From: believer@telepath.com Subject: IP: Hackers-turned-consultants see business boom Date: Sat, 19 Sep 1998 11:53:29 -0500 To: believer@telepath.com Source: Fox News - AP On guard now, hackers-turned-consultants see business boom 11.00 a.m. ET (1501 GMT) September 19, 1998 By Chris Allbritton, Associated Press NEW YORK (AP) — The hacker calling himself Mudge pushed his long hair back, scratched his beard and stared at the computer screen. He knew there was something wrong with the data traffic he was watching, but what was it? A week earlier, Mudge and his fellow hackers in their hangout known as the L0pht — pronounced "loft'' — had acquired some software that was supposed to let computers talk to each other in code. But as Mudge watched the data he realized someone else was doing the same and maybe even decoding it, which shouldn't happen. "So you are saying that you're using DES to communicate between the computers?'' Mudge recalled asking representatives of the software maker. Yes, they said, they were using DES, a standard encryption method that for years was considered virtually uncrackable. But this wasn't DES, thought Mudge. It's almost as if... Whoa. He blinked and felt the adrenaline kick in. This wasn't secure at all. In fact, the encoding was only slightly more complex than the simple cyphers kids did in grade school — where "A'' is set to 1, "B'' is set to 2, and so on. The company was selling this software as a secure product, charging customers up to $10,000. And yet, it had a security hole big enough to waltz through. Instead of exploiting this knowledge, Mudge confronted the company. "You realize there isn't any secure or 'strong' encoding being used in your communications between the computers, don't you?'' he asked. "Well...'' "And that you claimed you were using DES to encrypt the data,'' he pressed. "That will go in the next revision.'' Mudge is a "real'' hacker — one who used to snoop around the nation's electronic infrastructure for the sheer love of knowing how it worked. His kind today are sighted about as often as the timberwolf, and society has attached to them the same level of legend. Like the wolf, they were once considered a scourge. Law enforcement and telecommunication companies investigated and arrested many of them during the late 1980s and early '90s. Today, many elite hackers of the past are making a go at legitimate work, getting paid big bucks by Fortune 500 companies to explore computer networks and find the weak spots. And none too soon. The void left by the old hackers has been filled by a new, more destructive generation. So today, Mudge — who uses a pseudonym like others in the hacker community, a world where anonymity keeps you out of trouble — wears a white hat. As part of L0pht, the hacker think tank, he and six comrades hole up in a South End loft space in Boston and spend their evenings peeling open software and computer networks to see how they work. When they find vulnerabilities in supposedly secure systems, they publish their findings on the World Wide Web in hopes of embarrassing the companies into fixing the problems. A recent example: They posted notice via the Internet of a problem that makes Lotus Notes vulnerable to malicious hackers. A Lotus spokesman said the company was aware of the flaw but it was extremely technical and unlikely to affect anyone. The hackers at L0pht have made enemies among industry people, but they command respect. They were even called to testify before the U.S. Senate Committee on Governmental Affairs in May. Why do they publish what they find? "If that information doesn't get out,'' Mudge replies, "then only the bad guys will have it.'' The "bad guys'' are the hacker cliche: secretive teen-age boys lurking online, stealing credit card numbers, breaking into Pentagon systems, and generally causing trouble. One of L0pht's members, Kingpin, was just such a cad when he was younger, extending his online shenanigans to real-world breaking and entering. Today, L0pht keeps him out of mischief, he said. "We're like midnight basketball for hackers,'' said Weld Pond, another member. Malicious hacking seems to be on the rise. Nearly two out of three companies reported unauthorized use of their computer systems in the past year, according to a study by the Computer Security Institute and the FBI. Another study, from Software AG Americas, said 7 percent of companies reported a "very serious'' security breach, and an additional 16 percent reported "worrisome'' breaches. However, 72 percent said the intrusions were relatively minor with no damage. American companies spent almost $6.3 billion on computer security last year, according to research firm DataQuest. The market is expected to grow to $13 billion by 2000. Government computers are vulnerable, too. The Defense Department suffered almost 250,000 hacks in 1995, the General Accounting Office reported. Most were detected only long after the attack. This is why business booms for good-guy hackers. Jeff Moss, a security expert with Secure Computing Inc., runs a $995-a-ticket professional conference for network administrators, where hackers-cum-consultants mingle with military brass and CEOs. "I don't feel like a sellout,'' said Moss, who wouldn't elaborate on his hacking background. "People used to do this because they were really into it. Now you can be into it and be paid.'' News reports show why such services are needed: — Earlier this month, hackers struck the Web site of The New York Times, forcing the company to shutter it for hours. Spokeswoman Nancy Nielsen said the break-in was being treated as a crime, not a prank. The FBI's computer crime unit was investigating. — This spring, two California teen-agers were arrested for trying to hack the Pentagon's computers. Israeli teen Ehud Tenebaum, a k a "The Analyzer,'' said he mentored the two on how to do it. The two Cloverdale, Calif., youths pleaded guilty in late July and were placed on probation. — Kevin Mitnick, the only hacker to make the FBI's Ten Most Wanted list, was arrested in 1995, accused of stealing 20,000 credit card numbers. He remains in prison. A film called "TakeDown,'' about the electronic sleuthing that led to Mitnick's capture, is in the works. Comments protesting Mitnick's prosecution were left during the hack of the New York Times Web site. — In 1994, Vladimir Levin, a graduate of St. Petersburg Tekhnologichesky University, allegedly masterminded a Russian hacker gang and stole $10 million from Citibank computers. A year later, he was arrested by Interpol at Heathrow airport in London. "Lemme tell ya,'' growled Mark Abene one night over Japanese steak skewers. "Kids these days, they got no respect for their elders.'' Abene, known among fellow hackers as Phiber Optik, should know. He was one of those no-account kids in the 1980s when he discovered telephones and computers. For almost 10 years, he wandered freely through the nation's telephone computer systems and, oh, the things he did and saw. Celebrities' credit reports were his for the taking. Unlimited free phone calls from pilfered long-distance calling card numbers. Private phone lines for his buddies, not listed anywhere. And the arcane knowledge of trunk lines, switches, the entire glory of the network that connected New York City to the rest of the world. But Abene's ticket to ride was canceled in January 1994, when, at age 22, he entered Pennsylvania's Schuylkill Prison to begin serving a year-and-a-day sentence for computer trespassing. The FBI and the Secret Service described him as a menace. The sentencing judge said Abene, as a spokesman for the hacking community, would be made an example. © 1998 Associated Press. All rights reserved. ----------------------- NOTE: In accordance with Title 17 U.S.C. section 107, this material is distributed without profit or payment to those who have expressed a prior interest in receiving this information for non-profit research and educational purposes only. For more information go to: http://www.law.cornell.edu/uscode/17/107.shtml ----------------------- ********************************************** To subscribe or unsubscribe, email: majordomo@majordomo.pobox.com with the message: (un)subscribe ignition-point email@address ********************************************** www.telepath.com/believer **********************************************