Deceptive Duo Preys On Poor Security Practices
But some say their hacks may not get the attention they're hoping for
Most cyberattacks could be avoided if companies paid closer attention to IT security and learned from past mistakes. That's the message conveyed by Gartner research director Richard Mogull in a security report published last week that quickly got the attention of two hackers who call themselves the Deceptive Duo. The pair, who've spent the past two weeks breaking into government and other critical infrastructure networks and defacing Web sites in the name of "national security," promptly set about defacing a Gartner Web site maintained by an Australian hosting company.
Targets of the duo have included servers from Sandia National Laboratories, the U.S. Geological Survey, and Bottom Line Technology. The hackers generally exploit known vulnerabilities and administrative mistakes to get into the networks. Such attacks would be harder if organizations maintained better security policies and procedures, but that doesn't seem to be happening: The Gartner report predicts that about 90% of cyberattacks through 2005 will continue to exploit security flaws for which fixes or preventative measures exist.
Security professionals agree that the problem is widespread, even if they don't like the tactics the Dynamic Duo uses to call attention to the issue. "This is illegal and these guys should be thrown in jail, but it does show a kind of malaise out there when it comes to security," says one security professional at a large financial-services company who asked not to be identified for fear of becoming their next target.
Earlier last week, the pair hacked into a server at the U.S. Geological Survey, posting a screen shot from a USGS database that included employee names and passport numbers. A spokesman says the employee data had previously been stored on a protected system, which was then reassigned as an unsecured print server, but that the employee information was never cleaned off the hard drive. The Gartner report cited poor security governance as one reason organizations are vulnerable to cyberattacks.
The pair also defaced a number of regional banks' public Web sites, which primarily included marketing materials. They apparently used a remote-management tool to gain access to a Microsoft Internet Information Services server run by ibanks.org, which hosts the banks' Web sites, says Robert Alsbury, owner of Bottom Line Technology and co-founder of iBanks Inc. In addition to the defacement, the pair got their hands on a small data file holding the names and Social Security and checking-account numbers of 18 people who participated in a trial Web-payment system that ibanks.org was floating.
William Crowell, president and CEO of security firm Cylink Corp. and former deputy director of the National Security Agency, says such actions may not have the effect the hackers say they want. "Yes, it does increase the awareness of certain net admins and CIOs," he says, "but I don't think it's getting the attention of CEOs and boards, who are focused on business performance and revenue production."