Ed Note: In April, a cracker group known as World of Hell defaced the Web site of the Colorado Department of Tourism. Over the weekend of June 9 and 10, the group defaced a Virginia Web site run by the state's Department of Information Technology. That same weekend, the group also hit Clearwater, Fla.'s Web site - twice. A couple of days later, World of Hell cracked Vermont's home page and the Texas Lottery's Charity Bingo Division's Web site. Web sites of the departments of transportation in Georgia and Idaho were hit on June 13.
According to Safemode.org, a Web site that mirrors defaced Web sites and pages, World of Hell has been linked to 160 defacements at press time.
When the Virginia site was hit, World of Hell left both a Web site address and an e-mail address. Government Technology then e-mailed the group to raise the idea of an e-mail interview, and several members of the cracking group, who identified themselves only by their screen names, ultimately agreed to answer a series of questions about what they do, their rationale and their perspective on computer security. Government Technology also contacted another cracking group, PoizonB0x, which was in the news at the same time as World of Hell. PoizonB0x zapped a handful of Internet-security Web sites to make the point that security experts fall victim to crackers, too. The interviews were done via e-mail and comments are printed exactly as they were received.
Despite popular belief, World of Hell member Dawgyg said his cracker team isn't looking for personal information when they hit a government site.
"I am doing this to show how insecure Windows NT and [Sun's Solaris] are," he said.
Up|4|grabs, the World of Hell member who wrote the HTML script that defaced Virginia's site, said most crackers, although engaging in criminal activity, don't like to run the risk of stealing information.
"For the most part, little damage is done," said up|4|grabs. "If people are after data like credit cards, they usually decide not to deface the site, because then it is more likely for the system admin to know that data was taken."
PoizonB0x's leader, DC, also expressed little interest in the information on government Web sites.
"I remember the first time I owned a .gov site; a really long time ago," DC said. "I looked through all the texts there and I remember I even uploaded something. Then, after that, I tried to download something, but that info wasn't very interesting."
The crackers interviewed said they crack sites merely because it's possible, and government sites are often more vulnerable than private-sector sites.
"[Governments] don't take the time to secure their sites," Dawgyg said. "I have owned some gov sites with exploits that have been public for over two years and the admins still did not secure for this exploit. Generally, private computers are better secured because the people are paranoid."
It's all a matter of what interests crackers, said Shawn Hernan, team leader of the CERT Coordination Center's Vulnerability Handling Group. The CERT Coordination Center is focused on Internet security and is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
"There are large numbers of intruders who scan the Internet more or less indiscriminately looking for any vulnerability they can find, or systems that are vulnerable to well-known exploits," Hernan said. "If you have a system on the Internet that contains a vulnerability that's known to the intruder community, you will eventually be compromised - they don't care what box they compromise; they're just interested in gaining access to some computer."
Battening the Hatches
Given the community of crackers who are ready, willing and able to hit any site that's not secured, can governments protect themselves?
Although system administrators and CIOs might think their Web sites are protected, the dynamic aspects of computer security mean that just as problems are patched, new vulnerabilities crop up, said Dan Mayer, CIO of Clearwater, Fla., who had the unenviable chore of cleaning up after the city's official Web site was attacked by World of Hell twice in June.
Add to that the speed of modern communications and crackers have a recipe for striking any number of vulnerable sites.
"With the Internet and with the exchange of information [and] the number of hackers out there testing firewalls and other software fortifications for holes; it's just a matter of time before they find another trick to get in and then share that with several thousand fellow hackers," Mayer said. "The thing to do is to be redundant and be diversified in the types of defenses you use. Use a software firewall; use a hardware firewall; go with different manufacturers."
Mayer said Clearwater will likely institute a quarterly or biannual review to assess its defenses against intrusions and to make sure there are no loose ends.
But governments, along with the private sector, often face a resource crunch when it comes to securing Web sites, said Scott Fairholm, director of Virginia's Department of Information Technology.
