Slashdot Mirror


White Hat Hacker Breaks Silence

Flackboy Kevin writes "The nation's hackers are about to come out of their shells on Friday as one of the most notorious 'good guys' in Manhattan makes a rare-yet-cyber public appearance on USA Today's online chat. Gary Morse, Manhattan's white hat hacker and good friend of every Chief Security Officer in the financial world, agreed to an online chat regarding security. Morse's uncanny knowledge of how Manhattan is wired helps keep him one step ahead of hackers and has kept him in high disregard in most hacker communities. Morse's company, Razorpoint Security Technologies, does not employ hackers who've decided to come in from the cold."

8 of 374 comments

  1. Don't wait around for the USA Today chat by Dag+Maggot · · Score: 5, Informative

    Here is the text of a recent interview with the
    reclusive security wonk from Crain's New York Business.

    On the job with...

    Gary Morse
    Founder and CEO
    Razorpoint Security

    Keeping a company's computer systems and networks secure from intruders used to be the responsibility of mid-level IT managers. But after the Sept. 11 attacks, the job landed on the desk of company CEOs. Executives in all sorts of industries woke up to the fact that security--of everything from the front door to the mailroom PC--has to be a top management concern.

    The new consciousness has proved a boon for companies like Razorpoint Security, which was founded in Manhattan in 2000 and saw its business take off after the attacks. Razorpoint tests just how secure a company's network is by trying to hack into it. The company then does the follow-up work of fixing problems and performing regular network audits. Crainsny.com's Judy Messina talks with Razorpoint founder and CEO Gary Morse.

    Crainsny.com: Describe what Razorpoint does.

    Gary Morse: In the simplest terms, you can think of us as professional hackers. We're tech professionals who in the past have built large-scale networks, including major sites on the Internet. That helps us know where the pitfalls in systems are and how to break things. Once we find vulnerabilities, we demonstrate them in a very comprehensive report. If we're able to crack passwords, for example, we'll show the list of passwords or a screen shot of them. We want to drive the point home.

    Then, one of the three things happens. The company has trained staff who are capable of fixing the problems and they use our report as a roadmap. Others ask us to do the remediation for them. In the third category, and this is coming up more and more, is the client who is overwhelmed and understaffed, and we go in and act as their temporary IT security arm for a while.

    Crainsny.com: How do you convince executives that their networks are vulnerable?

    Gary Morse: At one firm half the executive board wanted to bring us in and the other half was on the fence. They had all the buzzwords, the firewalls, all the security products you're supposed to have. But when they finally hired us, in less than one week we had control of every device on their network - every server, every desktop computer, every laptop. We even logged on to the system as the president and we wrote an email in his name. The screen shot of that email was one of the prominent pieces in our presentation to the executive board. We had to break the report in two pieces it was so big.

    Crainsny.com: What are the most common holes you find in computer systems?

    Gary Morse: There's everything from the seemingly insignificant to the colossally devastating. You can have a poorly configured web server or mail server sitting next to a server with financial information. One time, we found a fax machine talking to a phone system so that a document on somebody's work station was being sent over the network as if it were being faxed. Somebody had set up the connection and forgot about it.

    Crainsny.com: What do companies need to do to make their systems secure?

    Gary Morse: They need to think about what services they truly need in order to be online. Security is a process not a product. There is no shrink wrapped thing you take off a shelf and install. New vulnerabilities are coming out every hour.

    Crainsny.com: What changes did you see after 9/11?

    Gary Morse: We saw more security awareness. The bar was raised quite a bit. People who had been on the fence about doing regular security audits were certainly calling us a lot more than we were calling them. The year 2002 was a big year for us. We grew roughly 300%.

    Crainsny.com: You said new vulnerabilities are surfacing every day. What should companies be preparing themselves for?

    Gary Morse: Web and web application vulnerabilities and wireless security issues are going to be concerns. In the past year, a lot of w

    --

    I have no pants and I must scream

    1. Re:Don't wait around for the USA Today chat by sllim · · Score: 3, Informative

      If you want to play that game then take it farther.
      They could have forged the entire presentation. The whole thing could be nothing but a mock up of the company internet site.

      Get real. These people are professionals and you have to trust them to some degree.
      Hell, you have given them permission to break into your company system.

      Besides, is it so farfetched that the President has his password set as 'IBGOD' and the head of networking doesn't have the guts to point out this is a bad choice for a password?

    2. Re:Don't wait around for the USA Today chat by fdawg · · Score: 1, Informative

      I saw a "demonstration" of how a "security firm" broke into the 911 system of a large city. I think it was on ABC News but I could be wrong.

      Their demo consisted of spoofing an email address and sending it to a worker's email address. I think it was signed the director or something. Attached was a vb script that sent a netsend to everyone in the building to go to the director's office. And almost on cue, the camera went to the security firm's office where a bunch of nerds were quoted as saying "we're in". Yeah, real impressive. I think my 4 year old cousin can cause more damage randomly hitting keys on the keyboard.

      I never believe in firms like this. It all boils down to undereducated IT staff and less educated public. It's true, tell the public anything with a somewhat authoritarian/confident voice and they'll believe anything.

      When was the last time a security firm noticed a huge gaping hole in Microsoft code like the slammer, or the calls used by nimda? I can't picture a bunch of self proclaimed "experts in security" going over lines of code in Sendmail to find another buffer overflow.

      Buyer beware. It's cheaper and more reliable just to read a book.

  2. Re:Is this a joke? by scubacuda · · Score: 4, Informative

    Here are their whitepapers.

    Kinda boring, actually...

  3. Cracker by mikeg22 · · Score: 2, Informative

    The word is "cracker" not "hacker". I'm neither, but at least I know the difference. Thanks a bunch.

  4. Re:This guy has no proper java experience by Syre · · Score: 4, Informative

    What article did you guys read, and why are people modding these as "insightful"?

    THERE IS NO ARTICLE LINKED TO IN THIS NEWS ITEM.

    In fact the link goes to a place you can post questions which may be asked in a chat which has not yet taken place.

    C'mon mods... at least read the news story and links before modding troll posts like this.

  5. Re:Sensible position, whether or not claim is true by NDPTAL85 · · Score: 5, Informative

    You aren't looking at it from the right angle.

    Look at it from the company's point of view. YOU are a liability if you have a criminal record. If you ever do anything wrong while working there, their clients who may be victimized by you will ask your boss "Why did you hire someone with a KNOWN criminal record for hacking?"

    Then once your boss gets sued he'd be liable for damages since he'd lose insurance coverage for hiring a known convicted hacker.

    Do you understand it now?

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  6. Re:Buzzzzzzz....what a sweet sound by Surak · · Score: 2, Informative

    FWIW, you didn't exist prior to the existence of this story. Not that it matters, the editors are probably just sloppy and lazy. Screenshot showing proof is here.