Security Corner


Hacking the hackers

- by Greg Kaufman -

Recently, a group of cyberhackers attacked the computer system of a large American financial services company. The hackers launched a "war-dialing" attack targeting every number on the company's corporate telephone exchange. They initially got past the firewall through a lone modem attached to a networked desktop, whose owner - ever dedicated to the company - thought she'd "save the IT department some time" and installed it herself without telling anyone.

The cybercriminals were able to subvert the network's internal security system, and place Trojan Horse programs (back door entryways) into key systems. Using these entryways to access the network at will, the hackers promised to "hose the network" and make the company's name public unless a large sum was paid. Unable to detect all of the entry paths being exploited, and facing a security and PR nightmare, the company was about to capitulate, when one of the junior network engineers suggested they try calling REACT instead.

Don't react; REACT

REACT is an emergency incident response team managed and operated by Global Integrity Corp., a subsidiary of Science Applications International Corp. (SAIC). The team provides continuous threat and vulnerability information to their corporate clients and is on-call 24 hours per day and 7 days per week. In the event of a malicious IT system attack, REACT can deploy a team of experienced engineers and analysts to immediately help prevent damage, restore a company's IT operations to a secure level, and gather evidence for criminal prosecution if requested.

In the case above, the REACT team was dispatched and upon arrival installed sophisticated monitoring equipment to capture all network traffic, allowing the hackers' entry points to be quickly pinpointed. Next, the team scanned the system for any unusual code and correlated the multiple attack paths being utilized by the criminals. Finally, they installed specialized software to reestablish the integrity of the network and stop the attack. Tight control over the company's network was maintained during this final phase to ensure that the criminals did not shut down the victim's system. Subsequently, Global Integrity designed a new security architecture for the victim's network, significantly reducing the risk of future attacks. The hackers, meanwhile, disappeared.

Before REACTing; DETECT

In addition, Global Integrity provides a corporate brand protection service called DETECT. On behalf of corporate clients, DETECT staffers regularly search thousands of Internet sources, including the WWW, Usenet News, Internet Relay Chat, bulletin board services (BBSs), news service feeds, hacker publications and groups, and public e-mail list servers, looking for any mention of a particular client's name, products, or services. If a serious threat is found, DETECT staff send a FLASH report to a designated company representative, together with a recommended course of action. In addition, DETECT issues routine quarterly reports to indicate the level of cyberspace "noise" related to any particular client.

A recent case involved an insurance company in the US. The DETECT team found a newsgroup posting from a hacker known by Global to be a legitimate threat. This individual had posted the telephone number, user ID, and password for an Arizona PBX switch on the Internet. When the DETECT team investigated, they realized that the telephone exchange belonged to the Western Region Customer Services Office of a Global Integrity client. The client's head office was immediately contacted, and it shut down the telephone switch until system security could be confirmed.

The Internet and electronic media are great tools for sharing ideas and managing business activities. Yet, hackers continue to find new vulnerabilities. Just last month, the MELISSA e-mail attachment virus caught many organizations off-guard, and last September, The New York Times website was hacked, with the intruders replacing the Times' homepage with pornographic images and a manifesto supporting jailed cyberhacker Kevin Mitnick.

DETECT and REACT in Japan

In Japan, SAIC and, more recently, Global Integrity Corp. have been working with a variety of Japanese customers for over ten years. Global Integrity works closely with PTS to jointly offer the DETECT and REACT services in both English and Japanese. PTS information protection specialists are supported by Global Integrity and are now available for local support on a 24 x 7 basis. Today's technology is developed to such a degree that people with malicious intent no longer need lurk in dark corners or steal briefcases in order to get their hands on sensitive documents, and hackers continue to penetrate corporate networks, launch denial of service attacks, and post malicious and slanderous messages. And if you find it is your company that is the next victim, don't panic! Remember REACT and DETECT can help you hack the hackers.

For consulting on corporate security policies, network assessments and testing, contact Greg Kaufman via e-mail at: infoprotect@pts-solutions.com.


