# 94-21 Deliver Me from Hack Attack

The Discovery Channel aired a one-hour program last week entitled "Hack Attack". I viewed the program, and several days later reviewed the videotape I had made. The following comments represent my post-Christmas Grinch reaction.

1. The program should have been subtitled "The Winn Schwartau Hour". Mr. Schwartau, a security consultant/vendor and the author of "Information Warfare", appears throughout the program to highlight threats facing information systems. His emphasis is on intentional human actions to degrade system performance and security. At no time does Mr. Schwartau or the narrator of the program present any credible or meaningful discussion on controls or countermeasures to address these computer threats.

2. The first of four distinct segments looks at Emmanuel Goldstein's defense of hackers, in particular Phiber Optic (Mark Abilene), who received a one-year sentence for a variety of actions discussed over Risks Forum and other Internet discussion groups. The interview with Mr. Abilene takes place in prison where he asserts that he did nothing wrong, but that he is the victim of making too much knowledge available to others. "They", he asserts, cannot stand to have knowledge disseminated. At no time do we have anyone involved in the actual investigation or prosecution comment on the specifics of the case--only Mr. Abilene and Mr. Goldstein speak to this matter.

3. There is a wonderful interview with two employees of Price Waterhouse who are involved in penetration testing. In their GQ suits complete with suspenders, they discuss "demon dialers" and password cracking programs as part of their customer service support. The moderator observes that the Price Waterhouse penetration attacks have always been successful against their clients.
While this has generally been the experience of many other penetration or "tiger teams", could you imagine a Price Waterhouse advertising campaign in the vein: "Price Waterhouse--All of our Clients Can Be Had!"

4. The second segment wanders into the field of telephone card and credit card fraud, with on-the-scene action of "numbers" being sold and used on the streets of New York. There are some subtle comments on the basic insecurity of cellular telephones with several police and corporate security types presenting rather reasonable countermeasures.

5. The third segment returns to computer hacking. As the narrator scolds a site for allowing too much information to be known about itself, one of several "reconstructions" takes place. One then sees a computer screen where the "reconstructed hacker" has issued the finger command on a site with a Navy domain address. The standard "finger" output is apparently at the heart of "too much" information. I suppose the producers of the program were unaware of the whois NIC database and others. After the "finger" output, one sees the output from a "showmount" command on the same host. While the narrator does not comment on the output, one can see that "everyone" can mount several file systems on the host. Without any discussion on the problem associated with permitting "everyone" to mount a file system, the narrator comments on the ability of the "hacker" to become root and gain complete control of the system. There is no reference to the method of the attack nor to the fact that it has been well-documented in the public domain.

6. The final segment attempts to summarize the first three, but adds an additional threat of industrial espionage with emphasis on foreign government collection activities. There is an interview with a CEO of a West Coast firm who discusses a case in which an employee is alleged to have provided proprietary software to the government of China.
The employee's attorney is then interviewed to dispute the charges while his client sits silently next to him. Mr. Schwartau returns with some final observations on the vulnerability of the United States financial systems to malicious attack. Many of you may remember that the General Accounting Office issued several reports years ago on security vulnerabilities associated with the Federal Reserve system, with the stock market computers, and with electronic commerce in general. Neither Mr. Schwartau nor the producers mention such work.

I give the program a C- grade.

[Disclaimer: Information Systems Security Updates represent the opinions and views of the author, not his employer. Recipients are free to quote all/parts of the ISSU with credit/blame to the author.]