Recently, as headlines all around the world reported yet more spectacular hacking attacks by the LulzSec and Anonymous groups, we all started to wonder – can data security and personal privacy really exist on the network? If the Pentagon, the CIA, and global corporations like Sony – which have enough money and huge teams of specialists to protect confidential information – cannot feel safe, then who can?
You surely remember Kevin Mitnick. He was formerly the most wanted computer criminal in United States history and was the subject of two movies and dozens of books. But actually he did not do anything spectacular, so all the fuss surrounding his arrest now seems like a storm in a teacup in comparison to the arrogant attacks we observe today. When most programmers speak about hackers’ feats, they often express more admiration for their infiltration skills than outrage at the consequences. That is, of course, until their own organization becomes the target of an attack. That is why admins seem to be a bit more reserved…
So this raises the question: do we consider hackers criminals, or rather heroes?
Is it because most of the famous hacks were generally done in the name of some “big” idea, not for personal gain? If you look back in time you will notice that the most spectacular attacks were carried out in the name of free speech, like the Anonymous hacker group vs the Church of Scientology, or to fight corporate dominance, as LulzSec does, or just to show the weak points in systems to help companies fix them. So from the image of malicious and ruthless geniuses they are suddenly transformed into warriors for justice and heroic “hacktivists”. In this scenario, who is wearing the “black hat”, and who the white one? If we look closely at the most famous past and recent hacker attacks, will we be able to say that the ends justified the means?
So do you know how expensive someone’s curiosity or fun can be?
In 1999, after Jonathan James’ intrusion we all learned that even servers of the United States Department of Defense cannot be safe. This sixteen-year-old boy installed a backdoor into a Defense Threat Reduction Agency server and broke into military computers. Jonathan intercepted thousands of confidential messages, log-in information, and $1.7 million worth of software belonging to NASA that controlled the living environment on the International Space Station. It seems impossible, but yes – he really did it! This destructive attack caused NASA to shut down their computer network for over three weeks. Checking and repairing the system cost NASA $41,000! This was what can be described as unauthorized access to resources – an admin’s worst nightmare.
What for one man is a nightmare, for another can be an amusement!
The Yahoo! administrators were certainly convinced of this when in 2000 a teenager called MafiaBoy carried out a distributed denial-of-service (DDoS) attack resulting in the complete shutdown of their servers for several hours. Calling it the “Rivolta” project, MafiaBoy (a.k.a. Michael Calce) also attacked the servers of CNN, eBay, Dell, and Amazon and grounded them too. Mind you, back then Yahoo! was the most popular search engine and the second most popular website on the internet, which puts into perspective how damaging this attack was. The losses incurred as a result of his attacks were estimated at over $1.7 billion! Why did he do it? He claimed that he had had enough of Yahoo!’s domination of the internet. So fortunately for Yahoo!, Google acquired this position a long time ago…
Curiosity killed the cat… and 2,000 computers for 24 hours!
You probably never suspected that even UFOs could be the reason for an attack on your server. So you will be surprised! Between February 2001 and March 2002, a 40-year-old systems administrator performed the biggest military computer hack of all time! Gary McKinnon – known as “Solo” – broke into 97 US Army, Navy, Air Force, and Department of Defense computers, as well as 16 computers at NASA. The US authorities say he deleted critical files from operating systems, which shut down the US Army’s Military District of Washington network of 2,000 computers for 24 hours, and deleted US Navy weapons logs. “Solo” was also accused of copying data, account files and passwords onto his own computer. The reason he gave authorities for the attacks? A desire to obtain evidence for the existence of UFOs and super technologies hidden from the public. His actions resulted in losses amounting to $700,000 – which included the cost of tracking and correcting the problems. But what is the most intriguing part of this story? He claimed to have found what he was looking for…
We don’t have to look much farther for another important security lesson. In February of 2002, a man known as the “Homeless Hacker”, Adrian Lamo, sat at a Kinko’s copy shop exploring The New York Times’ database on his eight-year-old Toshiba. Once inside, he found a very sensitive list of personal information about contributors and op-ed writers. The list included a lot of celebrities and several important people such as UN weapons inspector Richard Butler and former National Security Agency head Bobby Inman. He was able to see their phone numbers, home addresses, payment history, and even the personal notes about their experience and editorial temperament. Lamo also got access to The New York Times’ LexisNexis account. Fortunately for the NY Times he didn’t delete this important data, but just added himself to the list of experts… giving his full name and cell phone number. He also wrote about his credentials in the ‘expertise’ column: “computer hacking, national security, communications intelligence”.
Why did he do it? He said that he just wanted to show how easy it was…
Is it still a cold cyberwar?
Another amazing demonstration of his power came when this (then 20-year-old) hacker, who had already carried out attacks on companies like AOL, Excite@Home, Yahoo! and Microsoft, broke into WorldCom. Lamo found the keys to WorldCom’s resources on open internet proxy servers. There he found the WorldCom human resources system with a list of names and matching social security numbers for 86,000 employees. Having this access, he was able to change an employee’s password and access his or her payroll records, including information like their salary, bank account numbers, emergency contacts and direct deposit instructions. But, most importantly, this access gave him the possibility to modify the employee’s bank account and send their paycheck to his own account. Fortunately he didn’t… but what if?
This year, the hacker group Anonymous wasn’t so gracious to Sony. As a result of Sony’s legal action taken against a hacker called GeoHot, who was accused of breaking into the PlayStation Network, Anonymous announced what we can surely describe as a cyberwar in protest over this lawsuit. As a result of the “oopsony” attacks, the personal data of 100 million registered users of the Sony PlayStation Network was stolen and Sony was forced to shut down the services for a long time to check and fix the system. Sony admitted that 12.3 million account holders had credit card information on the system, including 5.6 million in the U.S., which caused a real panic among PSN players all around the world. But even the service outage itself was very destructive. During the downtime 77 million registered users of the network were not able to get access to their accounts, buy any movies and games and, of course, play online.
There is always someone who will need your DATA!
And it does not matter whether we are dealing with someone else’s curiosity, fun or revenge. Nowadays information is the most precious commodity and a powerful weapon against people and companies. So how can we still ignore the dangers lurking on the network? Can anyone afford it? And does anyone still believe that a firewall is enough of a barrier? Of course, every security professional will say that there is no unbreakable code, and you cannot be sure that 100% of your system is secure. Therefore, every factor which increases data safety in the face of danger should be welcomed. When you go on vacation, and you close all the doors and lock all the locks, you don’t leave an open window in the basement, right? So why do most companies just set up firewalls and hope that data will be safe while their employees have unrestricted and unprotected access to corporate resources? It should be a standard, but in most companies data is not shared in a secure way. It’s surprising, but such great tools as the secure protocols FTPS, SFTP or HTTPS are still mainly used by banks. And what about tools like WORM (write once, read many) storage, which can protect us in case somebody deletes crucial information?
Most of the above-described hackers admitted that they were shocked at how easily they got into a corporate network. Sometimes just a small gap – like a basement window slightly open – allowed them to easily penetrate the entire system and cause great harm. McKinnon (Solo) said that he found many machines without appropriate password or even firewall protection. So, he simply broke into them… Unfortunately the option of authorized access to drives and resources is still not used by many companies. With a bit of smarts, a fifteen-year-old computer maniac can quickly turn that against them!
But now everyone’s gaze is shifting to Facebook after the newest statement from Anonymous. After the attacks on Sony they don’t seem to be resting on their laurels, and they announced that on November 5th the biggest social network “will be destroyed”. A few days later Anonymous denied that they really intend to do this… but is there anyone who still doubts their ability to do it?