http://www.wired.com/news/technology/0,1282,10713,00.html

   Hacker Raises Stakes in DOD Attacks
   by James Glave 
   3:18pm  4.Mar.98.PST
  
   Analyzer said that when he compromises a site's security, he always
   leaves a "trojan horse," or back door, that will allow him to return.
   He establishes this trojan by leaving a "sniffer" program running.
   Such programs capture the keystrokes of a legitimate user, who may
   enter passwords or other information for later retrieval by Analyzer.

[A trojan is a program that appears to do one thing, but does something
 completely different. A back door is typically a modification of an
 existing program which is given an additional 'feature' that allows
 future access. These mods are typically as low-key as possible, and are
 not advertised when the modified program runs. A sniffer does capture the
 login and password information of users (as well as all keystrokes sometimes),
 but typically logs that information to the local system. So to get to
 that information, one must have another way back onto the system.
 Mr. Glave is confusing his terms.]
   
   Vranesevich said that he attempted to trace Analyzer in his own chat,
   which was going on at the same time as the one between Analyzer and
   Wired News, but that the hacker had telnetted, or tunneled, through
   13 different servers, and covered his tracks by deleting log files at
   each of those boxes.

[There is no way Vranesevich had the authority to legally backtrack through
 those 13+ systems. If he did so illegally, are we to believe that he
 is such an accomplished hacker that he can target 13 specific sites
 like that, and compromise each in a 90-minute time frame? No. So the
 claim of '13' is completely fabricated.]


=-= Original Article =-=


   Hacker Raises Stakes in DOD Attacks
   by James Glave 
   3:18pm  4.Mar.98.PST

   An 18-year-old hacker living somewhere outside the United States claims to have high-level access to
   as many as 400 unclassified government and military computer systems, and also claims to be the tutor
   of the two California teenagers implicated in recent attacks against federal networks.
   
   An expert on US military computer vulnerabilities said claims made by the hacker, who goes by the
   name Analyzer, are plausible.
   
   "[Defense Department Web servers are vulnerable] enough for me to get access to one system," Analyzer
   said. "From there, I get the rest."
   
   The hacker communicated with Wired News in a 90-minute interview Tuesday night over Internet Relay
   Chat - a global network of real-time chat servers. He said that he has been concerned that the FBI,
   in rousting two Northern California teenagers, is targeting the wrong people.
   
   "I just don't want them to hang the wrong person," said Analyzer, who characterized the two youths as
   his "students" and said they were merely working from one of his site password lists.
   
   Analyzer declined to disclose his nationality or name, but did state that he is a former computer
   security consultant and supporter of the Israeli Internet Underground. Other sources described the
   group as a low-profile group of malicious hackers, primarily based in Israel.
   
   Analyzer said that he has obtained root - or administrator-level - access to scores of government Web
   servers, including those at Howard Air Force Base in Panama, the NASA Shuttle Web, and Lawrence
   Livermore National Laboratory in California.
   
   Further, Analyzer said he had installed "trojans" at the sites, an operation that gives him a
   back-door account and the highest-level root access into networks, even after the root password has
   been changed. Analyzer used one such trojan when he altered the NetDex ISP site Tuesday and announced
   his involvement in the recent attacks.
   
   Analyzer said that he has seen classified materials, which he described only as "research" that he
   "didn't bother to read." When pressed for specifics, in another interview, he cited a work schedule
   of security guards at a NASA facility that had been carelessly left in a personal directory on a
   public Web server.
   
   In several recent interviews, system administrators have stated that sensitive information is usually
   physically isolated, or compartmentalized, from public Web servers. Thus, hacking a Web server and
   defacing a Web page is not considered a serious breach of classified information.
   
   Inside the DOD Network
   
   The Defense Department is increasingly moving more administrative information - such as personnel
   records - online, using a military Intranet called NIPRNET, or Non-Classified Internet Protocol
   Network, according to Pam Hess, editor of the Defense Information and Electronics Report.
   
   Hess, who reports on the state of defense-information security for an audience of mostly federal
   government personnel, broke the original story on 13 February that prompted John Hamre, deputy
   secretary of defense, to disclose that government computers were under attack.
   
