Public safety can benefit when bad hackers go good
Leading computer security firm McAfee recently released a report on the hacking allegedly originating in China of corporations and government organizations. Targets included corporate networks, the International Olympic Committee, the U.N. secretariat, a U.S. Energy Department lab and a dozen U.S. defense firms. The report, “Revealed: Operation Shady RAT,” is an investigation of targeted intrusions during the last five years.
Cyber attacks are real. And it’s not major U.S. targets that are vulnerable. Small- and medium-sized first-responder agencies are as well. Last weekend, the Cape Girardeau (Mo.) County Sheriff’s Department found itself among the more than 70 law-enforcement agencies that were cyber-attacked by an infamous global group of hackers known as Anonymous. The group stole massive amounts of confidential information, according to reports.
To learn more about the threat of cyber attacks on government agencies, I spoke with Gregory Evans, who claims that the FBI put him on their Top 10 list for computer hackers in 1996 after hacking into law-firm and phone-company records, such as AT&T’s.
Evans is a mercurial figure in the world of cybersecurity. Since going legit, he has been used as a source by numerous respected news organizations, including CNN, the New York Daily News, Bloomberg News and United Press International. His firm claimed it was the cybersecurity consultant for the Atlanta Hawks and Atlanta Thrashers*. But he also has been accused by the hacker community of allegedly plagiarizing material that appears in several books that he has authored.
Evans is the founder of LIGATT Security, which offers hackers-for-hire to discover weaknesses in computer networks. Cyber attacks are a huge threat “to the world,” he said, pointing to a Symantec report that claimed such crime has surpassed drug trafficking as a criminal money-maker. For example, in April, Rogelio Hackett Jr. of Lithonia, Ga., pleaded guilty to having made more than $36 million in fraudulent charges on stolen credit cards via hacking major retail outlets.
Evans knows all about hacking high-profile targets. When he got “in trouble for hacking,” he had hacked AT&T and MCI/Sprint, hitting them up for more than $1 million a week. “They never knew because, the bigger the company, the easier it is to hide inside their networks,” Evans said.
Most domestic hackers target companies, while rouge countries focus their efforts on national security by targeting public facilities — from transit systems to the smart grid. We don’t hear much about it, though, “because the government isn’t reporting it is because they don’t want the mass media to turn around and say we aren’t safe,” Evans said.
Indeed, there are numerous liabilities. From air-traffic control to transportation systems, hackers can hide in networks and practice their mischief in simple ways, like changing street lights from red to green or manipulation digital road sign to read “Zombies Ahead,” because governments are running programs over unsecured or vulnerable wireless networks, Evans said.
However, those groups who attack U.S. government networks more likely are from foreign nations, as domestic hackers do it mostly for fun or money, Evans said. And the attacks can be sophisticated. He used as an example the alleged U.S.- and Israeli-built Stuxnet computer virus, a sophisticated cyber attack that shut down an Iranian nuclear facility’s entire network and now is known as a super weapon.
“What’s stopping someone from doing that to us,” Evans warned, specifically mentioning China’s attacks on U.S. targets as well as on Google in December 2009 — which allegedly was done by Chinese high-school students.
One way to fight the cyber war is to hire real hackers to look into public-safety networks to determine vulnerabilities. Evans said instead of throwing hackers in jail, the U.S. should recruit them to ensure networks are secured from foreign attacks — especially in light of the smart-grid evolution and the potential for a public-safety broadband network. An IT administrator can’t do the job, he said.
“The government needs to give hackers jobs instead of having them working in the kitchen,” Evans said. “We need to give them a laptop and monitor them and have them try to hack into our transportation and energy facilities. We need to tap into that great talent.”
My conversation with Evans was a bit unnerving. In the government’s defense, agents are recruiting at hacker events like the DEF CON conference, where kids learn to hack. But should the threat of cyber war be an issue that should be addressed before we build out a nationwide public-safety network? If we put all our eggs into that basket, does it leave us open to an attack that potentially could shut down emergency communications for police, fire and federal first-responder agencies? It’s a scary thought. But it is a real threat.
What do you think? Tell us in the comment box below.
*Updated 8/23/2010
Editor’s note: According to Tracy White, senior vice president of sales and marketing, and chief sales officer for the Hawks and the Thrashers: “In 2009, we entered into a marketing partnership agreement with Liggatt Security. Part of the agreement called for Liggatt to provide services to our IT department. Shortly after the agreement was signed, we mutually agreed to dissolve the agreement and as a result, Liggatt Security never actually provided any services to our IT department.”
