Bill Hancock and the Exodus Internet Posse
In 1850, Alan Pinkerton resigned from the Chicago police force to found a private detective agency, a police force for hire, whose quarry included Robert LeRoy Parker and Harry Longabaugh---also known as Butch Cassidy and the Sundance Kid. One hundred fifty years later, another posse-for-hire is pursuing a different kind of bad guy, one who doesn't hold up banks, but stalks cyberspace. The posse is called the Cyber Attack Tiger Team
- Exodus traces the term "tiger team" to Burma, where it referred to people who hunted a tiger that had been menacing a village. The term also refers to a group hired to test security facilities by trying to breach them. While CATT does not pre-test a facility for vulnerability, it does respond quickly when security is breached.)
Based in Santa Clara, California, Exodus is best known as a web hosting service, whose massive data centers house row upon row of web servers. Over the past few years, Exodus has added complimentary services for its customers, of which security was an obvious addition. Obvious, because attacks are on the rise. Researchers at the University of California, San Diego, say that some 4,000 denial-of-service attacks take place each week. One recent victim was the Computer Emergency Response Team (CERT) Coordination Center-a major clearinghouse for tracking viruses. (An interview with CERT's Incident Response Team appeared in the August 2000 Pacific Connection.) Attrition.
Security problems are mounting on the Internet because one need no longer be a programming genius, or a programmer, to wreak havoc, because a rich assortment of tools is available on the Web, free of charge. Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, says that despite new products, technologies and research, the situation has gotten much worse. He maintains that the Internet is too complex to secure. What you need is old fashion vigilance of the type that Pinkerton would still recognize. "One of the problems with the Internet is that we are living in a society of warlords," Schneier told The New Yorker magazine. "If laws matter in America, maybe they don't in Amsterdam or North Korea or Belgrade. We have been doing security for 2000 years, and the best stuff we have come up with is alarms and guards."
And so Schneier's company, Counterpane Internet Security, has developed an intrusion detection solution that is used by CATT. In other words, Counterpane is supplying an alarm, while Exodus is providing the guards. Members of Exodus's Internet posse have worked for the FBI and the U.
Overseeing the effort is Bill Hancock, Exodus senior vice president of security and chief security officer. He began his career in 1974 as a Naval cryptographer for the National Security Agency. In 1979, he moved to the private sector where he has designed and re-engineered more than 4000 networks on behalf of clients like NASA (the U.
When Hancock learned this story would appear in Japan, he began speaking in rapid-fire Japanese, a language he learned, along with Japanese martial arts, growing up in Osaka with his Navy family. He has since returned to Japan, as he puts it, "many, many, many times."
You began working for the U.
S. government, as did many of your staff. Can you actually get more accomplished in private enterprise?
You can. The laws of any specific country usually restrict what you are allowed to do outside the borders of that country. For instance, we have folks that work for us that are former FBI and Secret Service people. They were limited by U.
How much of computer crime is international?
A great deal of it. Very serious hackers usually come from outside the United States. You get a lot of scriptkiddies and people like that in the U.
How much of it is in Asia?
Funny you should ask. This week [in early May] the predominance of it is coming from Asia. There's a large-scale attack under way by the Hacker's Union of China and their confederates, who are attacking sites all over the United States. Right now there's at least a hundred of them that have been defaced, some totally destroyed
- In the first week of May 2001, more than 9,000 sites were defaced.
What about in Japan?
In Japan, most of the activity is from anti-government type groups. But the large threat within Japan is about to happen with new versions of browsers coming out, which can translate automatically from Kanji to English and English to Kanji. One of the things that prevents a Japanese website from being attacked right now is that most hackers speak English and can understand an English-speaking website---but they don't understand Kanji. When the browser changes and allows that to happen, then the target for opportunity changes as well.
Let's talk about your security team at Exodus. What are their backgrounds?
We get people with a great deal of expertise from a lot of different places---both government and commercial. We have people with very direct academic experience. We have people with government experience on the military side, and government experience on the law enforcement side. We have people that are from countries all over the world. We have folks with experience in the British military, in the Japanese police department, and Japanese defense, as well as from academia in Asian countries.
How scattered are they geographically?
We are located in eight countries. We have more than 40 data centers, with security people at all of them.
You employ a former prosecutor. Is that because you actually go after perpetrators in court?
That decision is made on a case-by-case basis. But if we are going to prosecute in court, there are very specific rules you must follow to collect and save evidence in order for your case to hold up. Having a former federal prosecutor on staff is extremely valuable. This particular prosecutor---Mitch Dembin---has a great deal of experience in cyber law and, in fact, helped author some of the laws. He worked for the Feds where he went after some of the more pre-eminent hackers, including Kevin Mitnik. Mitch gives us a great deal of guidance when we're going after an actual prosecution to ensure that we don't taint evidence or kill a trail of evidence that might be necessary for prosecution.
