The Art of Information Warfare -- Introduction to the Bad Guys

Commercial, public, and government infrastructures are at risk of an "Electronic Pearl Harbor." In 1997, the vulnerability of government computer systems was demonstrated in Operation ELIGIBLE RECEIVER. During this exercise, thirty-five hackers hired by the National Security Agency launched simulated attacks on key DoD information systems. Among their actions, the hackers obtained superuser access to over 36 computer systems using easily available techniques and tools. ELIGIBLE RECEIVER highlighted the poor security practices used in DoD computer systems and the DoD's inability to detect, assess, and respond to intrusions in a timely manner.

There have been scare tactics for years. Is all this real, or is it just an attempt to increase the budgets of certain agencies within the U.S. Government? It's a little of both, of course. The important thing is that there IS a threat, and that we are uniquely positioned to answer that threat.

Are there malicious hackers waiting inside every cyber cafe for the chance to break into the DOD?
Is every foreign government employing 19-year old "hobbyists" to penetrate our most secure installations?
Where is the real danger?

Our Opportunity is Now

We are uniquely positioned within the Defense (and Other) industry to offer solutions. After surveying the field for competition a short while ago, I discovered that there is not only a desperate need to protect against actual (as opposed to perceived) threats, but that there are very few entities capable of fulfilling the claims that they make on their websites and at conferences.

The market for Intrusion Detection Systems and for Penetration Testing is so large that even if all the companies making claims could fulfill them, there would still be only about 10% of the bodies necessary to do the work. Let's start with a few definitions.

In years past, the computer underground was a scattered group of people, a few here and a few there, mostly joined together via various bulletin boards and mailing lists. Seven years ago, the granddaddy of all underground conferences got its start. A young bulletin board operator, Jeff Moss (aka Dark Tangent, or DT), decided to have a big blow-out in Las Vegas, where all the folk who'd been on the bulletin board could get together, swap stories, and finally meet in person.

In July 1999, I attended the seventh of these conferences, where I was less frightened than in years past, and more impressed with the fact that even breaking into computer systems has become big business. But don't think that hiring the bad boys is always a good thing.

In 1998, things became more interesting. The big splash of the conference was Back Orifice, a Trojan horse aimed at WinTel machines. The promise at the time was that Windows NT support was just around the corner, but it took until this year for that to happen. Back Orifice, a play on the Micro$oft product Back Office, is a trojan that gives the person on the other end absolute control of your computer. It (like many others, including NetBus) grants no privileges beyond those of the tools system administrators already use to administer NT/98/95 machines, except that an administrator is probably not the one who installed it for you. However, just like anything else, it doesn't get there without the user making a mistake.

Most people believe that viruses are the big danger, but it's been my experience that the biggest problems with viruses have been the hoaxes, which take up far more time and resources than any actual virus I know of.

The biggest problems today are general exploits against buggy operating systems, not viruses, and not even trojans. If you can directly exploit a known problem in an operating system, you don't need any help from the user. You are just in. Recently, this past December, a survey of most of the Internet was run, and the number of machines vulnerable because of unpatched bugs and other simple configuration errors showed that most vulnerable systems are vulnerable through naivete and poor planning.

When you look at the field of possibilities, the view never ends. I maintain a page of interesting sites, with commentary, and the updates never end. Just look at the number of sites that are affiliates of Hacker News Network -- wow, that's a lot of sites!

Remember that script kiddies represent 1,000 pairs of hands for every accomplished hacker writing code or publishing information on exploits. To that end, we are proposing a multi-year effort whose main thrusts will be to offer answers where we can, and when we can.


shrdlu AT deaddrop DOT org

Last modified: Sun Oct 31 20:57:34 PST 2004