"As you move from upgrade and patch-to-patch, hackers are going to move from upgrade and patch-to-patch with you," Fairholm explained. "It's an evolving process. We try to stay one step ahead, but - there are a lot of people out there with a lot of free time on their hands, and we don't have the kind of free time that other people do."
Fairholm, like Mayer, had the job of cleaning up after World of Hell defaced a mirror of the state's official Web site in June.
"As we move into doing more and more things online, you will see more and more incidences of people trying to get into government systems," he warned. "I expect to continue to have attempts on our systems."
Fairholm said keeping up with the latest versions of software and patches is perhaps the best way to safeguard a Web site, along with trying to crack your own site to gauge where weaknesses are.
"If we're aware of all of our vulnerabilities, we can patch those quickly," he said. "You can't stand still in this environment."
Despite the best efforts of systems administrators and CIOs, crackers aren't convinced governments can secure their systems.
"No computer is unhackable/uncrackable," said up|4|grabs. "There will always be holes, it just depends on the amount of time a person is willing to put into breaking into a computer."
Crime and Punishment
The crackers interviewed didn't seem worried about getting caught, despite being under investigation. Crackers know that jurisdictional issues hinder local or state law enforcement agencies in their attempts to track perpetrators of computer-related crimes.
"I personally am being investigated for my [Virginia] state defacement along with the other 17 I have done," said World of Hell's Dawgyg. "I don't think the government has the knowledge to trace us; at least not at the state level. They will need to get the federal government in this if they [want to] catch us."
Another World of Hell member, Cowhead2000, said that he, Dawgyg and Messiah-X together have hit at least 25 state sites.
"I do not think anyone will get raided or be in any real trouble, because most of the [World of Hell] members are out of this country entirely, and most members are smart enough to delete logs, clearing most evidence of who compromised the box," up|4|grabs explained. "I have legal access to a few boxes in other nations, Asia, South America and Russia, therefore making it very difficult at all to trace me."
Cowhead2000, who said he is 15 years old, claimed members of World of Hell live in the United States, South America and the Middle East.
The crackers interviewed for this story seem to enjoy what they do, and perhaps that is their main motivation - but they do have other reasons.
PoizonB0x's DC said the relative ease of cracking sites keeps him coming back for more.
Other crackers see themselves performing a valuable role, though systems administrators might not agree.
"We just want to show how poorly their computers are secured," said Dawgyg. "We don't do this to cause damage or harm, which is why, in most cases, we even back up the original Web site for the admin of the site so all is not lost. The media today has given hackers/crackers a bad name. All we are doing is exploring the Internet and computers. I feel it is no different from when Columbus explored the world. We are all just trying to learn more about what we like."
This rationale is echoed by up|4|grabs. "When I hack Web sites, I usually look for big domains and will e-mail the admin when the box is compromised on how to secure it," he said.
There is also a certain amount of prestige in attacking sites, the crackers said.
"I just gain a little bit more respect from the hacker underground," said Dawgyg.
CERT's Hernan said that during his five and a half years at CERT, he's been constantly surprised at what crackers are capable of doing and how much time they devote to finding potential vulnerabilities.
"Some of the code that intruders write to exploit vulnerabilities is really quite clever," he said. "They've found very subtle interactions between different software components and taken advantage of those interactions to suit their purposes. They go to all this tremendous work of trying to understand just how these individual components interact and how they can best take advantage of that.
"[But] they don't generally write high-quality, robust exploits, and that sort of works to our advantage," he continued. "Most of the things that intruders use are barely beyond the proof-of-concept stage, although what they've discovered in principle is very sophisticated. It's as if they've spent all the effort necessary to discover time travel, and then used it to go backwards in time to get the daily [lottery] numbers to win $500. In one respect, it's quite impressive to see what they're able to figure out. In another respect, why are they bothering?"
Given the amount of time some crackers devote to their activities, it doesn't seem likely they will give up their vocation easily. Cracking will continue, and, according to its Web site, World of Hell is looking for some "experienced new members."