May 8, 1998
Recent cyber-attacks on the Pentagon have drawn worldwide attention to hackers. NewsHour correspondent Tom Bearden reports on today's cyber-threat.
COMPUTER: Shall we play a game?
ACTOR: Love to. How about global thermonuclear war?
TOM BEARDEN: That was Hollywood's nightmare back in 1983: A hacker breaks into a Pentagon computer and nearly starts a nuclear war.
ACTOR: Donnelly, take us off full alert. Somebody's playing a game with us.
TOM BEARDEN: This is the 1998 reality.
Cyber-attacks on the Pentagon.
JOHN HAMRE, Deputy Secretary of Defense: Back in the first part of February we started seeing unusual activity, where it was more systematic, and it--and it appeared to be more sophisticated.
TOM BEARDEN: Deputy Secretary of Defense John Hamre was worried about hackers who were attacking 11 unclassified computer systems at U.S. military bases and at a nuclear weapons research lab. The Defense Department said no classified systems were compromised, and the movie fantasy was never in danger of happening for real. Even so, the Pentagon was preparing to launch an attack on Saddam Hussein, and Hamre and others wondered if the computer attacks were connected to Iraq.
JOHN HAMRE: It's not immediately obvious where it's coming from. And these routes can go overseas multiple times, and so it gets very confusing initially. We--it took us a good deal of effort to try to track down.
TOM BEARDEN: On February 25th, as Hamre went public with his concerns, FBI agents conducted a highly publicized raid on the homes of two California teenagers alleged to be responsible for the Pentagon attacks and later followed the trail all the way to Israel, where three more teenagers were put under house arrest. A week after the Pentagon announced the attack on its computers thousands of university users across the country were tormented by a hacker assault that caused their machines to crash. Jeff Schiller is head of network security at MIT.
JEFF SCHILLER, MIT Network Manager: Although this particular attack was an inconvenience, it represented the ability. You know, it was like almost to say we can take you out anytime we want.
L0pht - A hackers think tank.
TOM BEARDEN: The hacker community found all the hoopla pretty amusing. This is the loft--L0pht in Internet terms and a real loft in an industrial building in Boston. Seven young men rent the space, which is crowded with discarded computers they retrieve from dumpsters at MIT and put back into working order. They spend their working days as computer professionals, then gather at night to push the envelope.
L0PHT HACKER: We all basically do the exact thing 9 to 5 or 8 to 6 or whatever.
TOM BEARDEN: So what do you do at 6 to midnight?
STEFAN VON NEUMANN, L0pht HACKER: It's the off hours. It's the time spent here that we can push what we stumbled upon to a limit, to the extreme.
TOM BEARDEN: They've been described as a hacker think tank, brilliant crypto crackers and much worse. They do it mostly for the challenge, and what they've ferreted out is sometimes startling. They are proudest of creating software that exposes security flaws in Lotus software and Microsoft's most sophisticated operating system. They can also read private pager messages and intercept supposedly secure police communications, systems that are assumed to be encrypted. As for the Defense Department's computers, L0pht says the Pentagon knew about the vulnerability of its systems months before the attack.
WELD POND, L0pht Hacker: The thing that happened at the Pentagon, I mean, this thing was discovered by a hacker, was put up on a hacker Web site called Root Shell. Everyone in the world could download it. And it still, months later, the Pentagon didn't fix the problem.
HACKER: It's not tough. There are so many machines out there that are just wide open on the network.
TOM BEARDEN: Apparently, it's not too tough to commit crimes on those wide open networks either. The crimes range from simple mischief, like crashing operating systems, to credit card heists, to disabling airport control towers. Hackers in Russia even managed to steal $10 billion from Citibank.
JANET RENO, Attorney General: Because of its technological advancements, today's criminals can be more nimble and more elusive than ever before. If you can sit in a kitchen in St. Petersburg, Russia, and steal from a bank in New York, you understand the dimensions of the problem.
The government organizes a response.
TOM BEARDEN: Until recently, there was no coherent federal strategy to deal with violations of computer security. Each agency acted independently. The government is now beginning to organize a response. Attorney General Janet Reno recently announced the creation of the National Infrastructure Protection Center, or NIPC, housed at FBI headquarters. Its mission is to protect the computers that control the nation's critical infrastructures, like transportation, banking and finance, telecommunications, power plants, and vital human services, systems that are expected to come under constant and increasingly sophisticated attack. Michael Vatis is the new center's director.
MICHAEL VATIS, FBI National Infrastructure Protection Center: We've seen many, many instances of people getting into the various computer systems that control a critical infrastructure, such as the telecommunications node, or a banking system. We have not really seen the use by terrorist groups or hostile nation states, at least that we know about, where they've gotten into a system and sought to destroy it. But the potential is clearly there, because once you're inside a system, and you acquire root access, you can do anything you want.
