
Thread: summer intern is a known hacker

  1. #1

    summer intern is a known hacker

    I just learned that my company has hired a student intern for the summer to do some work in the IT department. This student is currently being prosecuted for hacking a national chain store's network and stealing credit card numbers. This makes me a bit nervous since the majority of security related tasks fall in my lap. Have any of you found yourself in a situation where a known hacker (cracker, etc) was given access to your internal network? How have you handled this?

  2. #2
    I'd rather be fishing DjM
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Monitor the hell out of him, everything he does. One slip-up, and send him packing.

    Cheers:
    DjM

  3. #3
    Banned
    Join Date
    Sep 2001
    Posts
    521
    Why would your company ever hire a hacker w. a file? Doesn't your company have enough sense to do $9.99 background checks?

    And if the kid is being prosecuted I would hope that he is smart enough to not do anything like that in the future, otherwise it's definite long-term jail time for him

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    634
    I'm not an employer or anything of the like so I haven't been faced with this problem, but he probably has skills far greater than his peers that just listen in class. I'm not saying what he did was right, far from it!

    He should probably be kept under close watch, although you should make it clear that if he does stuff he's out, although I don't know whether that will have much effect...

    i2c

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Let's start by locking him to the absolute minimum rights you can for him to do his job. Let's lock his login to specific workstations. Let's not allow him any admin privileges... please.... Let's sit him down on day one with the person that employed him and yourself and lay it all out..... Tell him he's watched, monitored, logged and the first time he does something you don't fully understand he's out, period, whether he has a viable explanation or not.... Out!

    Then apply the monitoring......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Why the hell would your company hire him? I mean, obviously your company knows this and out of all the other applicants (I would assume there's more) you guys choose the dude with the record? Definitely restrict his privs and sit down with this dude. Oh, and to answer your question:

    Have any of you found yourself in a situation where a known hacker (cracker, etc) was given access to your internal network?
    No. Never, and it'll never happen either. Case in point, make the internship very tight.
    Space For Rent.. =]

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    I definitely agree with restricting his activities a little...but aren't we making some assumptions about his actual abilities? It's entirely possible that he just downloaded some nifty little apps, and happened to stumble onto a vulnerability, national chain or not. After all, he did get caught??

    /me playing devil's advocate

  8. #8
    What happened to "innocent until proven guilty"? Watch him and give him a chance to follow the right path.

  9. #9
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    This is probably the worst advice I shall ever give in my life?

    1. I presume that HR are aware?..............is there a policy on persons with pending prosecutions? if not, there should be.........suggest that? HR directors are good at covering their a$$es?

    2. I know you hate Finance, but to tip off the beancounters will be a favour they owe you?

    I certainly would not employ someone with a pending criminal offence charge against him?


    IT must not give him access rights to anything other than the coffee machine and the trash cans............NO computer access........If you have problems with this, I suggest that maybe you talk to any director who is not his Father or Uncle....better include in-laws?

    Problems...........shop to auditors...........external ones, but if you have internal ones, talk to them now.

    My thoughts, and would save a 30-06 round?

    Hey, then he gets a job throwing trash or whatever..........if the prosecution fails he should be able to sue, and won't have to work to get the money?

  10. #10
    Banned
    Join Date
    Jul 2001
    Posts
    1,100
    Greetings All:

    Originally posted here by groovicus
    but aren't we making some assumptions about his actual abilities? It's entirely possible that he just downloaded some nifty little apps, and happened to stumble onto a vulnerability, national chain or not. After all, he did get caught??
    It's not an individual's "ability" that one has to worry about, it's their "intent".

    Originally posted here by ttau
    What happened to "innocent until proven guilty"?
    As far as I'm concerned, he can be innocent somewhere else. Once the specter of suspicion has been raised, I wouldn't want them anywhere near any information system that I was in charge of.


    I take a different approach to this situation than most others that have given you advice. If the company that you work for wants to play parole officer to the neighborhood's juvenile delinquents, so be it. That is out of your control. However, I would make it very clear, IN WRITING, that as the individual in charge of information security, you have the strongest concerns and reservations about their decision to employ a known security threat. Also make it clear that you can not be held responsible for the integrity of the corporation's data and information systems as long as he is in the company's employment.

    If the company isn't going to cover its ass, at least you can make sure that you cover your own.
