[ISN] Q&A: Reverse hacker describes ordeal

From: InfoSec News (alerts@private)
Date: Tue Feb 27 2007 - 22:12:17 PST


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9011832

By Jaikumar Vijayan
February 26, 2007
Computerworld

A New Mexico jury recently awarded Shawn Carpenter $4.3 million in a 
wrongful termination lawsuit against his former employer Sandia National 
Laboratories.

The former network intrusion detection analyst was fired in January 2005 
after he shared information relating to an internal network compromise 
with the FBI and the U.S. Army. Sandia alleged that Carpenter had 
inappropriately shared confidential information he had gathered in his 
role as a security analyst for the laboratory.

Carpenter said he had done so only for national security reasons. He 
said his independent investigations of a May 2004 breach had unearthed 
evidence showing that the intruders who had broken into Sandia's 
networks belonged to a Chinese hacking group called Titan Rain that also 
had attacked other sensitive networks and stolen U.S. military and other 
classified documents.

Carpenter until last Friday worked with the U.S. Department of State's 
Cyber Threat Analysis Division. He is currently a principal research 
analyst at NetWitness Corp., a start-up headed by Amit Yoran, former 
director of the National Cyber Security Division of the Department of 
Homeland Security. In this interview conducted via e-mail, Carpenter 
talks about the case.


What's your reaction to the verdict?

It is almost a guarantee that Sandia will appeal and drag it out for 
years. They don't have any incentive to resolve the case, as the 
taxpayers are footing the bill. Besides the cadre of attorneys they 
already have on staff, they hired a local firm, Bannerman & Williams, to 
assist them in the litigation.

We've indicated our willingness to negotiate over the course of the 
suit, but they expressed no desire to talk. The one offer they made at a 
settlement conference ordered by the court was so pathetic that it 
wouldn't have even covered a few months of my legal expenses. All along, 
I wanted my day -- OK, week and a half -- in court, and to have the 
opportunity to tell a jury my side of the story.

Since Sandia is an "at will" employer -- and they regularly remind you 
of this if you press issues -- people fear for their jobs. Of the 
several hundred colleagues I worked with during my career there, a grand 
total of two still talk to me -- even after the verdict. My friends in 
computer security that are still working there think their phones are 
tapped by Sandia counterintelligence, and are terrified to even call me 
from home. We clearly demonstrated for the jury that it is an 
environment of fear, created expressly to keep the employees in line.


What prompted you to conduct that independent investigation into the 
Sandia intrusion in the first place?

As a network intrusion detection analyst, I regularly used similar 
"back-hacking" techniques in the past to recover stolen Sandia password 
files and retrieve evidence to assist in system and network compromise 
investigations.

We were able to better defend our networks as a direct result of the 
intelligence we gained. I authored in-depth analyses of these intrusions 
that were sent for reporting and educational purposes to the Department 
of Energy's (DOE) Computer Incident Advisory Capability (CIAC), 
investigators at the DOE Inspector General (IG), Sandia 
Counterintelligence, DOE Cyber Counterintelligence, Sandia IT management 
and my entire department. Even to a novice, it was obvious after reading 
the analyses how intelligence was gleaned on the adversaries.

For example, phrases substantially similar to this were used in my 
reports: "I used their credentials to access the systems in Brazil and 
China, identify their hacking tool caches, and [pulling] down all of 
their tools, e-mails and other information to aid in their 
identification." Numerous exhibits of these activities were presented at 
trial for the jurors. In a meeting with them after the verdict was 
rendered, even the less cyber-savvy folks understood what the e-mails 
represented.


What were you hoping to achieve through this investigation?

My objective started out with a purpose similar to the other 
investigations I engaged in while at Sandia. The difference in this 
instance was that the rabbit hole went much deeper than I imagined.

In late May of 2004, one of my investigations turned up a large cache of 
stolen sensitive documents hidden on a server in South Korea. In 
addition to U.S. military information, there were hundreds of pages of 
detailed schematics and project information marked "Lockheed Martin 
Proprietary Information Export Controlled" that were associated with the 
Mars Reconnaissance Orbiter. Ironically, Sandia Corp., the private 
company that manages Sandia National Laboratories, is a subsidiary of 
Lockheed Martin Corp. It was this discovery that prompted my meeting 
with [supervisors] and when I was told that "it was not my concern." 
Later, I turned it over to the U.S. Army and the FBI and helped 
investigate how it was taken and where the path led.


