Security Scene Errata

http://www.wired.com/news/technology/0,1282,10713,00.html

Hacker Raises Stakes in DOD Attacks
by James Glave
3:18pm 4.Mar.98.PST

Analyzer said that when he compromises a site's security, he always
leaves a "trojan horse," or back door, that will allow him to return.
He establishes this trojan by leaving a "sniffer" program running.
Such programs capture the keystrokes of a legitimate user, who may
enter passwords or other information for later retrieval by Analyzer.

[A trojan is a program that appears to do one thing, but does something
completely different. A back door is typically a modification of an
existing program which is given an additional 'feature' that allows
future access. These mods are typically as low key as possible, and are
not advertised when the modified program runs. A sniffer does capture the
login and password information of users (as well as all keystrokes sometimes),
but typically logs that information to the local system. So to get to
that information, one must have another way back on to the system.
Mr. Glave is confusing his terms.]

Vranesevich said that he attempted to trace Analyzer in his own chat,
which was going on at the same time as the one between Analyzer and
Wired News, but that the hacker had telnetted, or tunneled, through
13 different servers, and covered his tracks by deleting log files at
each of those boxes.

[There is no way Vranesevich had the authority to legally backtrack through
those 13+ systems. If he did so illegally, are we to believe that he
is such an accomplished hacker that he can target 13 specific sites
like that, and compromise each in a 90 minute time frame? No. So the
claim of '13' is completely fabricated.]

=-= Original Article =-=

Hacker Raises Stakes in DOD Attacks
by James Glave
3:18pm 4.Mar.98.PST

An 18-year-old hacker living somewhere outside the United States claims to have high-level access to
as many as 400 unclassified government and military computer systems, and also claims to be the tutor
of the two California teenagers implicated in recent attacks against federal networks.

An expert on US military computer vulnerabilities said claims made by the hacker, who goes by the
name Analyzer, are plausible.

"[Defense Department Web servers are vulnerable] enough for me to get access to one system," Analyzer
said. "From there, I get the rest."

The hacker communicated with Wired News in a 90-minute interview Tuesday night over Internet Relay
Chat - a global network of real-time chat servers. He said that he has been concerned that the FBI,
in rousting two Northern California teenagers, is targeting the wrong people.

"I just don't want them to hang the wrong person," said Analyzer, who characterized the two youths as
his "students" and said they were merely working from one of his site password lists.

Analyzer declined to disclose his nationality or name, but did state that he is a former computer
security consultant and supporter of the Israeli Internet Underground. Other sources described the
group as a low-profile group of malicious hackers, primarily based in Israel.

Analyzer said that he has obtained root - or administrator-level - access to scores of government Web
servers, including those at Howard Air Force Base in Panama, the NASA Shuttle Web, and Lawrence
Livermore National Laboratory in California.

Further, Analyzer said he had installed "trojans" at the sites, an operation that gives him a
back-door account and the highest-level root access into networks, even after the root password has
been changed. Analyzer used one such trojan when he altered the NetDex ISP site Tuesday and announced
his involvement in the recent attacks.

Analyzer said that he has seen classified materials, which he described only as "research" that he
"didn't bother to read." When pressed for specifics, in another interview, he cited a work schedule
of security guards at a NASA facility that had been carelessly left in a personal directory on a
public Web server.

In several recent interviews, system administrators have stated that sensitive information is usually
physically isolated, or compartmentalized, from public Web servers. Thus, hacking a Web server and
defacing a Web page is not considered a serious breach of classified information.

Inside the DOD Network

The Defense Department is increasingly moving more administrative information - such as personnel
records - online, using a military Intranet called NIPRNET, or Non-Classified Internet Protocol
Network, according to Pam Hess, editor of the Defense Information and Electronics Report.

Hess, who reports on the state of defense-information security for an audience of mostly federal
government personnel, broke the original story on 13 February that prompted John Hamre, deputy
secretary of defense, to disclose that government computers were under attack.

