Forwarded From: Nicholas Charles Brawn <ncb05at_private> ["Everyone in the business relies on the X-Force". All I've seen from the 'x-force' group has been summaries of advisories and warnings about new exploits. I rely more on bugtraq and word of mouth than what i've gotten from them. - "...the world's largest team dedicated to exposing...". This I doubt. - "...unofficial King...". Erm, no. - Nicholas] 05Nov98 USA: HACKERS BEWARE. THIS MAN'S LIFE MISSION IS TO STOP YOUR FUN. By Tim Phillips. Tim Phillips meets the king of the cyber-police, Chris Klaus `CHRIS KLAUS? Bloody impressive. He walks the walk and talks the talk. And he's got a whackingly good team in the X-Force,' says Neil Barratt, the hacker-turned-Groupe Bull security consultant. `Everyone in the business relies on the X-Force.' At 25, Chris Klaus, chief technology officer for Atlanta-based Internet Security Systems (ISS), is the head of the 50 employees known as the X-Force, the world's largest team dedicated to exposing just how insecure the software that runs large companies is. This private army is the realisation of a dream for Klaus, who started ISS from his dorm room at Georgia Tech University. It's a dream that has made him a fortune of more than $100m, and unofficial King of the `White Hats', the techies who battle hackers. `There are a lot of snake oil salesmen in computer security,' adds Barratt, `but not ISS. It is the best of the bunch.' Only four years after Klaus made his first sale, 36 of the world's largest 50 banks are customers, as are 13 governments, not to mention the US Army, Nasa and Microsoft. Klaus is an unlikely king. With blond hair that doesn't sit straight and a baby face, if anything he looks younger than 25. He admits that he misses going out on his motorbike. And he talks in an American student argot that's more Keanu Reeves than Bill Gates. `When I discovered the Internet it was like, now I've found an interesting project,' he says, telling the story of ISS's second office: his grandmother's spare bedroom. `Then I got $1,000 for a sale from Italy - I thought, `Woo hoo, this is great, the software business is a very good business.' I thought earning $20,000 a year would be like awesome.' Now ISS sells software worth $9.4m every quarter and employs 350 people. It takes the security flaws that the X-Force's `ethical hackers' find in programs such as Windows NT. Then it sets its software package, Internet Security Scanner, to spot those flaws in the customer's network. ISS also sells a package that looks for the `footprints' of hackers, called RealSecure. Klaus, the child genius who `only wanted to join the National Security Agency - give me some instant noodles and I'm happy', has given himself a truly `awesome' challenge: create a network that guards itself. `The self-curing network' will spot hackers breaking in, sound the alarm, secure data and reconfigure itself to stop future attacks. Tom Noonan, the man Klaus snatched from an offer of a vice-presidentship at Oracle to be ISS chief executive, compares it to putting intelligent closed-circuit TV cameras around your firm's computers, then getting those cameras to catch the crooks. He says simply recording that an intrusion took place and telling your network manager - which is all ISS can do at the moment - isn't good enough. `Knowing your security was compromised yesterday is typically not what you want to know,' he adds. How dangerous are hackers? It is impossible to be sure as few companies ever admit security has been breached. `Customers aren't paying us to avoid intrusions. They are paying us to avoid 30 seconds on CNN, which is far more damaging,' says ISS product manager Mark Wood. Also, around two out of three security breaches have nothing to do with hackers - they are `inside jobs', by employees, which may go undetected for that reason. Yet we know that in the past few years, hackers have penetrated the CIA, the US Department of Commerce and the Labour Party. The FBI says computer-related security breaches rose by 250% in the past two years, and the US Computer Security Institute claims 64% of organisations had security breaches in 1997, up from 42% in 1995. In the UK, the consultants Business Information Security, in a survey for the DTI, reported one in four companies had experienced a `serious' breach. T he sad fact is, Barratt says, that many attacks are easily avoidable: the hacking tools are well-known, because they are openly posted on the Web by hacking groups such as L0pht Heavy Industries and The Cult of the Dead Cow (cDc). These basic tools are known derisively as `kiddie scripts' - but few networks are immune to them. `In the industry we are slightly ahead of the hackers,' Barratt explains. `But among users, the hackers are head and shoulders in front. By far the largest number of successful attacks are kiddie-scripters attacking holes that have been known about for months.' Klaus agrees: `Almost every company we have scanned has holes in their security.' He recalls his first major sale, when he demonstrated the Internet Security Scanner at Nasa; hundreds of those holes appeared immediately on what was supposedly a secure network. `The Nasa network administrator was like, `holy cow',' he laughs. But ISS cannot realise Klaus's dream of creating a self-healing network alone. It builds two types of products: one looks for security flaws, the other sounds an alarm. To succeed, they need to talk to the security devices installed on these networks. If ISS has the equivalent of CCTV, that CCTV needs to link to the locks on the network's doors. That's why two weeks ago ISS announced its biggest project yet: the Adaptive Network Security Alliance (Ansa). Members include computer builders like Hewlett-Packard and Compaq, telecomms firms like Nortel and Lucent, and around 40 other assorted security software providers, such as anti-virus companies, firewall vendors (the `moat' around a network that keeps out unauthorised users) and encryption experts. `There's a new trend in security,' says Eva Chen, chief technology officer of anti-virus specialist Trend Micro, an Ansa member. `As the Internet brought better communications to us, it also brought better communications to hackers and they can do much more. In our business, we now need to be good neighbours.' But this might not be enough, says Cult of the Dead Cow member Dr Mudge, who sometimes makes a living by hacking companies to test security. Many `security' devices make security worse, not better, he claims. ISS software might spot intruders, and it might lock the doors, but unless those locks are built properly, Klaus is doomed to fail. `The state of computer security tools is almost as bad as the state of computer security. Often the solutions are just as bad as the problems they solve,' he says. `If the machines were not running these security programs we might not have been able to compromise the systems.'. GUARDIAN 05/11/1998 -o- Subscribe: mail majordomoat_private with "subscribe isn". Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:10 PDT