Are you at liberty to disclose what sort of back-hacking you did?

Not at this point, but I will be able to discuss the activities in more 
detail at an unclassified level in the future.


What happened to all of the information that you uncovered relating to 
the Titan Rain operation? Has it been used in any way to deal with the 
problem of Chinese hackers?

All of the information and analyses I conducted and any conclusions I 
reached were given to the FBI. The information relevant to the U.S. Army 
was given to them. I cannot answer your last question because it likely 
encompasses classified information.


You claimed you never were given an opportunity to get the information 
you uncovered to the proper authorities at the other organizations. Why 
was that?

I attempted several times to find a Sandia channel to get the 
information to the organizations that were impacted. At the first 
meeting with my supervisor and the Sandia information security manager, 
[the supervisor] stated "we don't care about any of this. We only care 
about Sandia computers."

After I insisted that there must be a way to throw the information "over 
the fence" to Sandia's counterintelligence organization or other federal 
and military authorities, he said that I was forbidden from doing this, 
and that it "wasn't my job." A Sandia counterintelligence manager and my 
immediate supervisor recanted pages of their previously sworn deposition 
testimony and conceded that a meeting that they allegedly had with me to 
provide me with a channel to get the information to the proper 
authorities never happened.


Why do you think Sandia acted the way it did?

This was the first time that my activities uncovered evidence that 
entities outside Sandia were compromised, and data was being stolen. 
They were not willing to contact the proper authorities because outside 
law enforcement would certainly inquire about how the data was obtained 
-- bringing unwelcome scrutiny upon Sandia. It was a case of putting the 
interests of the corporation over those of the country.


What happened then?

During my last meeting with Sandia management, a semicircle of 
management was positioned in chairs around me and Bruce Held [Sandia's 
chief of counterintelligence]. Mr. Held arrived about five minutes late 
to the meeting and positioned his chair inches directly in front of 
mine. Mr. Held is a retired CIA officer, who evidently ran paramilitary 
operations in Africa, according to his deposition testimony.

At one point, Mr. Held yelled, "You're lucky you have such understanding 
management if you worked for me, I would decapitate you! There would at 
least be blood all over the office!" During the entire meeting, the 
other managers just sat there and watched. At the conclusion of the 
meeting, Mr. Held said, "Your wife works here, doesn't she? I might need 
to talk to her." [Editor's note: In court testimony, Held admitted using 
the word "decapitated" and that he wouldn't contest using the word 
"blood" although he didn't recall saying it. He also apologized for 
using those terms.]

Indeed, my wife did work there -- in Sandia's International Programs 
section, working on nuclear counter-proliferation, port and border 
security issues. In the context of that meeting, it was a chilling 
comment. Shortly after the meeting, which management described at trial 
as "a fact-finding session with Mr. Carpenter," my director showed up at 
my office, escorted me to the gate and stripped me of my badge. That was 
the last time I was ever at Sandia. [Carpenter's wife resigned and is 
now a White House fellow working as a special assistant to top-ranking 
government officials.]


How big of a threat do foreign hackers pose to secure government and 
military networks here in the U.S? What needs to be done about the issue 
and by whom?

A brief overview of open source press reporting for the past couple of 
years clearly indicates that there is a very serious threat posed by 
foreign hackers to U.S. infrastructure, government and military 
networks.

A great deal of the research and development for military programs and 
government projects is carried about by defense contractors; these 
corporations are attractive targets for skilled adversaries. The cyber 
realm is a unique environment that provides an appealing risk-to-benefit 
ratio, low chance of attribution and a minimal investment for 
adversaries to conduct sophisticated operations. Why spend millions on 
R&D when you can just steal it?


______________________________________
Subscribe to the InfoSec News RSS Feed
http://www.infosecnews.org/isn.rss



This archive was generated by hypermail 2.1.3 : Tue Feb 27 2007 - 22:22:08 PST