[ISN] Midwest Express hackers cause a stir

From: InfoSec News (isnat_private)
Date: Thu May 09 2002 - 00:07:47 PDT

    By Richard Thieme
    May 6, 2002
    The self-proclaimed "Deceptive Duo" that hacked into Midwest Express
    Airlines' intranet say their goal was to embarrass the airline, which
    is part of the nation's transportation infrastructure and therefore
    essential to homeland defense.
    THE HACKERS, in an e-mail interview, said penetrating the Midwest
    Express computer server - from which they stole customer and user
    profiles, names, e-mail addresses, and passwords - was "easy" and the
    airline should have a secured site. They said the methods they used
    are well-known in the hacker community and most likely similar to
    those of terrorists. The incursion was designed to emulate a real
    terrorist attack, they said.
    "It should not be this easy to gain access to supposedly secure
    networks," the duo said. "But system administrators are doing exactly
    the opposite of what they should be doing."
    The Deceptive Duo hacked into the Midwest Express server that is
    used to test new features for the airline's Web site and then posted
    evidence of their break-in on their own Web site and the Web site of
    the U.S. Space & Naval Warfare Systems Command.
    The identity of the hackers thus far has eluded Midwest Express
    management and a Chicago computer security firm the airline hired.  
    However, sources confirmed that the parties responding to e-mail
    questions from The Business Journal were at the same e-mail address as
    the hackers.
    The hackers did not access or compromise any other data such as
    credit-card information, said Lisa Bailey, a spokeswoman for Midwest
    Express. The airline's management learned of the security breach April
    22, said Bailey.
    The airline asked the hackers to immediately remove their posting from
    the duo’s Web site, and they complied, said Bailey. The Navy removed
    the posting as soon as it was detected.
    The airline changed all customer passwords, not just those that were
    compromised, and is working with computer security consultants to
    evaluate the security of Midwest Express' computer system, Bailey
    said.
    Midwest Express executives were not particularly embarrassed by the
    incident, Bailey said.
    "But we do realize that the test server was not as secure as we
    thought and we are doing whatever we need to do to be sure the
    information is secure moving forward," she said.
    Midwest Express does not plan to prosecute the intruders, but Bailey
    noted that government and military sites were also attacked and the
    Federal Aviation Administration has indicated its intention to
    prosecute. FAA officials could not be reached for comment.
    The airline is focused on using the intrusion to strengthen its
    security measures.
    "It is a potential threat for us and our customer data, and we want to
    be sure it does not happen in the future," Bailey said. The airline
    plans to review its site security continuously, assess vulnerabilities
    and change passwords, Bailey said. The hackers offered, via e-mail to
    Midwest Express, to assist in fixing the flaws they discovered, but
    the airline declined, Bailey said.
    The hackers said they were motivated to intrude on the sites of
    Midwest Express and other corporate and military sites to demonstrate
    that the U.S. infrastructure is still vulnerable to terrorists even
    after Sept. 11. Midwest Express and other corporate targets were
    apparently chosen at random.
    When asked whether they might achieve their objectives by privately
    notifying system administrators of vulnerabilities rather than
    boasting of their intrusion on other sites, they said they tried that
    with no success.
    "We've tried subtle ways of informing them, but it seems to take
    drastic means before they will realize the severity of this," the
    hackers said. "Unfortunately, it takes action to get a reaction."
    Bailey disputed that version of events. She said the hackers did not
    contact Midwest Express before posting evidence of their conquest of
    the airline's computer system.
    "If we'd been contacted prior to posting, we would've obviously acted
    very quickly," Bailey said.
    The hackers said they entered the Midwest Express server by guessing
    right on an elementary security password - they typed a default
    password commonly used by Microsoft Corp. The duo merely had to access
    the corporate intranet, then enter the default password to gain entry
    to the database. The airline uses Microsoft SQL, a standard language
    for performing tasks on the database, they said.
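    The entry point described above (a database reachable from the intranet
    that still honoured a vendor default password) is something a system
    administrator can audit in a few queries. What follows is an added
    example, not code from the article, from the Deceptive Duo or from
    Midwest Express. It assumes the default in question was the classic blank
    password on SQL Server's built-in `sa` login, which the article does not
    state, and it uses modern T-SQL catalog views (sys.sql_logins,
    PWDCOMPARE) rather than the master..syslogins table a 2002-era server
    would have exposed. The list of candidate passwords is constructed for
    illustration.

```sql
-- Added audit example (assumption: the weakness is a blank or trivial
-- password on a SQL login such as the built-in 'sa').
-- Run as a member of the sysadmin role; password_hash in sys.sql_logins
-- is only visible with CONTROL SERVER permission.

-- 1. Is SQL authentication (mixed mode) enabled at all? If the server
--    is Windows-authentication only, guessing the 'sa' password is moot.
--    0 = mixed mode (SQL logins usable), 1 = Windows authentication only.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Find SQL logins whose password is blank, equals the login name, or
--    matches one of a few constructed guesses. PWDCOMPARE() hashes the
--    candidate with the stored salt and compares it server-side, so no
--    password hash ever has to leave the server for this check.
DECLARE @guesses TABLE (pw NVARCHAR(128) NOT NULL);
INSERT INTO @guesses (pw)
VALUES (N''), (N'sa'), (N'password'), (N'Password1');   -- constructed list

SELECT l.name,
       l.is_disabled,
       l.is_policy_checked,
       CASE WHEN g.pw = N'' THEN N'<blank>' ELSE g.pw END AS matched_guess
FROM sys.sql_logins AS l
JOIN @guesses AS g
  ON PWDCOMPARE(g.pw, l.password_hash) = 1
UNION ALL
SELECT name,
       is_disabled,
       is_policy_checked,
       N'<same as login name>' AS matched_guess
FROM sys.sql_logins
WHERE PWDCOMPARE(name, password_hash) = 1
ORDER BY name;

-- 3. Who is using 'sa' right now? Anything other than a DBA workstation
--    deserves a closer look (compare the intruders' claim of seeing other
--    unauthorized logins on the box).
SELECT session_id, login_name, host_name, program_name, login_time
FROM sys.dm_exec_sessions
WHERE login_name = N'sa'
ORDER BY login_time;

-- 4. Remediation for a hit on 'sa': rotate to a long random password,
--    enforce the Windows password policy on the login, then disable it.
--    Applications should run as least-privilege logins, never as 'sa'.
--    Left commented out so the audit script is read-only as shipped.
-- ALTER LOGIN sa WITH PASSWORD = N'<long random value>', CHECK_POLICY = ON;
-- ALTER LOGIN sa DISABLE;
```

    On a SQL Server 2000 installation of the kind the article would have been
    dealing with, the equivalent of step 2 was a single query against the
    legacy catalog, `SELECT name FROM master..syslogins WHERE password IS
    NULL`, because a blank password was stored as NULL there; the
    remediation at that time was to set a password on `sa` with
    `sp_password` and to switch the instance to Windows authentication
    where the applications allowed it.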
    The hackers said they found flaws in the server page scripts that
    allowed them to view information that should have been accessible only
    by authorized Midwest Express insiders. The hackers said they
    discovered other unauthorized logins, which suggested that other
    hackers may have been there before them.
    However, Bailey said the airline found no evidence of other hacker
    entries or flaws in its server scripts.
    The duo threatened to continue their strategy for alerting the
    guardians of the infrastructure.
    They said Midwest Express was part of the first stage, which scanned
    targets running on Microsoft products for widely known
    vulnerabilities. The Department of Defense and other government
    agencies need to focus on eliminating known vulnerabilities, they
    said. (MSNBC is a Microsoft - NBC joint venture.)
    "In general, we are telling our targets to do their jobs correctly,"
    the hackers said. "Doing a system administration job correctly
    includes researching, analyzing and fixing all known vulnerabilities."
    Next, the duo intends to use more subtle methods.
    They said they will attack targets on multiple operating systems "with
    vulnerabilities that range from the widely known to the little known"
    with the goal of controlling software "that a terrorist might use to
    The third and final leg of their strategy will expose "the most
    dangerous but least likely scenarios," said the hackers.
    Such vulnerabilities are not well known, making them difficult to
    defend against in advance, they said.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Thu May 09 2002 - 03:37:27 PDT