Quantcast
Subscribe to magazine

Hackers Say They Hack for Our Sake

'Deceptive Duo' says they are simply trying to draw high-level attention to flaws in national security.

Linda Rosencrance, Computerworld

  • 0 Yes
  • 0 No

A pair of hackers who has been penetrating U.S. government computer systems across the country said they're trying to call attention to vulnerabilities in national security.

But analysts said they're probably nothing more than publicity seekers.

On April 24, the hackers, who call themselves the Deceptive Duo, said they "started their mission" of breaking into both government and private-sector computer systems. In an e-mail interview with Computerworld, they said their purpose was "to expose the lack of security within our government and other critical cyber components."

They said they have hacked into classified and nonclassified systems, including those operated by the office of the Secretary of Defense, the Space and Naval Warfare Systems Command, the Defense Logistics Agency, Sandia National Laboratories, NASA Jet Propulsion Laboratories, Midwest Express Airlines, and a number of banks.

"We had access to data and Web servers which included things such as pictures from Operation Restore Hope [expanded peacekeeping operations in Somalia in the early 1990s] to the personal details of Department of Defense employees," they said.

Password Problems

The hackers said they breached the systems in two ways: They got in through Microsoft's SQL servers, which they said have a default password to login. Some system administrators didn't change the default password when their databases were implemented and their systems went live, the duo said. They also got in through a NetBIOS Brute Force attack, a method in which the hackers repeatedly try to guess passwords to gain entry into a system that could exploit the NetBIOS protocol and allow access to sensitive data.

"Once information was acquired, we targeted an appropriate Web site to post the screenshots at. For instance, we posted the Defense Logistics Agency database on a Web site of the Office of the Secretary of Defense," the hackers said in their e-mail.

Richard Williamson, a spokesperson for the Space and Naval Warfare Systems Command, acknowledged that hackers gained access to the system through SQL because the agency had failed to change the default password and administrator's user ID.

"We're embarrassed. We didn't change it. We made a mistake," he said.

Williamson said the pair didn't get access to any classified information. "It was information any taxpayer is entitled to," he said.

For Security's Sake

The hackers, who wouldn't reveal their ages, said they believed breaking into computer systems was the only way to get system administrators to take action to improve security.

"We must take drastic means for them to take this seriously," they said. "When notifying a system administrator, the situation often times will get brushed away like it was nothing."

The hackers said they have received e-mails from various system administrators of the penetrated computers and they fully cooperate with them in creating a more secure environment for their systems.

"If we did not, our mission would be incomplete," they said.

Gathering Information

Screenshots of the information obtained by the Deceptive Duo, including bank databases with customers' personal information and bank account numbers, were posted at a security Web site.

Another database screenshot posted at the same Web site showed names, passport numbers, and other personal information apparently gleaned from the U.S. Department of Defense's Defense Logistics Agency.

Lisa Bailey, a spokesperson for Milwaukee-based Midwest Express, confirmed the pair hacked into the airline's computer system but only gained access to customer profiles.

"What they hacked into was not manifest information or anything like that," she said. "There was no credit card information [taken]."

Eric Hemmendinger, an analyst at Aberdeen Group in Boston, says that although he doesn't know much about the Deceptive Duo, he believes they are probably "publicity hounds."

Charles Kolodgy, an analyst at IDC, in Framingham, Massachusetts, agrees. He says he didn't believe the pair was on a mission to improve security.

"I think there might be a business reason behind this," he says. "Maybe they're trying to sell security products. And they probably just have too much time on their hands."

Jennifer DiSabatino of Computerworld contributed to this report.

Computerworld
For more enterprise computing news, visit Computerworld. Story copyright © 2007 Computerworld Inc. All rights reserved.

  • Recommend this story?
  • 0 Yes
    0 No

Print 65% more pages than with refilled inks. Trust Original HP Inks. Hit Print Reliably.

Featured APC Accessories For Your System
10% Off Entire Cart at Online Store

  • APC Back-UPS ES Safeguards your equipment from damaging surges and spikes that travel along your utility & data lines.
  • APC SurgeArrest Performance Highest level of protection for your professional computers, electronics and connected devices, as well as provides surge protection.

People who read this also read:

  • 2007 Microsoft Office Suites Comparison This paper compares and contrasts four suites of the 2007 Microsoft Office system: Microsoft Office Standard 2007, Microsoft Office Professional Plus 2007, Microsoft Office Enterprise 2007 and Microsoft Office Ultimate 2007. This paper is intended to help organizations understand the applications and capabilities offered, and to identify the suite that best fits their needs.
  • Windows Vista Migration: The Business Proposition It's not so much a matter of "if" but "when" for most organizations regarding migration to Windows Vista. Laying the groundwork now for this migration can yield higher ROI than waiting until later. This Computerworld Technology Briefing explains it all.

PC World's Marketplace