Zap P and the Hackstoppers

[William Knowles <wk () C4I ORG>]

http://www.guardianunlimited.co.uk/uk_news/story/0,3604,356746,00.html

Computer buffs aim to wipe out image as website defacers and security
hoaxers

Richard Adams
Monday August 21, 2000

Blackpool's traditional holiday attractions of roller coasters, candy
floss and Mr Bernard Manning and the Page Three Stunnas had some
unusual competition yesterday: computer hacking.  While the stag and
hen night parties who prowled the streets the previous night were
recovering from over-indulgences in places like Slappers nightclub, a
team of hackers from London was tackling the Data and Network Security
Council conference's annual Hack the Flag competition - using their
skills to break into a computer and seize a small text file, and
defend it against all-comers.

"Any method with the exception of physical theft/violence is allowed,"
according to the rules, including "social engineering", the term
hackers use for interaction with humans rather than machines. "Bribing
other team members is allowed."

This might sound like the sort of event that gives computer security
experts nightmares. In fact, a large group of them were sitting in the
same part of the seaside hotel, listening to speakers calling on the
government to do more to protect the UK's infrastructure from
cyber-terrorists.

"We aren't worried about the people in this room, we're more worried
about people like Saddam Hussein," organiser Jonathan Wignall told the
conference. Mr Wignall, chairman of the Data and Network Security
Council, an independent body, is one of a small band of unpaid
computer professionals concerned about lax computer security in
Britain and campaigning to get the government to act. "We're not
talking about Big Brother here. We're talking about having the tools
and information available to help us," Mr Wignall said.

The organisers want the government to take the threat of "information
warfare" seriously, by funding a hotline allowing computer users to
warn of virus or hacking attacks, a sort of Hackstoppers along the
lines of Crimestoppers. In the longer run they think a government
agency is needed to anticipate security weaknesses, and guard key
parts of the UK's infrastructure, such as utilities and the
government, from possible attacks.

The respectable side of the conference sits slightly uneasily
alongside the droves of hackers that attend, many of them teenagers in
black t-shirts bearing weird inscriptions. But it is hard to tell the
hackers from the pros, who wear the same gear and speak the same
language. The only difference is in their ages, and even then, not by
much.

Even the conference t-shirt - black, of course - highlights the
contradiction of mixing the hackers and the hacked: on the front is
the source code for the I Love You email virus that caused so much
havoc with computer users this year. And the annual sandcastle
building competition on Saturday was won by a schematic diagram of a
US encryption algorithm that technically made the export of Blackpool
beach illegal outside of the US.

The pub quiz that evening looked much like any other except that the
prizes included CD-roms of the Linux computer operating system.

In the bar afterwards two of the professionals, both network security
operators for IT firms, admitted they were there partly for fun, and
partly to keep an eye on what the younger "freelances" are up to. One
couple works for an internet service provider in Cambridge, but would
not say which one. "We made a decision before we came not tell anyone.
It's nothing personal," said one of them, one of only three women
attending.

Almost everyone at the conference eschewed their given names,
preferring their colourful "handles" or computer nicknames, such as
JamJar. "Giving away your real identity on the internet is giving away
powerful information," said Zap P.

But an unspoken role on the conference agenda is to bring the fringe
elements of the hacking community on board, and steer them away from
being "black hats" - the malicious hackers responsible for website
defacement and security breaches - to become "white hats," who use
their skills towards making cyber-space a safer place.

Notorious


While most attending the conference were probably in the white hat
brigade, a few were more notorious members of Britain's hacker
community. "If you can't influence these people then you can forget
about getting Britain to be number one in the world's e-commerce,"
said Mark, one of the organisers, who works for a US computer maker.
"These are the people who in 10-20 years time are going to be writing
software and setting up companies. If you put them in jail or force
them to emigrate, then it's a brain drain. Why is Silicon Valley full
of British expatriates?"

So far this year Data and Network Securities has notified nearly 300
web sites of what it calls "major security flaws". Its most alarming
discoveries in recent weeks have been the vulnerabilities in a large
number of government websites, including the Foreign Office, the
Treasury, the Cabinet Office, and the No 10 Downing Street site, and
serious flaws in armed forces web sites. The group recently discovered
a bug in the website of National Savings that was more than two years
old. National Savings simply pulled the plug on its site.

The thank-you's the council has received include an email sent last
Wednesday by the Cabinet Office's national infrastructure security
co-ordination centre and a letter from Nicole Fontaine, president of
the European parliament, asking DNS to get in touch "to discuss the
conditions in which the European parliament can call on your
expertise."

Cyberpirates intent on internet celebrity


The raiders


* Kevin Mitnick, the hackers' hero, shot to fame as the first computer
criminal to have his face on an FBI most wanted poster. His latest
spell in jail was a five-year sentence for fraud related to breaking
into the systems of several multinational corporations. He was
released in January on the condition that he did not have any contact
with a computer.

* In March a Welsh teenager allegedly stole information from more than
26,000 credit card accounts across Britain, the US, Japan, Canada and
Thailand, and published the details on the internet. FBI agents and
British police raided the home of Raphael Gray, 18, in Clynderwen,
Pembrokeshire, and arrested him and a friend. He has been charged with
10 counts of downloading unauthorised information.

* In 1998 Washington revealed that an Israeli hacker called "the
Analyser" was responsible for "the most systematic and organised
attempt ever to penetrate the Pentagon's computer systems". He turned
out to be Ehud Tenenbaum, 18, who had planted a list of his own
passwords in the Pentagon system and passed them to other hackers.

* In 1997 the son of a fraud squad detective walked free from a court
in London after charges of breaching the security of the US air force
were dropped. Three years earlier Mathew Bevan, then 19, and a friend,
Richard Pryce, 16, used the internet to gain access to several US
military bases. Pryce was fined 1,200 after admitting similar
offences.

The raids


* Hotmail, Microsoft's free email service, was hacked into last
September, exposing the correspondence of more than 40m users. A group
calling itself Hackers Unite posted a web address with details of how
to access any Hotmail account. The service was shut down for five
hours.

* The "ILOVEYOU" computer virus, launched this year from the
Philippines, brought chaos to networks across the globe, costing
billions of pounds worth of damage. It spread by sending itself to
addresses in recipients' email address books. Once opened, the the
virus downloaded more dangerous software from a remote website,
renamed files and redirected internet browsers. The love bug was the
latest in a string of increasingly potent and fast-spreading viruses.
Melissa, which replicated itself by email, is thought to have infected
1m computers and caused 5m of damage.

* The Department of Trade and Industry has twice been prey to hackers,
once in 1996 and again this year when a DTI computer was programmed to
reroute email. The Home Office investigated nine cases of hacking last
year, one of which was the leaking of the Macpherson report on the
Stephen Lawrence murder inquiry. The Northern Ireland office
investigated seven. In August 1996 hackers ran up a 1m phone bill for
Scotland Yard, but did not access files.

* In 1997 hackers got into the Yahoo! website, replacing the homepage
with a ransom note demanding the release of their hero, Kevin Mitnick.
Unless the demand was met, the note said, a virus would be released in
all Yahoo! users' computers. The company dismissed the threat as a
hoax, but the "Free Kevin" slogan continued to appear on other
hijacked sites.

Simon Bowers



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".