Information Security News mailing list archives

Midwest Express hackers cause a stir


From: InfoSec News <isn () c4i org>
Date: Thu, 9 May 2002 02:07:47 -0500 (CDT)

http://www.msnbc.com/news/748369.asp?0si=-

By Richard Thieme
THE BUSINESS JOURNAL OF MILWAUKEE
May 6, 2002

The self-proclaimed "Deceptive Duo" that hacked into Midwest Express
Airlines' intranet say their goal was to embarrass the airline, which
is part of the nation's transportation infrastructure and therefore
essential to homeland defense.

THE HACKERS, in an e-mail interview, said penetrating the Midwest
Express computer server - from which they stole customer and user
profiles, names, e-mail addresses, and passwords - was "easy" and the
airline should have a secured site. They said the methods they used
are well-known in the hacker community and most likely similar to
those of terrorists. The incursion was designed to emulate a real
terrorist attack, they said.
      
"It should not be this easy to gain access to supposedly secure
networks," the duo said. "But system administrators are doing exactly
the opposite of what they should be doing."
       
The Deceptive Duo hacked into the Midwest Express server that is
used to test new features for the airline's Web site and then posted
evidence of their break-in on their own Web site and the Web site of
the U.S. Space & Naval Warfare Systems Command.

The identity of the hackers thus far has eluded Midwest Express
management and a Chicago computer security firm the airline hired.  
However, sources confirmed that the parties responding to e-mail
questions from The Business Journal were at the same e-mail address as
the hackers.
       
The hackers did not access or compromise any other data such as
credit-card information, said Lisa Bailey, a spokeswoman for Midwest
Express. The airline's management learned of the security breach April
22, said Bailey.
       
The airline asked the hackers to immediately remove their posting from
the duo’s Web site, and they complied, said Bailey. The Navy removed
the posting as soon as it was detected.

SECURITY CONSULTANTS
       
The airline changed all customer passwords, not just those that were
compromised, and is working with computer security consultants to
evaluate the security of Midwest Express' computer system, Bailey
said.

Midwest Express executives were not particularly embarrassed by the
incident, Bailey said.
       
"But we do realize that the test server was not as secure as we
thought and we are doing whatever we need to do to be sure the
information is secure moving forward," she said.
       
Midwest Express does not plan to prosecute the intruders, but Bailey
noted that government and military sites were also attacked and the
Federal Aviation Administration has indicated its intention to
prosecute. FAA officials could not be reached for comment.

The airline is focused on using the intrusion to strengthen its
security measures.
       
"It is a potential threat for us and our customer data, and we want to
be sure it does not happen in the future," Bailey said. The airline
plans to review its site security continuously, assess vulnerabilities
and change passwords, Bailey said. The hackers offered, via e-mail to
Midwest Express, to assist in fixing the flaws they discovered, but
the airline declined, Bailey said.
       
The hackers said they were motivated to intrude on the sites of
Midwest Express and other corporate and military sites to demonstrate
that the U.S. infrastructure is still vulnerable to terrorists even
after Sept. 11. Midwest Express and other corporate targets were
apparently chosen at random.
       
When asked whether they might achieve their objectives by privately
notifying system administrators of vulnerabilities rather than
boasting of their intrusion on other sites, they said they tried that
with no success.
      
"We've tried subtle ways of informing them, but it seems to take
drastic means before they will realize the severity of this," the
hackers said. "Unfortunately, it takes action to get a reaction."
       
NO CONTACT

Bailey disputed that version of events. She said the hackers did not
contact Midwest Express before posting evidence of their conquest of
the airline's computer system.

"If we'd been contacted prior to posting, we would've obviously acted
very quickly," Bailey said.

The hackers said they entered the Midwest Express server by guessing
right on an elementary security password - they typed a default
password commonly used by Microsoft Corp. The duo merely had to access
the corporate intranet, then enter the default password to gain entry
to the database. The airline uses Microsoft SQL Server as its database
software, they said.
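The article does not say which default password was used. The check below is an added example, not code from the article, from Midwest Express or from the Deceptive Duo; it assumes the default in question is a blank or well-known password on a built-in SQL Server login such as sa, which is what an administrator would audit for after reading the account above. The list of candidate default passwords is constructed for illustration, and the query needs a sysadmin connection to a SQL Server 2005 or later instance.

```sql
-- Added audit example (not from the article). Assumptions: SQL Server 2005+,
-- run as sysadmin, and the "default password" in the story is a blank or
-- well-known password on a built-in SQL login such as sa.

-- Step 1: candidate defaults to test against every SQL-authenticated login.
-- The list is constructed for the example; extend it with your own history.
DECLARE @defaults TABLE (pw NVARCHAR(128) NOT NULL);
INSERT INTO @defaults (pw) VALUES (N''), (N'sa'), (N'password');

-- Step 2: compare each stored hash against each candidate. PWDCOMPARE
-- returns 1 when the clear-text value hashes to the stored password_hash,
-- so any row returned is a login still protected by a default password.
SELECT  l.name,
        CASE WHEN d.pw = N'' THEN N'<blank>' ELSE d.pw END AS matched_default,
        l.is_disabled,
        l.is_policy_checked
FROM    sys.sql_logins AS l
JOIN    @defaults      AS d
    ON  PWDCOMPARE(d.pw, l.password_hash) = 1
ORDER BY l.name;

-- Step 3: remediation for the built-in sysadmin login. Replace the placeholder
-- with a generated random value before running; disabling sa removes the
-- most commonly guessed account from remote reach entirely.
ALTER LOGIN sa WITH PASSWORD = N'<generate-a-long-random-value>';
ALTER LOGIN sa DISABLE;
```

Run step 2 on a schedule rather than once: the story's second finding, that other unauthorized logins may already have been present, is exactly the case a recurring audit of default credentials on every SQL login is meant to catch before someone else does.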
       
The hackers said they found flaws in the server page scripts that
allowed them to view information that should have been accessible only
by authorized Midwest Express insiders. The hackers said they
discovered other unauthorized logins, which suggested that other
hackers may have been there before them.
       
However, Bailey said the airline found no evidence of other hacker
entries or flaws in its server scripts.
       
The duo threatened to continue their strategy for alerting the
guardians of the infrastructure.
       
They said Midwest Express was part of the first stage, which scanned
targets running on Microsoft products for widely known
vulnerabilities. The Department of Defense and other government
agencies need to focus on eliminating known vulnerabilities, they
said. (MSNBC is a Microsoft - NBC joint venture.)
       
"In general, we are telling our targets to do their jobs correctly,"
the hackers said. "Doing a system administration job correctly
includes researching, analyzing and fixing all known vulnerabilities."
       
Next, the duo intends to use more subtle methods.
       
They said they will attack targets on multiple operating systems "with
vulnerabilities that range from the widely known to the little known"
with the goal of controlling software "that a terrorist might use to
advantage."

The third and final leg of their strategy will expose "the most
dangerous but least likely scenarios," said the hackers.
       
Such vulnerabilities are not well known, making them difficult to
defend against in advance, they said.
       
       

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

