Shostack + Friends Blog Archive


Dubai banks hiring hackers (no word on if a drug test is needed)

Dubai, as Adam pointed out, is in something of a branding quandary. A hard line – some would say a retrograde and counterproductive line – on victimless crime doesn’t mix well with an image as a fun spot for the well-heeled.
Meanwhile, there’s this (from Emirates Business 24-7, retrieved 2/21/2008):

Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert.
Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical committee at information company UAE Data Warehouse PM, said banks were hiring hackers in a bid to stay one step ahead of potential breaches.
Most of the big organisations are employing ex-hackers.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
You must figure out the measures they use and use them yourself.
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.

(emphasis mine)
I see a mixed message being sent here. And by the way, from the tone of the article it is clear the “ex-hacker” doesn’t mean “broke the law ten years ago”, so let’s not start that flame war.

2 comments on "Dubai banks hiring hackers (no word on if a drug test is needed)"

  • Iang says:

    Well, to take the devil’s advocate here, it is quite a poignant point, isn’t it? How do you stop phishing?
    One suggested method would be to hire security companies (that article touts some successes) but unfortunately those same security companies were complicit in strongly advising the original model for server-identity… that is now fully exploited by phishing. We have no way of telling if that lesson has been learnt by those companies (because there is no public examination of the failure), so what can we say about their wisdom in security, their current product, and whether they are helping their customers or their sales?
    You could hire hackers who are currently “up” on phishing. One big practical concern would be that they would very quickly get out of date. Then there is the question of bringing in criminals to tell you how to fight off criminals. Practically speaking, they might still be criminals, and you would be making their work easier, as insiders. I suspect the best defence here is to simply watch, monitor, and take the risks. Banks are expert in risk, it is their core business after all.
    Or, you could go to the browser companies and ask them to fix their interface. But that hasn’t worked either.
    Either way, a really tough question.

  • Tom says:

    Good article. I am also wondering what “ex-hacker” means? The term hacker to me means “a complimentary description for a particularly brilliant programmer or technical expert” (from Wikipedia). Most professional penetration testers would call themselves “hackers” yet most of them have probably never been arrested or charged with a crime. You can get the same type of skill set by hiring a “white-hat” hacker…perhaps this is what the media needs…a definition of white-hat vs. black hat hackers.

Comments are closed.