TOM BEARDEN: A key part of the new FBI center's mission will be to act as a national clearinghouse for tracking and responding to security violations in both the government and private industry. A presidential commission wants to go even further. It recommends the establishment of a White House office to oversee an unprecedented government industry collaboration to shield critical computers from outside interference. Commission Chairman and Retired General Robert Marsh says the problem deserves that level of attention, because an attack in one area could quickly ripple through interconnected systems across the country.
ROBERT T. MARSH, President's Commission on Critical Infrastructure Protection: We were not attuned to the growing interdependencies of the infrastructures. The information technology networks have been linked together in such a fashion that you can contemplate cascading failures from one system into another. And, in fact, a well-engineered effort to do serious harm would, in fact, try to exploit those interdependencies.
TOM BEARDEN: But is the government overreacting? The hackers at L0pht think the government's highly public alarm may be deliberate; that the Pentagon and the other agencies are pursuing a different agenda.
Is the government using "scare" tactics?
L0PHT HACKER: I look at it as the Pentagon trying to get money from Congress. And the only way they can get money from Congress is to scare 'em.
TOM BEARDEN: Can hackers working from personal computers at home really pose a serious threat to national and commercial security? L0pht thinks it's possible. They've encountered perhaps twelve genius-level hackers in the online world and say six of them should be feared. MIT's Schiller says that another group of people called "crackers" are responsible for much of the recent computer mischief. He says crackers are the bottom feeders of the computer underground, people who don't have a deep understanding of computers and networks like real hackers. Crackers attack computers using software written by other people to break into networks mostly for bragging rights.
JEFF SCHILLER: The problem we have with crackers is for the most part they're young, they're almost always male, between the ages of maybe fifteen and twenty-five. They're usually socially maladjusted. They're people who have discovered they can hide behind the apparent anonymity of a computer screen and take on a whole new life. You know, the short frail kid can be he-man on the Internet. And that's very different from the very intellectually focused, almost geniuses that helped build the Internet.
TOM BEARDEN: One of the places that crackers are able to find attack software is L0pht's own Internet site. L0pht publishes their software there not to make it easy for the less technically capable to attack other people's computers but to force software vendors and network operators to close the holes in their security.
L0pht HACKER: It's almost like, you know, groups like us are sort of a de facto, sort of "Consumer Reports," these kinds of things.
TOM BEARDEN: They say when the vulnerabilities become public, people react and fix the problem. Otherwise, they have a tendency to ignore.
WELD POND, L0pht Hacker: It should be full disclosure, and we just let the world know when we find a vulnerability. And we found that by doing that the vulnerability gets fixed pretty quickly.
Hackers as consultants.
TOM BEARDEN: Big software vendors and even the Pentagon increasingly are consulting with hackers to find out where their security can be breached. Microsoft even invited L0pht to dinner last year. But not everyone agrees that letting the whole world know which systems can be penetrated is a good policy. These are the offices of CERT, the Computer Emergency Response Team, at Carnegie Mellon University in Pittsburgh. It was established in 1988 to help private industry and government deal with the then new problem of Internet security. It's the precursor of the new FBI center. Tom Longstaff heads research and development at CERT. He says L0pht's disclosure method too often ends up as a "how to" manual for crackers to break into a site.
TOM LONGSTAFF, Computer Emergency Response Team: There are many people who have a lot of technical expertise out there, and some of them use the technical expertise to develop fixes and work-arounds and understand better and contribute better to the computer security community. There are other folks out there who, no matter what they call themselves, are writing attack scripts. The attack scripts, if they're given out and automate difficult attacks, really benefit the lowest common denominator of the intruder community.
TOM BEARDEN: CERT's policy has been to solicit confidential reports from companies whose systems have been breached and to work behind the scenes to develop fixes, which are then published. CERT says confidentiality is key because many companies are very hesitant to admit their systems have been compromised, for fear of making their customers nervous. If the new FBI center is to work, industry would have to be willing to disclose those security breaches to the government, something many are very reluctant to do. But L0pht says the whole idea of a central clearinghouse for computer security simply won't work, that information moves much too quickly and much too freely for any one agency to have any real effect.
L0PHT HACKER: The net doesn't work that way and information doesn't flow through one centralized point. You know, if that one centralized point disappears or if it hits a bottleneck, it'll go around it.
TOM BEARDEN: For now, though, there is no centralized point. The FBI center is just getting off the ground. And the Presidential Commission's proposal for a White House office is stalled, leaving the government's efforts to respond to computer security threats still fragmented.