Cyber Eye: Motive's murky, but the message is clear
- By William Jackson
- May 30, 2002
There is some dispute about the motives of two hackers who have been assaulting government computer systems this spring.
The Deceptive Duo boasts that they break into government and private databases in the name of national security, forcing fixes by drawing attention to weaknesses.
Observers suspect they are trying to sell security services or just seeking publicity.
Whatever the motive, the message is clear: Too many systems are still compromised by vulnerabilities that should have been patched long ago. These guys aren't rocket scientists. They log on to servers using default passwords and break in with brute-force attacks.
According to www.zone-H.org, a mirror site that tracks Web site defacements, the Deceptive Duo vandalized 52 sites between April 21 and May 5. Five sites were in .mil domains and 10 in .gov. Victims included the Geological Survey, the Energy Department's Sandia National Laboratories, and the Navy's Space and Naval Warfare Systems Center.
Defacing a Web site is a low-level hack stunt that earns scant respect from peers. But the duo added a twist. They claim to have broken into the sites' associated databases and posted the purloined data or system information as proof of their exploits. Some of the data apparently is at least sensitive if not classified, such as personnel records (including Social Security numbers) from the Naval Reserve.
The duo says they target critical infrastructure sites in both public and private sectors to demonstrate the low level of security. "This proves that we are all still vulnerable even after 9-11," they say in their postings. "Tighten security before a foreign attack forces you to."
The language is self-important. The advice, however, is solid.
The FBI and the SANS Institute of Bethesda, Md., have posted a list at www.sans.org/top20.htm of the top 20 security holes that, if plugged, could end such attacks.
Documenting large systems and keeping the documentation up to date is never easy. What network services are turned on that shouldn't be? What security patches are missing? Take the time to find out, or there's a good chance the Deceptive Duo or somebody else will do it for you.
If you're lucky, your agency will only be embarrassed.
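One way to answer the column's first question, "What network services are turned on that shouldn't be?", is to compare what a host is actually listening on against a written baseline for its role. The script below is an added example, not part of the column: it parses constructed lines in the style of `ss -tulnp` output (the sample hosts, ports and process names are assumptions) and reports every listener the baseline does not allow.

```python
"""Audit listening TCP/UDP sockets against a per-host baseline (added example)."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample formatted like `ss -tulnp` output; not from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("httpd",pid=1010,fd=4))
tcp   LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("in.telnetd",pid=1300,fd=3))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=1401,fd=6))
"""

# Assumed baseline for a public web server: only these (proto, port) pairs may listen.
WEB_SERVER_BASELINE = {("tcp", 22), ("tcp", 80), ("tcp", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(text: str) -> list[Listener]:
    """Parse the ss-style table; the first line is the header and is skipped."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:  # blank or truncated line
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")  # works for IPv4 and [::] forms
        listeners.append(Listener(proto, addr, int(port), fields[6]))
    return listeners


def find_unexpected(listeners: list[Listener], baseline: set) -> list[Listener]:
    """Return every listener whose (proto, port) is absent from the baseline."""
    return [l for l in listeners if (l.proto, l.port) not in baseline]


if __name__ == "__main__":
    for l in find_unexpected(parse_ss(SAMPLE_SS_OUTPUT), WEB_SERVER_BASELINE):
        print(f"UNEXPECTED {l.proto}/{l.port} on {l.addr}: {l.process}")
```

On the sample above the report names the database, telnet and SNMP listeners, which is exactly the kind of exposure the column says gets exploited with default credentials; the baseline file, not the script, is where the real work lives.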
William Jackson is a senior writer of GCN and the author of the CyberEye blog.