Have you ever considered hiring a reformed hacker?
Absolutely not. Never. Because customers are putting their total trust in us to keep them safe. You cannot possibly trust somebody who has been on the dark side of the law. So as a result of that we do not hire them. We do not hire them as consultants. We do not bring them in for any purpose whatsoever.
Realistically, what is the penalty for hacking?
In the United States, if you have over $5,000 of provable damage it becomes a felony. Once it's a felony, then there's all kinds of law that kicks in.
What has been the longest someone has stayed in jail for hacking?
There's a couple of people that have been in jail for eight and nine years. Mitnik was only in jail six years on the first offence, and then four the second time around.
What does the sentence depend on?
It's the damage. It's the effectiveness of the prosecution. It's the harm to any human beings that might have been involved. Most people that get prosecuted for computer hacking end up in a minimal security prison, if they do go to jail. The typical situation is one to two years. Those that have stayed longer are usually chronic cases that have had to go back more than once.
In the Philippines, the love letter virus never led to prosecution because the Philippines claimed there was no law prohibiting that. Was that an anomaly?
That's more normal that you think. A good example is that, in the United States until just two years ago, someone could legally steal your identity. It was only two years ago that a law was passed saying it is illegal for someone to perform identity theft. So even modern countries are still lacking in a lot of areas of cyber law to protect individuals and companies.
Are most crimes about vandalism or theft?
Eighty percent of the attacks we see are what I'd call "clogging attacks." There's nothing terribly damaging about them except you might get shut down for a little while. These attacks typically do not steal any services. The perpetrators run simple tools to accomplish the attack. I always tell people it's very much like a one-year-old clogging the toilet. All it requires is a plastic truck and a load of toilet paper. The after-effects can be rather devastating, especially if it overflows and you have to clean up the room and replace wallpaper. So even a very simple attack with a very simple tool can end up with a very large amount of damage under some conditions.
And the effects can be devastating to some companies if they are attacked long enough. One statistic on the Internet is that if you are shut down more than four days, you will never come back again. Almost every company that has been shut down more than four days never makes it back up as a company again.
Are you referring to dot.
Correct. Or even if the e-commerce component of a larger company were shut down, that component might die away.
Because the credibility of the company goes away?
Credibility goes away, the company cannot survive the public relations issues, and in some cases the attack results in lawsuits and revenue loss.
What about the other 20 percent of crimes that are thefts? Are people going after corporate information on an extranet, or are they typically going after credit card numbers?
There's a variety of motives. You'll find that credit card numbers are typically used by organized crime. They figure also that if you charge $10 on each credit card and have three million credit cards to choose from, the amount won't appear on the fraud detection software at the credit card companies. You can make yourself an enormous amount of money by not getting greedy. That's one example.
The other ones are typically industrial spies going after specific competitive information on behalf of clients.
The latter would seem to be a growth industry as internal nets and extranets merge.
Theft of credit cards is a good example of why encryption between client and server won't solve all the problems.
That's very true. Credit card theft is a good example of what happens when back-end systems are not properly secured.
Are you personally concerned when using an e-commerce site?
Absolutely. I'm very careful about who I do business with. I usually do business only with very large companies where I'm familiar with their security.
Is there any branding that's going on? Will Exodus brands sites as secure by Exodus?
We just started with a new technology that Exodus has developed, called WebSec, that will provide customers and website operators a level of assurance that their site is secure, while offering an insurance policy with a given insurance broker.
You've re-engineered some 4,000 corporate systems. What do corporate nets do wrong?
Almost without exception, the problem with most networks is that they start out small and grow ad hoc. As a result, the network is not well planned, doesn't have strategic value, and ends up becoming a piecemeal conglomeration of networking components. Those types of networks eventually have to be re-engineered from the bottom up because they are not designed well for performance or reliability.
What are the smart dot.
coms doing right?
In terms of security, they understand the need for customer privacy and back-end security, as well as the need provide a level of assurance to the customers. That means that the customer can have a safe computing experience knowing that their personal information is being properly safeguarded.
You talk about the importance of providing an emergency response. What does that mean?
It's like having the fire department nearby, just in case. We operate what's called an instant response team-we call it the Cyber Attack Tiger Team. The purpose is very simple: respond to the fire. If there's a major problem with a server, or a hacker breaches a site, the Cyber Attack Tiger Team jumps into action and basically puts out the fire.
That's the analogy. How does it actually work in terms of what you actually do?
We have about 45 practitioners that are highly experienced response people, many with a law enforcement background. If you have a contract with us, we will put intrusion detection equipment on your site and put intrusion detection software on specific servers, depending on what service you purchase. All that technology then will let us know when something weird is going on, enabling us to jump on it with the proper expertise, usually before you know anything is going on.
I picture guys with pagers available at any time.
