An Ex-Hacker Discusses Local Government IT Security
Twelve years after shutting down major sites like Yahoo, an ex-hacker is working to educate officials on securing their networks.
Local governments can be easy targets for hackers because they lack funding to protect their infrastructure. In many cases, security funding is made available only after a breach occurs. But just how easy is it to break into a local government site? According to Michael Calce, a hacker known as Mafiaboy in his youth, “it’s so easy it’s scary.”
In 2000, a 15-year-old Calce completely shut down Yahoo, the Web’s top search engine at the time, for almost an hour with a project he named Rivolta (“riot” in Italian). Rivolta was a denial of service attack, designed to overload servers to the point at which they completely shut down. He also brought down websites for CNN, Amazon, eBay and Dell.
Twelve years later, Calce works through presentations and his blog to educate executives whose infrastructure is vulnerable. Everyone, he says, is at risk. I spoke with Calce earlier this year about what local governments can do to secure their networks in this edited transcript.
In a 2008 interview, you said you now work to protect the Internet from vulnerabilities. What are you doing these days?
As of right now, I find it of great importance to use my notoriety to help raise awareness with companies. I’ve been doing a lot of keynotes for IT conferences such as IT360 and Hitachi Data Systems.
I feel as though awareness is the key component to help win the battle with insecure infrastructures. A lot of these companies are completely unaware that they are at risk, so I feel an obligation to educate them. I also do some practical work from word of mouth to help secure companies. I haven’t gone public yet, but plan to do so in the upcoming year.
Why do you think hackers choose to exploit local government websites?
I think they choose to hack them because information is power. There is no telling what kind of information you can obtain from government networks. It’s also a great starting point for a hacker to infiltrate one government network and use something called a sniffer (a tool that collects all incoming and outgoing information on the compromised network) to obtain access to more government sites. Sometimes they get lucky and sniff a high-profile site; other times it can be coordinated. What I mean by that is they might have a specific target government site they want to access, but for whatever reason they can’t breach it using their arsenal of tools. They will then attempt to hack a subnet or a site they think is affiliated with the target so they can sniff, and hope that someone from the hacked terminal logs into the site they cannot gain remote access to.
When looking at local government websites, what are the biggest vulnerabilities you see?
The biggest problem I see is that it’s accessible to anyone with an Internet connection. It’s almost as if the government should have its own private network. On another note, a big problem is that a lot of government sites use operating systems that are open to the public. If they want to narrow down the amount of infiltrations, they should only use custom operating systems with stripped kernels. Everything should be custom and never default. I remember when I was hacking I would run some scans on random IP blocks and came across some government sites that were vulnerable to public code. This, to me, is unacceptable and needs to be looked at. All government networks and systems should go through an intense screening process before being put online.
Can you explain what it means to use only custom operating systems with stripped kernels?
Most operating system source code is available on the Internet. A professional hacker can sift through the original source code, find vulnerabilities and write code to execute them. Plenty of government sites use [similar] operating systems, so it’s actually quite easy to gain access.
A stripped kernel means that when you press power on the computer and it initializes your operating system, it won’t start the default kernel. By default, the kernel will run plenty of services the government site might not even use, yet they might fall victim to an exploit for a service running from the default kernel. An example would be that on boot-up, the operating system will initialize an email daemon [email-managing software], yet the government site might not permit or use emails from the system whatsoever; they still get exploited through it because it’s running.
How easy is it to hack into most local government sites?
To be quite honest, it’s so easy it’s scary. It’s also becoming increasingly easier with the amount of tools being made public. When I was hacking, a lot of exploits were kept secret. Zero-day exploits were only given to those who had serious contacts within the hacking community.
Can you elaborate on Zero-day exploits? How long does it typically take for them to be discovered or reported?
There are two types of exploits: public or private, a.k.a. Zero day. Basically public exploits are available in the wild and very easy to obtain with very little networking within hacking communities. You could easily Google “BackTrack,” an incredibly powerful modified operating system specifically catering to hackers, a preset desktop with tools and exploits ready to go. The fact is a lot of government systems are vulnerable to public exploits. Zero-day exploits are really an unknown variable. Sometimes they leak and eventually get patched. The scary part is some Zero-day [exploits] go unnoticed forever.
Who or what are the likeliest targets and why?
I’d say everyone is a target, simply because hackers can. Where there is a will, there is a way. Some hackers might come across a government site by sheer luck in an IP scan for an exploit, or there are hackers who specifically target government sites.
What relatively inexpensive things can local governments do to deter, prevent and protect against attacks?
Like I said earlier, they must keep it custom and not fall victim to default. It wouldn’t be too cost heavy to come up with an operating system that isn’t open source. Keep in mind this will only narrow it down — we will never completely resolve hacking issues. You have to realize why the Internet was created to understand that it’s impossible to fully secure it. Its intended purpose wasn’t meant to be used by the masses like it is today.
If the Internet’s original purpose was to exchange raw data among researchers, is it safe to say that the process by which information is exchanged is almost a welcome mat for hackers? And now that so much data is out there, the potential for breaches is limitless. Once an exploit is discovered and fixed, new ones are created and it’s a never-ending cycle.
The Internet was actually created by two separate entities. CERN Laboratories (Tim Berners-Lee) created the World Wide Web, which was built for exchanging raw data among researchers. Then you have the networking aspect that was created by the Defense Advanced Research Projects Agency. DARPA created the actual Internet. The thing is, it was meant to be kept as a private government network: in the event that all other communications failed, they would have a means of contacting each other through some secret network known as the Internet. They never really incorporated many security protocols into the fundamental architecture because it was meant to be private and not a tool of mass commerce like it’s being used for today.
An original version of this Q&A is available at Government Technology.