[ISN] Dispatches from the hacker wars

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 16 Nov 1998 - 15:05:44 CST
Forwarded From: James Lovato <jlovato@us.ibm.com>

http://www.nwfusion.com/news/1116hackers.html

Dispatches from the hacker wars
By Ellen Messmer
Network World, 11/16/98

Most IS professionals don't want to talk about the times they've been
hacked. Some fear it gives their competitors, or other hackers, insight
into their network. Others don't want to give hackers the attention they
so desperately seek. And some are simply embarrassed. 

After dozens of requests, we found five people willing to tell us what it
is like when the hackers start sneaking in. 

No longer a game

As a teenage hacker, Manny Berrios loved to break into organizations'
networks out of a passion for adventure. But now, in his mid-20s and vice
president of IT at a growing Web-based game service called ActionWorld,
hackers have become his round-the-clock headache. 

Network security logs tell Berrios that hackers are constantly probing for
holes in ActionWorld's Web servers, which are based on Microsoft's
Internet Information Server 4.0. They also enjoy shooting down his server
farm, housed in New York, with denial-of-service attacks in the middle of
the night; these immediately set off Berrios' beeper. Ironically, these
hackers are often ActionWorld's own online game customers - all part of
the youthful crowd that lives and plays on the 'Net. And if they discover
your network's vulnerabilities, they'll trash everything they can. 

"I spend 50% of my time baby-sitting these machines," laments Berrios. As
a former hacker, Berrios still has a few hacker friends. 

"They're doing it for the sheer thrill of exploring," he notes. "Now that
I'm on this side of the fence, it makes me edgy. I know the reality of it.
Nothing is 100% secure. Everything is simply an obstacle, and their
exploits are changing so rapidly that you have to keep putting up new
obstacles." 

If a hacker manages to get past one obstacle, say by breaching
ActionWorld's public Web server, he's usually stopped in what's popularly
called the "demilitarized zone" between firewalls. When that happens,
Berrios will try to track down the would-be intruder with the help of an
ISP. 

"One time it was a 13-year-old kid, and we called him and talked to him
just to scare him a little," Berrios says. 

Far more nerve-racking are encounters with hard-core hackers out for
criminal gain. A similar situation happened a year ago when someone broke
in through ActionWorld's Microsoft Remote Access Server - apparently
because the preconfigured "guest account" setting shipped with the server
hadn't been disabled by ActionWorld's staff. 

This criminally minded hacker exploited the vulnerability to gain access
to ActionWorld's resources, and from there, he staged attacks on other
organizations, accessed pornography sites and dealt in stolen credit
cards. 

This little crime wave got the New York City Police Department and the
Federal Bureau of Investigation involved - and these agencies initially
seized on ActionWorld as the suspect. After some explaining, the online
gaming firm spent a month working with law enforcement officials to
collect data on the hacker's activities so they could nab him. But in the
end, the hacker eluded them. "This was a sophisticated break-in," Berrios
says. "This person was very good at it." 

Berrios says he knows from direct experience that hard-core criminals are
on the rise in the hacker community, which traditionally has preferred to
view itself as a bunch of adventurous free spirits out to have fun. 

In fact, hackers are now getting paid to try to steal proprietary
corporate data or military secrets, some claim. "Most hackers are kids,
but there are professional hackers, the experienced ones. They're going
where the money is," Berrios says. 

Universities exposed

No organization, not even a school as technically savvy as the
Massachusetts Institute of Technology, is immune from the hacker menace.
"We're working with the FBI right now to try to catch a hacker," says Jeff
Schiller, network manager at MIT, where a troublemaker has been looking at
password-protected student files stored on servers at the university. 

Stopping hackers is particularly hard in a university setting such as MIT,
where students balk at anything that restricts user access to the
Internet. 

"It's impossible to establish a security policy," concedes Schiller, who
says MIT doesn't use a firewall for student access to the dormitory LANs
because the school's technical culture rejects these types of controls. 

Schiller berates hackers as "idiots" who bring down servers as they
stumble around from machine to machine. 

MIT is hardly the first university to have to cope with hackers.
Universities have long been exploited as hacker proving grounds. Stanford
University earlier this month disclosed that stolen passwords "sniffed" by
hackers - apparently based in Sweden and Canada - gave the intruders
access to 4,500 e-mail accounts. 

Hitting close to home

Sometimes hackers are more than just idiots; they're terrorists. That's
according to Seminole, Fla., security consultant Winn Schwartau, who says
hackers are now e-mailing death threats to him, his family, his staff and
even his neighbors. "Extortion, murder and kidnapping threats," is how
Schwartau describes the message content. 

Why? Perhaps because Schwartau has been vocal against hacker exploits,
speaking out at conferences, such as DefCon, where hackers anonymously
intermingle with law enforcement officials. 

During the past month, Schwartau has also started hosting a
Microsoft-sponsored Internet radio program, airing daily at noon, on which
he interviews hackers on www.thecyberstation.com. 

Hackers, Schwartau says, have now managed to shut down his phone and
electricity by fooling the utilities and have also pulled stunts such as
ordering hundreds of WebTV boxes to be sent to his house, purchased with
other people's credit cards. 

But according to Schwartau, the FBI isn't paying attention to his plight. 

"That's because the FBI agents are convinced that I'm a hacker," Schwartau
says, perhaps because he has been hobnobbing with hackers lately. 

Global reach

Other stories suggest the strange lengths to which corporations will go
to shut out hackers. 

"I've had hackers bold enough to e-mail us while they were hacking the
system, telling us there was nothing we could do to keep them out,"
recounts Hewlett-Packard information security consultant Don Pipkin,
author of Halting the Hacker, published by Prentice Hall. 

Pipkin tells of an incident in which a hacker broke into the intranet of a
major telecommunications company, which he declined to name, through the
company's public Web server. HP's security division, called in to stop the
intruder, closed up some of the security holes in the server and managed
to trace the attacker to Pakistan. 

Because nabbing this hacker seemed somewhat futile, HP asked the telecom
firm how important it was to let the nation of Pakistan view its public
Web server. With the answer being "not very," the telecom firm quietly
cut off that entire country's access to its Web server. 

Beyond the 'Net

The Internet, though, isn't the only medium that hackers can use to grab
control of your network resources. Ed Simonson, president of TeleDesign
management, a Burlingame, Calif., consultancy that conducts security
audits, has witnessed some dazzling hacker exploits over the years. 

Hackers are known to call corporate switchboards and demand to be
transferred to "918," which gets them outside access to a long-distance
line. "They'll also dial in to your voice mail and try to dial another
extension," Simonson says. 

Hackers also like to dial in to the maintenance ports of Rolm, Nortel
Networks and Lucent PBXs that are used by service repairmen. So it's
important to ensure that a company using PBXs has installed third-party
security software for the maintenance port. Such software is available
from Microframe, Lima and other vendors, Simonson says. 

"I have been in a PBX and seen two different hacks - two thefts - going on
at the same time. Neither knew the other was there," Simonson recounts.
"Hackers may never make more than two calls per day on your system, so you
have to have a policy in place to review phone logs," he says. 
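The phone-log review Simonson describes can be scripted. The following is an added example, not from the article or from TeleDesign; it assumes a constructed CSV call-detail layout (timestamp,source,dialed,duration) and flags the low-volume patterns named above rather than counting call volume, which would miss a thief making two calls a day.

```python
from datetime import datetime

# Constructed sample call-detail records: timestamp,source,dialed,duration_seconds
SAMPLE_CDR = """\
1998-11-16 09:12:04,ext2210,4155550199,312
1998-11-16 02:41:10,ext2210,011442071230000,1840
1998-11-16 03:05:57,ext2210,011442071230001,2200
1998-11-16 14:20:33,ext2315,6505550123,95
1998-11-17 23:58:01,voicemail,918,12
1998-11-17 11:02:45,ext2315,16505550124,60
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, assumed local office hours
OUTSIDE_LINE_CODE = "918"       # trunk-access code named in the article


def parse_cdr(text):
    """Yield one record per non-empty line of the assumed CSV layout."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, dialed, duration = line.split(",")
        yield {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "source": source, "dialed": dialed, "duration": int(duration)}


def is_long_distance(number):
    # NANP assumption: leading 1 on an 11-digit number is domestic long
    # distance, 011 is international; anything else is treated as local.
    return number.startswith("011") or (number.startswith("1") and len(number) == 11)


def review_phone_logs(text):
    """Return (source, timestamp, reasons) for each record worth a human look."""
    findings = []
    for rec in parse_cdr(text):
        reasons = []
        # Outside line reached by dialing the trunk-access code from voice mail
        if rec["dialed"] == OUTSIDE_LINE_CODE and rec["source"] == "voicemail":
            reasons.append("outside line reached through voice mail")
        # Long-distance calls placed when nobody should be in the office
        if is_long_distance(rec["dialed"]) and rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("after-hours long-distance call")
        if reasons:
            findings.append((rec["source"], rec["ts"].isoformat(), reasons))
    return findings


if __name__ == "__main__":
    for source, when, reasons in review_phone_logs(SAMPLE_CDR):
        print(source, when, "; ".join(reasons))
```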

If a hacker strikes, who has to pay the price? "The law says whoever
controls the access, pays the bill," Simonson says. "For the most part,
with a Centrex line, you're not responsible for paying the bill." 


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Nov 18 14:57:18 1998