[ISN] So Many Worms, So Little Info

From: InfoSec News (isnC4I.ORG)
Date: Wed Apr 11 2001 - 02:11:40 CDT


http://www.wired.com/news/technology/0,1282,42945,00.html

by Farhad Manjoo
2:00 a.m. Apr. 10, 2001 PDT

SAN FRANCISCO -- Almost every day, Internet news sites break stories
about newer and ever-more-dangerous breaches in computer security. But
unless the story involves a virus named after a good-looking tennis
star, it probably won't make the national news.

This worries Kevin Poulsen, a former hacker who now works as the
editorial director of SecurityFocus.com. He was one of the speakers at
the RSA Conference, a gathering of security professionals being held
here this week.

Poulsen said that because several of the biggest hacking stories don't
make the headlines, the public is mostly ignorant about what's been
hacked, and what companies are doing to bolster security.

He cited last June's hack of the University of Washington Medical
Center -- in which the admissions records of 4,000 hospital patients
were stolen -- as a story that didn't make as big a media splash as it
should have.

"The hospital didn't report the hack," Poulsen said, "and since law
enforcement wasn't notified, nobody knew about it until the hacker
himself contacted me. He was frustrated that they weren't doing
anything to track him down."

That's one of the problems in the world of computer security: Many
companies aren't inclined to report break-ins. Poulsen said that in
some instances companies don't know the extent of the damage, and thus
aren't even sure it's a serious enough breach to be reported to the
authorities. Other times, companies just might not want the negative
publicity.

After he reported the story on SecurityFocus many months after it had
occurred, other media picked it up, but they missed the most important
aspect, Poulsen said: "If it hadn't been for the hacker, we wouldn't
have known anything. There could be any number of similar situations
that we don't know about."

But there has been relatively little press on this silence of the
hacked, said Poulsen.

There have also been few stories on hackers who have tried to take
over entire pieces of network infrastructure, like the electric grid
or the phone system. In the mid-1990s, for example, a group of hackers
called the "Phonemasters" stole thousands of calling card numbers and
broke into the systems that route telephone calls.

They managed to break into the Equifax credit-reporting databases, and
also got access to the power grid and the air-traffic control system.

"And since so many things are done through the phone system, these
kinds of hacks can be very dangerous," Poulsen said. "And even if your
computer security is very good, you can't do very much without
electricity -- as you guys in California are finding out." The
Phonemasters case was only reported as it neared its very last stages
-- after the FBI spent four years hunting down the group and the
hackers had been convicted.

Another trend that has gone largely unreported is how easy it is to
bring down computer networks these days. Tech sites have spent a lot
of virtual ink on stories about virus-making kits like the VBS Worm
Generator, but the national media haven't noted the situation.

"(Hackers) are producing very clean, easy-to-use interfaces -- and
these interfaces are making hacking look legitimate," Poulsen said.
New applications like SubSeven and Share Sniffer put a nice face on
breaking into other people's computers, and Poulsen fears that the
clean image could make cracking a kind of national sport.

"I was at a conference last year where they were showing a robot that
painted graffiti on the sidewalk," Poulsen said. "(The exhibitors)
would grab passersby and give them a chance to try it -- and they
found that more than half of these people who wouldn't otherwise do
graffiti would write with this robot. That's because the effect of
what they were doing was masked by the interface."

Now, it's pretty clear why some computer security stories -- like the
Anna Kournikova virus -- make headlines, while most equally important
stories are ignored: They're not very sexy.

Poulsen noted that in Hollywood and on TV, computer experts are still
treated as side-show freaks, and another under-reported story is that
most shows and films about hackers are pretty bad.

"They made a movie about Kevin Mitnick, which wasn't released in the
U.S. I had to go to Amazon.fr to get a DVD of it. And I have to say --
they made the right decision in not releasing it here," he said.

ISN is hosted by SecurityFocus.com