Security Intelligence (IBM) blog: Space Rogue, A Security Rebel Turned Pen Tester

Last month, several former members of the hacker think tank L0pht Heavy Industries reunited on Capitol Hill to talk about the progress of cybersecurity regulation. It was a poignant moment, given that the group was last together there 20 years ago, giving testimony to a Senate committee. While the group didn’t meet with any actual representatives this time around, they still had a lot to say. A poorly recorded stream of last month’s event can be found here.


Both in 1998 and last month, the group used their hacker names on their nameplates, which was done originally because many of them feared prosecution. Now, not so much: their given names were openly discussed. And while they traded jokes with each other about the progress of time, particularly with respect to relative hair length, there was a serious reason for the reunion. Back in 1998, they warned that computer networks were embarrassingly insecure and bragged that any one of them could take the entire Internet down in a few minutes, thanks to weaknesses in the core BGP routing protocols. In this week’s testimony, four of the group returned to say that while technology has improved, some things haven’t changed. The same BGP flaws were used in the MEWkit attack earlier this month. Joe Grand (Kingpin) said, “Nearly all of what we said 20 years ago still holds true. Yes, there have been improvements, but the general class of problems are the same.”

One of the group is Cris Thomas, a.k.a. Space Rogue, who for the past year has been working for IBM’s X-Force Red team. At the event last month, he said that “we have better visibility into our network endpoints, if we choose to gather it, and can make educated decisions about where to apply our limited resources... Strong encryption is more prevalent, but we aren’t evenly applying the knowledge of how to make something secure.”

Thomas has been to the Hill frequently in the intervening years, mostly to brief Congressional staffers about technology and security issues. I spoke to him after the event to get more of his perspective. “Staffers influence the elected representative, so they help to make sure that the basic tech knowledge is available to them. I want the representatives to have this knowledge, because then they will make the right decisions. That is regardless of whether they agree with my point of view or not.” Last year, he escorted two Congressmen around the Defcon show floor, which was an interesting experience for all of them. Thomas and I also spoke about the recent hearings with Mark Zuckerberg: “clearly there is an obvious knowledge gap with our elected officials, but they have to be experts in almost everything, so it isn’t fair to expect them to be knowledgeable in tech.”


Thomas recalled that there are others who were involved in the original L0pht activities besides the seven that originally came to the Hill: “There were many people in the Boston area that worked with us, came to our events, and contributed to our hacker space.” Once L0pht was acquired by @Stake, “we went out and hired all of our friends to come work with us.”


Twenty years ago, did he imagine that he would be working at IBM? “Even two years ago, I never thought I would.” At that time, he was happily working with Tenable, the folks behind the Nessus scanner and other security tools. “But Steve Ocepek was the best manager that I have ever worked with, and when he asked me to come work for him at IBM, I took it seriously.” Since being at IBM, he has worked on improving the Red portal, which customers use to retrieve reports and schedule work for the team, as well as on another project to expand the team’s internship program. “There are not a lot of opportunities for offensive security positions at the college level, so we are ramping that up. That helps feed our employee pipeline, too.” Part of this effort is working with the Collegiate Penetration Testing Competition, a contest for college students to hone their skills.


IBM’s X-Force Red team is a very unusual effort, involving over a hundred active analysts who are hired to probe customers’ networks for vulnerabilities. It is probably the largest such group, and its members think of themselves as the best-funded security startup in the world. “While there are many great niche players, there aren’t a lot of companies that play in IBM’s space that do offensive security on the scale that we do,” he told me.


The X-Force Red team covers all parts of an offensive program. “We just don’t do vulnerability assessment, which is what most folks think of when it comes to offensive security. We use both automated and manual tools, along with code review and physical security testing too.” In other words, they do what the hackers do. Physical security is perhaps the sexiest: a team member tries to enter a company’s premises (after being hired by them, of course) and hack the network from the inside. He mentioned that recently a group of IBMers had tailgated their way into a customer’s office building, carrying a box of donuts along with their laptops and testing gear. They found an unoccupied conference room and placed the donuts on a table outside, along with a sign saying that they were doing network testing and would be there all week, so have a donut on us. “They were there all week, unchallenged, and were able to penetrate the network from the inside.”


On average, when they begin an engagement, members of the team quickly find a vulnerability, usually within a day or so. “We have never been to a client where we haven’t gotten into their network and found something serious. While it is depressing to think that holes are everywhere, it is a positive thing because we help our customers find and patch these holes and better secure their environments.” Thomas points out that hiring a Red team shouldn’t be an adversarial process, and X-Force Red strives to make it a cooperative one with the client.
