Information Security News mailing list archives

With Friends Like This


From: InfoSec News <isn () c4i org>
Date: Tue, 9 Jul 2002 06:58:29 -0500 (CDT)

http://www.informationweek.com/story/IWK20020705S0017

By George V. Hulme
July 8, 2002

Meet Adrian Lamo. At 21 years old, Lamo is clean-cut and soft-spoken,
his deliberate speech marked by a slight stutter. A short, thinly
built, former vegetarian, he takes a seat facing the door at the South
Street Diner in Philadelphia, picking at his chicken Caesar salad and
keenly eying his surroundings as he explains why and how he does what
he does. And that's hack into a business' network, alert the company
to his actions, offer to help fix the problem for free, and, once the
holes are patched, go public with the breach.

Why he does this is a little less clear. "I've never made an argument
that there's any particular right or moral principle that makes the
exploration of private domains OK," he says. "I'm not saying it's
right. It's what I do."

That moral ambiguity belies the zeal Lamo brings to his mission. "I
challenge [others] to find another way to get companies to take these
issues seriously," he says. "To get AOL to admit to a widespread
security problem isn't going to happen based on a few phone calls."  
Two years ago, Lamo published on the Internet details about how
hackers were taking advantage of a flaw in America Online's AIM
registration server to hijack Instant Messenger accounts.

Lamo's mission has led him to expose computer security flaws at
companies such as Microsoft, The New York Times, WorldCom, Yahoo, and
the now-defunct Excite@home. To publicize his work, he's often tapped
ex-hacker-turned-journalist Kevin Poulsen as his go-between: Poulsen
contacts the hacked company, alerts it to the break-in, offers Lamo's
cooperation, then reports the hack on the SecurityFocus Online Web
site, where he's a news editor.

Lamo may be the most controversial hacker since Kevin Mitnick, who
gained fame in the mid-'90s by breaking into the computer systems of
high-tech companies and stealing proprietary software code. To the
extent that Lamo brings a moral justification to his actions--and that
people buy into that argument--he may be even more dangerous.

Lamo claims he never intentionally interrupts service, and he doesn't
sell, distribute, or destroy the data he accesses. "Destroying data is
near sacrilege--it's like burning the last known copy of the Bible,"  
he says. Still, unlawful entry into a private network is a
misdemeanor. And if it could be proved that his digital trespassing
caused $5,000 or more in damage to a company, even unintentionally,
Lamo could face felony charges, says Mark Rasch, former head of the
Justice Department's Computer Crime Unit, who prosecuted Poulsen and
Mitnick. With a jump in the number of U.S. companies reporting
downtime related to security breaches or espionage, according to
InformationWeek Research's annual Global Information Security Survey
(see story, p. 36), and the threat of cyberterrorism greater than
ever, many business-technology managers and security experts have
little tolerance for Lamo's tactics, even if they do raise awareness
about lax corporate security.

"If you're not invited, you shouldn't be there," says Diane Bunch, VP
of IS at the Tennessee Valley Authority, who believes legislation
against hacking and prosecution of hackers needs to be tougher. "It's
like my house--if I didn't invite you in off the street, I don't
expect to see you there," she says.

Bruce Schneier, founder and chief technology officer of managed
security services provider Counterpane Internet Security Inc., says he
isn't impressed by the hacking-to-build-awareness argument. "It's like
committing arson to build forest-fire awareness," Schneier says.  
"There are other ways to build awareness."

Executives at The New York Times, which was victimized by Lamo in
February, would likely agree. The media company said last week it
hasn't ruled out asking law enforcement to press charges against the
hacker. "We're still exploring our options, and discussions with the
authorities are one of those options," a spokeswoman says.

Lamo accessed a database holding the personal information of 3,000 New
York Times employees, as well as that of big-name editorial
contributors such as Jimmy Carter and Robert Redford. He says he
surfed in from the Web, scanned the Times' internal network, and found
as many as eight open proxy servers. By viewing header information in
an auto-reply E-mail, he found references to servers on the internal
network and was able to hack into the database, logging himself on as
an administrative assistant.
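The reconnaissance step described above, reading the Received: headers of an auto-reply for internal server names and addresses, as an added example that is not part of the original article and not Lamo's own tooling. The message, the host names (corp.example.com, hr-db, exch01) and the addresses are all constructed for illustration; the only real inputs an attacker needs are a mailbox that answers automatically and the habit of reading the headers the mail gateway stamps on the reply.

```python
import email
import ipaddress
import re

# Constructed sample auto-reply. Every hostname and address here is invented;
# the documentation range 203.0.113.0/24 stands in for a public gateway.
SAMPLE_AUTOREPLY = """\
Received: from mail-gw.example.com (mail-gw.example.com [203.0.113.10])
\tby mx.isp.example.net with ESMTP id ABC123; Tue, 9 Jul 2002 06:58:29 -0500
Received: from exch01.corp.example.com (exch01.corp.example.com [10.20.30.40])
\tby mail-gw.example.com with ESMTP id DEF456; Tue, 9 Jul 2002 06:58:20 -0500
Received: from hr-db.corp.example.com ([192.168.5.17])
\tby exch01.corp.example.com; Tue, 9 Jul 2002 06:58:10 -0500
From: vacation@example.com
To: someone@isp.example.net
Subject: Out of office: Re: hello

I am out of the office until next week.
"""

# RFC 1918 ranges only. ipaddress.is_private also covers documentation and
# benchmark ranges, which is not what "internal network" means here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOSTNAME = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def is_rfc1918(ip_text):
    """True when the dotted-quad string falls in one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def received_hops(raw_message):
    """Return the Received: headers, oldest hop first, with folding collapsed."""
    msg = email.message_from_string(raw_message)
    hops = msg.get_all("Received") or []
    # Each MTA prepends its own header, so the last one in the message is the first hop.
    return [re.sub(r"\s+", " ", hop).strip() for hop in reversed(hops)]


def internal_references(raw_message):
    """List every hop that exposes an RFC 1918 address, with the hostnames named alongside it."""
    findings = []
    for hop in received_hops(raw_message):
        private_ips = [ip for ip in IPV4_IN_BRACKETS.findall(hop) if is_rfc1918(ip)]
        if not private_ips:
            continue
        hosts = sorted(set(HOSTNAME.findall(hop)))
        findings.append({"hop": hop, "private_ips": private_ips, "hosts": hosts})
    return findings


if __name__ == "__main__":
    for finding in internal_references(SAMPLE_AUTOREPLY):
        print(finding["private_ips"], finding["hosts"])
```

The public-facing gateway hop (203.0.113.10) is ignored; the two inner hops leak a 10.0.0.0/8 mail server and a 192.168.0.0/16 host, each with its DNS name. The defensive fix is on the gateway side: strip or rewrite the internal Received: chain on outbound mail so that auto-replies and bounces carry only the edge host.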

Lamo claims he breaks into companies' networks using only an old
Toshiba notebook that's missing seven keys, a Web browser, and rented
network connections at Internet cafes or copy shops.

Born in Massachusetts, Lamo moved around quite a bit growing up; he
lived in Connecticut, Virginia, California, and even spent a few years
in Colombia. Lamo dropped out of high school (he has a GED), and his
computer skills are largely self-taught, beginning with peeking into
the code of the role-playing adventure games he ran on his Commodore
64 computer. Lamo says he's homeless, and spends his nights on
friends' couches or squatting in abandoned buildings. He travels on
foot or by Greyhound bus because "it's the last form of public
transportation that doesn't require a photo ID." He earns money from
odd jobs, he says: When you "don't have rent or a car payment, you
don't need much money to survive."

Lamo contends that, from an IT standpoint, many companies ignore their
most vulnerable points. Companies that patch only known software
vulnerabilities, then simply scan their applications and networks for
potential security holes, are missing the bigger picture, he says.  
"They think if you have no known 'exploits' on your systems, they're
secure," he says. "They're not. None of the intrusions I've been
behind had anything to do with what would be called a known [software]
exploit or vulnerability. It's more nebulous."

His break-in at troubled telecom vendor WorldCom in December,
accomplished by way of several misconfigured proxy servers, is an
example. Companies set up proxy servers to let employees reach the
Internet. Configured properly, a proxy accepts connections only from
the internal network and forwards them outward. But proxy servers are
easy to misconfigure, and many are brought online in open mode,
accepting connections from anyone on the Internet and forwarding them,
including back into the internal network, while hiding the outsider's
point of origin behind the proxy's own address.

Once past a company's proxy servers and perimeter defenses, Lamo says,
he's able to escape the notice of intrusion-detection systems. IDSs
typically match traffic against preconfigured signatures of known-bad
activity, such as malformed packets and particular system requests.
"But when you have
someone sitting at a Web browser looking at things the way an employee
would look at them, that's not something that can be picked up by the
IDS," Lamo says. "The IDS can't see a person's intent." With WorldCom,
Lamo says he was able to view the names and Social Security numbers of
thousands of its employees, as well as potentially cut services to
most of the telecommunication provider's customers.
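Both points above, the open proxy that forwards outsiders into the internal network and the signature IDS that sees nothing wrong with ordinary browser requests, can be illustrated with the proxy's own access log. The block below is an added example, not code from the article or from any of the companies named; it assumes a Squid native-format access.log, an internal DNS suffix of corp.example.com, and RFC 1918 addressing for the inside, and the log lines are constructed. The check is simple: a request whose client address is outside the network and whose destination is inside it is exactly the hairpin an open proxy enables, and no packet signature will catch it because every packet is well formed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: RFC 1918 addressing inside, and an internal DNS suffix.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIX = ".corp.example.com"

# Constructed Squid native-format lines: timestamp elapsed client status/code size
# method URL ident hierarchy/peer type. 10.1.2.3 is an employee desktop; 198.51.100.77
# is an outside host that has found the proxy listening on the Internet.
SAMPLE_ACCESS_LOG = """\
1026212300.000    120 10.1.2.3 TCP_MISS/200 9000 GET http://www.example.org/news/ - DIRECT/203.0.113.5 text/html
1026212301.500     80 10.1.2.3 TCP_HIT/200 4000 GET http://intranet.corp.example.com/ - NONE/- text/html
1026212309.123    245 198.51.100.77 TCP_MISS/200 4312 GET http://10.20.30.40/hr/employees.asp - DIRECT/10.20.30.40 text/html
1026212310.001     10 198.51.100.77 TCP_TUNNEL/200 820 CONNECT 192.168.5.17:1433 - DIRECT/192.168.5.17 -
1026212311.400     33 198.51.100.77 TCP_MISS/200 2100 GET http://www.example.org/ - DIRECT/203.0.113.5 text/html
1026212312.900     15 198.51.100.77 TCP_MISS/403 600 GET http://hr-db.corp.example.com/ - DIRECT/192.168.5.17 text/html
"""


def is_internal(host):
    """RFC 1918 addresses and names under the internal suffix count as inside."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower().endswith(INTERNAL_SUFFIX)
    return any(addr in net for net in RFC1918)


def parse_squid_line(line):
    """Pull the fields this check needs out of one native-format access.log line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, status, _size, method, target = fields[:7]
    if method == "CONNECT":
        # CONNECT carries host:port rather than a URL (IPv4 or hostname assumed here).
        host = target.rsplit(":", 1)[0]
    else:
        host = urlsplit(target).hostname or ""
    return {"ts": float(ts), "client": client, "status": status,
            "method": method, "target": target, "host": host}


def classify(entry):
    """Inside clients are normal proxy use; outside clients are abuse of an open proxy."""
    if is_internal(entry["client"]):
        return "ok"
    if is_internal(entry["host"]):
        return "INBOUND_PIVOT"   # outsider tunnelling into the internal network
    return "OPEN_RELAY"          # outsider using the proxy to hide behind it


def audit(log_text):
    """Return (verdict, client, method, target, status) for every abusive request."""
    alerts = []
    for line in log_text.strip().splitlines():
        entry = parse_squid_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        if verdict != "ok":
            alerts.append((verdict, entry["client"], entry["method"], entry["target"], entry["status"]))
    return alerts


if __name__ == "__main__":
    for alert in audit(SAMPLE_ACCESS_LOG):
        print(*alert)
```

The 403 on the last line is still reported: a denied request from outside aimed at an internal host is a probe, and the fact that it reached an internal address at all is the finding. The corresponding fix on a Squid proxy is to put an explicit deny after the internal allow, along the lines of an `acl localnet src` rule for the inside ranges followed by `http_access allow localnet` and `http_access deny all`, and to bind the listener to the internal interface rather than to every address.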

What Lamo did is "no different than showing up at a company wearing a
UPS uniform," says Counterpane's Schneier. "Of course you're trusted."  
Companies that monitor only their front doors are prime targets for
such attacks, Schneier says.

After the break-in became known, a WorldCom spokeswoman said the
company appreciated Lamo's drawing its attention to the problem and
the help he gave the company one weekend to fix the flaws. A
spokeswoman reached last week wouldn't comment further. Poulsen says
that, like WorldCom, officials at Excite@home also "expressed
gratitude for Adrian."

At least one business-technology manager says there are worse things
than to have a hacker such as Lamo break into his network. If someone
"points out security holes and doesn't do any damage, I'd rather that
happen than [the holes] be discovered by a competitor or terrorist,"  
says the chief security officer at a Midwest consumer-goods
manufacturer. "I could live without the media attention, but I'd
personally be hard-pressed to call the police."

Despite the talk by The New York Times of possibly going to
authorities, no charges have been filed against Lamo for any of the
incidents. Indeed, few companies are interested in seriously
investigating computer breaches internally, says former federal
prosecutor Mitch Dembin, who litigated a number of computer and
high-tech crimes and now heads IT forensics company EvidentData Inc.  
"My experience has been that unless the hackers do obvious damage,
[companies] won't do anything," he says. "They patch and secure the
holes and move on." It can take weeks and cost hundreds of thousands
of dollars for an IT forensics company to determine the extent of a
breach, put compromised systems through an extensive analysis, patch
and close security holes, and conduct follow-up penetration tests.

The costs of taking a hacker to court can be even greater, including
the negative publicity and the very real threat of hacker retaliation.  
Former FBI cybercrime investigator Charles Neal, now VP of managed
security services at Exodus, a Cable & Wireless unit, says that only
3% to 5% of the companies he works with during investigations choose
to contact law enforcement. Only 18% of the U.S. businesses surveyed
for InformationWeek Research's new security survey say they notify
government authorities after a breach.

The flip side of this moral equation may be that by not prosecuting
Lamo, or hackers like him, companies are perpetuating the cycle and
keeping the business community in general at risk. "It's a business
decision," says EvidentData's Dembin. "It's not based on
civic-mindedness." One security executive sees it as a resource issue.  
"We may react by getting the FBI involved and eat up vast quantities
of internal and federal law-enforcement and forensic resources," says
the chief information security officer at a large midwest utility.  
"That's resources taken away that could be used to investigate other
serious threats against the infrastructure."

Lamo contends that the threat of prosecution isn't going to make
hackers go away. Some may be deterred, just as some will be deterred
by companies' technical countermeasures. But "you can never eliminate
the threat entirely," he says. He adds that companies may want to
consider being tolerant of actions that may ultimately help them
achieve better security. "There's no point in overtly ignoring one of
the ways you can reduce" security threats, Lamo says, "just because
you might embarrass your company from time to time."

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.