MSNBC Interview

This is a representation of someone's thought. Thoughts cannot be owned or controlled. You may modify this thought as you see fit. many have attempted to censor the thoughts and ideas of this writer, none have succeeded. ...nor will they ever.

Please provide your overall assessment of security in the Internet. Are there particular types of sites that typically have poor security? Most sites have extremly poor security, and I know of no site, including financial institutions, which are hack-proof. The technology simply does not exist. The real weak link in the security of the internet is the people on it. A good hack could be used by a government to usurp a stock exchange, bring down a powergrid and cause a blackout, open the gates on a dam, or bring transportation to a halt. These are extreme examples, but within the realm of possibility. The United States used hackers against East Germany during the cold war, again in Grenada, and once again in Desert Shield. I assume that hackers have been, and always will be, used to prelude and assist military operations. The term is "Information warfare". On a smaller scale, hackers may be used by one corporation against another, or by any organization at all to serve it's own purposes. I will show you how MSNBC could theoretically be hacked so that a competing news organization might get the "scoop". Power in the information age does not stem from land, might, or wealth. Now more than ever, knowledge is power. Fortunately, there are things that may be done to protect ourselves. What techniques are most commonly used to gain access to web sites and can they effectively be prevented by good security? Well, hmmmmm. First let me say that a website isn't hacked. It is the server that is hacked. Let's say that I wanted to hack your account at (michael.brunker@MSNBC.COM), what are some possible logins? Brunker, michael, mbrunker, and j-michb, are all possibilities. But I would try everything until I got it. Let's assume that I could NOT find your login. I would go through every account at MSNBC until I got into one of them. Eventually, somewhere along the line, someone will blow it for you. Because even though I have access to the wrong account, it would be enough access to find your login. I might go through your office or home trash. I might talk someone at MSNBC into giving it to me. You have to assume that I would at least get your login. Ok, now I have your login, you still have your password. I would launch a dictionary attack on your account. If you are using any normal "word" that could be found in a dictionary as your password, I would be in. If not, I would use a brute-force attack, which will try every combination of letters, numbers and spaces (which were not already tried in the dictionary attack) up to about 8 or nine digits. If that didn't work, I would begin to attack your server. Chances are that your server has software bugs that I could exploit, they all do. There are several other methods that can be used. I hate to say this, but you should also assume that I will also get your password. By this time I would probably have enough information to hack any account at MSNBC that I liked. This is called "owning" a system. At this point I could change the MSNBC webpage. People say "If they want in, they will get in." when referring to home security, the same may be said for computer security. Ok, once I was into your account, discounting the obvious, what can I do? Do you use the same password anywhere else? Your bank account? Online services? Many people have so many passwords to juggle around they use the same password everywhere. If I find out that you frequent a protected site, it might have been easier to hack a less secure site, and get your password that way. There are many possibilities. I think you get the idea. What about sites over which financial transactions are conducted? Are they generally impregnable, as the companies running them would have consumers believe? They are not bulletproof. I recently had to go to my own bank to complain about the security used in the online banking features. When they put me in touch with the tiger team, they were surprised to find how even a minor glitch in how paperwork was handled could potentially cause so much trouble. Humans are the weak link, and always will be. You can have all the the encryption and passwords in the world, but untrained or disguntled workers will always cause problems. Remember how they used to have those carbons with all the credit card info on them? The bank could be doing a great job, but a merchant, or other middleman could always blow it for somebody. Studies show that a high percentage of hackers are either disgruntled employees or insiders putting their knowledge of the company computer system to their advantage. Do you agree with this conclusion? Yes, but I assume that these studies are referring to criminal hackers. To do a hack properly almost always requires some kind of inside information. The easiest way to get it, obviously, is if you are already