Information Security News mailing list archives

Once-feared hacker works the other side


From: InfoSec News <isn () c4i org>
Date: Wed, 24 Oct 2001 02:17:06 -0500 (CDT)

http://www.siliconvalley.com/docs/news/tech/072182.htm

BY JAT GILL
Sunday Business 
Oct. 23, 2001 

LONDON -- Erik Bloodaxe, co-founder of the notorious Legion of Doom
group, was once one of the world's most feared hackers.

But since 1991, Erik has reverted to the name given him at birth --
the rather more prosaic Chris Goggans. And in a
poacher-turned-gamekeeper move, he has been working as a computer
security consultant -- protecting companies from hackers.

Anxiety over the risk of cyber-terrorism is high following the anthrax
attacks in the US. Meanwhile, two-thirds of UK businesses have
reported serious computer crime incidents in the past 12 months. The
annual cost to British industry from hacking is estimated at between
£2 billion and £3 billion.

Goggans says the internet is not the only way for criminals to launch
an electronic attack. Other networks may also be a way in. ``For every
entity, whether it be government or commercial, I would look at every
inroad that I could make,'' reveals Goggans.

``That would include internet connectivity, but also other public data
networks, especially if it's a financial organisation. They are often
hooked into Bloomberg or Reuters as well as some of the stock price
feeds, or other partners that sell mutual funds, insurance or anything
of that nature.''

These, according to Goggans, are potential targets for hackers.
Incoming dial-up phone lines are another favourite. When hooked to
unauthorised modems, incoming phone lines are probably the easiest
inroad to a company.

``That has pretty much been true for every company that I have done
assessment work on,'' Goggans says. Once inside a network, security
vulnerabilities are usually rife, he adds.

``I have worked on classified networks, civilian government networks,
major banks, energy companies, oil and automotive companies and the
internal network is always riddled with enough holes so that given
time, an attacker could take over most of the computing systems on
it,'' he says.

``When I do assessments on companies, I am averaging between 90
percent and 100 percent total compromise of every piece of networked
equipment on a company's network -- ranging from routers to
workstations.''

Perhaps surprisingly, the biggest of these internal holes does not
need expensive equipment to tackle it.

``As silly as it sounds, by and large the biggest problem is bad
passwords -- without a doubt,'' Goggans explains.

``Why bother exploiting vulnerabilities in operating systems when all
you have to do is type ``root'' when asked for the root password?''

The second biggest problem is operating systems and software that has
not been kept up to date with ``patches'' to close old security
weaknesses.

``There are so many different attacks. You point me to an operating
system -- if it is Solaris I will tell you seven ways of getting in.
If it is Microsoft I will tell you 10,'' he says casually.

Companies often leave themselves open to attack, he says. ``People
install their operating system once and then forget about it. That is
again, unfortunately incredibly prevalent.''

Many people fall into the bad habit of saying that a particular
machine is only a workstation, so it does not require proper security,
says Goggans.

``It doesn't matter to me if it is the secretary's workstation. I will
break into that and use it to get into the server she logs into, then
use that to get other accounts and into other servers. All it takes is
the one weak link in the chain and it doesn't matter what type of
system it is.''

Hackers are also becoming more sophisticated in the style and scale of
attacks they launch, for which Goggans blames the availability of
increasingly powerful computers and operating systems.

``Ten or 15 years ago the normal criminal could not afford a computer,
an operating system sufficiently powerful to construct complex attacks
and would not understand it even if they had the money.

``But now, given the availability of high-powered computers and
operating systems such as Linux for example, which is free, anybody
with $300 can build a highly complex computer system to start
constructing attacks.''

Goggans sounds a chilling warning for the potential for
cyber-terrorism. ``With a huge body of knowledge, such as all the
security sites on the internet to give you a kick-start, you can go
from being a complete novice to a rather formidable enemy in a matter
of months.''


