[ISN] With Friends Like This

From: InfoSec News (isnat_private)
Date: Tue Jul 09 2002 - 04:58:29 PDT


    By George V. Hulme
    July 8, 2002
    Meet Adrian Lamo. At 21 years old, Lamo is clean-cut and soft-spoken,
    his deliberate speech marked by a slight stutter. A short, thinly
    built, former vegetarian, he takes a seat facing the door at the South
    Street Diner in Philadelphia, picking at his chicken Caesar salad and
    keenly eying his surroundings as he explains why and how he does what
    he does. And that's hack into a business' network, alert the company
    to his actions, offer to help fix the problem for free, and, once the
    holes are patched, go public with the breach.
    Why he does this is a little less clear. "I've never made an argument
    that there's any particular right or moral principle that makes the
    exploration of private domains OK," he says. "I'm not saying it's
    right. It's what I do."
    That moral ambiguity belies the zeal Lamo brings to his mission. "I
    challenge [others] to find another way to get companies to take these
    issues seriously," he says. "To get AOL to admit to a widespread
    security problem isn't going to happen based on a few phone calls."  
    Two years ago, Lamo published on the Internet details about how
    hackers were taking advantage of a flaw in America Online's AIM
    registration server to hijack Instant Messenger accounts.
    Lamo's mission has led him to expose computer security flaws at
    companies such as Microsoft, The New York Times, WorldCom, Yahoo, and
    the now-defunct Excite@home. To publicize his work, he's often tapped
    ex-hacker-turned-journalist Kevin Poulsen as his go-between: Poulsen
    contacts the hacked company, alerts it to the break-in, offers Lamo's
    cooperation, then reports the hack on the SecurityFocus Online Web
    site, where he's a news editor.
    Lamo may be the most controversial hacker since Kevin Mitnick, who
    gained fame in the mid-'90s by breaking into the computer systems of
    high-tech companies and stealing proprietary software code. To the
    extent that Lamo brings a moral justification to his actions--and that
    people buy into that argument--he may be even more dangerous.
    Lamo claims he never intentionally interrupts service, and he doesn't
    sell, distribute, or destroy the data he accesses. "Destroying data is
    near sacrilege--it's like burning the last known copy of the Bible,"  
    he says. Still, unlawful entry into a private network is a
    misdemeanor. And if it could be proved that his digital trespassing
    caused $5,000 or more in damage to a company, even unintentionally,
    Lamo could face felony charges, says Mark Rasch, former head of the
    Justice Department's Computer Crime Unit, who prosecuted Poulsen and
    Mitnick. With a jump in the number of U.S. companies reporting
    downtime related to security breaches or espionage, according to
    InformationWeek Research's annual Global Information Security Survey
    (see story, p. 36), and the threat of cyberterrorism greater than
    ever, many business-technology managers and security experts have
    little tolerance for Lamo's tactics, even if they do raise awareness
    about lax corporate security.
    "If you're not invited, you shouldn't be there," says Diane Bunch, VP
    of IS at the Tennessee Valley Authority, who believes legislation
    against hacking and prosecution of hackers needs to be tougher. "It's
    like my house--if I didn't invite you in off the street, I don't
    expect to see you there," she says.
    Bruce Schneier, founder and chief technology officer of managed
    security services provider Counterpane Internet Security Inc., says he
    isn't impressed by the hacking-to-build-awareness argument. "It's like
    committing arson to build forest-fire awareness," Schneier says.  
    "There are other ways to build awareness."
    Executives at The New York Times, which was victimized by Lamo in
    February, would likely agree. The media company said last week it
    hasn't ruled out asking law enforcement to press charges against the
    hacker. "We're still exploring our options, and discussions with the
    authorities is one of those options," a spokeswoman says.
    Lamo accessed a database holding the personal information of 3,000 New
    York Times employees, as well as that of big-name editorial
    contributors such as Jimmy Carter and Robert Redford. He says he
    surfed in from the Web, scanned the Times' internal network, and found
    as many as eight open proxy servers. By viewing header information in
    an auto-reply E-mail, he found references to servers on the internal
    network and was able to hack into the database, logging himself on as
    an administrative assistant.
    Lamo claims he breaks into companies' networks using only an old
    Toshiba notebook that's missing seven keys, a Web browser, and rented
    network connections at Internet cafes or copy shops.
    Born in Massachusetts, Lamo moved around quite a bit growing up; he
    lived in Connecticut, Virginia, California, and even spent a few years
    in Colombia. Lamo dropped out of high school (he has a GED), and his
    computer skills are largely self-taught, beginning with peeking into
    the code of the role-playing adventure games he ran on his Commodore
    64 computer. Lamo says he's homeless, and spends his nights on
    friends' couches or squatting in abandoned buildings. He travels on
    foot or by Greyhound bus because "it's the last form of public
    transportation that doesn't require a photo ID." He earns money from
    odd jobs, he says: When you "don't have rent or a car payment, you
    don't need much money to survive."
    Lamo contends that, from an IT standpoint, many companies ignore their
    most vulnerable points. Companies that patch only known software
    vulnerabilities, then simply scan their applications and networks for
    potential security holes, are missing the bigger picture, he says.  
    "They think if you have no known 'exploits' on your systems, they're
    secure," he says. "They're not. None of the intrusions I've been
    behind had anything to do with what would be called a known [software]
    exploit or vulnerability. It's more nebulous."
    His break-in at troubled telecom vendor WorldCom in December,
    accomplished by way of several misconfigured proxy servers, is an
    example. Companies establish proxy servers to let employees access the
    Internet. When set up properly, they're one-way streets: they accept
    connections only from inside the network and forward them out. But proxy
    servers are easy to misconfigure, and many are brought online in open
    mode, accepting connections from anyone on the Internet and so letting
    outsiders connect to the network while hiding their point of origin.
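    An added defender-side check, not from the article: this Python script reads a proxy access log in Squid's native format (Squid and the RFC 1918 internal ranges are assumptions; the article names no proxy product), runs over constructed sample lines, and flags every request the proxy served for a client outside the internal ranges, distinguishing plain relaying from an outsider reaching an internal host through the proxy.

```python
import ipaddress
import re

# Address ranges the proxy is meant to serve (assumption: RFC 1918 space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Squid native access.log layout (assumed format):
# time elapsed client code/status bytes method url ident hierarchy/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)")

# Constructed sample log: two internal clients, one external client browsing
# out through the proxy, and that same client tunnelling to an internal host.
SAMPLE_LOG = """\
1025812345.123 210 10.1.4.22 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1025812346.456 180 198.51.100.77 TCP_MISS/200 2048 GET http://www.example.com/ - DIRECT/203.0.113.10 text/html
1025812347.789 95 198.51.100.77 TCP_TUNNEL/200 900 CONNECT db.corp.example:1433 - DIRECT/10.2.0.15 -
1025812348.000 60 192.168.3.9 TCP_MISS/200 700 GET http://www.example.org/ - DIRECT/203.0.113.20 text/html
"""

def is_internal(addr: str) -> bool:
    """True if addr parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def audit_open_proxy(log_text: str) -> list:
    """Return one finding per request an internal-only proxy should never
    have served: any request from an external client, rated more serious
    when the peer the proxy contacted on its behalf is itself internal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or is_internal(m["client"]):
            continue  # unparsable line, or an internal client doing its job
        peer = m["hier"].split("/", 1)[-1]  # e.g. DIRECT/10.2.0.15 -> 10.2.0.15
        if is_internal(peer):
            reason = "external client reached internal host through proxy"
        else:
            reason = "external client relayed through proxy"
        findings.append({"client": m["client"], "method": m["method"],
                         "url": m["url"], "reason": reason})
    return findings
```

Running `audit_open_proxy(SAMPLE_LOG)` on the sample yields two findings, both for 198.51.100.77; the CONNECT to the 10.2.0.15 peer is the one that shows the proxy being used as a way into the network rather than merely out of it.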
    Once past a company's proxy servers and perimeter defenses, Lamo says,
    he's able to escape the notice of intrusion-detection systems. IDSs
    often have preconfigured definitions of anomalous activity, such as
    malformed packets and certain system requests. "But when you have
    someone sitting at a Web browser looking at things the way an employee
    would look at them, that's not something that can be picked up by the
    IDS," Lamo says. "The IDS can't see a person's intent." With WorldCom,
    Lamo says he was able to view the names and Social Security numbers of
    thousands of its employees, as well as potentially cut services to
    most of the telecommunication provider's customers.
    What Lamo did is "no different than showing up at a company wearing a
    UPS uniform," says Counterpane's Schneier. "Of course you're trusted."  
    Companies that monitor only their front doors are prime targets for
    such attacks, Schneier says.
    After the break-in became known, a WorldCom spokeswoman said the
    company appreciated Lamo's drawing its attention to the problem and
    the help he gave the company one weekend to fix the flaws. A
    spokeswoman reached last week wouldn't comment further. Poulsen says
    that, like WorldCom, officials at Excite@home also "expressed
    gratitude for Adrian."
    At least one business-technology manager says there are worse things
    than to have a hacker such as Lamo break into his network. If someone
    "points out security holes and doesn't do any damage, I'd rather that
    happen than [the holes] be discovered by a competitor or terrorist,"  
    says the chief security officer at a Midwest consumer-goods
    manufacturer. "I could live without the media attention, but I'd
    personally be hard-pressed to call the police."
    Despite the talk by The New York Times of possibly going to
    authorities, no charges have been filed against Lamo for any of the
    incidents. Indeed, few companies are interested in seriously
    investigating computer breaches internally, says former federal
    prosecutor Mitch Dembin, who litigated a number of computer and
    high-tech crimes and now heads IT forensics company EvidentData Inc.  
    "My experience has been that unless the hackers do obvious damage,
    [companies] won't do anything," he says. "They patch and secure the
    holes and move on." It can take weeks and cost hundreds of thousands
    of dollars for an IT forensics company to determine the extent of a
    breach, put compromised systems through an extensive analysis, patch
    and close security holes, and conduct follow-up penetration tests.
    The costs of taking a hacker to court can be even greater, including
    the negative publicity and the very real threat of hacker retaliation.  
    Former FBI cybercrime investigator Charles Neal, now VP of managed
    security services at Exodus, a Cable & Wireless unit, says that only
    3% to 5% of the companies he works with during investigations choose
    to contact law enforcement. Only 18% of the U.S. businesses surveyed
    for InformationWeek Research's new security survey say they notify
    government authorities after a breach.
    The flip side of this moral equation may be that by not prosecuting
    Lamo, or hackers like him, companies are perpetuating the cycle and
    keeping the business community in general at risk. "It's a business
    decision," says EvidentData's Dembin. "It's not based on
    civic-mindedness." One security executive sees it as a resource issue.  
    "We may react by getting the FBI involved and eat up vast quantities
    of internal and federal law-enforcement and forensic resources," says
    the chief information security officer at a large Midwest utility.
    "That's resources taken away that could be used to investigate other
    serious threats against the infrastructure."
    Lamo contends that the threat of prosecution isn't going to make
    hackers go away. Some may be deterred, just as some will be deterred
    by companies' technical countermeasures. But "you can never eliminate
    the threat entirely," he says. He adds that companies may want to
    consider being tolerant of actions that may ultimately help them
    achieve better security. "There's no point in overtly ignoring one of
    the ways you can reduce" security threats, Lamo says, "just because
    you might embarrass your company from time to time."
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 08:26:31 PDT