   Hess said that NIPRNET is physically separate from the Defense Department's classified network, which
   is called SIPRNET, or Secret Internet Protocol Network. It is NIPRNET, the nonclassified network,
   that has recently been the subject of the systematic and organized attack, Hess said.
   
   "The military is moving toward a network-centric idea and they are using the Internet as a means of
   entering into some of their systems," Hess said. "There are tons of places where you need a login and
   an ID to get in, but if you get past that, you are all set."
   
   Hess added that the security of those Web sites has been spotty, because the infrastructure has not
   been in place to thoroughly patch security holes in server software.
   
   "The Air Force has recently embarked on an accelerated program to do base network control centers at
   all 108 bases," Hess said. "Some of those have around-the-clock monitoring, but most of them don't."
   
   Hess said that some of those bases download their logs, which record all network activity, every 24
   hours to the Air Force Information Warfare Center at Kelly Air Force Base. There, a system called
   ASIM, for Automated Security Incident Measurement, looks for suspicious activity.
   
   "ASIM doesn't have an automatic alarm capability," said Hess, "but they are working on putting it
   in."
   
   Hess said that the process of constantly watching and upgrading security on Defense Department
   servers has fallen on the shoulders of low-level system administrators who were essentially enlisted
   men, and that no channel has been in place to notify commanders of incidents.
   
   Following the recent incidents, that situation is changing.
   
   "That guy doing the patches now has to answer to somebody," said Hess. "Before they were just kind of
   putting [security advisories] on a Listserv, where maybe you noticed it and maybe you didn't."
   
   Military Passwords and Back Doors
   
   John Vranesevich, founder of the computer security group AntiOnline, said that during a separate
   interview with Analyzer, the hacker told him that he had obtained a schedule of security guards at a
   NASA facility.
   
   In Tuesday's interview, Analyzer furnished Wired News with passwords that he said would gain root
   access at various government Web sites. He described his motivation as simply "challenge."
   
   Analyzer said that when he compromises a site's security, he always leaves a "trojan horse," or back
   door, that will allow him to return. He establishes this trojan by leaving a "sniffer" program
   running. Such programs capture the keystrokes of a legitimate user, who may enter passwords or other
   information for later retrieval by Analyzer.
   
   Analyzer said he usually does more good than bad in hacking into a site, because he patches security
   holes. He said that he usually only draws attention to a site's poor security by, for example,
   defacing its Web page, when he encounters a hostile system administrator.
   
   "I hate when [system administrators] trying (sic) to became overconfident ... try to be God," he
   added, in broken English.
   
   Last Thursday, deputy secretary of defense John Hamre said that in recent weeks, U.S. government
   networks had been the subjects of the most sophisticated and organized attacks to date. The following
   day, federal agents descended on the two teens in Cloverdale, California, who use the aliases
   Makaveli and TooShort.
   
   Following publication of an interview with Makaveli yesterday, Analyzer came forward to identify
   himself as Makaveli's tutor, and challenged investigators to find him.
   
   Vranesevich said that he attempted to trace Analyzer in his own chat, which was going on at the same
   time as the one between Analyzer and Wired News, but that the hacker had telnetted, or tunneled,
   through 13 different servers, and covered his tracks by deleting log files at each of those boxes.
   
   Finding Analyzer will likely be a tricky proposition - according to Hess, the government has been
   looking for him for a long time.
   
   "I am doing my best in hiding," said Analyzer, who added that he fears for his life.
   
   Based on his own Internet Relay Chat conversation with Analyzer, Vranesevich believes that English is
   not the hacker's native language.
   
   Analyzer said that federal investigators "usually are clueless," and that eight months ago agents
   were looking for him, prior to the current investigation. He added that a friend told him the FBI has
   a warrant that possibly includes his alias and photograph.
   
   Authorities may have a hard time catching him in the act, however. Analyzer said that he was about to
   retire from his hacking career, "cos i had too much i am bored with it," he said. When asked what he
   would do next, he replied that he had not yet decided but that he was considering working for the
   "other side."
   
   Earlier in the conversation, Analyzer said that he used to work as a security consultant, but that he
   had been fired for breaking into his company's bank accounts.
   
   An FBI spokesperson declined to comment on the investigation.