BBC Homepage World Service Education
BBC Homepagelow graphics version | feedback | help
BBC News Online
 You are in: Business
Front Page 
UK Politics 
Market Data 
Your Money 
Business Basics 
Talking Point 
In Depth 

Friday, 24 March, 2000, 18:02 GMT
Outdoing the hackers

By BBC News Online's Iain Rodger

Imagine a team of people spending all their time thinking up ways of hacking into corporate computer networks.

Ernst & Young was here...

Calling-card left by E&Y "tiger team"

Now imagine them, Mission Impossible-style, breaking into the inner sanctum itself - the main computer room.

These teams actually exist and, more remarkably, they work largely from within the big firms of accountants.

Known as "tiger teams", their brief is to find the holes in the security of their corporate clients before criminal hackers do.

Brick trick

Jan Babiak is head of Ernst & Young's IT security practice. She told me how one of her firm's tiger teams broke into the computer room of a major North American client, deposited a brick marked "Ernst & Young was here" and left again undetected.

They then contacted the firm's bosses and said: "Come and see what we've done."

What a great job, don't you think? Kind of James Bond without the disincentive of being shot at. But, of course, it's not quite as simple as that.

The best you can ever hope for is to be one step ahead of the hackers.

Ken Cukier, Red Herring magazine

Most of the time, the teams are methodically trying to crack passwords to find a chink in the armour of supposedly secure sites.

Chris Potter, partner in charge of similar operations at Pricewaterhouse Coopers, said his 50-strong UK team mainly tries to replicate the techniques of illegal hackers to probe here and there until weaknesses are identified.

Physical break-ins would be rare, he said, and used only when the client had agreed it was appropriate.

Jan Babiak also stressed the importance of not being alarmist: "The smartest thing to do is to understand your risks."

Then, she said, you can develop cost-effective responses that deal with the risk in a way that "delivers good value to shareholders". Now there's the accountant speaking.

How it's done

Often using people with backgrounds in military espionage, tiger teams (the name is derived from the American armed forces) use all kinds of tricks to ply their trade.

Ken Cukier, international editor of Red Herring magazine

For example, they might mount an attempt to hack into a company round the corner via servers dotted all over the world, making it virtually impossible to detect where the attack is coming from.

As the idea is to find the weaknesses in even the most sophisticated security, a wide range of techniques might be used, from wire-tapping to cracking passwords.

A small programme might be secreted on the target system which records and transmits keystrokes from given terminals. On the basis that the password is typed within the first 40 keystrokes, it is then relatively easy to find.

But, as Chris Potter says, the biggest weaknesses are usually not in the technology but in the "human element", and this is where the other side, known as "social engineering" comes in.

In one case, a female member of a tiger team used the age-old weapon of tears to persuade an employee of a target client to give her password details.

In another, a visit to an office masquerading as a cleaner was used to obtain information about personal belongings placed around work terminals. Some Arsenal football club pictures were enough of a clue to make cracking the employee's password easy work.

Making robust systems

Having identified the weaknesses, the team then gives advice on how to change the security system to make it more effective, or even design a system specifically for the client.

Ken Cukier, international editor with technology magazine Red Herring, says the tiger teams provide an essential service in developing robust IT infrastructures.

The business is certainly growing fast - Ernst & Young's team has quadrupled in size in two years.

But Mr Cukier says the talents needed to design a secure system and break that security are not the same, so there needs to be a three-pronged approach to get the best results.

He says the tiger teams are great for checking that a system works, but that they tend to rely on long experience of established technques.

Bright young things

This can miss out the new ways of hacking being thought up by bright young things messing about with cutting-edge technology on the fringes of Silicon Valley.

Many of them do not want to work for multinational firms and have been founding their own internet start-ups, realising that they have highly marketable skills.

Mr Cukier says combining the tiger teams with the bright young things, along with awareness of the need for constant monitoring of how hacking techniques are changing, produces the best results.

He says: "The best you can ever hope for is to be one step ahead of the hackers."

Search BBC News Online

Advanced search options
Launch console
See also:

16 Feb 00 | Sci/Tech
Special report: The web under attack
11 Feb 00 | UK
A - Z: Hack attack
10 Feb 00 | Business
Beating the hacker attack
24 Mar 00 | Business
US leads internet fraud sweep
09 Feb 00 | Sci/Tech
FBI investigates net sabotage
14 Feb 00 | South Asia
Indian 'cybercops' to deter hackers
11 Jan 00 | Business
Fresh web security scare
07 Jan 00 | Americas
US crackdown on cyber-terrorism
02 Jan 00 | Business
Hacker targets Lloyds site
Internet links:

The BBC is not responsible for the content of external internet sites

Links to more Business stories are at the foot of the page.

E-mail this story to a friend

Links to more Business stories