Slashdot Mirror
DHS Seeks "Ethical Hackers" To Protect Federal Net Infrastructure
Death Metal sends this excerpt from an AP report:
"General Dynamics Information Technology put out an ad last month on behalf of the Homeland Security Department seeking someone who could 'think like the bad guy.' Applicants, it said, must understand hackers' tools and tactics and be able to analyze Internet traffic and identify vulnerabilities in the federal systems. In the Pentagon's budget request submitted last week, Defense Secretary Robert Gates said the Pentagon will increase the number of cyberexperts it can train each year from 80 to 250 by 2011. With warnings that the US is ill-prepared for a cyberattack, the White House conducted a 60-day study of how the government can better manage and use technology (PDF) to protect everything from the electrical grid and stock markets to tax data, airline flight systems, and nuclear launch codes. ... Nadia Short, vice president at General Dynamics Advanced Information Systems, said the job posting for ethical hackers fills a critical need for the government."
How do you prove you're good enough?
There is a secret NSA computer somewhere for potentiial job applicants to leave their C.V. on.
I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
The only black hats who would be interested in this type of work are script kiddies looking for a legal outlet for their elite skills.
But if these kids are the experts, who is going to develop the hacking tools?
Why are those even remotely accessible?
While i see a need for networking ( at least in some cases ) they should be on their own completely dedicated line.
---- Booth was a patriot ----
let me get this straight, they're training tens (hundreds?) of thousands of various kinds of soldiers each year, and they're aiming to train only 250 "cyberexperts" a year by 2011? And this after all the "reports" about russia and china bullying the entire world, including the US, with their DoS and other kinds of attacks? I see, if you can't see it explode, then it can't hurt you, right?
weinersmith
Who wants the politics?
Ooops, politics is the issue. Better shutup before they come and get me.
Too bad they don't provide a link of where to apply.
Worse for some of us is the typical stumbling block for us well skilled civilians who haven't worked for the government yet. I just skimmed through the GD listings for "Defense/Military Intelligence Analysis" and "Information Technology". They all require at least TS/SCI
Since I haven't worked for the government, nor for any company who would sponsor security clearance, I can't even apply for these jobs. It's not that would be excluded. Anything in my history is trivial at best. I've held many secrets. I've ensured privileged data has never been released. I've joked with friends about things I've told them. They say "You can't keep a secret", but I've always responded "Those are the secrets I could tell. You'll never know the secrets I can't."
Us civilians are stuck. We're well qualified for the jobs, but we'll never be considered if we apply for the jobs. This is a perfect example. I spent years intercepting, analyzing, and protecting against people doing "bad things". I'm well versed in what the "bad guys" can do, and used their own tools and methods against myself to ensure my defenses were up to par. For example, it's one thing to know my firewalls can block any unwanted traffic. It's another thing to poke a huge glaring hole in the firewall for myself to attack, and then proceed to attack.
I've posed as an inside attacker. I've posed as an outside attacker. I see what each can get away with, and protected against both.
I won't claim that I know everything. No one does. But people come to me asking "What the hell is this?" and I can give them a practical off-the-cuff response, and a detailed response after a good analysis. Most of the time, they match.
Without the clearance, I'd never be allowed to use these skills for a position like that. I know if I ever got my foot in the door, things would be different. Until then, I do my job well for civilian clients
Then again, none of you know me. Maybe I have TS/SCI with EBI and FSP. If I had it, would you know? :) Bragging rights aside, if I were to announce my clearance, that indicates that I may have access to information that someone may want, which could put myself, my family, my friends, and my neighbors at risk. Don't get too anxious, officially my clearance is "none" and my work history is "civilian". :) I'd like to correct that some day, so if any real recruiters read this, feel free to find me. It won't be hard for you. Check the file for "Smythe, JW (alias)"
Serious? Seriousness is well above my pay grade.
If you are old school, hacking IS ethical, and any damage/profit beyond learning is against the "code".
Amazing how powerful the media is in twisting definitions, public perception and alienating an entire culture.
---- Booth was a patriot ----
Someone who really knows how to game Technology needs to be kept very very happy if he or she is not to turn on you.
During the Cold War certain 'Special Forces' were used to entice secrets from many using torture free and very 'personal' interrogation techniques in undisclosed hotel rooms. No amount of technology can stop that unless the hacker has a smart phone implanted to record and transmit everything.
