Security and Privacy Service manages security assessments, planning and design, implementation, management, outsourcing, intrusion detection, and managed firewall services.
"IBM has run a formal ethical hacking practice for more than seven years," says Mike Bilger, a global practice leader within IBM Security and Privacy Services. "Our ethical hacking capabilities evolved much earlier than that. Our Watson Labs in New York has a long history of developing tools to protect our customers. Some of those tools became the basis for our ethical hacking services." How many companies use IBM's services? "More than hundreds, but I can't give you an exact number," says Bilger.
One of IBM's first hacking customers was Your Prosperity, the first Australian company to provide online portfolio management services. While IBM Global Services Australia designed the site, an IBM ethical hacking team back in the U.S. attempted to penetrate the site's various front-end and back-end applications, including Lotus Domino and Oracle databases running on Netfinity servers.
Your Prosperity, a subsidiary of National Australia Bank, declines to discuss exactly how IBM attacked its network. But a Your Prosperity spokeswoman says the company was "completely satisfied" with IBM's services.
Similarly, security software maker Eruces of Kansas City, Missouri, paid IBM to hack its database encryption product. Eruces declined to discuss how IBM attacked its software, but a spokeswoman says the test strengthened Eruces' credibility with potential customers.
With customer demand on the rise, some members of IBM's Ethical Hacking Services team have branched off on their own. Brian Kenn, for one, led IBM's team in the Asia-Pacific region prior to launching Pure Hacking, a white-hat hacker company in Australia. His early customers include Bulletproof Networks, Australia's first managed service provider.