[ISN] Hackers Join Homeland Security Effort

[InfoSec News]

http://www.washingtonpost.com/wp-dyn/articles/A20226-2004Sep14.html

By Adam Tanner
Reuters
Sept 14, 2004

IDAHO FALLS, Idaho -- Jason Larsen types in a few lines of computer
code to hack into the controls of a nearby chemical plant. Then he
finds an online video camera inside and confirms that he has pumped up
a pressure value.

"It's the challenge. It's you finding the flaws," he said when asked
about his motivation. "It's you against the defenders. It comes from a
deep-seeded need to find out how things work."

Larsen, 31, who wears his hair long and has braces on his teeth, is a
computer hacker with a twist. His goal is not to wreak havoc, but to
boost security for America's pipelines, railroads, utilities and other
infrastructure, part of a project backed by the Idaho National
Engineering and Environmental Laboratory.

Sponsored by the U.S. Department of Energy, the Idaho lab last month
launched a new cyber security center where expert hackers such as
Larsen test computing vulnerabilities. Spread across 890 square miles
in a remote area of eastern Idaho, INEEL gives experts access to an
entire isolated infrastructure such as the one Larsen hacked into.

"I don't think people have an understanding of what could be the
impact of cyber attacks," Paul Kearns, director of INEEL, told
Reuters. "They don't understand the threat."

In recent months, U.S. security officials have warned that the nation
is not prepared against cyber terrorism.

"I am confident that there is no system connected to the Internet,
either by modem or fixed connection, that can't be hacked into," said
Laurin Dodd, who oversees INEEL's national security programs.

He added that only a computing system totally isolated from the
outside, such as that used by the Central Intelligence Agency, would
be immune to hacking.

Another problem is that many once-isolated systems used to run
railroads, pipelines and utilities are now also accessible via the
Internet and thus susceptible to sabotage.

"More and more of these things are being connected to the Internet, so
they can be monitored at corporate headquarters," said Dodd, INEEL's
associate lab director. "It is generally accepted that the August
blackout last year could have been caused by that kind of activity."

"Most people think risk in this area is not going to result in
thousands of deaths," he continued. "If somebody could wreak havoc in
the financial system by getting into computers and as a result people
lost confidence in the financial system, that could be pretty
consequential."

Added lab director Kearns: "That's what al Qaeda is all about."


PUZZLING OUT THE CODE

Steve Schaeffer in INEEL's cyber security lab was recently asked to
decode a General Electric designed system.

"My test was to subvert that guy's system in some manner," he said.  
"It only took about two months before we had enough information to
affect the protocol to affect operations."

"If they can dial into the system, guess what, so can I."

Lab officials emphasize that such hacking occurs within INEEL's own
facilities rather than at real-life entities outside. The Swiss
engineering group ABB recently signed an agreement to become INEEL's
first cybersecurity customer to test their actual vulnerabilities.

INEEL officials tell of a recent visit by an Idaho utility executive
who declared his system had no problems. By the end of their
demonstration, the shaken executive was asking for a comprehensive
review of his firm.

In another incident, INEEL's Larsen entered a U.S. agency in
Washington D.C. and hacked into its computer system with a simple
hand-held computing device, much to the surprise of officials there, a
lab official said. Larsen declined to discuss the episode.

When it comes to Larsen's background, there is a fair amount that he
and his superiors prefer not to discuss. To gain the skills he has,
one must have experience in the nebulous world of hacking.

"This is one of the few places where it is legal to give people those
kind of challenges," said Robert Hoffman, head of INEEL cyber security
who hired Larsen. He said he was impressed that Larsen had written his
first computer code at age 13.

"I learned my hacking back when it was a cool thing," said Larsen as
he spoke of computing in the pre-Internet days. He wore a black T
shirt with the inscription "Stop laughing, computers are cool now."

INEEL officials say the lab would not hire anyone who had committed
criminal acts and added they must obtain security clearances. "How do
you know that your wife is not going to clean our your bank account?"  
Schaeffer said. "You just trust people and you do background checks."

The Idaho cyber security effort is part of the Department of Homeland
Security's efforts to boost defenses against possible attacks of all
kinds. INEEL seeks a delicate balance between encouraging key parts of
the U.S. economy to boost their cyber security without inspiring any
nefarious acts.

"What you don't want to do is increase the threat by advertising what
you can do. I think dirty bombs is one example," INEEL's national
security head Dodd said.