[ISN] Hackers Beware: This Man's Life Mission is to Stop Your Fun

From: mea culpa (jerichoat_private)
Date: Thu Nov 05 1998 - 05:04:56 PST

  • Next message: mea culpa: "[ISN] World's Leading Info Security Experts Gather in Tucson"

    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    ["Everyone in the business relies on the X-Force". All I've seen from the
     'x-force' group has been summaries of advisories and warnings about new
     exploits. I rely more on bugtraq and word of mouth than what i've gotten
     from them.  - "...the world's largest team dedicated to exposing...".
     This I doubt.  - "...unofficial King...". Erm, no. - Nicholas]
    By Tim Phillips.
    Tim Phillips meets the king of the cyber-police, Chris Klaus
    `CHRIS KLAUS? Bloody impressive. He walks the walk and talks the talk. And
    he's got a whackingly good team in the X-Force,' says Neil Barratt, the
    hacker-turned-Groupe Bull security consultant. `Everyone in the business
    relies on the X-Force.' At 25, Chris Klaus, chief technology officer for
    Atlanta-based Internet Security Systems (ISS), is the head of the 50
    employees known as the X-Force, the world's largest team dedicated to
    exposing just how insecure the software that runs large companies is. This
    private army is the realisation of a dream for Klaus, who started ISS from
    his dorm room at Georgia Tech University. It's a dream that has made him a
    fortune of more than $100m, and unofficial King of the `White Hats', the
    techies who battle hackers. 
    `There are a lot of snake oil salesmen in computer security,' adds
    Barratt, `but not ISS. It is the best of the bunch.' Only four years after
    Klaus made his first sale, 36 of the world's largest 50 banks are
    customers, as are 13 governments, not to mention the US Army, Nasa and
    Microsoft.  Klaus is an unlikely king. With blond hair that doesn't sit
    straight and a baby face, if anything he looks younger than 25. He admits
    that he misses going out on his motorbike. And he talks in an American
    student argot that's more Keanu Reeves than Bill Gates. 
    `When I discovered the Internet it was like, now I've found an interesting
    project,' he says, telling the story of ISS's second office: his
    grandmother's spare bedroom. `Then I got $1,000 for a sale from Italy - I
    thought, `Woo hoo, this is great, the software business is a very good
    business.' I thought earning $20,000 a year would be like awesome.' Now
    ISS sells software worth $9.4m every quarter and employs 350 people. It
    takes the security flaws that the X-Force's `ethical hackers' find in
    programs such as Windows NT. Then it sets its software package, Internet
    Security Scanner, to spot those flaws in the customer's network. ISS also
    sells a package that looks for the `footprints' of hackers, called
    RealSecure.  Klaus, the child genius who `only wanted to join the National
    Security Agency - give me some instant noodles and I'm happy', has given
    himself a truly `awesome' challenge: create a network that guards itself.
    `The self-curing network' will spot hackers breaking in, sound the alarm,
    secure data and reconfigure itself to stop future attacks. Tom Noonan, the
    man Klaus snatched from an offer of a vice-presidentship at Oracle to be
    ISS chief executive, compares it to putting intelligent closed-circuit TV
    cameras around your firm's computers, then getting those cameras to catch
    the crooks. He says simply recording that an intrusion took place and
    telling your network manager - which is all ISS can do at the moment -
    isn't good enough. `Knowing your security was compromised yesterday is
    typically not what you want to know,' he adds.  How dangerous are hackers?
    It is impossible to be sure as few companies ever admit security has been
    breached. `Customers aren't paying us to avoid intrusions. They are paying
    us to avoid 30 seconds on CNN, which is far more damaging,' says ISS
    product manager Mark Wood.  Also, around two out of three security
    breaches have nothing to do with hackers - they are `inside jobs', by
    employees, which may go undetected for that reason.  Yet we know that in
    the past few years, hackers have penetrated the CIA, the US Department of
    Commerce and the Labour Party. The FBI says computer-related security
    breaches rose by 250% in the past two years, and the US Computer Security
    Institute claims 64% of organisations had security breaches in 1997, up
    from 42% in 1995. In the UK, the consultants Business Information
    Security, in a survey for the DTI, reported one in four companies had
    experienced a `serious' breach.  T he sad fact is, Barratt says, that many
    attacks are easily avoidable: the hacking tools are well-known, because
    they are openly posted on the Web by hacking groups such as L0pht Heavy
    Industries and The Cult of the Dead Cow (cDc). These basic tools are known
    derisively as `kiddie scripts' - but few networks are immune to them.  `In
    the industry we are slightly ahead of the hackers,' Barratt explains. 
    `But among users, the hackers are head and shoulders in front. By far the
    largest number of successful attacks are kiddie-scripters attacking holes
    that have been known about for months.' Klaus agrees: `Almost every
    company we have scanned has holes in their security.' He recalls his first
    major sale, when he demonstrated the Internet Security Scanner at Nasa;
    hundreds of those holes appeared immediately on what was supposedly a
    secure network. `The Nasa network administrator was like, `holy cow',' he
    laughs.  But ISS cannot realise Klaus's dream of creating a self-healing
    network alone. It builds two types of products: one looks for security
    flaws, the other sounds an alarm. To succeed, they need to talk to the
    security devices installed on these networks. If ISS has the equivalent of
    CCTV, that CCTV needs to link to the locks on the network's doors.  That's
    why two weeks ago ISS announced its biggest project yet: the Adaptive
    Network Security Alliance (Ansa). Members include computer builders like
    Hewlett-Packard and Compaq, telecomms firms like Nortel and Lucent, and
    around 40 other assorted security software providers, such as anti-virus
    companies, firewall vendors (the `moat' around a network that keeps out
    unauthorised users) and encryption experts.  `There's a new trend in
    security,' says Eva Chen, chief technology officer of anti-virus
    specialist Trend Micro, an Ansa member. `As the Internet brought better
    communications to us, it also brought better communications to hackers and
    they can do much more. In our business, we now need to be good
    neighbours.' But this might not be enough, says Cult of the Dead Cow
    member Dr Mudge, who sometimes makes a living by hacking companies to test
    security. Many `security' devices make security worse, not better, he
    claims. ISS software might spot intruders, and it might lock the doors,
    but unless those locks are built properly, Klaus is doomed to fail.  `The
    state of computer security tools is almost as bad as the state of computer
    security. Often the solutions are just as bad as the problems they solve,'
    he says. `If the machines were not running these security programs we
    might not have been able to compromise the systems.'. 
    GUARDIAN 05/11/1998
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:10:10 PDT