inside. In your opinion, what percentage of hackers are outright criminals seeking to rip off companies or steal credit cards, as opposed to those who do it as an intellectual challenge? Less than one percent. Most of the people in the newsgroups are all talk, and no action. In fact most are teenage children. If you read the newsgroups, you will occasionally see offers to pay money for hacking work. But they are seldom accepted. Most of the real hackers are just like me, hacking with permission to test someone's security, or at worse, doing pranks. A prank, to me is a LEGAL act, designed to annoy, not destroy, such as a mailbomb. Do you believe the law properly fails to differentiate between hacking with intent to steal something and hacking for fun and pleasure? YES. I think that United States laws are pretty fair. We hear a lot of whining about Kevin Mitnick and others who have been caught in the act. I only act as a computer security consultant now, but let me tell you, I had my day when I was younger. I never made the mistake of thinking that what I was doing was somehow ethical, moral, or legal. Make no mistake, hacking, as the term is used today, is illegal. It can be equated to trespassing, vandalism, or worse. I leave it in the hands of a judge to determine if there are special circumstances in each case. Will encryption virtually eliminate hacking by outsiders or merely limit it to a relatively sophisticated few? PGP encryption is the single most powerful thing that any computer user can do to protect thier data. That means PGP encrypting everything on the computer. Not just email. I'll give you an example below showing how you inadvertently gave me information which would assist me in hacking your computer, if that was something that I wanted to do. Had you encrypted your directory structure, I would not have the snippet of info that I have. To answer your question directly, the answer is yes. In fact, it already can, if used. How has the hacker community, if there is such a thing, changed in the last 5, 10 or 20 years? When I first started "hacking", 20 years ago, a computer hacker was just a computer hobbyist. The word "hacker" meant nothing more than that. We all knew each other back then too. Very few people had modems, I built mine myself. People really were not fully aware of what a computer was capable of doing. Hackers were really experimenters. About 1985 was when hackers began to be known as pseudo-criminals, with movies like "WarGames" beginning to create and feed a myth. At that time, real hackers were beginning to get real jobs as security consultants. Five years ago was just about the time that the internet began to really take off, it had been laying around, dormant, for years. Now it's mostly children who are wide-eyed at the thought of being a punky, skateboard riding, cyber-warriar. That type of hacker simply doesn't exist, at least I've never met one. But unfortunately, most of the people out there who call themselves hackers are children who are trying to fill that image. And they will eventually get into trouble. What is the general public’s single biggest misconception about hacking and hackers? That hacking is easy. Movies such as "Sneakers" and "Hackers" have glamorized the art of hacking. In reality a hack may take weeks, involve trips to the target's trash, usually involves phone calls, and a great deal of tedious, boring work. What is the most significant threat to the public good posed by hackers? The most significant threat to the public good is ignorance that can be exploited by hackers. Any sysadmin from any ISP would have enough knowledge to exploit the information that is contained right in your letter to me. The following information was all hidden in your document that you emailed to me. This is only a sample, and I would be happy to show you the whole thing if you like, but most of it will look like gibberish to you. I'm assuming that you did not know of it's existence, or you would have done something to hide it: C:\TEMP\AutoRecovery save of Document15.asd C:\WINNT\Profiles\j-michb\Personal\My Documents\Archletter.doc kylbill.doc ders.doc kyl.doc Interpol.doc INTERPOL.DOC 1fugitives.doc 1 FUGIT~1.DOC HOY.doc soundness.doc Microsoft Word Document MSWordDoc Word.Document.8 Knowing the names of some of your documents, and knowing a little about the directory structure of your computer can go a long way toward sniffing the net for your emails and intercepting information that you may be sending to people. A hacker hired by a competing news team could get the "scoop" by stealing info about your contacts. The same is true of anyone, anywhere who emails MS Word documents. But nobody knows that. Ignorance is the enemy, knowledge is the defense. Smoke signals, telegraph, messenger runners have all been "hacked", and it has always been due to the ignorance of the user about the methods of the hacker. People with the "hacker mentality" have been around since the beginning of time, and I don't think that will ever change. Archangel Wrath of God Hand Delivered