New York Hackers: The New Generation
By Arik Hesseldahl

Monday, 20 January 1997: Interview with Comport

"I believe hackers are merely endemic of the real problems that our economic and technical infrastructure face today. Hackers have shown the chinks in the electronic armor. ...They have penetrated the establishment's technocastle and crossed the moat with little resistance. They have shown that the walls that protect our resources are not as solid as the managers of the information would have us believe. ...This is not a defense of hacking activities, but one could certainly make a case that hackers have made us aware of issues about which we might otherwise be blithely ignorant."

— Security Consultant Winn Schwartau in "Information Warfare", 1996.

In contrast to many of his colleagues, Comport has no secrets to hide. His name is Chris Hollander, he lives in Queens, and he is a 20-year-old student at Baruch College, where he has a part-time job as computer systems administrator.

Baruch College is part of the City University of New York. Its computers are on a sub-network of the larger CUNY computer network that gives students, staff and faculty their access to e-mail and the World Wide Web. The system is also the home to several city government Web pages, including those of Public Advocate Mark Green and City Comptroller Alan Hevesi.

Using a simple World Wide Web browsing program, Hollander was able to exploit a weakness in the CUNY system and obtain the passwords of every user on the entire system.

"People make such a big deal over hackers rewriting Web pages. I had the information right there to do just that, and I got it using an elementary hacker attack," Hollander said. He informed his boss of the security bug and it was fixed, but he said such tricks are the sort of thing that hackers cut their teeth on.

The weakness on the CUNY system involved a protocol developed for the Web called CGI (for Common Gateway Interface). It retrieves information stored in a computer database that is constantly being updated or changed, and automatically presents it on the Web, eliminating the need for a human being to type the information in HTML (Hypertext Markup Language), the primary language of Web pages. For example, Web pages that constantly update weather information use CGI to check the latest temperature readings stored on one computer and transfer them to a Web page. The CUNY system also used a program called PHF that allows a user to search the CGI information for specific key words.

"I entered a search on the Alta Vista search engine for pages that use CGI and PHF and it stopped counting at 13,000 systems that are exploitable using that weakness. There's been a security advisory out on that since 1995," he said.

Such a weakness can be used by a hacker to "root the system," which means to achieve root-level access — the highest level of access on any computer system. Ideally, root access is reserved only for senior technicians and system administrators. When a serious technical glitch occurs on a system, root access allows a tech to pinpoint the problem and fix it without first having to jump over security hurdles. Hollander said getting root access to a system is seen as a challenge to many hackers, many of whom never do anything with the privilege once they achieve it.

"The goal is not the pound (#) sign prompt that you get when you gain root. It's the things you do that get you there. ...I've talked to people who root three systems a day. To anyone using an ISP I would say it's not just likely, it's a sure thing that someone has rooted that system. ...Every night someone comes into the chat rooms on IRC (Internet Relay Chat) as root from one of the big service providers," Hollander said.

Michael Erde is head of security for Interport Communications, one of New York's largest ISPs. Interport's business clients include Hearst Publishing, World Wide Diamond Source, S.C. Johnson Wax, Edelman Public Relations, Sotheby's Auction House and The New York Observer. He said that simply appearing as "root" on an IRC channel doesn't prove anything.

"Those users may not have root access at all on that system. They may have just taken advantage of some relatively innocuous hole in the IRC program or something that it interfaces with," he said.

[Figure. Source: Information Week (1996)]

But he did acknowledge that it is not uncommon for service providers to have their systems compromised. He subscribes to an email "mailing list" on which ISP administrators compare notes and solutions to security problems.

"For example on one of the mailing lists I subscribe to, it isn't uncommon for someone to say he suspects or knows he has been rooted, and is seeking help from the members of the list," Erde said.

And if rooting is as common as Hollander claims, is it something that ISPs try to hide from their customers? Erde doesn't think so.

"Most ISPs are traditionally tight-lipped on security stuff because they don't want to invite hack attempts," he said.

Erde was the only representative of a New York ISP to return messages for this story. Representatives at Panix and Internet Channel did not return phone and e-mail messages.

"I can understand why people don't want to discuss this type of stuff. To be honest, I only do it grudgingly," he said.

While a growing number of government and private organizations are relying increasingly on the Internet and organizational intranets to exchange important information and carry out other vital business functions, studies are showing an almost shocking lack of computer security measures.

A 1996 survey of 1,300 information security officers conducted by the trade magazine Information Week and Ernst and Young Information Security found that more than half of the companies surveyed suffered a financial loss related to lapses in information security during the previous two years. More than one-quarter of those companies said their losses amounted to more than $250,000, and in some cases $1 million or more.

  • 63 percent of the respondents attributed the losses to computer virus outbreaks;
  • 33 percent cited malicious acts by disgruntled employees or former employees;
  • Only 17 percent of the companies surveyed blamed the losses on people from outside the company.

[Figure. Source: Information Week (1996)]

Of the companies that monitor Internet activity inside and outside their organization, one-quarter reported they had experienced attempts to break into their systems via the Internet.

Statistics like this are no surprise to Hollander. "Everyone and their mother is putting a box on the Internet these days and they have no reason to be there. There are so many bugs in Unix besides PHF. If they just install the Unix software straight out of the box and don't even bother to look at what they're installing on their system, they're just opening the door to an attack. That is where 90 percent of the security holes come from, people installing things and not knowing what they're doing," he said.

Information security lapses in the corporate world are exactly the kind of thing that Winn Schwartau, president of Interpact Inc., a Florida-based electronic security firm, and editor of the book "Information Warfare" is trying to educate people about. Schwartau said that despite the capabilities of some hackers, they are not the menace that some people would like to believe.

[Image: Winn Schwartau, Author, Information Warfare]

"Hacking is good. It has contributed immeasurably. Hackers are an early-warning system for cyberspace, and most people have no clue what is really going on. If you look at what these teenagers are able to do with no money and a typical home computer, then take that capability, put behind it some kind of financial or political agenda, then you've suddenly got some serious problems," he said.

One contributor to Schwartau's book, Michael Devost, goes so far as to suggest that some hackers should be embraced as a national resource. Devost described one case in which a hacker, while looking for the credit history of former President Ronald Reagan, discovered one individual credit card held by 700 people, each of whom had no credit history. He soon realized that he had found the names and addresses of people in the Federal Witness Protection Program, and promptly informed the FBI of the security hole.

Schwartau said he talked several FBI agents into giving a presentation at a recent hacker convention in Las Vegas. "By and large the crowd loved it. The question most often asked of the guys was 'Can I work for you?' I think that many of the better hackers, not the wanna-bes, but the really good hackers want security jobs. ...The most common way that security administrators are hired in the private sector is the 'Hey you method.' They find people within the organization who really don't know anything, and put them in charge of computer security," he said.

