Government Technology

Ex-Hacker Mafiaboy Discusses Local Government Web Security

January 30, 2012 By

Last July, a hacker broke into Yellowstone County, Mont.’s website, prompting the county to disable the site. In September 2011, two men with alleged ties to the online activist group Anonymous were indicted for hacking into Santa Cruz County, Calif., computers in December 2010, causing the county website to go offline. And last November, the Gregg County, Texas, Tax Office was hacked by the Zeus Trojan, which uses a keystroke logging scheme to steal information. In that incident, bank routing numbers were hijacked to redirect $200,000 into a foreign bank account.

Even law enforcement sites are being targeted. Sheriff John Montgomery of Baxter County, Ark., said in August 2011 his office’s website was attacked by hackers and is among more than 70 law enforcement websites in several states that have been hacked.

Local governments are easy targets for hackers because they lack funding to protect their infrastructure. In many cases, security funding is made available only after a breach occurs. But just how easy is it to break into a local government site? According to Michael Calce, a hacker known as Mafiaboy in his youth, “it’s so easy it’s scary.”

At the age of 15, Calce completely shut down Yahoo, the Web’s top search engine at the time, for almost an hour with a project he named Rivolta (“riot” in Italian). Rivolta was a denial of service attack, designed to overload servers to the point at which they completely shut down. He also brought down websites for CNN, Amazon, eBay and Dell.

Twelve years later, Calce has reformed and now works to educate companies whose infrastructure is insecure and raise their awareness of the risk. And everyone, he says, is at risk.

In a 2008 interview, you said you now work to protect the Internet from vulnerabilities — what are you doing these days?

As of right now, I find it of great importance to use my notoriety to help raise awareness with companies. I’ve been doing a lot of keynotes for IT conferences such as IT360 and Hitachi Data Systems.

I feel as though awareness is the key component to help win the battle with insecure infrastructures. A lot of these companies are completely unaware that they are at risk, so I feel an obligation to educate them. I also do some practical work from word of mouth to help secure companies. I haven’t gone public yet, but plan to do so in the upcoming year.

Why do you think hackers choose to exploit local government websites?

I think they choose to hack them, because information is power. There is no telling what kind of information you can obtain from government networks. It’s also a great starting point for a hacker to infiltrate one government network and use something called a sniffer (a tool that collects all incoming and outgoing information on the compromised network) to obtain access to more government sites. Sometimes they get lucky and sniff a high-profile site, other times it can be coordinated.

What do you mean by “coordinated”?

What I mean is they might have a specific target government site they want to access, but for whatever reason they can’t breach it using their arsenal of tools. They will then attempt to hack a subnet or a site they think is affiliated to the target so they can sniff and hope that someone from the hacked terminal logs into the site they cannot gain remote access to.

When looking at local government websites, what are the biggest vulnerabilities you see?

The biggest problem I see is that it’s accessible to anyone with an Internet connection. It’s almost as if the government should have its own private network. On another note, a big problem is that a lot of government sites use operating systems that are open to the public. If they want to narrow down the amount of infiltrations, they should only use custom operating systems with stripped kernels. Everything should be custom and never default. I remember when I was hacking I would run some scans on random IP blocks and came across some government sites that were vulnerable to public code. This, to me, is unacceptable and needs to be looked at. All government networks and systems should go through an intense screening process before being put online.

Can you explain what it means to use only custom operating systems with stripped kernels?

I mean that most operating system source code is available on the Internet so that a professional hacker can sift through the original source code and find vulnerabilities and write code to execute them.

Can you also elaborate on government sites being vulnerable to public code? What does that mean and how can that vulnerability affect governments?

Plenty of government sites use these operating systems, so it’s actually quite easy to gain access. Stripped kernel means that when you press power on the computer and it initializes your operating system, it won’t start the default kernel. By default, the kernel will run plenty of services the government site might not even use, yet they might fall victim to an exploit for a service running from the default kernel. An example would be on boot up, the operating system will initialize an email daemon, yet the government site might not permit or use emails from the system whatsoever, yet they get exploited through it because it’s running.
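A defender's check for the point made above, added here as an example and not part of the interview: compare what a server is actually listening on against the short list of ports it is documented to serve, so an unused mail daemon or other default service stands out. The `ss`-style sample lines and the allowlist are constructed for the example.

```sh
#!/bin/sh
# Constructed sample of `ss -Hltnp` output (header suppressed) from a hypothetical
# default server install: sshd and the web server are expected, the mail daemon
# ("master" is the Postfix master process) and the RPC portmapper are not.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1003,fd=6))
LISTEN 0 100 0.0.0.0:25 0.0.0.0:* users:(("master",pid=1150,fd=13))
LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=600,fd=4))'

# Allowlist (assumed): the only TCP ports this host is documented to serve.
ALLOWED_PORTS="22 80"

# unexpected_listeners: read ss-style lines on stdin and print "port process" for
# every listener whose port is not in ALLOWED_PORTS. Returns 1 if any were found,
# so the check can fail a build or a nightly audit job.
unexpected_listeners() {
    found=0
    while read -r state recvq sendq laddr peer proc; do
        [ -z "$state" ] && continue
        port=${laddr##*:}                         # "0.0.0.0:25" -> "25"
        proc_name=$(printf '%s' "$proc" | sed -n 's/.*(("\([^"]*\)".*/\1/p')
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;                       # documented service, fine
            *) printf '%s %s\n' "$port" "${proc_name:-unknown}"; found=1 ;;
        esac
    done
    return $found
}

# audit_sample: run the check over the constructed sample. On a real host you
# would pipe `ss -Hltnp` into unexpected_listeners instead.
audit_sample() {
    printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners
}
```

Each line the check prints is a service to either document in the allowlist or disable and uninstall; the non-zero exit status lets the script gate a deployment.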

For lack of a better way to state this, how easy is it to hack into most local government sites?

To be quite honest, it’s so easy it’s scary. It’s also becoming increasingly easier with the amount of tools being made public — when I was hacking, a lot of exploits were kept secret. Zero-day exploits were only given to those who had serious contacts within the hacking community. (Zero-day exploits are fresh code for exploits that haven’t been reported yet.)

Can you elaborate on Zero-day exploits? How long does it typically take for them to be discovered or reported?

There are two types of exploits: public or private, a.k.a. Zero-day. Basically, public exploits are available in the wild and very easy to obtain with very little networking within hacking communities. You could easily Google “BackTrack,” an incredibly powerful modified operating system specifically catering to hackers (system penetration software), a preset desktop with tools and exploits ready to go. The fact is a lot of government systems are vulnerable to public exploits. Zero-day exploits are really an unknown variable. Sometimes they leak and eventually get patched. The scary part is some Zero-day [exploits] go unnoticed forever.

Who/what are the likeliest targets and why?

I’d say everyone is a target, simply because hackers can. Where there is a will, there is a way. Some hackers might come across a government site by sheer luck in an IP scan for an exploit, or there are hackers who specifically target government sites.

What relatively inexpensive things can local governments do to deter, prevent and/or protect against attacks?

Like I said earlier, they must keep it custom and not fall victim to default. It wouldn’t be too cost heavy to come up with an operating system that isn’t open source. Keep in mind this will only narrow it down — we will never completely resolve hacking issues. You have to realize why the Internet was created to understand that it’s impossible to fully secure it. Its intended purpose wasn’t meant to be used by the masses like it is today.

If the Internet’s original purpose was to exchange raw data among researchers, is it safe to say that the process by which information is exchanged is almost a welcome mat for hackers? And now that so much data is out there, the potential for breaches is limitless — once an exploit is discovered and fixed, new ones are created and it’s a never-ending cycle?

The Internet was actually created by two separate entities. CERN Laboratories (Tim Berners-Lee) created the World Wide Web, which was built for exchanging raw data among researchers. Then you have the networking aspect that was created by DARPA. The Defense Advanced Research Projects Agency created the actual Internet. The thing is, it was meant to be kept as a private government network so that, in the event that all other communications failed, they would have a means of contacting each other through some secret network known as the Internet. They never really incorporated many security protocols into the fundamental architecture because it was meant to be private and not a tool of mass commerce like it’s being used for today.


You may use or reference this story with attribution and a link to
http://www.govtech.com/security/Ex-Hacker-Mafiaboy-Discusses-Local-Government-Web-Security-.html


Comments

OMFGSTUPID | Commented February 1, 2012

Welp, you lost my attention right here: "Stripped kernel means that when you press power on the computer and it initializes your operating system, it won’t start the default kernel. By default, the kernel will run plenty of services the government site might not even use yet they might fall victim to an exploit for a service running from the default kernel." It is clear this person has no clue how the Linux/Unix operating systems work. The kernel does not load software such as email daemons; it loads kernel modules (drivers). Granted, a stripped kernel should be used to eliminate possibilities of hacks using bad kernel modules. I think what mafiaboy was really meaning to say is run stripped down operating systems, pull out all unnecessary software, don't load unnecessary kernel modules, and don't allow anything to run on the machine that is not needed. Once again, email daemons do not live in the kernel, and he has skillz? Palease...

Really? | Commented February 2, 2012

So you're saying because he was talking to an evident layman, he should go into massive amounts of detail? You know what he meant. Those that don't know what he meant should get the help of those who do know. I agree, it wasn't as clearly defined as I'd like to see, but c'mon dude. I know tons of people who don't know what a kernel even is, much less what a kernel module or daemon is... telling them that would be even more confusing.

Richard CISSP | Commented February 19, 2012

Why are you getting so excited and trying to discredit this interview? Do you really think he had the time to break it down and explain exactly what he meant? If you have enough knowledge you should understand perfectly what he means. It's called being concise, maybe you have never done an interview before because you fail to realize interviews are for a broader audience and not just certified individuals. I know plenty of geniuses yet they fail at delivering messages and are horrendous at simplifying answers. The fact of reality is, his answers are spot on and pretty easy to understand. I'm sorry you think everything should be catered to you. Well done to the young man, I'm sure he has a great future ahead.

Philly Guy | Commented December 21, 2012

Fine and welcome voices of reason and common sense from "Really?" and "Richard CISSP." Too often in online comments, especially IT related, it seems that some are looking for any slightest nitpicking opportunity whatsoever to suggest the author, or in this case interviewee, is utterly stupid while making themselves look smarter. (I would personally suggest some serious introspection on this matter for those so inclined, as it often appears to be more of a psychological/moral issue than anything else.) And too seldom do you see the kind of common sense refutations and appeals to notions of contextual reasonableness and good faith which the other two commenters have offered here, so it's a rare treat, at least for me. I also enjoyed the interview and am very favorably impressed with Calce, not to mention concerned about the important topic his interview helped frame some important perspective on.
