This article can also be found in the Premium Editorial Download "Information Security magazine: Unwrapping Windows Server 2003: An exclusive first look at Microsoft's new OS."
Download it now to read this article plus other related content.
If what Jan Hruska says is true about hackers, we may have wasted years of effort and millions of dollars in defending against virus writers.
In an interview with the Reuters news service, the CEO of antivirus vendor Sophos described the average virus writer as male, 14-34, obsessed with computers and unable to get a date. (This also describes a large number of security pros, which may explain why Hruska's comments sparked a rather lively debate. But I digress.)
Assuming Hruska is correct, wouldn't a more proactive approach to the virus problem be hooking up these pathetic souls with a date?
Here's the pitch, a reality show--on Fox, of course--"The Hacker Dating Game." You drag a bunch of pimply-faced hackers out of their mother's basements, give them a clean X-Files t-shirt and set them up with beautiful young women.
Imagine, TV cameras would follow skin-pierced geeks and their playmates as they go to nightclubs, fine restaurants, skiing in Aspen and scuba diving in the Caribbean. Did I mention there will be hot tub scenes?
Since Americans love human train-wreck TV shows, a number of copycats will appear on competing networks. ABC could have "I Want to Marry a Phreaker." NBC could air "Married by Def Con." And CBS could schedule "LoveLetter Chronicles" between "CSI" and "CSI: Miami." MTV will jump into the fray by having Ozzy Osbourne hack his delinquent brood's e-mail ("Sharon! What's the bloody @#*%! password?").
OK, I know what you're thinking. Where would you find these women? After all, we're not talking about Joe Millionaire. Well, what about all those adoring Russian women we hear about via spam?
Virus Targets Virus Writers
If you don't like my idea for a hacker reality show, perhaps you'll appreciate another attempt at warding off virus writers and hackers--infecting them with malware.
The yellow suits over at Symantec report finding a social-engineering worm that's specifically designed to trick hackers and malware writers into downloading it. When script-kiddies go trawling for new tools via KaZaA, eDonkey and Morpheus, they find Cydog, a slick worm that promises all sorts of malicious goodies.
Once installed on a hacker's machine, Cydog disables AV programs and firewalls, and then deletes all critical files. Neat trick.
CERT: You Have a Leak
The leaks of an unreported Sun Microsystems vulnerability and a Kerberos flaw can't be good news for Carnegie Mellon's CERT Coordination Center or the proponents of responsible disclosure.
Someone going under the nym "Hack4life" posted both undisclosed vulnerabilities on Bugtraq's Full Disclosure list before remedies were available. In the Sun case, the posting came just a few days before scheduled, while details on the Kerberos encryption flaw weren't slated for release until June.
Neither CERT, nor those who discovered the bugs (eEye Digital Security for Sun and MIT for Kerberos) knows how Hack4life obtained the information. CERT believes a subscriber to its advance intelligence service or one of the affected vendors is responsible for the leak. Another possibility is that a hacker breached a third party with access to the data.
Hack4life is promising to release more undisclosed vulnerabilities--on a weekly schedule. This, he said on a Bugtraq posting, will give hackers time to exploit holes. Stay tuned.
Shot Messenger Recovers
When Stefan Puffer warned Harris County (Texas) court officials of security problems with their wireless network, they did what any Longhorn would do--they shot the messenger.
Puffer may have been shot, but he wasn't dead. A jury acquitted him of charges of unauthorized computer access and causing more than $5,000 damage. Jurors said they didn't believe prosecutors' arguments that Puffer, who once worked in the county's IT department, intended to do any harm and only wanted to inform officials of the security gaps.
Indeed, Puffer discovered that the court system's digital pants were hanging round its ankles while benignly demonstrating war-driving techniques to a newspaper reporter. Lesson here: Lift the brim of your 10-gallon hat and look at who's offering help before you shoot...er...charge him.
About the author:
Lawrence Walsh is managing editor of Information Security.
This was first published in April 2003