WASHINGTON, DC--A panel of U.S. senators stared in shock as members of a group of "white-hat" hackers calling themselves L0pht Heavy Industries described how they could cripple the entire Internet in 30 minutes, unplug the Federal Reserve from Wall Street, or mangle the global positioning satellite system.

Backing up L0pht's dire warnings to the Senate Governmental Oversight Committee on Monday was a report by the General Accounting Office that was released during the hearing. The report warns of major flaws in Federal Aviation Administration traffic control systems and weaknesses in State Department computers that could give unauthorized access to spies.

"The FAA is ineffective in all critical areas," says the GAO report, and is "in violation of its own [security] policy." The report, unusually blunt for government assessments, says FAA systems lack good physical and computer security and that the FAA is not following its own rules for improving the systems.

The verdict also is bleak for the State Department, where the GAO found that the foreign policy division's computers are "vulnerable to access, change, disclosure, disruption or even denial of service by unauthorized individuals."

L0pht members--who use pseudonyms such as Brian Oblivion, Mudge, Weld Pond, Kingpin, Space Rogue, Stefan Von Neumann, and Tan--told the Senate committee that the Internet was not designed to handle today's multimedia traffic or support vital systems for banking, water, electrical power, and air traffic control.

Last year, the GAO reported there are an estimated 250,000 attempted break-ins on military and government computers each year, and of the small portion that are detected, two-thirds are successful in some way.

Responding to the threat, the Federal Bureau of Investigation launched in February the National Infrastructure Protection Center to coordinate hacking prosecutions. In January, a presidential commission reported that the government needs private industry to help protect its systems and vice versa.

Private companies including Microsoft and Novell occasionally cooperate with freelancers like L0pht to improve their software. "We have a high opinion of L0pht's work," says Ed Muth, a group product manager at Microsoft who develops security for the company's programs.

In one well-publicized success last year, L0pht identified a flaw in Windows NT that made it possible to decode an entire registry of user passwords in 26 hours, a task that Microsoft claimed would take more than 5000 years.

Microsoft incorporated L0pht's suggestions, Muth said. "Computer science attracts a lot of extremely bright people who are interested in pushing the edge, and Microsoft greatly benefits from the positive and helpful attitude of people like L0pht."

L0pht members described some of the methods hackers use.

Kingpin said that relatively inexpensive equipment can capture stray signals emitted by a computer monitor from up to 200 meters away, allowing an eavesdropper to read what is being typed.

Stefan Von Neumann said that users of new high-speed cable-television modems can use encryption to protect their Internet messages, but one misconfigured computer in the ring can "reflect" the entire group's communications to an eavesdropper. L0pht members said a common weakness of banking and power systems is their modem or Internet links designed for emergency repair access. With even fleeting access to such a system, hackers can leave a "trap door" for later access before they are detected.

"Many of the problems that contribute to the lack of security are extremely simple," Mudge said, such as the surprisingly common practice of using the word "password" for a password.

Part of the vulnerability of the Internet to such attacks is the relatively primitive design of the backbone that supports the whole network, he added. Designed in the early stages of the Cold War for scientists and researchers to exchange simple messages and data, "the Internet is being asked to do things it was never designed to do."

Space Rogue said the software industry should adopt the practice regularly used by auto manufacturers of sending a letter to car owners, notifying them of a free recall if a serious flaw is found.

"A software company will try to hide a problem until forced to go public," said Space Rogue.

One of L0pht's tactics is to quietly notify a manufacturer of a problem, and if the company refuses to fix it, to publicize it, posting the problem on its Web site to force the company to fix the problem before malicious hackers exploit the flaw.

One method of curbing the hacking problem that the senators considered is to make manufacturers, which claim their systems are secure, liable for damage done or business lost due to a hacker.

But software makers assert that this is a bad idea. "There is nothing that is truly secure," said Michael Simpson, director of marketing for Novell. "You would see a lot of companies not going into the business to solve problems, and if companies are scared to go into business, that doesn't help anyone."