Deceptive Duo on CNN

[{P²P}Apocalypse]

From CNN: http://www.cnn.com/2002/TECH/interne...idg/index.html

(IDG) -- A pair of hackers who have been penetrating U.S. government computer systems across the country say they're trying to call attention to vulnerabilities in national security.

But analysts say they're probably nothing more than publicity seekers.

On April 24, the hackers, who call themselves the Deceptive Duo, say they "started their mission" of breaking into both government and private-sector computer systems. In an e-mail interview with Computerworld, they say their purpose is "to expose the lack of security within our government and other critical cyber components."

They say they have hacked into classified and nonclassified systems, including those operated by the Office of the Secretary of Defense, the Space and Naval Warfare Systems Command, the Defense Logistics Agency, Sandia National Laboratories, the NASA Jet Propulsion Laboratory, Midwest Express Airlines and a number of banks.

"We had access to data and Web servers which included things such as pictures from Operation Restore Hope [expanded peacekeeping operations in Somalia in the early 1990s] to the personal details of Department of Defense employees," they say.

The hackers say they have breached the systems in two ways. One involved using Microsoft SQL servers, which they say have a default password to log in. Some system administrators didn't change the default password when their databases were implemented and their systems went live, the duo say. They also got in through a NetBIOS brute force attack, a method in which hackers repeatedly try to guess passwords to gain entry into a system that could exploit the NetBIOS protocol and allow access to sensitive data.

"Once information was acquired, we targeted an appropriate Web site to post the screenshots at. For instance, we posted the Defense Logistics Agency database on a Web site of the Office of the Secretary of Defense," the hackers say in their e-mail.

Richard Williamson, a spokesman for the Space and Naval Warfare Systems Command, acknowledges that hackers had gained access to the system through SQL because the agency had failed to change the default password and administrator's user ID.

"We're embarrassed. We didn't change it. We made a mistake," he says.

Williamson adds that the pair didn't get access to any classified information. "It was information any taxpayer is entitled to," he says.

The hackers, who wouldn't reveal their ages, say they believe that breaking into computer systems is the only way to get system administrators to take action to improve security.

"We must take drastic means for them to take this seriously," they say. "When notifying a system administrator, the situation often times will get brushed away like it was nothing."

The hackers say they have received e-mails from various system administrators of the penetrated computers and they have fully cooperated with them in creating a more secure environment for their systems.

"If we did not, our mission would be incomplete," they say.

Screenshots of the information obtained by the Deceptive Duo, including bank databases with customers' personal information and bank account numbers, were posted at a security Web site.

Another database screenshot posted at the same Web site showed names, passport numbers and other personal information apparently gleaned from the U.S. Department of Defense's Defense Logistics Agency.

Lisa Bailey, a spokeswoman for Milwaukee-based Midwest Express, confirms that the pair had hacked into the airline's computer system but says they gained access only to customer profiles.

"What they hacked into was not manifest information or anything like that," she says. "There was no credit card information [taken]."

Eric Hemmendinger, an analyst at Aberdeen Group Inc. in Boston, says that although he didn't know much about the Deceptive Duo, he believed they were probably "publicity hounds."

Charles Kolodgy, an analyst at IDC in Framingham, Massachusetts, agrees. He says he doesn't believe that the pair is on a mission to improve security.

"I think there might be a business reason behind this," he says. "Maybe they're trying to sell security products. And they probably just have too much time on their hands."

[KorpDeath]

Publicity seekers. hardy har har.

CNN- the entertainment news strikes again. This is hill-arious. Nothing like giving them what they want....

[RogueSpy]

The Deceptive Duo Strikes again.

[smirc]

But analysts say they're probably nothing more than publicity seekers.

Uh...isn't that the point, to draw publicity to the fact that these institutions have insecure networks. What are these "analysts" being payed for?

We're embarrassed. We didn't change it. We made a mistake.

Always nice to see someone with the guts to admit that they were wrong.

I think there might be a business reason behind this. Maybe they're trying to sell security products. And they probably just have too much time on their hands.

They've made no mention of wanting to sell anything. Where'd this come from?

While I don't really approve of their methods, the Deceptive Duo seems to be doing more good than harm. Why don't people try and work with these guys? It seems like they're working for a good cause. They shouldn't have needed to resort to these methods but some people just never listen.

[debwalin]

"I think there might be a business reason behind this," he says. "Maybe they're trying to sell security products. And they probably just have too much time on their hands."

I haven't seen any mention anywhere of them trying to sell anything, and if they were, it sounds like some of these guys might need it....lol.

I'd be afraid I'd wind up in jail after hacking the DoD website, but apparently this isn't a concern for these two.

One involved using Microsoft SQL servers, which they say have a default password to log in. Some system administrators didn't change the default password when their databases were implemented and their systems went live, the duo say.

In this case, simple stupidity is the issue, and if they don't have enough sense to change the default password, someone needed to bring it to their attention.

Deb

[JRoc]

It obviously doesn't matter to them requarding Jail. That right there MUST proove that they aren't out for publicity or they would worry about jail. They are obviously more concerned with their "mission" and not with the consequences.

[gstudios]

Now this is strange.
I just read the chapter in "Confessions about teenage Hackers" that dealt with the Deceptive Duo. And alot of what I read in that articles, looks like it was taken out of the book...

Perhaps i'm in a time warp?

[8*B@LL]

they sound pretty delusional to me...i mean their "mission"...a name like "the deceptive duo"...sounds more like a comic book to me than real life. i'd have to agree with the people who said they are probably just out for personal publicity. i mean how cool would it be to have YOUR handle splashing across websites like cnn.com(not by defacing it:-P), and even on TV? i know i would love it...course i wouldnt really like it to be associated with something that could land me in jail for extremely long periods of time.

on the other hand something seems kinda fishy about this...cant quite put my finger on what though...

[JRoc]

Yeah and it would be pretty funny for them to eventually be caught because of bragging rights to friends or something. Also, It is only a matter of time until there might be a reward out for them. Btw- Rumsford still hasn't said anything

[Specter6]

Seems to me a credible group or tandem of hackers trying to expose security flaws would use a different moniker than "Deceptive Duo".

"Deceptive" conjures up images of geeks in dark rooms swiping credit card info and whatnot.