'I Hired a Hacker': A Security Manager's Confession
I'm sitting at my desk, having a cup of coffee and a toasted bagel when I notice this young, blond, pimply-faced kid standing outside my cube with this smirk on his red, puffy-cheeked face. I ask him what I can do for him, and he hands me a piece of paper with a Web site address written on it. It looks like an address that a customer would use to access the application that we host.
I ask what this is all about and he introduces himself as one of our company's application developers. He explains that he likes to "kinda hack a little bit" on the side and how he "discovered this" while playing around at home. I take the Web address, type it into my browser, hit Enter and a list of customer names, addresses, phone numbers and credit card numbers appears on screen.
Uh-oh. This information is normally supposed to be accessible only after a series of authentication steps, but the address bypassed the authentication mechanisms and displayed the data. The kid goes on to explain to me how the application programming interface (API) isn't configured properly and how many other pages can be displayed by bypassing the authentication screens. I thank him for the information, take a few notes on the details of the authentication API and then begin to interview him.
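What the developer found is the classic shape of this failure: the login screen checks credentials, but the route that actually serves customer records never asks whether the caller has a session, so anyone who knows the address gets the data. The following is an added illustration, not code from the article or from the company's application; the route names, the session store and the sample records are all constructed for the example. It shows a minimal request dispatcher in both forms: the vulnerable one, where only the UI in front of the API ever shows a login page, and a hardened one where a single authentication gate runs before routing and every path is protected unless it is explicitly on a public allowlist.

```python
"""Added example: page-level login versus a central authentication gate.

Everything here (routes, session store, customer records) is constructed
for illustration and is not the application described in the article.
"""

from dataclasses import dataclass, field

# Constructed sample data standing in for the hosted customer database.
CUSTOMERS = {
    "1001": {"name": "A. Example", "phone": "555-0100", "card": "4111********1111"},
    "1002": {"name": "B. Example", "phone": "555-0101", "card": "5500********0004"},
}

# Constructed session store: session id -> authenticated user name.
SESSIONS = {"sess-abc": "alice"}


@dataclass
class Request:
    path: str
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: object = None


def current_user(req: Request):
    """Return the user bound to the request's session cookie, or None."""
    return SESSIONS.get(req.cookies.get("session"))


def serve_routes(req: Request) -> Response:
    """The application's routes. None of them performs an auth check."""
    if req.path == "/login":
        return Response(200, "login form")
    if req.path == "/health":
        return Response(200, "ok")
    if req.path == "/app/customers":
        return Response(200, list(CUSTOMERS.values()))
    if req.path == "/app/customer":
        cust = CUSTOMERS.get(req.query.get("id"))
        return Response(200, cust) if cust else Response(404)
    return Response(404)


def vulnerable_dispatch(req: Request) -> Response:
    """Vulnerable: the login page exists, but nothing forces a caller through
    it. Typing /app/customers into a browser returns every record."""
    return serve_routes(req)


# Paths reachable without a session. Everything else is protected by default,
# so adding a new route cannot accidentally expose it by forgetting a check.
PUBLIC_PATHS = {"/login", "/health"}


def hardened_dispatch(req: Request) -> Response:
    """Hardened: one gate runs before routing; deny unless public or logged in."""
    if req.path not in PUBLIC_PATHS and current_user(req) is None:
        return Response(401, "authentication required")
    return serve_routes(req)


def probe(dispatch) -> dict:
    """Status codes an anonymous caller gets from each data route."""
    return {
        path: dispatch(Request(path)).status
        for path in ("/app/customers", "/app/customer", "/login")
    }


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_dispatch))
    print("hardened:  ", probe(hardened_dispatch))
```

The gate-before-routing pattern is the point: an authentication check that lives in individual pages is only as complete as the developer's memory, whereas a default-deny gate makes a missing check fail closed. Note that the gate only establishes who the caller is; whether that user may see customer 1001 in particular is a separate authorization check that belongs in the route itself.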
He's just 23 years old and has been playing with Linux since he was 14, started programming at 16 (for fun, he says) and has had part-time and full-time jobs as a Unix and Windows NT administrator and as an application developer for the past six years. He has no college education (but has just enrolled), and security is his hobby.
Eureka! I've hit the jackpot. A perfect fit for my plan to conquer the world. Even better, the application development project he had been working on was finished, and he had been expressing an interest in security for some time. To make a long story short, I put in a request to have this kid transferred into my group. He's Unix-savvy, bright, articulate and, best of all, he knows our business very well. He's been working as a developer for almost two years and therefore has extremely in-depth knowledge of the application we host and sell to customers.