[ISN] Once-feared hacker works the other side

From: InfoSec News (isnat_private)
Date: Wed Oct 24 2001 - 00:17:06 PDT

    Sunday Business 
    Oct. 23, 2001 
    LONDON -- Erik Bloodaxe, co-founder of the notorious Legion of Doom
    group, was once one of the world's most feared hackers.
    But since 1991, Erik has reverted to the name given him at birth --
    the rather more prosaic Chris Goggans. And in a
    poacher-turned-gamekeeper move, he has been working as a computer
    security consultant -- protecting companies from hackers.
    Anxiety over the risk of cyber-terrorism is high following the anthrax
    attacks in the US. Meanwhile, two-thirds of UK businesses have
    reported serious computer crime incidents in the past 12 months. The
    annual cost to British industry from hacking is estimated at between
    £2 billion and £3 billion.
    Goggans says the internet is not the only way for criminals to launch
    an electronic attack. Other networks may also be a way in. ``For every
    entity, whether it be government or commercial, I would look at every
    inroad that I could make,'' reveals Goggans.
    ``That would include internet connectivity, but also other public data
    networks, especially if it's a financial organisation. They are often
    hooked into Bloomberg or Reuters as well as some of the stock price
    feeds, or other partners that sell mutual funds, insurance or anything
    of that nature.''
    These, according to Goggans, are potential targets for hackers.
    Incoming dial-up phone lines are another favourite. When hooked to
    unauthorised modems, incoming phone lines are probably the easiest
    inroad to a company.
    ``That has pretty much been true for every company that I have done
    assessment work on,'' Goggans says. Once inside a network, security
    vulnerabilities are usually rife, he adds.
    ``I have worked on classified networks, civilian government networks,
    major banks, energy companies, oil and automotive companies and the
    internal network is always riddled with enough holes so that given
    time, an attacker could take over most of the computing systems on
    it,'' he says.
    ``When I do assessments on companies, I am averaging between 90
    percent and 100 percent total compromise of every piece of networked
    equipment on a company's network -- ranging from routers to
    Perhaps surprisingly, the biggest of these internal holes does not
    need expensive equipment to tackle it.
    ``As silly as it sounds, by and large the biggest problem is bad
    passwords -- without a doubt,'' Goggans explains.
    ``Why bother exploiting vulnerabilities in operating systems when all
    you have to do is type ``root'' when asked for the root password?''
    The second biggest problem is operating systems and software that has
    not been kept up to date with ``patches'' to close old security
    ``There are so many different attacks. You point me to an operating
    system -- if it is Solaris I will tell you seven ways of getting in.
    If it is Microsoft I will tell you 10,'' he says casually.
    Companies often leave themselves open to attack, he says. ``People
    install their operating system once and then forget about it. That is
    again, unfortunately incredibly prevalent.''
    Many people fall into the bad habit of saying that a particular
    machine is only a workstation, so it does not require proper security,
    says Goggans.
    ``It doesn't matter to me if it is the secretary's workstation. I will
    break into that and use it to get into the server she logs into, then
    use that to get other accounts and into other servers. All it takes is
    the one weak link in the chain and it doesn't matter what type of
    system it is.''
    Hackers are also becoming more sophisticated in the style and scale of
    attacks they launch, for which Goggans blames the availability of
    increasingly powerful computers and operating systems.
    ``Ten or 15 years ago the normal criminal could not afford a computer,
    an operating system sufficiently powerful to construct complex attacks
    and would not understand it even if they had the money.
    ``But now, given the availability of high-powered computers and
    operating systems such as Linux for example, which is free, anybody
    with $300 can build a highly complex computer system to start
    constructing attacks.''
    Goggans sounds a chilling warning about the potential for
    cyber-terrorism. ``With a huge body of knowledge, such as all the
    security sites on the internet to give you a kick-start, you can go
    from being a complete novice to a rather formidable enemy in a matter
    of months.''