This article can also be found in the Premium Editorial Download "Information Security magazine: Trustworthy yet? An inside look at what's changed after a year of Microsoft Trustworthy Computing."
Download it now to read this article plus other related content.
On a recent Saturday night, my girlfriend and I were perched at the bar waiting for our table when we overheard a "hacker" trying to impress his date.
He was a man in his early 40s, wearing a faded purple oxford shirt with a paisley lining over a maroon turtleneck. With each drag of his Marlboro, he exposed his gapped and rotting smile. The object of his attention was a moderately attractive woman who looked as bored as George Bush at a physics lecture.
Despite his nerdy confidence, he probably sensed that things weren't going well. To jumpstart the conversation, he launched into a story about his hacking prowess. This immediately caught my attention. Over the din, I caught a few gems from his boasts.
- "I've hacked a high school just to see if I could do it without leaving any tracks. And I've hacked a few friends' Web pages just for fun. I was just messing around with them."
- "Hardly anyone knows you can hack Microsoft," he said, raising the tempo of his bragging.
- "I could make a lot of money hacking. I could steal $80 million, $90 million, $100 million, but it just isn't worth it."
Needless to say, she was about as impressed as I was. About 20 minutes later, I spied them leaving...in separate cars.
The Pentagon has ordered its networks locked down and public-facing Web sites sanitized of any information that's potentially beneficial to enemies or terrorists. It's probably a good idea, considering the war on terrorism is now a year and a half old and an invasion of Iraq appears imminent.
Truly Free Kevin
Don't be surprised if you suddenly start receiving e-mail from Kevin Mitnick.
My favorite hacker turned shill has been a good boy during his three-year probation, so the government is compelled to end his banishment from cyberspace.
From where I sit, the probation period's end couldn't have come at a better time for Mitnick. He's red hot.
Mitnick's best-selling book (at least by geek standards), The Art of Deception, has catapulted the former phreaker from "cyber-enemy No. 1" to almost legitimate pseudo-infosec expert. He's now a much-sought commodity on the speaking circuit. Companies are paying for his "professional" advice. And security vendors are becoming less timid about using him to endorse their products.
A bright future? Perhaps. But I'm betting that his 15 minutes ticks off faster than his handlers can spin his new persona. Besides, he'll always remain the most detested hacker in the infosec old guard's clubhouse.
Stating the Obvious
Normally, I pay attention when noted infosec author Simson Garfinkel has something to say. But his latest study on recoverable information from discarded hard drives has me nominating him for my new "Stating the Obvious" award.
Over the last two years, Garfinkel and Abhi Shelat bought 158 hard drives on eBay and from secondhand computer stores. Despite numerous warnings to cleanse hard drives before discarding, the pair was able to recover data from 69 drives, of which 49 had significant "personal information."
What did they expect to find? After all, these hard drives mostly came from home users, who are known for their security savviness.
Gobbling Up Attention
Those zany hackers in the Gobbles Security Group did it again. They convinced the infosec elite that they were developing a P2P worm on behalf of the Recording Industry Association of America (RIAA) to combat copyright abuses.
RIAA was quick to dismiss Gobbles' claims, but the security community's embarrassment took a little longer to wear off since many raced to comment on the new "threat."
Unabashedly, Gobbles admitted the hoax was a ploy to garner attention. "The only excuse we can offer for our immaturity is that we like fame," the group told Wired.
Enjoy your fame, Gobbles, and give my regards to Chicken Little.
About the author:
Lawrence M. Walsh is managing editor of Information Security.
This was first published in April 2011