[ISN] Dispatches from the hacker wars

From: mea culpa (jerichoat_private)
Date: Mon Nov 16 1998 - 13:05:44 PST


    Forwarded From: James Lovato <jlovatoat_private>
    
    http://www.nwfusion.com/news/1116hackers.html
    
    Dispatches from the hacker wars
    By Ellen Messmer
    Network World, 11/16/98
    
    Most IS professionals don't want to talk about the times they've been
    hacked. Some fear it gives their competitors, or other hackers, insight
    into their network. Others don't want to give hackers the attention they
    so desperately seek. And some are simply embarrassed. 
    
    After dozens of requests, we found five people willing to tell us what it
    is like when the hackers start sneaking in. 
    
    No longer a game
    
    As a teenage hacker, Manny Berrios loved to break into organizations'
    networks out of a passion for adventure. But now, in his mid-20s and vice
    president of IT at a growing Web-based game service called ActionWorld,
    hackers have become his round-the-clock headache. 
    
    Network security logs tell Berrios that hackers are constantly probing for
    holes in ActionWorld's Web servers, which are based on Microsoft's
    Internet Information Server 4.0. They also enjoy shooting down his server
    farm, housed in New York, with denial-of-service attacks in the middle of
    the night; these immediately set off Berrios' beeper. Ironically, these
    hackers are often ActionWorld's own online game customers - all part of
    the youthful crowd that lives and plays on the 'Net. And if they discover
    your network's vulnerabilities, they'll trash everything they can. 
    
    "I spend 50% of my time baby-sitting these machines," laments Berrios. As
    a former hacker, Berrios still has a few hacker friends. 
    
    "They're doing it for the sheer thrill of exploring," he notes. "Now that
    I'm on this side of the fence, it makes me edgy. I know the reality of it.
    Nothing is 100% secure. Everything is simply an obstacle, and their
    exploits are changing so rapidly that you have to keep putting up new
    obstacles." 
    
    If a hacker manages to get past one obstacle, say by breaching
    ActionWorld's public Web server, he's usually stopped in what's popularly
    called the "demilitarized zone" between firewalls. When that happens,
    Berrios will try to track down the would-be intruder with the help of an
    ISP. 
    
    "One time it was a 13-year-old kid, and we called him and talked to him
    just to scare him a little," Berrios says. 
    
    Far more nerve-racking are encounters with hard-core hackers out for
    criminal gain. A similar situation happened a year ago when someone broke
    in through ActionWorld's Microsoft Remote Access Server - apparently
    because the preconfigured "guest account" setting shipped with the server
    hadn't been disabled by ActionWorld's staff. 
    
    This criminally minded hacker exploited the vulnerability to gain access
    to ActionWorld's resources, and from there, he staged attacks on other
    organizations, accessed pornography sites and dealt in stolen credit
    cards. 
    
    This little crime wave got the New York City Police Department and the
    Federal Bureau of Investigation involved - and these agencies initially
    seized on ActionWorld as the suspect. After some explaining, the online
    gaming firm spent a month working with law enforcement officials to
    collect data on the hacker's activities so they could nab him. But in the
    end, the hacker eluded them. "This was a sophisticated break-in," Berrios
    says. "This person was very good at it." 
    
    Berrios says he knows from direct experience that hard-core criminals are
    on the rise in the hacker community, which traditionally has preferred to
    view itself as a bunch of adventurous free spirits out to have fun. 
    
    In fact, hackers are now getting paid to try to steal proprietary
    corporate data or military secrets, some claim. "Most hackers are kids,
    but there are professional hackers, the experienced ones. They're going
    where the money is," Berrios says. 
    
    Universities exposed
    
    No organization, not even a school as technically savvy as the
    Massachusetts Institute of Technology, is immune from the hacker menace.
    "We're working with the FBI right now to try to catch a hacker," says Jeff
    Schiller, network manager at MIT, where a troublemaker has been looking at
    password-protected student files stored on servers at the university. 
    
    Stopping hackers is particularly hard in a university setting such as MIT,
    where students balk at anything that restricts user access to the
    Internet. 
    
    "It's impossible to establish a security policy," concedes Schiller, who
    says MIT doesn't use a firewall for student access to the dormitory LANs
    because the school's technical culture rejects these types of controls. 
    
    Schiller berates hackers as "idiots" who bring down servers as they
    stumble around from machine to machine. 
    
    MIT is hardly the first university to have to cope with hackers.
    Universities have long been exploited as hacker proving grounds. Stanford
    University earlier this month disclosed that stolen passwords "sniffed" by
    hackers - apparently based in Sweden and Canada - gave the intruders
    access to 4,500 e-mail accounts. 
    
    Hitting close to home
    
    Sometimes hackers are more than just idiots; they're terrorists. That's
    according to Seminole, Fla., security consultant Winn Schwartau, who says
    hackers are now e-mailing death threats to him, his family, his staff and
    even his neighbors. "Extortion, murder and kidnapping threats," is how
    Schwartau describes the message content. 
    
    Why? Perhaps because Schwartau has been vocal against hacker exploits,
    speaking out at conferences, such as DefCon, where hackers anonymously
    intermingle with law enforcement officials. 
    
    During the past month, Schwartau has also started hosting a
    Microsoft-sponsored Internet radio program, airing daily at noon, on which
    he interviews hackers on www.thecyberstation.com. 
    
    Hackers, Schwartau says, have now managed to shut down his phone and
    electricity by fooling the utilities and have also pulled stunts such as
    ordering hundreds of WebTV boxes to be sent to his house, purchased with
    other people's credit cards. 
    
    But according to Schwartau, the FBI isn't paying attention to his plight. 
    
    "That's because the FBI agents are convinced that I'm a hacker," Schwartau
    says, perhaps because he has been hobnobbing with hackers lately. 
    
    Global reach
    
    Other stories suggest the strange lengths to which corporations will go
    to shut out hackers. 
    
    "I've had hackers bold enough to e-mail us while they were hacking the
    system, telling us there was nothing we could do to keep them out,"
    recounts Hewlett-Packard information security consultant Don Pipkin,
    author of Halting the Hacker, published by Prentice Hall. 
    
    Pipkin tells of an incident in which a hacker broke into the intranet of a
    major telecommunications company, which he declined to name, through the
    company's public Web server. HP's security division, called in to stop the
    intruder, closed up some of the security holes in the server and managed
    to trace the attacker to Pakistan. 
    
    Because nabbing this hacker seemed somewhat futile, HP asked the telecom
    firm how important it was to let the nation of Pakistan view its public
    Web server. With the answer being "not very," the telecom firm quietly
    cut off that entire country's access to its Web server. 
    
    Beyond the 'Net
    
    The Internet, though, isn't the only medium that hackers can use to grab
    control of your network resources. Ed Simonson, president of TeleDesign
    management, a Burlingame, Calif., consultancy that conducts security
    audits, has witnessed some dazzling hacker exploits over the years. 
    
    Hackers are known to call corporate switchboards and demand to be
    transferred to "918," which gets them outside access to a long-distance
    line. "They'll also dial in to your voice mail and try to dial another
    extension," Simonson says. 
    
    Hackers also like to dial in to the maintenance ports of Rolm, Nortel
    Networks and Lucent PBXs that are used by service repairmen. So it's
    important to ensure that a company using PBXs has installed third-party
    security software for the maintenance port. Such software is available
    from Microframe, Lima and other vendors, Simonson says. 
    
    "I have been in a PBX and seen two different hacks - two thefts - going on
    at the same time. Neither knew the other was there," Simonson recounts.
    "Hackers may never make more than two calls per day on your system, so you
    have to have a policy in place to review phone logs," he says. 
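    The phone-log review Simonson describes can be partly automated. The
    following is an added example, not code from the article or from any
    PBX vendor: it parses a few constructed call-detail records (the record
    format, extensions, numbers and the 08:00-18:00 business window are all
    assumptions) and flags the pattern the article warns about, namely a
    handful of after-hours toll calls per day that a simple volume threshold
    would never catch.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call-detail records (CDRs). The field layout, the
# extensions and the dialed numbers are assumptions for this example and
# do not come from any real PBX or from the article.
SAMPLE_CDR = """\
1998-11-10 09:12:33 ext=2104 dialed=5552368 dur=120
1998-11-10 14:40:05 ext=2104 dialed=12125550199 dur=300
1998-11-10 23:52:11 ext=2211 dialed=01192215550123 dur=1740
1998-11-11 02:05:47 ext=2211 dialed=01192215550123 dur=2210
1998-11-11 10:15:00 ext=2300 dialed=4410 dur=45
1998-11-11 03:30:12 ext=VM01 dialed=19005550100 dur=900
"""

BUSINESS_HOURS = (8, 18)   # 08:00-18:00 local time, assumed
LONG_CALL_SECONDS = 1800   # 30 minutes, assumed threshold


def parse_cdr(text):
    """Turn the constructed 'date time k=v k=v ...' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp_date, stamp_time, *fields = line.split()
        rec = {"when": datetime.strptime(f"{stamp_date} {stamp_time}",
                                         "%Y-%m-%d %H:%M:%S")}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        rec["dur"] = int(rec["dur"])
        records.append(rec)
    return records


def is_toll(dialed):
    # Assumed North American dialing plan: 011 = international,
    # 1 + ten digits = long distance. Internal extensions are short.
    return dialed.startswith("011") or (dialed.startswith("1") and len(dialed) == 11)


def after_hours(when):
    start, end = BUSINESS_HOURS
    return when.weekday() >= 5 or not (start <= when.hour < end)


def review(records):
    """Return (timestamp, ext, dialed, reasons) for every suspicious call."""
    findings = []
    for r in records:
        reasons = []
        if is_toll(r["dialed"]) and after_hours(r["when"]):
            reasons.append("after-hours toll call")
        if r["ext"].startswith("VM") and is_toll(r["dialed"]):
            # A toll call whose origin is the voice-mail system is the
            # "dial in to voice mail, then dial out" abuse Simonson describes.
            reasons.append("toll call originating from voice mail")
        if r["dur"] >= LONG_CALL_SECONDS:
            reasons.append("long duration")
        if reasons:
            findings.append((r["when"].isoformat(sep=" "), r["ext"],
                             r["dialed"], reasons))
    return findings


def calls_per_day(records):
    """Daily call counts per extension; shows why volume alone is useless."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["ext"], r["when"].date().isoformat())] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    for when, ext, dialed, reasons in review(recs):
        print(f"{when} ext {ext} -> {dialed}: {', '.join(reasons)}")
    print("busiest extension-day:", max(calls_per_day(recs).values()), "calls")
```

    In the constructed data, the abused extension never places more than one
    call a day, so the finding comes from the time of day and the destination,
    not the volume. A real review would also compare each extension's
    destinations against its normal pattern and reconcile the log with the
    carrier's bill.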
    
    If a hacker strikes, who has to pay the price? "The law says whoever
    controls the access, pays the bill," Simonson says. "For the most part,
    with a Centrex line, you're not responsible for paying the bill." 
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:11:30 PDT