2005-01-12

Kevin Mitnick eat your heart out: Some jaw-dropping tales of hacking

Someone get the movie rights to this, we've got a real-life blockbuster on our hands: Kevin Poulsen of SecurityFocus reports today that a hacker had access to one or more T-Mobile servers for over a year, with complete access to innumerable accounts and data therein, including one of a Secret Service agent that exposed confidential information on ongoing investigations. This is the most spectacular hacking story I've ever read, with the Secret Service serving as both the victim and investigator, and even ties in with the AOL leak of 92 million email addresses investigated last year. What is especially disturbing is that, once again, it looks like someone convicted of hacking is being handed a career in Information Security. Supposedly, the Secret Service is offering leniency to the hacker for his help in other investigations. It's an interesting angle on the old problem of jail overcrowding: why not just hire people when they break the law? In all seriousness, it is all too often that high-profile virus writers and hackers get employed by agencies or security companies, while people involved in lower-profile and lower-impact incidents are punished severely under the auspices of "terrorism" according to the USA Patriot Act. Not only have these people proven they can't be trusted, this certainly isn't discouraging others from hacking. The message here is, hacking will land you in jail, but only if you don't have good hacker-fu.

A second revelation today involved GMail. Specially crafted email messages reportedly will cause the contents of memory (which may include anything from other emails to usernames and passwords) to be delivered to the attacker in an email in their inbox. For months I've been ridiculed by my associates for not trusting GMail and sticking to my own home server, so this is a bit of vindication for me, but it is bad news in general. In Google's defense, they have some of the biggest brains in the industry, so I'm sure this will be resolved quickly and will be the exception rather than the norm.

This last tidbit, irony and all, is from SANS NewsBytes:

--Hacker Gets Data on 32,000 Students and Staff at George Mason University
(11 January 2005)
A hacker compromised a Windows server and gained access to social security numbers and other private information of thousands of students and staff at George Mason University. The university is one of the Centers of Excellence in Information Security designated by the US government.

The sad part is that this undermines confidence in the government's Centers of Excellence in Information Security, even though such education programs are institutionally separate from the administration of the universities involved.

1 comment:

Anonymous said...

That's not surprising about the university. Universities are one of the biggest sources of bureaucracy in the world - the thought that one department would talk to or trust another isn't new. Hell, how many civil engineers did we have at UD and yet they still had building problems. Or why don't English majors proofread my papers? etc. It's just status quo.
-livingston