This opens the question of whether there need to be several such persons in separate undisclosed locations, that are tasked with monitoring each of the others.
Her lips were softer than a duck's bill, but her quacks
. . . this would be much too expensive for folks in the US to do . . . outsource it to some place like China or Russia.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
Oh come on, who has never watched YouTube while waiting to be told or not to push the red button?
You just got troll'd!
It's a trap, they just want to know who to watch.
Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
Has anyone considered this is just another version of the common ploy police use to round up criminals with outstanding warrants? They entice these people using false pretenses, then arrest them when they show up.
I'm not saying this is the case here, but what better way to build up a database of hackers (i.e., possible terrorists)?
So Obama can clear a runway and launch a nuke from his Blackberry.
just get someone who will do it to get out of having to go to jail for being a Hacker.
The government does realize that any hacker will behave like a Wall Street CEO walking out of the Treasury with a wheelbarrow full of money? No... Cool! Sign me up.
Clearly written by a technologically illiterate PHB. Any good security person worth his/her salt can think like the bad guy and knows hackers tools. They also know the difference between what the term "hacker" really means and what the knucklehead who wrote this ad thinks it means.
who's the good guys? who are the bad ones?
are you sure?
will it be the same tomorrow?
don't trust the gov and DO NOT WORK FOR THEM. you will regret it, either now or later. time has proven that.
"its a trap!"
(sorry)
--
"It is now safe to switch off your computer."
...they would be the only people with any ethics in the department. ^^
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Your question is your answer.
You'll find, even in the happiest secure network, there can be a security hole.
Think of this. It shouldn't happen, but I know it has. You have two networks jacks on your wall. One is green. One is red. Unclassified machines can be plugged into the green one. Classified machines an be plugged into the red one. A user who's annoyed that he can't be on both with the same machine, yet has two network interfaces on his PC plugs into both.
Now, your nice secure network has a compromise. If that unclassified machine, on the unclassified network, becomes compromised, they have a nice portal into the classified network.
Just because your network doesn't have any connections to the outside world, doesn't mean you shouldn't treat it as if it has a public IP on the Internet.
What's happened more times than is funny is, some user decides he needs a wireless connection to his laptop, so he can put his laptop on another desk without an extra wire going to it. Since he's just a user, and picked up the AP at a retail store, he may not have set up security. "I'm 10 stories up in a secure building, I have nothing to worry about." Yup, nothing to worry about, until someone sits in the next building with a high gain antenna, and stumbles on the fact that there's an open AP begging for them to come in. Stores have been bitten by this. Schools have been bitten by this. Even banks have. Plenty of companies have had the same problem.
I found a school once that did this. I found their printers very quickly. I installed the drivers for the printer, and printed a simple note. "Your network has an unencrypted access point on it. It is allowing anyone to access your network. Please call your network security administrator to correct this."
I found a casino in Las Vegas did the same thing several years ago. I couldn't get in from outside, but from a legitimately purchased hotel room, I found I had access to every display board in the casino. I logged enough traffic to see how it worked. When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it. He said it was fixed within hours of my report. I'm sure it was an oversight when someone else did the install, and no one had ever looked at it as an outside hacker inside the building. Who would bother hack the casino network from a room in the hotel in Las Vegas. Oh ya, and DefCon was 3 months away. :) The only reason I was looking was, they didn't provide internet access in the rooms, and I was hoping to pick up an AP in the lobby or somewhere that was available for guests. Unfortunately, they didn't have one that I could reach the Internet with. No email for 3 days. :)
Always be a good guy. Never be a bad guy. If you find a problem, report it with details. Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
Serious? Seriousness is well above my pay grade.
an internal Microsoft job posting for a malware/security research position was done this way.
Hiring manager sends out an email, with an ip address, says there is a chat server listening on a port with a buffer overrun vuln in it. In n days he'll start reading over the resumes left in c:\ on the machine.
My opinions are my own, and do not necessarily represent those of my employer.
And the DHS will look up and shout "Save our Internets!"
And I'll look down and lol "QQ moar n00b."
Is it really that hard to essentially blacklist entire countries?
