[ISN] Think like a hacker

InfoSec News isn at c4i.org
Fri Jan 14 03:15:05 EST 2005


By Deb Radcliff 
Network Life, 01/09/05 

Last week, I interviewed a hacker named Geoff Shivley, whose
experiences remind me of the hackers I encountered while researching
the infamous hacker Kevin Mitnick for a best-selling book. Like other
hackers I know, Shivley started young, in middle school. And he began
with phones payphones, specifically--which he switched on and off and
made ring with musical tones to impress his friends. This, ahem,
skill, is called "phreaking."

And like the others, he didn't stop there. Soon, Shivley was hacking
everything electronic. In his southern California school, one of his
favorite tricks was to leave class during silent reading, hack the
vending machines, and return with a backpack full of sodas for the

By 1995, Shivley moved on to computers. He bought books on Unix,
Visual Basic and cryptography; he read 2600, a hacker quarterly
published by Emmanuel Goldstein, one of the FBI.s most watched
hackers. And Shivley started writing code. His goal: To unleash a new
AOL hack different than AOHELL, FATE and others that wreaked havoc on
the online service back in the mid-90.s. He started a hacking group
called AOA, for America On Acid, and passed around his evil code,
which could change home pages and kick people off Web sites. Shivley.s
code was ultimately used by hundreds of hackers in a 1996 three-day
riot against the entire AOL community dubbed the "Valentine's Day

"I was young, 13. I thought it was a game," says Shivley, now 22. "I
didn.t realize the impact of what I was doing and hadn.t realized how
powerful computers actually were..

That same year Shivley hacked his way into a Unix box at a Fortune 100
electronics manufacturer in Texas. He changed a master password and
issued a "kill" command. That.s when he realized the server he.d shut
down was the network entry point for the company.s hundreds of
telecommuters, who he.d just locked out from doing any work. Because
he changed the master password, it took the company three days to get
the system back up and running.

That.s when Shivley realized what he was doing was illegal. And, with
the law cracking down on hackers like Mitnick and Kevin Poulsen, he
began to worry that federal agents would come after him, too.

"I started getting really scared," he says. "I realized that computers
can cause a lot of damage."

At that time, Shivley also spotted an odd, off-white van parked
outside his house for three weeks. His phones started acting
strangely, with the telltale clicking and phantom rings indicative of
a wiretap. He and his friends spotted federal agent-types tracking
them as they went to and from the Balboa, Calif., chapter of the
hacking group Blacklisted 411, a hacking group that made 2600 look
like milk toast.

"I was freaking out," Shivley tells me in a phone interview from his
hotel in Maui, where he was waiting for the waves to calm so he could
surf. "I started imagining myself being pulled from my bed and placed
under arrest."

That.s when Shivley dismantled his computer, tossed his hard drive and
RAM into the bay and gave away his disks and manuals.and started
helping people instead.

At 15, he became the go-to-kid for his entire neighborhood. Before
long, he was doing consulting work as a computer administrator for a
large Internet backbone provider. After school, he.d take the train up
to Wilshire Blvd. in Santa Monica, putting in late-night hours just
blocks away from the Federal Building where agents were putting
together a case against Mitnick, finally in custody.

At 16, Shivley started streamlining the company.s Linux, Windows,
Cisco and Nortel equipment. He.d work late nights hardening the
systems by changing insecure configurations, and removing unneeded
shells (code groups) and low-level DNS (Domain Name Service), closing
ports, removing unneeded administrative functions and recompiling the
kernel to tighten and streamline his Linux systems.

"Whenever a new virus or worm came out, my machines didn.t get hit.  
But others did. And everyone wanted to know why. At first, I couldn.t
figure it out. But then it dawned on me. I thought I was just doing
good system administration. Then I realized I was doing security,. he

In 1999, with the help of his businessman father, Shivley started PivX
(www.PivX.com), a company that patched vulnerabilities in Windows
systems on a consulting basis. With funding from friends and family,
in 2002, PivX developed its first product. After a year in beta
testing at Boeing, Edison, Hundai and others, PivX released Qwik-Fix
Pro, which makes temporary changes to the Windows operating system to
plug the holes that let in malicious code. For example, by locking
down the local zones, it closes innumerable command execution
vulnerabilities targeting Internet Explorer. And by closing the RPC
DCOM vulnerability, it locks out hundreds of worm variants that
exploit RPC DCOM, a standard feature in Windows operating systems.

PivX had $2 million in revenues in 2004 and has a 45-member staff made
up of some of the brightest hacker minds in the world. Not bad for a
surfer who carries a skateboard around on his back. Qwik-Fix Pro has
been nominated by SC Magazine for best network security and best
intrusion solutions.

But it's the $49 home version that.s got me most excited. I installed
in on my Windows XP machine three weeks ago and I can.t even tell it.s
there. Which is exactly what.s needed for home network users who can.t
understand the difference between a virus and a worm, why they should
close vulnerable ports on their computers, or why unpatched browsers
can let in viruses, worms, spammers and identity thieves.

PivX makes me wonder whether I still need the half-dozen security
programs bogging down my system. Maybe I don.t have to keep all those
signature files for spyware, Trojans, viruses and worms. After all,
there are hundreds, sometimes thousands of variants hitting a single

"All you need to do is change a single byte in the attack code and the
anti-virus vendors have to create another attack signature to protect
against it,. Shivley says. .Some security programs can eat up 20
percent of your processing power this way."

In contrast, closing vulnerabilities takes zero processing power
because all it does is patch holes. And there.s no need for signature
updates and software downloads. When a new vulnerability is
discovered, it quietly patches that, too.

I'm not ready to toss my traditional security yet. But I.m thinking,
maybe, just maybe, there can be a simple answer to this security mess
we've gotten ourselves into.

More information about the ISN mailing list