You know they're coming at you.
Can you stop them?
Hackers, Terrorists, and Spies
Techno-metal thumps like a fibrillating heartbeat as a sea of people
wearing black clothing, cell phones, and headsets flows through
Manhattan's timeworn Puck Hall. Here, for two days in August, 800
hackers and hacker wannabes have chucked the anonymity of their chat
groups and E-mail to gather and talk shop. Many of these young people
fit the stereotype of the pasty-skinned nerd who stays glued to his
computer night after night. But many more are hard-core, sporting
elaborate tattoos, long stringy hair, and bizarre body piercings.
This is Hope97, where the elite denizens of cyberspace come to share
hacker lore and tricks of the trade in their perennial cat-and-mouse
game with IT security chiefs and law enforcement agencies the world
over. Near the entrance of Puck Hall, a makeshift network springs up
from stacks of hard drives, circuit boards, and laptops. It takes
agility to walk here without tripping over the cables snaking across
the aged oak floors. But the two-dozen young men connected to this
network are too busy to notice the clutter around them. Instead, they
sit mesmerized by the messages scrolling up their monitors. They peer
intently as the data feed whizzes by, as if they might discover some
secret formula from the jumble of coded messages. In truth, they are
merely testing their skills against another group of hackers nearby
who have launched a "denial of service" attack to bring their
opponents' network to its knees. This time, at least, it's just a
game.
The Hacking Psyche
Mostly under the age of 25, hackers are talented, bored, obsessive --
and organized. Thousands of them have banded into groups like the
L0pht, KOS, HackerZ, Alt.2600 or CyberJihad. Some are 'white hat'
(good) and some 'black hat' (evil). By the hacker code of ethics,
white hat hackers agree to refrain from causing damage, and even pay
penance for their trespasses by reporting security leaks to their
victims. Some go so far as to develop patches for the very holes they
exploited. This group represents the majority of hackers who, through
self-policing, provide a rogue form of security and quality testing at
no cost to vendors and their customers. Black hatters, on the other
hand, are frequently malicious, unleashing dangerous viruses, crashing
servers, defacing Web pages, and even waging information warfare
financed by business competitors and foreign governments.
Whatever their motives, hackers consider the Internet their domain,
and any company using it as an interloper. They do their best work
between the hours of midnight and dawn. Their basements brim with
servers, routers, T-1 lines, and workstations -- equipment every bit
as powerful as the tools used by the companies and governments trying
to stop them. For a hacker, the ultimate goal is to 'gain root' in a
targeted system, and with it the power to explore, manipulate and in
some cases steal the information assets they find there. In most
cases, the only reward they seek is the admiration of their peers.
They post their exploits at hacker sites around the Web, which then
spread like wildfire. Within hours of a posting, hundreds of hackers
are testing the attack themselves.
Posted on the Web are enough pages documenting custom-made hacker
tools and procedures to wallpaper the Pentagon. They may contain
step-by-step instructions on how to break into a Cisco router, or how
to exploit ActiveX through its Red Button test tool, or an easy way to
gain root through old send-mail programs, or how to disable a Web
server in minutes with E-mail bombs like UpYours, Avalanche, or
Kaboom.
Be Afraid, Be Very Afraid
Think this doesn't affect you? Think again. "There's no Fortune 500
company that hasn't been hacked, I don't care what they tell you,"
says a burly 24-year-old hacker who answers to the name of Veggie.
Firewalls? As easy to get through as a screen door. Encrypted data?
Last June a group of hackers quickly cracked the much-vaunted 56-bit
key code using relatively simple brute force techniques. The hack came
just five weeks after RSA Data Security invited the attack in the hope
of proving its encryption impervious to such assaults. And virus
scanners? New viruses are popping up so fast that virus scanner
vendors can't hope to keep up with them.
While the majority of hackers are relatively harmless, their exploits
are nonetheless chilling. If they can break in so easily, who else is
slipping past security? The truth is that every company using the Web
-- especially those with significant trade secrets or IT assets -- is
probably under constant attack from a range of sources, including
competitors, foreign governments, industrial spies, disgruntled
employees, terrorists, and black hatters up to no good. Indeed,
according to the 1996 Ernst & Young Information Security Survey,
industrial spies working for business competitors are a top threat to
corporate secrets, second only to disgruntled employees. And the
majority of the information being hacked -- some 82% -- is of interest
to both foreign and domestic competition, according to the San
Francisco-based Computer Security Institute (CSI).
How are they getting in? Through remote dial-ins, hidden modems, or
poorly configured routers. And, thanks to the meteoric rise of
Web-based computing, they're increasingly exploiting poorly configured
Internet connections, application servers, electronic mail, and Web
servers. Late last year, Dan Farmer, author of the network security
testing tool Satan, probed some 2,200 high-profile Web sites at banks,
federal institutions, newspapers, and the like. He found that
two-thirds of them had serious vulnerabilities. He found that most
firewalls and other protective measures were largely ineffective, and
that of the 2,200 sites he probed, only three detected his activities
and contacted him to ask what he was doing.
"Corporate America is very naive," says Modify, a 25-year-old who
started hacking gaming codes on a Commodore 64 at age 10. "Most of
those people think 'out of sight, out of mind.' They're dead wrong.
And, if they're hooked up to the Internet, it's all over."
With threats like this, it's no wonder some companies aren't joining
the stampede to the Internet. One organization, the $1.2 billion Blue
Cross/Blue Shield of the National Capital Area, has managed thus far
to keep most of its 2,000 in-house users off the Internet. To maintain
tight security, Blue Cross ships traffic to other franchises across a
virtual private network, and manages strict access controls through
tightly defined RACF parameters. RACF is a well-regarded security tool
for mainframes, which have long provided the greatest security.
But maybe not for long. As more and more end users acquire Web-based
access to legacy data on the mainframe, even big iron may become
vulnerable. "There are a lot of mainframe-enabled business
applications coming up that are going to force me to open up the
firewall to the Internet," says Peter Gost, manager of
telecommunications and IS security at Blue Cross/Blue Shield. That
scares him to the point that he's taking a year to plan his security
strategy.
Gost's data center hosts a database containing all the insurance
records of the nationwide Federal Employee program, which must be
accessed by the 70 other Blue Cross franchises and numerous medical
facilities that need insurance information on Federal employees. His
biggest problem is that he has no control over the security measures
being taken by the other Blue Cross plans that will ultimately connect
to his network via the Internet. "The other plans are doing whatever
they want," he says. "There's no standardization and the tools don't
interoperate. If worst comes to worst, I may have to standardize and
require each plan to spend 20 grand on a single brand of firewall
before I let them in."
While no external Internet access is allowed into the dedicated
network, a few key employees, whose jobs require it, are allowed
backdoor access to the Web -- and that makes Gost and company
vulnerable. They have no virus checker to scan for incoming E-mail or
Java and ActiveX applet-borne viruses. Their only protection is a
written policy directing the handful of users not to download attached
.exe files, the most common hosts of viruses. "We have gotten some
viruses from the Internet via E-mail, no question about it," says Sam
Bennett, director of IS. "Most have been harmless, like the [Word
Concept] virus that makes it a pain to save Microsoft Word files as
documents. We did get some viruses that would wipe out a C drive, but
we caught and deleted them before anybody got hit."
Bennett's staff is currently evaluating a virus scanner from Secure
Computing Corp. -- and none too soon. Viruses are beginning to pop up
in Java and ActiveX applets everywhere. While Java applets themselves
are secure because their functions are executed in a self-contained
sandbox inside a Java Virtual Machine, they can be exploited as
carriers when developers start opening the sandbox so the applets can
communicate with other applications, according to Clay Ryder, chief
analyst for Zona Research.
"When the applet's out of the sandbox, I could write a rogue
application in Java that deletes files, perhaps even the boot sector.
Outside the Java sandbox, you could code an applet to delete
everything on a hard drive," says Ryder. Applet security, he says, can
only be controlled if Java applets are used in conjunction with
ActiveX, by passing through the authenticating component of the
ActiveX object model.
"Not anymore," retorts Modify, as he sips from a bottle of Evian in a
coffee shop at a Maryland shopping mall. "Here's a new one I just got
yesterday that makes ActiveX security invalid," he says, revealing a
new hack perfected by one of his colleagues. "Microsoft doesn't know
about it yet." He reaches into an expandable folder and pulls out two
printed pages describing how to push the ActiveX control to the
browser and drop the security level from 'high' to 'none' by touching
certain buttons while descending through several HTML pages. He reads
the instructions aloud, then smiles. "It works."
NT Hot, Unix Not
Hackers these days loathe everything Microsoft. For years they've
tested their prowess on Unix boxes, posting successful hacks at hacker
hangouts around the Web. Now, they're beating up on NT. "Everyone
wants Microsoft right now," Veggie explains, "because Microsoft has
been incredibly arrogant about their security. They won't even admit
there are any problems."
Not true, says Microsoft's Enzo Schiano, group product manager for
Windows NT server, who adds, "We have been extremely committed." In
response to escalating attacks on NT, Microsoft has set up an
emergency response team of more than 20 engineers to monitor hacker
news groups and read hacker-submitted messages that come in through an
inbound alias, secure@Microsoft.com. Hacks are tested, then
addressed with patches or other fixes, which are posted on Microsoft's
Security Web site for customers to download.
At Hope97, the preoccupation with Microsoft was most apparent during a
back-room tutorial dedicated to teaching attendees how to hack NT with
a tool called L0phtCrack. L0phtCrack was developed by a team of
hackers-turned-consultants in the organization called the L0pht
(pronounced "loft"). Mudge, a 28-year-old L0pht member, speaks
excitedly about the war on NT during the presentation. Here, he
introduces the improved L0phtCrack 1.5 designed to get around
Microsoft's SYSKEY patch to L0phtCrack 1.0. The new tool uses a brute
force attack that tests every possible combination until it finds the
duplicate passwords stored in NT's LAN Manager network operating
system. When it finds a password -- which is only a matter of time --
L0phtCrack 1.5 returns it to the hacker. The only protection, says
Mudge, is for Microsoft to dump its LAN Manager which, he suggests,
won't happen anytime soon. Microsoft has responded to L0phtCrack by
posting an enhancement that allows users to turn off their LAN
Managers. Unfortunately, this is not a realistic solution for most NT
users. The reason: LAN Manager can only be removed from networks that
are solely based on NT.
Despite its technical limitations, most of NT's vulnerabilities are
due to human errors, says David Kozlowski, assistant VP of technical
operations for American Credit Indemnity (ACI), which insures $70
billion in business equipment. Kozlowski runs a pure Microsoft shop,
with NT and Windows operating systems and the SQL Server database. He
takes pains not to overlook the simple but obscure, like deleting the
original administrator password put in for set-up and configuration.
For additional security, Kozlowski builds security controls, such as
application log-ins, passwords, and rotating encryption, directly into
ACI's applications, all of which are developed in-house.
Take Down
Another popular hacker method is the denial-of-service attack, the
most common being Ping of Death and E-mail bombing. Ping of Death
attacks send excessive pings containing very large packets to routers
or servers, which become overloaded and shut down, thus denying
service to users of those network segments. Flood mail attacks
overload the E-mail server, with the same results. A ping flood can
also overload and shut down a firewall server in the same way. With a
firewall server down, a hacker can freely enter and roam the network.
An older, but still common, way to pass through firewalls is with IP
spoofing -- faking a trusted IP address, which the server recognizes
and admits. "The only way to protect against these flood
attacks and IP spoofing is by turning the ping response off on the
[firewall] box or not allowing certain IP addresses to connect," says
Modify.
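As an added illustration (not code from the article or from any vendor's firewall), the three defences this section describes, refusing oversized pings, rate-limiting ping floods, and rejecting packets that claim a trusted inside address, written as a small Python border filter run over constructed sample traffic; the trusted address ranges, the packet layout, and the flood limit are assumptions for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed policy for a hypothetical border firewall (values constructed for this example).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MAX_IP_DATAGRAM = 65535   # largest legal reassembled IP datagram, in bytes
PING_FLOOD_LIMIT = 50     # echo requests accepted per source before the rest are dropped


class BorderFilter:
    """Screens packets arriving on the external interface. A packet is a dict with
    keys src (source address), proto, and total_len (reassembled datagram size)."""

    def __init__(self):
        self.pings_seen = defaultdict(int)
        self.dropped = []

    def check(self, pkt):
        src = ip_address(pkt["src"])
        # IP spoofing: traffic from outside must never carry an inside (trusted) address.
        if any(src in net for net in TRUSTED_NETS):
            return self._drop(pkt, "spoofed trusted source")
        if pkt["proto"] == "icmp-echo":
            # Ping of Death: an echo request bigger than any legal IP datagram.
            if pkt["total_len"] > MAX_IP_DATAGRAM:
                return self._drop(pkt, "oversized ping")
            # Ping flood: too many echo requests from a single source.
            self.pings_seen[src] += 1
            if self.pings_seen[src] > PING_FLOOD_LIMIT:
                return self._drop(pkt, "ping flood")
        return "accept"

    def _drop(self, pkt, reason):
        self.dropped.append((pkt["src"], reason))
        return f"drop: {reason}"


def run_sample():
    """Feed constructed traffic through the filter and tally the verdicts."""
    traffic = [
        {"src": "203.0.113.7", "proto": "tcp", "total_len": 60},            # ordinary packet
        {"src": "10.1.2.3", "proto": "tcp", "total_len": 60},               # claims an inside address
        {"src": "198.51.100.9", "proto": "icmp-echo", "total_len": 65536},  # Ping of Death
    ] + [{"src": "198.51.100.4", "proto": "icmp-echo", "total_len": 84}] * 60  # ping flood
    fw = BorderFilter()
    verdicts = defaultdict(int)
    for pkt in traffic:
        verdicts[fw.check(pkt)] += 1
    return dict(verdicts)
```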
Most hackers begin with the obvious. "Open doors" they call them --
modem pools or open ports that have escaped the network manager's
attention, or unfiltered routers or holes that have been punched in
the firewall by the system administrator to allow easier access to
certain network traffic.
Indeed, many security lapses could be avoided if senior managers had a
thorough knowledge of their network's configuration. Michael Smith,
director of network infrastructure for the New York City-based Home
Box Office (HBO), uses a map of his network that resembles the
intersecting freeways and city streets of Gotham. Smith uses
Compuware's EcoScope network management tool instead of a security
tool to map the network and monitor traffic from its entry point on
through to its destination. Recently, this mapping feature revealed
that HBO's link to Comedy Central was allowing unrestricted access to
their network, and pointed Smith's staff to a Cisco router with
misconfigured filters. "The most exciting thing is not that we have
secure ID boxes and access lists -- it's the fact that we have a
monitoring tool that keeps the checks and balances going, that shows
who's using what and when," Smith notes.
Even with the best of tools and policies, bulletproof security is
probably unattainable. High costs, changing networks and software
versions, incomplete security tools, and the growing pool of ingenious
and dedicated hackers prohibit this. The best that IS security chiefs
can hope for is to minimize their risk to acceptable levels.
Ironically, one place they can turn to for help is the hackers
themselves, many of whom are happy to share their insights. Modify,
who has a legitimate day job as a systems administrator, offers some
advice to his IS counterparts who are faced with fending off security
breaches. "Go through your system reports thoroughly each morning and
evening," he advises. "Update your software and keep on top of
security issues. Have some penetration testing done and keep your
employees up-to-date on password selection, telephone policy, and
log-offs. Security is always evolving, so don't fall behind, because
if you do, then you are going to get hit."