Do we really need remote access from .ru, .cn, and .ua? (just to name a few)
FedNet...would you like to know more?
Hiring gang members to be part of a vice squad? Don't get me wrong, I'm all for hiring black hats for security jobs, as they can often be the best for the job, the problem is keeping a close watch on the few that would double cross if the rewards were good enough. If I were them I'd try and recruit those that are finding vulnerabilities and reporting them, rather then prosecuting them which too often happens.
The musings of just another geek and his junk.
Or SeeFee or SuFu or whatever it's called now. Haxx0rz -- Elite hacker Jason St. Phibes and his crew of one rotund recluse, one hot babe genius, and one socially awkward but lovable nerd tackle laptop-wielding Muslims who would threaten our homeland's data and stuff.
"What could possibly go wrong?"
They don't want to hire them, they want to catch them.
Anyone stupid enough to show an interest will be repaid by having their background and their "back" proctoscoped by the Feds.
No ethical hacker would ever work for the DHS.
I used to work for NetQoS. I no longer do, but want to keep the excellent karma attached to this account.
I think the only real skill the hackers will need to master is being able to get the users, tenured civil servants and their bosses, to stop being security risks. You can't just throw money at this problem thinking that good code will be the end all be all solution. Social engineering is going to remain the #1 way to get stuff done. I say #1 only because practically anybody can do it, no technical skills required at all.
"Common sense will be the death of us all"
You want to keep your system safe from hackers? Don't put it on the public internet. Problem solved.
But no, they'll waste millions on this. Some people will take advantage and build lucrative "careers" with it. Other snake oil salesmen will get their start in life.
When I got home, I got a hold of the network security admin for the casino. I sent him the logs, the floor I was on, and exactly what I did. He thanked me for finding the mistake and not taking advantage of it.
You are very, very, very lucky that he did not report to his management.
The casino is very lucky to have a smart network administrator like him.
---
Trust me, the guy who would have gotten fired over it would prefer to know about the problem first so he can fix it.
You are still very lucky that he didn't let anyone else know. He probably had Caller ID on his office phone. Also, he was able to retrieve Internet email from you.
My only questions: How did you manage to get through all the receptionists/secretaries, and how did you assess that he's smart and non-idiotic?
Security clearances aren't classified. They are prerequisites to have access to classified material, but the clearances themselves aren't. So if you had a TS clearance, sure we could know. You'd be free to tell us if you liked. You couldn't tell us about the classified material you saw, of course, but the clearance itself would be no secret at all.
As a practical matter there's no way to keep such a thing a secret due to the nature of the SSBI. More or less what they do is talk to everyone you've ever known, and in various cases talk to people they've known. They tell people the reason too, because they ask questions such as "Do you think this person could be trusted with national secrets?"
I've known more than a few people with security clearances and it was never any kind of secret. It wasn't like they'd walk up and say "Hi my name is Bob, I have a clearance," but if it came up in conversation or you asked they'd be happy to tell you.
I can see it now. "Ethical Hackers" working for "Diligent Bureaucrats" under the direction of "Honest Politicians"... Things are gonna be just great!
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
... an obvious oxymoron.
But... the future refused to change.
Private The Plague reporting for duty, sir!
If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
Actually, I know that.
A lot of computers come with a second NIC, so it's not inconceivable for a cable to be plugged in.
I'm sure they do plenty of proper security. But...... Do we all live in a perfect world? No.
I buy lots of used networking equipment. One piece of equipment in particular was still fully configured for a 3 letter agency. No, not an intelligence agency, a slightly more annoying and less dangerous one. I pulled the config, send it off to a friend that works at the DOD, and wiped it out. I was reselling it, and I always sell equipment with a clean config. He told me "this was a security breach, I have to send it to my superiors." I told him no problem. They can interview me about what I found. I actually expected the knock on my door where they'd interview me for a few hours. It never happened. I held onto the piece for several weeks, rather than just getting it out the door. It wasted floor space, but didn't change my profit, so I didn't care.
But.... That piece of equipment should have NEVER left the facility as it was. It contained passwords, credentials for various things, labels for what was attached to each interface. Information on their routes, etc, etc, etc. It was very nicely done, except for the fact that I got my hands on it.