Hess said that NIPRNET is physically separate from the Defense Department's classified network, which
is called SIPRNET, or Secret Internet Protocol Network. It is NIPRNET, the nonclassified network,
that has recently been the subject of the systematic and organized attack, Hess said.

"The military is moving toward a network-centric idea and they are using the Internet as a means of
entering into some of their systems," Hess said. "There are tons of places where you need a login and
an ID to get in, but if you get past that, you are all set."

Hess added that the security of those Web sites has been spotty, because the infrastructure has not
been in place to thoroughly patch security holes in server software.

"The Air Force has recently embarked on an accelerated program to do base network control centers at
all 108 bases," Hess said. "Some of those have around-the-clock monitoring, but most of them don't."

Hess said that some of those bases download their logs, which record all network activity, every 24
hours to the Air Force Information Warfare Center at Kelly Air Force Base. There, a system called
ASIM, for Automated Security Incident Measurement, looks for suspicious activity.

"ASIM doesn't have an automatic alarm capability," said Hess, "but they are working on putting it
in."

Hess said that the process of constantly watching and upgrading security on Defense Department
servers has fallen on the shoulders of low-level system administrators who were essentially enlisted
men, and that no channel has been in place to notify commanders of incidents.

Following the recent incidents, that situation is changing.

"That guy doing the patches now has to answer to somebody," said Hess. "Before they were just kind of
putting [security advisories] on a Listserv, where maybe you noticed it and maybe you didn't."

Military Passwords and Back Doors

John Vranesevich, founder of the computer security group AntiOnline, said that during a separate
interview with Analyzer, the hacker told him that he had obtained a schedule of security guards at a
NASA facility.

In Tuesday's interview, Analyzer furnished Wired News with passwords that he said would gain root
access at various government Web sites. He described his motivation as simply "challenge."

Analyzer said that when he compromises a site's security, he always leaves a "trojan horse," or back
door, that will allow him to return. He establishes this trojan by leaving a "sniffer" program
running. Such programs capture the keystrokes of a legitimate user, who may enter passwords or other
information for later retrieval by Analyzer.

Analyzer said he usually does more good than bad in hacking into site, because he patches security
holes. He said that he usually only draws attention to a site's poor security by, for example,
defacing its Web page, when he encounters a hostile system administrator.

"I hate when [system administrators] trying (sic) to became overconfident ... try to be God," he
added, in broken English.

Last Thursday, deputy secretary of defense John Hamre said that in recent weeks, U.S. government
networks had been the subjects of the most sophisticated and organized attacks to date. The following
day, federal agents descended on the two teens in Cloverdale, California, who use the aliases
Makaveli and TooShort.

Following publication of an interview with Makaveli yesterday, Analyzer came forward to identify
himself as Makaveli's tutor, and challenged investigators to find him.

Vranesevich said that he attempted to trace Analyzer in his own chat, which was going on at the same
time as the one between Analyzer and Wired News, but that the hacker had telnetted, or tunneled,
through 13 different servers, and covered his tracks by deleting log files at each of those boxes.

Finding Analyzer will likely be a tricky proposition - according to Hess, the government has been
looking for him for a long time.

"I am doing my best in hiding," said Analyzer, who added that he fears for his life.

Based on his own Internet Relay Chat conversation with Analyzer, Vranesevich believes that English is
not the hacker's native language.

Analyzer said that federal investigators "usually are clueless," and that eight months ago agents
were looking for him, prior to the current investigation. He added that a friend told him the FBI has
a warrant that possibly includes his alias and photograph.

Authorities may have a hard time catching him in the act, however. Analyzer said that he was about to
retire from his hacking career, "cos i had too much i am bored with it," he said. When asked what he
would do next, he replied that he had not yet decided but that he was considering working for the
"other side."

Earlier in the conversation, Analyzer said that he used to work as a security consultant, but that he
had been fired for breaking into his company's bank accounts.

An FBI spokesperson declined to comment on the investigation.
Check on other Web coverage of this story with NewsBot