The Next Wave: Wireless Hackers
By C.J. Kennedy, Tue May 08 00:00:00 GMT 2001

With today?s inexpensive yet sophisticated mobile devices accessing corporate intranets, many hackers see a golden opportunity: Mobile devices = disposable lock picks.


Looking for some extra pocket money? Why not steal the secret formula to Viagra from Pfizer? The steps are easy:

1: Visit the Russian Password Crackers website at Password-Crackers.com. At the top of the list of hacking programs is LOphtCrack+2.521, a Windows 2000 password cracker and free download.

2: Download LOphtCrack+2.521 to your PC.

3: You’re on your way. But plan to be a little smarter than the average hacker. After you get their password using your PC, dial in to Pfizer with your Pocket PC. Then you can throw it away in a corner garbage can at the corner of 57th and Madison. Bingo - you’re untraceable.

This scenario sounds like something from a movie, but in today’s cyber-security world it’s reality. “Using wireless devices to break into systems is the next evolutionary stage in hacking,” says Narender Mangalem, Director of Security Strategy at VIGILANTe, whose SecureScan web-based assessment service uses 15 different tools to verify a site’s defenses for both B2B and B2C commerce.

Mangalem added, “It is definitely a problem. These devices are being used for defacement, to steal identities or data, and for the staging point of the attack. This is multi-level. Especially in Europe where the wireless infrastructure is more sophisticated.”

Imperfect defense


It’s too early to get solid numbers about the growth of wireless hacking, but hacking itself is on the rise. The 2001 FBI/Computer Security Institute Computer Crime and Security Survey reported that 40% of their 538 responding corporations had detected systems penetration (up from 25% in 2000) and 38% had detected denial of service attacks (up from 27% in 2000). In the same study 85 percent of IT staff at corporations and government agencies had detected some form of computer security breach in the past 12 months, and 64 percent acknowledged financial losses as a result.

As I write this, hackers from China and the U.S. are engaged in a “hacking war”; breaking into each other’s government sites at will. Patrice Rapalus, director of the Computer Securities Institute, says, “There are new and different attacks coming everyday. But a lot of organizations are not funding adequate defenses. They feel [purchasing cyber security] is like funding earthquake insurance in California. You know it is going to happen, but the companies are assessing if cyber security is worth paying for.”

One company that is spending the money for computer security is Pfizer. Their security assessor, Predictive Systems, is a 6 year old network infrastructure consulting firm made up of ex-information security officers, ex-network administrators, and ex-software writers who now make their livings as professional hackers. In addition to Pfizer, Predictive Systems clients include Bear Sterns and J.P. Morgan Chase. Ed Skoudis, Vice President of Security Strategy for Predictive Systems says, “We are called in for 2-3 significant security breaches a month.” Upon being notified of a cyber security problem, Predictive Systems deploys their crack R.E.A.C.T. team (Rapid Emergency Action Crisis Team), a crew of techies who can be dispatched to any point on the globe within 24 hours.

“Hypothetically,” says Ed Skoudis. “If someone did break into the Pfizer system we’d first analyze the server logs for machines getting on their system. Many companies don’t use a logging server, and then we can’t catch them. If you use a stolen account to log in, or it is a free account or anonymous account, it’s going to be hard to trace. Wireless devices add another dimension difficulty. In many of those cases we’d have to turn it over to traditional law enforcement.”

So wireless hacking is the perfect crime. Except, in the U.S., law enforcement means the FBI. And President Bush’s 2002 budget has given the FBI $3.5 billion, an 8 percent increase over 2001, which the budget states is "primarily to combat terrorism and cybercrime through a combination of additional personnel and the development and deployment of new technical capabilities."

A press spokesperson for the FBI hotline explained the penalties of hacking included up to ten years for the first offense and up to twenty years for the second, under title 18 section 1030(a)5A of the U.S. code. Untraceable? Maybe. But rent “The Untouchables” to see what you’ll be up against.