I asked my friend a year later if he had heard anything about it, just after I received another piece of equipment that was previously owned by a Fortune 500 company in the same condition (full config). Actually, it's currently listed in the top 10 companies in the US. Since I don't particularly care about that company, and the information wasn't particularly sensitive, I just wiped it.
We're only talking about maybe 2% of the equipment that has passed through my hands.
The moral is.... In a perfect world, things work exactly as expected. Security protocols are followed to the letter. In the real world, mistakes happen more often than you'd like to know.
I know I'm an ass about protecting my data. I never resell hard drives from my own network. I make very sure configs are wiped on anything taken out of service. If it's sitting in storage, it's a blank slate. It's not laying around with the old config on it. People thought I was nuts for retaining a box of hard drives for several years. I recycled some internally, but once they were too old/slow/small for use they were worthless to me, but entertaining. Have you ever popped the cover off a hard drive just so you could dig grooves in the platters with a screwdriver? :) It makes an awful noise, but it's good for demonstrating to someone who hasn't how a hard drive works. Well, until it's destroyed. :) I like the forged rings inside too. They bounce very nicely off of concrete floors. The platters themselves make good but slightly dangerous frisbees. :)
Serious? Seriousness is well above my pay grade.
Watch for a report from Melissa Hathaway, who is leading the effort. The linked .pdf is from GAO and was published 10 March.
I think the line about the "guard at the door" and "metal detectors" was the first indication that the AC has absolutely no idea what (s)he is talking about.
Yeah, like if that hole had let you somehow win the jackpot at the progressive slots, you wouldn't have been seriously tempted to take the money and destroy the wireless card with the incriminating MAC address...
I already applied. No response. I have to wonder if it's for the same reason that Intelius wouldn't let me run a background on myself. There's something mysterious in my file(s) that make me either interesting to talk to, or too boring. I try not to think too much about it. :)
Serious? Seriousness is well above my pay grade.
If an ethical hacker would go work for the DHS it would be like dividing by 0 - the universe would end. LOL. Besides, the DHS doesn't know shit about cybersecurity - its a big word they like to throw around to sound important. They should leave this sort of work to the pros at DoD or NSA. Though no ethical hacker would work at those places either - at least not willingly. LOL.
Everyone is ethical, even investment bankers. What's important is are the ethical values a person has.
What they probably mean is they search for people who share their ethical values.
Besides the biggest threat to network security commonly are decisions made by non technical people. If somebody says they want a secure system, but still insists on having Star Office or Microsoft Office or any of those bloated error prone software packages which don't actually do anything for you, you cannot take him seriously.
Oh Oh pick me I got a great idea don't tie critical infrastructure into a unsecured Internet dumb ass's!!!
From the report "Expert panel members stated that actions to increase the number of professionals with adequate cybersecurity skills should include (1) enhancing existing scholarship programs (e.g., Scholarship for Service) and (2) making the cybersecurity discipline a profession through testing and licensing." Recommendation 2 is really worrying since this will add to the increasing nonsensical lineup of licensing joining the usual culprits like CISSP, CISA and "fill your certification of choice"here
This just looks like an easy way to get a list of suspects.
Nope.
Know why?
Because I'm not very good at being a bad guy. I know how to do it. I also know I'd get caught.
Serious? Seriousness is well above my pay grade.
I think most applicants, if not all, would get screened out as they apply for a top-secret clearance. This is one of the prime reasons the government is filled with slothful overweight bureaucrats that are inept at doing their job (IMHO). From my prior-service military active-duty experience, computer shops were half-staffed with civilians. None of the military could really do anything and were in a sinking hole of lack of experience. The civilians would get expensive off-site training, as it made no sense to train the military, as they "would leave the military anyways". Also, they "are already trained". Right, a 16-week course at some military base after basic training makes you a fully-trained expert. Rant on vicious circle over.
So let me get this straight. They want the best hackers in the country to walk right up to their front door and say, "here I am".
Over the last 10 years the tone has been if you even express knowledge in this area, let alone demonstrate capabilities, they do everything possible to lock you up. Considering the erratic and back-stabbing behavior of the current administration I can't imagine that this will be a good career move.
Even if it is a great move and they pay you big bucks, you can probably never leave. If you quit, then you are out of their control. But now they know who you are.
Either way, unless you make this a lifetime commitment, you are screwed.