There's guys with pagers, and there's also people on staff. Every one of our data centers has at least two security people that are there 24x7 [24 hours, seven days a week] to help deal with instant response.
Why did you decide to sell your company to Exodus?
As a smaller company, we'd gone just about as far as we could. We had a very good reputation, many large customers, and very good market penetration. But we needed infrastructure to take the next jump in security, providing outsourcing services and other things you'd normally want to provide in that end of the business. Exodus has more than 40 data centers worth of infrastructure, which provides us an enormous amount of growth potential.
How is it that you learned to speak Japanese?
I spent nine years in Japan when I was a child. My father was in the Navy. I was in Osaka. Then I started practicing Japanese-based martial arts when I was four years old, and I've been back to Japan many, many, many times since then.
You've authored 29 books on security. Is there that much to say?
The last book was 704 pages, so I think so. The books focus on different technologies, different topics, different subjects. The most recent is a kind of college textbook on everything you ever wanted to know about networking but were afraid to ask.
Where is security headed? What are the broader trends?
One of the most important trends is that public key infrastructure [PKI] is going to be a big, big deal starting the end of this year. Think of public key infrastructure as comparable to networking. Networking encompasses this enormous range of technologies and capabilities. PKI is very much that way for security. PKI will encompass digital signatures, certificates to authenticate people, single sign-on capabilities-all done with strong authentication and encryption capability.
Has the problem up to now been a lack of standards?
It has been a couple of things. There's been a total lack of standards, and there still are only about three. The second problem has been adoption of security as a valid business model for companies to operate within. A lot of people don't think they need it; they don't see the value in it until something bad happens. Then you find out very quickly what, as Mitch, our prosecuting friend, likes to say: five frivolous lawsuits will pay for all of your security.
The other thing is that most management has gone from being totally unenlightened about security to understanding it, especially as some horrible things have happened to some very high-profile managers. A good example was when the son of the CEO of Adobe was kidnapped in Kazakhstan about two years ago. That just emphasizes the problem of personal security. We have situations where identity theft has happened, where Bill Gates' credit card number has been stolen. When you start getting a lot of that stuff, a lot of CEOs and COOs start asking what should we be doing to go back and protect ourselves.
Simultaneously, countries have been issuing laws around privacy and the control of information about users. When you add all that up, that also contributes to the awareness and the need to implement security.
Does public key encryption also stand to launch a new business sector
There's no question about it. There's a company right now that's working on a really interesting technology that implements strong authentication at the BIOS level on a PC. That would not be possible without something called a device authority that can authenticate the device when it traverses a firewall. So just that one basic concept introduces a whole new set of technologies to go back and back it up.
Is the whole idea of authentication of signatures also a Pandora's box in that it opens the door to more forgeries?
Yes, but if it's strong authentication, you'd have to do it in a cryptographically sound way, which is not trivial. By having a device authority with a cryptographically sound methodology, there's no way for that to go back and be spooked.
I never understood the US. law that said digital signatures were legal-but didn't define a legal digital signature.
The law just opens the door. It simply says that digital signatures are legal without trying to describe the technology. However, in the United States we have the Healthcare Practices Act, which among other things defines what a signature actually looks like. A lot of the healthcare and insurance companies have been implementing that particular version of a digital signature and have asked for various standards organizations to endorse it as the main digital signature standard: so we don't end up with 12 different signature servers out there.
When I was over in Japan three weeks ago, they had just adopted a new law making digital signatures legal in Japan. It's very close to our law. It does not describe what a signature is other than it is a legal way to transfer information.
Anything else you'd say to Software Design programmers?
For a programmer in Japan, it is very critical for you to learn about how to do security programming to insure that your website doesn't get broken into. The number one way to crack a website is to exploit poor or weak code. The number one way programmers can protect their company and their site is to understand security programming techniques. The firewall is not the answer. With firewalls, even if you block everything off, you still have to open up Port 80 to get to the website. If you have poor code when you arrive, then the firewall will not stop an attacker from killing the website. The only thing that stops the attacker is good programming practice, and that requires knowledge.
If good programming practice is not a firewall and not an algorithm, is it a set of guidelines?
It's a set of guidelines, a methodology in which you use certain programming techniques with certain languages to insure that you don't leave a hole open. A good example is CGI scripts. There are certain things that you might program in a CGI script that would actually allow you to execute commands directly through the scripting engine, as opposed to the scripting engine being locked down. Thus, the way that you program something within CGI scripting could have a dramatic effect on whether a server is open or not.
Would you say that for most people the way to get these skills is a matter of reading books, going to courses?
Reading books and just downloading things off the Internet. There's over 400,000 pages of hacker information available from the Internet today. Three years ago there was only about 10,000 pages.
So the information for the bad guys should be read by the good guys?
Yes, and the information for the bad guys is readily available.