Def Con III report Companies face lawsuits for network security lapses By Elinor Mills

September  1995

Mail this article to a friend

Executives focused on keeping costs down are overlooking the need for software that will prevent or minimize the risk of network break-ins, said Robert Steele, who was also a Marine Corps intelligence officer and now does consulting. As a result, those executives will eventually be held liable and stockholders will sue them for failing to secure the networks, he said.

"The value of proprietary information is being eroded," Steele said.

Def Con III is the third annual gathering of tribes in the user, vendor, security, and intelligence communities. The informal mission of Def Con is to discuss computer security issues in an open forum. Approximately 470 attendees visited this year's Def Con.

A spokesman for a company that sells security software said his firm's clients recognize the risk of negligence.

"Corporate executives and officers of publicly traded companies are aware that their fiduciary responsibility extends to protecting their information assets," said Tommy Ward, strategic applications manager for Digital Pathways of Mountain View, CA. "The real assets of America are in electronic storage."

Some companies even go so far as to cover up network break-ins so they won't be fingered, according to Ward who added, "Banks are especially guilty of this."

Interest in security began to surge after the Computer Emergency Response Team, a government-corporate consortium that monitors Internet security, sent out an advisory Feb. 3, 1994, warning users to replace static passwords with one-time passwords, which change with each log-in, because there had been "concerted, massive attacks throughout the world."

"Corporations and organizations are essentially paying lip service to security," said Craig Alesso, marketing director at Secure Computing Corp. in Roseville, MN, which released version 2.0 of its Sidewinder applications-level Internet firewall software the week before the conference.

"Our customers are more concerned about competitors getting information, or mistakes internal users may make" by inadvertently releasing information, Alesso said.

To improve its product, Secure Computing is unofficially enlisting computer hackers, oft-maligned experts at penetrating networks, as beta testers. The company has created a challenge site on the Internet and encourages hackers to break through. Anyone successful -- none to date -- gets bragging rights and an MA-1 flight jacket.

Former CIA spy Steele sees hackers as potential renegade heroes in the quest for network security and said they are a "major national resource" because they force systems administrators to tighten networks.

"Hackers are not the poison, they're the antidote," he told the crowd of mostly hackers. "They're pushing the envelope ... They're making the systems healthier."

Social engineering
At other Def Con III venues, attendees swapped tips on how to crack computer networks and evade arrest, and the keynote speaker discussed the need for maintaining the privacy of individuals via encryption.

The US National Security Agency cites terrorism concerns in favoring inferior technology -- specifically, the Clipper Chip, which gives government officials a key to decrypt encoded data -- over superior technology that enables only the recipient to decrypt data, said Bruce Schenier, an author and president of Counterpane Systems, an Oak Park, Ill., consulting firm specializing in computer security.

As a result, the US government bans the export of products containing any but the weakest encryption software. Such law undermines US businesses, as well as the notion of encryption itself, Schenier said.

"US companies can choose to cripple their products or ignore the international marketplace," he said.

Encryption software must be universally used to be effective, Schenier suggested. "For cryptography to be successful, it has to be ubiquitous, to protect the important and the trivial," he said. "Cryptography is the great equalizer in the world. It makes my stuff just as secure as the government's."

Certain organizations and government agencies are recognizing the benefits of the technology in areas other than electronic mail. The states of Utah, California and Colorado are considering adopting legislation to authorize digital signatures, the Internal Revenue Service is preparing to allow citizens to file tax returns electronically using such signatures and the American Bar Association is drafting model legislation governing encryption, Schenier said.

"Hackers are not the poison,
they're the antidote."

Other countries deal with information privacy differently. In France, citizens accept laws that require them to give police a key to decrypt their data, whereas Canadian officials created a privacy advocacy bureau to make sure that agencies and organizations don't infringe on anyone's right to privacy, he said.

From other parts of the conference:

• Susan Thunder, a self-proclaimed hacker, told the Def Con III crowd how to use social engineering or "psychological subversion" to get passwords and other sensitive information from company employees. Hackers posing as new or temporary employees can be particularly successful, she said. In addition, she recommended dumpster diving, or rummaging through trash, to find out more about a company and its computer system.

  In one possible scenario, Thunder suggested a hacker calling a worker in data processing and asking for a new password, claiming that someone saw it being typed in. The hacker, posing as a worker from data processing, then calls the employee whose password is being used and informs the worker of the new password as part of a routine security measure.

  Conscientious hackers can then mischievously remind employees about the need to guard their passwords. "I get off on giving a little lecture on security while I'm compromising it," she said.

• In a popular session entitled "Hacking Sucks!" Stephen Cobb, an author and consultant who works at the National Computer Security Association, played devil's advocate. Cobb said that hacking is wrong because it violates people's right to privacy, increases the cost of computers and communications, deters computer usage, and is illegal. Listeners politely disagreed, citing the surge in Internet use and instances of unlawful government invasion of privacy.

• In another heavily attended session, self-proclaimed hacker "Deth Vegetable" discussed why "The media sucks!" Vegetable once posted a file to the Internet that explained how to make explosives. Two boys were injured allegedly attempting to follow the recipe ("I don't know how they could have gotten it wrong"), and he was vilified in news reports, he said. Vegetable, who posted his "anarchist writings" a decade or so ago, said he was harassed by CBS for an interview following the Oklahoma bombing in April.

• Celebrities at the conference included a few Hollywood producers, including Larry Lasker, who wrote the screenplays for "Sneakers" and "War Games." The producers were conducting research for a film on hackers that they are plotting. They found plenty of fodder, particularly in the juvenile set. One quick-fingered 14-year-old, tracked down by a private investigator because his parents said he ran away to attend Def Con, would be a natural as "The Littlest Hacker."

  Also enjoying celebrity status was Sun employee Dan Farmer, the creator of SATAN (Security Analysis Tool for Auditing Networks) software that probes Unix networks for security weaknesses.

• Among the activities here were midnight rounds of "Hacker Jeopardy," a hack radio broadcast in which enterprising attendees jammed a local radio station, and a "Spot-The-Fed" contest, in which the keen-eyed winners and their government counterparts received "I spotted the fed!" and "I am the fed!" t-shirts.

• Other features were raffles for a hard drive, a cellular telephone, a package of "HACKS" breath mints from the UK and a set of keys that purportedly unlock a cafeteria on the Microsoft Corp. campus in Redmond, Wash. Lucky attendees also netted software, including Portuguese and Danish language versions of Windows 95 software developer kits, and modems, all of which were thrown into the air throughout the conference.

• A constant theme at the conference was the idea that people, not computers or technology, are the weak link in security. A hacker named Glitch told a friend about lax security at the Las Vegas airport. He described a sign next to a door that gave explicit instructions on how to enter, including the keys to press and a secret four-digit number, a relatively small combination to crack for someone accustomed to breaking complex computer code.

  "It would take me all of five minutes to get in," Glitch said. "That's the thing about most computer stuff. People are stupid!" -- Elinor Mills IDG News Service, San Mateo Bureau

Resources

• Central Intelligence Agency
  http://www.odci.gov/cia
• Clipper Chip discussion
  http://cpsr.org/dox/program/clipper/clipper.html
• Computer Emergency Response Team
  ftp://cert.org/
• Def Con III home page
  http://www.defcon.org/
• National Security Agency
  http://www.nsa.gov:8080/
• National Computer Security Assoc.
  http://www.ncsa.com/
• National Computer Security Resource Clearinghouse
  http://first.org:80/

If you have technical problems with this magazine, contact webmaster@sunworld.com

URL: http://www.sunworld.com/swol-09-1995/swol-09-def.html
Last modified: