Information Security News mailing list archives
Zap P and the Hackstoppers
From: William Knowles <wk () C4I ORG>
Date: Tue, 22 Aug 2000 04:00:48 -0500
http://www.guardianunlimited.co.uk/uk_news/story/0,3604,356746,00.html Computer buffs aim to wipe out image as website defacers and security hoaxers Richard Adams Monday August 21, 2000 Blackpool's traditional holiday attractions of roller coasters, candy floss and Mr Bernard Manning and the Page Three Stunnas had some unusual competition yesterday: computer hacking. While the stag and hen night parties who prowled the streets the previous night were recovering from over-indulgences in places like Slappers nightclub, a team of hackers from London was tackling the Data and Network Security Council conference's annual Hack the Flag competition - using their skills to break into a computer and seize a small text file, and defend it against all-comers. "Any method with the exception of physical theft/violence is allowed," according to the rules, including "social engineering", the term hackers use for interaction with humans rather than machines. "Bribing other team members is allowed." This might sound like the sort of event that gives computer security experts nightmares. In fact, a large group of them were sitting in the same part of the seaside hotel, listening to speakers calling on the government to do more to protect the UK's infrastructure from cyber-terrorists. "We aren't worried about the people in this room, we're more worried about people like Saddam Hussein," organiser Jonathan Wignall told the conference. Mr Wignall, chairman of the Data and Network Security Council, an independent body, is one of a small band of unpaid computer professionals concerned about lax computer security in Britain and campaigning to get the government to act. "We're not talking about Big Brother here. We're talking about having the tools and information available to help us," Mr Wignall said. The organisers want the government to take the threat of "information warfare" seriously, by funding a hotline allowing computer users to warn of virus or hacking attacks, a sort of Hackstoppers along the lines of Crimestoppers. In the longer run they think a government agency is needed to anticipate security weaknesses, and guard key parts of the UK's infrastructure, such as utilities and the government, from possible attacks. The respectable side of the conference sits slightly uneasily alongside the droves of hackers that attend, many of them teenagers in black t-shirts bearing weird inscriptions. But it is hard to tell the hackers from the pros, who wear the same gear and speak the same language. The only difference is in their ages, and even then, not by much. Even the conference t-shirt - black, of course - highlights the contradiction of mixing the hackers and the hacked: on the front is the source code for the I Love You email virus that caused so much havoc with computer users this year. And the annual sandcastle building competition on Saturday was won by a schematic diagram of a US encryption algorithm that technically made the export of Blackpool beach illegal outside of the US. The pub quiz that evening looked much like any other except that the prizes included CD-roms of the Linux computer operating system. In the bar afterwards two of the professionals, both network security operators for IT firms, admitted they were there partly for fun, and partly to keep an eye on what the younger "freelances" are up to. One couple works for an internet service provider in Cambridge, but would not say which one. "We made a decision before we came not tell anyone. It's nothing personal," said one of them, one of only three women attending. Almost everyone at the conference eschewed their given names, preferring their colourful "handles" or computer nicknames, such as JamJar. "Giving away your real identity on the internet is giving away powerful information," said Zap P. But an unspoken role on the conference agenda is to bring the fringe elements of the hacking community on board, and steer them away from being "black hats" - the malicious hackers responsible for website defacement and security breaches - to become "white hats," who use their skills towards making cyber-space a safer place. Notorious While most attending the conference were probably in the white hat brigade, a few were more notorious members of Britain's hacker community. "If you can't influence these people then you can forget about getting Britain to be number one in the world's e-commerce," said Mark, one of the organisers, who works for a US computer maker. "These are the people who in 10-20 years time are going to be writing software and setting up companies. If you put them in jail or force them to emigrate, then it's a brain drain. Why is Silicon Valley full of British expatriates?" So far this year Data and Network Securities has notified nearly 300 web sites of what it calls "major security flaws". Its most alarming discoveries in recent weeks have been the vulnerabilities in a large number of government websites, including the Foreign Office, the Treasury, the Cabinet Office, and the No 10 Downing Street site, and serious flaws in armed forces web sites. The group recently discovered a bug in the website of National Savings that was more than two years old. National Savings simply pulled the plug on its site. The thank-you's the council has received include an email sent last Wednesday by the Cabinet Office's national infrastructure security co-ordination centre and a letter from Nicole Fontaine, president of the European parliament, asking DNS to get in touch "to discuss the conditions in which the European parliament can call on your expertise." Cyberpirates intent on internet celebrity The raiders * Kevin Mitnick, the hackers' hero, shot to fame as the first computer criminal to have his face on an FBI most wanted poster. His latest spell in jail was a five-year sentence for fraud related to breaking into the systems of several multinational corporations. He was released in January on the condition that he did not have any contact with a computer. * In March a Welsh teenager allegedly stole information from more than 26,000 credit card accounts across Britain, the US, Japan, Canada and Thailand, and published the details on the internet. FBI agents and British police raided the home of Raphael Gray, 18, in Clynderwen, Pembrokeshire, and arrested him and a friend. He has been charged with 10 counts of downloading unauthorised information. * In 1998 Washington revealed that an Israeli hacker called "the Analyser" was responsible for "the most systematic and organised attempt ever to penetrate the Pentagon's computer systems". He turned out to be Ehud Tenenbaum, 18, who had planted a list of his own passwords in the Pentagon system and passed them to other hackers. * In 1997 the son of a fraud squad detective walked free from a court in London after charges of breaching the security of the US air force were dropped. Three years earlier Mathew Bevan, then 19, and a friend, Richard Pryce, 16, used the internet to gain access to several US military bases. Pryce was fined 1,200 after admitting similar offences. The raids * Hotmail, Microsoft's free email service, was hacked into last September, exposing the correspondence of more than 40m users. A group calling itself Hackers Unite posted a web address with details of how to access any Hotmail account. The service was shut down for five hours. * The "ILOVEYOU" computer virus, launched this year from the Philippines, brought chaos to networks across the globe, costing billions of pounds worth of damage. It spread by sending itself to addresses in recipients' email address books. Once opened, the the virus downloaded more dangerous software from a remote website, renamed files and redirected internet browsers. The love bug was the latest in a string of increasingly potent and fast-spreading viruses. Melissa, which replicated itself by email, is thought to have infected 1m computers and caused 5m of damage. * The Department of Trade and Industry has twice been prey to hackers, once in 1996 and again this year when a DTI computer was programmed to reroute email. The Home Office investigated nine cases of hacking last year, one of which was the leaking of the Macpherson report on the Stephen Lawrence murder inquiry. The Northern Ireland office investigated seven. In August 1996 hackers ran up a 1m phone bill for Scotland Yard, but did not access files. * In 1997 hackers got into the Yahoo! website, replacing the homepage with a ransom note demanding the release of their hero, Kevin Mitnick. Unless the demand was met, the note said, a virus would be released in all Yahoo! users' computers. The company dismissed the threat as a hoax, but the "Free Kevin" slogan continued to appear on other hijacked sites. Simon Bowers *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Zap P and the Hackstoppers William Knowles (Aug 22)