http://www.wired.com/news/technology/0,1282,10713,00.html

Hacker Raises Stakes in DOD Attacks
by James Glave
3:18pm 4.Mar.98.PST

Analyzer said that when he compromises a site's security, he always leaves a "trojan horse," or back door, that will allow him to return. He establishes this trojan by leaving a "sniffer" program running. Such programs capture the keystrokes of a legitimate user, who may enter passwords or other information for later retrieval by Analyzer.

[A trojan is a program that appears to do one thing, but does something completely different. A back door is typically a modification of an existing program which is given an additional 'feature' that allows future access. These mods are typically as low key as possible, and are not advertised when the modified program runs. A sniffer does capture the login and password information of users (as well as all keystrokes sometimes), but typically logs that information to the local system. So to get to that information, one must have another way back on to the system. Mr. Glave is confusing his terms.]

Vranesevich said that he attempted to trace Analyzer in his own chat, which was going on at the same time as the one between Analyzer and Wired News, but that the hacker had telnetted, or tunneled, through 13 different servers, and covered his tracks by deleting log files at each of those boxes.

[There is no way Vranesevich had the authority to legally backtrack through those 13+ systems. If he did so illegally, are we to believe that he is such an accomplished hacker that he can target 13 specific sites like that, and compromise each in a 90 minute time frame? No. So the claim of '13' is completely fabricated.]
=-= Original Article =-=

Hacker Raises Stakes in DOD Attacks
by James Glave
3:18pm 4.Mar.98.PST

An 18-year-old hacker living somewhere outside the United States claims to have high-level access to as many as 400 unclassified government and military computer systems, and also claims to be the tutor of the two California teenagers implicated in recent attacks against federal networks.

An expert on US military computer vulnerabilities said claims made by the hacker, who goes by the name Analyzer, are plausible.

"[Defense Department Web servers are vulnerable] enough for me to get access to one system," Analyzer said. "From there, I get the rest."

The hacker communicated with Wired News in a 90-minute interview Tuesday night over Internet Relay Chat - a global network of real-time chat servers. He said that he has been concerned that the FBI, in rousting two Northern California teenagers, is targeting the wrong people.

"I just don't want them to hang the wrong person," said Analyzer, who characterized the two youths as his "students" and said they were merely working from one of his site password lists.

Analyzer declined to disclose his nationality or name, but did state that he is a former computer security consultant and supporter of the Israeli Internet Underground. Other sources described the group as a low-profile group of malicious hackers, primarily based in Israel.

Analyzer said that he has obtained root - or administrator-level - access to scores of government Web servers, including those at Howard Air Force Base in Panama, the NASA Shuttle Web, and Lawrence Livermore National Laboratory in California.

Further, Analyzer said he had installed "trojans" at the sites, an operation that gives him a back-door account and the highest-level root access into networks, even after the root password has been changed. Analyzer used one such trojan when he altered the NetDex ISP site Tuesday and announced his involvement in the recent attacks.
Analyzer said that he has seen classified materials, which he described only as "research" that he "didn't bother to read." When pressed for specifics, in another interview, he cited a work schedule of security guards at a NASA facility that had been carelessly left in a personal directory on a public Web server.

In several recent interviews, system administrators have stated that sensitive information is usually physically isolated, or compartmentalized, from public Web servers. Thus, hacking a Web server and defacing a Web page is not considered a serious breach of classified information.

Inside the DOD Network

The Defense Department is increasingly moving more administrative information - such as personnel records - online, using a military Intranet called NIPRNET, or Non-Classified Internet Protocol Network, according to Pam Hess, editor of the Defense Information and Electronics Report.

Hess, who reports on the state of defense-information security for an audience of mostly federal government personnel, broke the original story on 13 February that prompted John Hamre, deputy secretary of defense, to disclose that government computers were under attack.

Hess said that NIPRNET is physically separate from the Defense Department's classified network, which is called SIPRNET, or Secret Internet Protocol Network. It is NIPRNET, the nonclassified network, that has recently been the subject of the systematic and organized attack, Hess said.

"The military is moving toward a network-centric idea and they are using the Internet as a means of entering into some of their systems," Hess said. "There are tons of places where you need a login and an ID to get in, but if you get past that, you are all set."

Hess added that the security of those Web sites has been spotty, because the infrastructure has not been in place to thoroughly patch security holes in server software.
"The Air Force has recently embarked on an accelerated program to do base network control centers at all 108 bases," Hess said. "Some of those have around-the-clock monitoring, but most of them don't."

Hess said that some of those bases download their logs, which record all network activity, every 24 hours to the Air Force Information Warfare Center at Kelly Air Force Base. There, a system called ASIM, for Automated Security Incident Measurement, looks for suspicious activity.

"ASIM doesn't have an automatic alarm capability," said Hess, "but they are working on putting it in."

Hess said that the process of constantly watching and upgrading security on Defense Department servers has fallen on the shoulders of low-level system administrators who were essentially enlisted men, and that no channel has been in place to notify commanders of incidents. Following the recent incidents, that situation is changing.

"That guy doing the patches now has to answer to somebody," said Hess. "Before they were just kind of putting [security advisories] on a Listserv, where maybe you noticed it and maybe you didn't."

Military Passwords and Back Doors

John Vranesevich, founder of the computer security group AntiOnline, said that during a separate interview with Analyzer, the hacker told him that he had obtained a schedule of security guards at a NASA facility.

In Tuesday's interview, Analyzer furnished Wired News with passwords that he said would gain root access at various government Web sites. He described his motivation as simply "challenge."

Analyzer said that when he compromises a site's security, he always leaves a "trojan horse," or back door, that will allow him to return. He establishes this trojan by leaving a "sniffer" program running. Such programs capture the keystrokes of a legitimate user, who may enter passwords or other information for later retrieval by Analyzer.

Analyzer said he usually does more good than bad in hacking into a site, because he patches security holes.
He said that he usually only draws attention to a site's poor security by, for example, defacing its Web page, when he encounters a hostile system administrator.

"I hate when [system administrators] trying (sic) to became overconfident ... try to be God," he added, in broken English.

Last Thursday, deputy secretary of defense John Hamre said that in recent weeks, U.S. government networks had been the subjects of the most sophisticated and organized attacks to date. The following day, federal agents descended on the two teens in Cloverdale, California, who use the aliases Makaveli and TooShort.

Following publication of an interview with Makaveli yesterday, Analyzer came forward to identify himself as Makaveli's tutor, and challenged investigators to find him.

Vranesevich said that he attempted to trace Analyzer in his own chat, which was going on at the same time as the one between Analyzer and Wired News, but that the hacker had telnetted, or tunneled, through 13 different servers, and covered his tracks by deleting log files at each of those boxes.

Finding Analyzer will likely be a tricky proposition - according to Hess, the government has been looking for him for a long time.

"I am doing my best in hiding," said Analyzer, who added that he fears for his life.

Based on his own Internet Relay Chat conversation with Analyzer, Vranesevich believes that English is not the hacker's native language.

Analyzer said that federal investigators "usually are clueless," and that eight months ago agents were looking for him, prior to the current investigation. He added that a friend told him the FBI has a warrant that possibly includes his alias and photograph.

Authorities may have a hard time catching him in the act, however. Analyzer said that he was about to retire from his hacking career, "cos i had too much i am bored with it," he said. When asked what he would do next, he replied that he had not yet decided but that he was considering working for the "other side."
Earlier in the conversation, Analyzer said that he used to work as a security consultant, but that he had been fired for breaking into his company's bank accounts.

An FBI spokesperson declined to comment on the investigation.