Hacking into wireless


Wireless devices themselves are vulnerable to hacking. Chris Wysopal, director of R&D at @stake, the cyber security company that bought LOpht, a notorious hacking gang, says, “In our lab we are constantly looking for vulnerabilities, and looking for ways to mitigate those vulnerabilities. We recently met with a member of the National Security Council to discuss the security issues of handheld devices that have infrared ports on all the time, like Palm Pilots. Members of the council were walking around with secrets in their handhelds. It is too risky in public. We showed him how someone could walk up and in a few seconds steal a password, even if the system was locked, and get data from the device.”

Stealing data isn’t the limits of cyber crimes that can be perpetrated by and on wireless devices. Bob Hansmann, Enterprise Product Manager at Trend Micro says, “We are looking at viruses that have been used for many years to create back doors, once in systems.” Trend Micro developed the antidote for the “I-Love-You” bug that overwhelmed corporate systems like Ford and IBM in 2000. Currently they are working with wireless infrastructure providers like Sprint, NTT DoCoMo, and British Telecom to scan for viruses being sent over email.

TrendMicro has already detected a dozen Palm viruses, half of a dozen EPOC (the smartphone operating system designed by Symbian) viruses, and another half dozen uses of a wireless device as a virus transmission mechanisms. Bob Hansmann says, ”In Japan someone created the 911 virus on a NTT DoCoMo web site. Messages were sent to cell phones, saying, “Here’s a hot link.” At the web page the mobile phone would download a script to call 911.”

Is anything safe anymore?


What is driving hackers to try every means to break into systems, including using wireless devices? Mangalem of VIGILANTe says, "The hacking trend has turned more sinister. First you had teenage kids defacing Web sites. But now hackers are interested in stealing money, identity theft, and creating credit card fraud."

Even in this economic slowdown financial transactions over the Internet are growing at an incredible rate. According to Forrester Research, all B2B revenues in 1999 totaled $43 billion, and are expected to reach $1.3 trillion by 2003, more than doubling each year. As for B2C transactions, primarily consumers using the Web to make purchases using credit cards, Forrester Research reported revenues of $8 billion in 1999, with projected growth of $108 billion by 2003. It is no wonder that cyber crime is on the rise.

Is anything safe? The good news is that at the current time wireless devices capabilities are too small to run password-cracking programs themselves - the more powerful code breakers use gigabytes worth of memory. “Writing small hacking programs is a lost art,” says Bob Hanson of TrendMicro. “The first PC’s had less memory than some handheld devices today. But when the memory of mobile devices grows, so will the problems. Functionality and popularity equals vulnerability.”

The other positive news is that wireless carriers limit the individuals on a system. Specifically, this means it is difficult for hackers living in Russia to get on an American wireless network. John Vranesevich, the founder of the seminal hacker website Antionline.com, and the "Sherlock Holmes of the Internet,” says, “Wireless devices may actually be considered safer because they limit the scope of who can use them.”

In January 2000, the FBI asked him for help when 300,000 credit card numbers from CD Universe were stolen and posted on the Web. Vranasevich continues, “Russian hackers are too overt, too organized. They are so out of hand and there is limited law enforcement help over there. If they can’t get on a system, it can only make that system safer.”

So who would catch me stealing Viagra?


As a sign of mobile hacking to come, Chris Wysopal of @stake says that Kevin Mitnick, the first hacker appear on a FBI “Most Wanted” poster and the inspiration for the movie “War Games” has been caught again after being let out of jail on January 26 2001. He was allegedly caught hacking using a cell phone and a laptop.

However, Chris Wysopal cautions against my plan to steal Viagra’s secret formula. “They had seventy agents tracking Mafiaboy,” he says. Mafiaboy is the hacker who shut down seven major websites with a denial of service attack, including Yahoo and eBay, in February of 2000. “That’s as much as they put on a team for a manhunt.”

Ed Skoudis of Predictive Systems concurs that there are other ways to catch cyber criminals than through cyber security, “The law enforcement will probably just trace the counterfeit Viagra back to its source - you.”

So much for being completely untraceable.

After spending the ninties working in a copper mine in Australia, managing a coffee shop, starting a literary journal, and teaching in the South Bronx, C.J. Kennedy started covering the wireless industry. C.J. is currently the senior staff writer for Unstrung.com, and has covered the industry for M-Business Magazine, The Wireless Developer Network, Wireless Business & Technology, Wireless Related, and The Industry Standard.