http://www.networklifemag.com/weblogs/securitychief/2005/007187.html
By Deb Radcliff
Network Life, 01/09/05

Last week, I interviewed a hacker named Geoff Shivley, whose experiences remind me of the hackers I encountered while researching the infamous hacker Kevin Mitnick for a best-selling book. Like other hackers I know, Shivley started young, in middle school. And he began with phones, payphones specifically, which he switched on and off and made ring with musical tones to impress his friends. This, ahem, skill is called "phreaking."

And like the others, he didn't stop there. Soon, Shivley was hacking everything electronic. In his southern California school, one of his favorite tricks was to leave class during silent reading, hack the vending machines, and return with a backpack full of sodas for the class.

By 1995, Shivley moved on to computers. He bought books on Unix, Visual Basic and cryptography; he read 2600, a hacker quarterly published by Emmanuel Goldstein, one of the FBI's most watched hackers. And Shivley started writing code. His goal: to unleash a new AOL hack different from AOHELL, FATE and others that wreaked havoc on the online service back in the mid-'90s. He started a hacking group called AOA, for America On Acid, and passed around his evil code, which could change home pages and kick people off Web sites. Shivley's code was ultimately used by hundreds of hackers in a 1996 three-day riot against the entire AOL community dubbed the "Valentine's Day Massacre."

"I was young, 13. I thought it was a game," says Shivley, now 22. "I didn't realize the impact of what I was doing and hadn't realized how powerful computers actually were."

That same year Shivley hacked his way into a Unix box at a Fortune 100 electronics manufacturer in Texas. He changed a master password and issued a "kill" command. That's when he realized the server he'd shut down was the network entry point for the company's hundreds of telecommuters, whom he'd just locked out from doing any work. Because he changed the master password, it took the company three days to get the system back up and running.

That's when Shivley realized what he was doing was illegal. And, with the law cracking down on hackers like Mitnick and Kevin Poulsen, he began to worry that federal agents would come after him, too. "I started getting really scared," he says. "I realized that computers can cause a lot of damage."

At that time, Shivley also spotted an odd, off-white van parked outside his house for three weeks. His phones started acting strangely, with the telltale clicking and phantom rings indicative of a wiretap. He and his friends spotted federal agent-types tracking them as they went to and from the Balboa, Calif., chapter of Blacklisted 411, a hacking group that made 2600 look like milquetoast.

"I was freaking out," Shivley tells me in a phone interview from his hotel in Maui, where he was waiting for the waves to calm so he could surf. "I started imagining myself being pulled from my bed and placed under arrest."

That's when Shivley dismantled his computer, tossed his hard drive and RAM into the bay and gave away his disks and manuals, and started helping people instead. At 15, he became the go-to kid for his entire neighborhood. Before long, he was doing consulting work as a computer administrator for a large Internet backbone provider. After school, he'd take the train up to Wilshire Blvd. in Santa Monica, putting in late-night hours just blocks away from the Federal Building where agents were putting together a case against Mitnick, finally in custody. At 16, Shivley started streamlining the company's Linux, Windows, Cisco and Nortel equipment.
He'd work late nights hardening the systems by changing insecure configurations, removing unneeded shells (code groups) and low-level DNS (Domain Name Service), closing ports, removing unneeded administrative functions and recompiling the kernel to tighten and streamline his Linux systems.

"Whenever a new virus or worm came out, my machines didn't get hit. But others did. And everyone wanted to know why. At first, I couldn't figure it out. But then it dawned on me. I thought I was just doing good system administration. Then I realized I was doing security," he says.

In 1999, with the help of his businessman father, Shivley started PivX (www.PivX.com), a company that patched vulnerabilities in Windows systems on a consulting basis. With funding from friends and family, PivX developed its first product in 2002. After a year in beta testing at Boeing, Edison, Hyundai and others, PivX released Qwik-Fix Pro, which makes temporary changes to the Windows operating system to plug the holes that let in malicious code. For example, by locking down the local zones, it closes innumerable command execution vulnerabilities targeting Internet Explorer. And by closing the RPC DCOM vulnerability, it locks out hundreds of worm variants that exploit RPC DCOM, a standard feature in Windows operating systems.

PivX had $2 million in revenues in 2004 and has a 45-member staff made up of some of the brightest hacker minds in the world. Not bad for a surfer who carries a skateboard around on his back. Qwik-Fix Pro has been nominated by SC Magazine for best network security and best intrusion solutions.

But it's the $49 home version that's got me most excited. I installed it on my Windows XP machine three weeks ago and I can't even tell it's there. Which is exactly what's needed for home network users who can't understand the difference between a virus and a worm, why they should close vulnerable ports on their computers, or why unpatched browsers can let in viruses, worms, spammers and identity thieves.

PivX makes me wonder whether I still need the half-dozen security programs bogging down my system. Maybe I don't have to keep all those signature files for spyware, Trojans, viruses and worms. After all, there are hundreds, sometimes thousands of variants hitting a single vulnerability. "All you need to do is change a single byte in the attack code and the anti-virus vendors have to create another attack signature to protect against it," Shivley says. "Some security programs can eat up 20 percent of your processing power this way."

In contrast, closing vulnerabilities takes zero processing power because all it does is patch holes. And there's no need for signature updates and software downloads. When a new vulnerability is discovered, it quietly patches that, too.

I'm not ready to toss my traditional security yet. But I'm thinking, maybe, just maybe, there can be a simple answer to this security mess we've gotten ourselves into.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
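The point Shivley makes in the column, that changing a single byte defeats a byte-pattern signature while closing the hole blocks every variant, as an added illustration that is not from the article or from PivX: a constructed toy line protocol with a made-up flaw (the parser trusts a sender-declared length), a signature copied from the first sample, and a hardened parser that checks the real body length.

```python
"""Constructed demo: one flipped byte evades a signature; a closed hole does not care."""
import re

BUFFER_SIZE = 32  # size of the toy handler's receive buffer

# Constructed hostile message for a made-up protocol "LEN:<declared>;<body>".
# The declared length wildly exceeds the buffer. Not real exploit code.
SAMPLE = b"LEN:9999;" + b"A" * 64

# A signature the way an engine might derive it: a byte pattern lifted
# from the first sample seen, covering the header and the start of the filler.
SIGNATURE = b"LEN:9999;" + b"A" * 16

HEADER = re.compile(rb"LEN:(\d+);")


def signature_detects(msg: bytes) -> bool:
    """Signature-based detection: exact byte-pattern match."""
    return SIGNATURE in msg


def vulnerable_handler(msg: bytes) -> str:
    """Toy flaw: copies as many bytes as the sender declares, not as many as fit."""
    m = HEADER.match(msg)
    if not m:
        return "rejected"
    declared, body = int(m.group(1)), msg[m.end():]
    copied = min(declared, len(body))  # trusts the declared length
    return "overflow" if copied > BUFFER_SIZE else "ok"


def hardened_handler(msg: bytes) -> str:
    """Hole closed: declared length must match the body, and the body must fit."""
    m = HEADER.match(msg)
    if not m:
        return "rejected"
    declared, body = int(m.group(1)), msg[m.end():]
    if declared != len(body) or len(body) > BUFFER_SIZE:
        return "rejected"
    return "ok"


def make_variant(msg: bytes, offset: int) -> bytes:
    """Flip one bit of one byte: the 'single byte' change the column describes."""
    b = bytearray(msg)
    b[offset] ^= 0x01
    return bytes(b)


def compare(msg: bytes) -> dict:
    """Run one message through the signature, the flawed parser and the fixed one."""
    return {"signature": signature_detects(msg),
            "vulnerable": vulnerable_handler(msg),
            "hardened": hardened_handler(msg)}
```

A variant built with `make_variant(SAMPLE, 20)` still overruns the flawed handler but no longer matches the signature, while the hardened handler rejects both the original and the variant and passes a well-formed message.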
This archive was generated by hypermail 2.1.3 : Fri Jan 14 2005 - 01:10:20 PST