Hacker group Deceptive Duo targets government and corporate sites all in the name of patriotism. The pair recently granted TechTV an email interview. Given the limitations of an email interview, the only way TechTV can confirm the Deceptive Duo's credibility is by contacting them using the email address they posted on the websites they defaced.
Below is the transcript of the interview:
TechTV: What are your goals?
Deceptive Duo: Our ultimate goal is to eliminate the threat of our US infrastructure being hacked by a foreign entity. Mission: Foreign Threat consists of multiple operations that are very complex and organized. By executing certain aspects of each operation, such as the defacements and the posting of sensitive data, we are forcing the system administrators of the networks we hacked, as well as the other system administrators who are witnessing these events, to secure their computers. We are giving them a glimpse of reality so that they can realize that the threat remains. We take stern action against them so that they take stern action with their computer environments.
When we target critical computer networks:
1. Our initial targets become secure. We often perform follow-up penetration tests and/or answer any questions a system administrator or official has about the break-in.
2. Everyone, not just those involved in managing computer networks, is witnessing a very real scenario, allowing them to think more in-depth about certain tasks that their organization, corporation, and/or agency must perform over the Internet.
3. Sensitive data is not leaked to foreign enemies. We do post information not always available to the public, but this information is not everything we have acquired. We balance out what we post on our defacements to stay loyal to the US and to prevent foreign enemies from gaining an intelligence advantage.
TechTV: What incited you to start hacking these networks?
Deceptive Duo: We are all bystanders to the lack of security. The incomprehensible fact of how truly insecure our entire infrastructure is came to us at the same time. We would often talk about computer security, but for some reason this matter came to us mutually. This is what created the duo. We knew that we had to take thorough and organized steps toward securing the infrastructure, one way or another. Otherwise a terrorist might take advantage of the vulnerabilities we remain susceptible to. If we didn't do this, and in the future we witnessed a cyberterrorist attack, we would feel extremely bad about ourselves.
TechTV: Technically, where is our security infrastructure most vulnerable?
Deceptive Duo: At this time we cannot accurately pinpoint the area of our infrastructure that is most vulnerable. We are still in the beginning of our mission and have only covered a small portion of our nation's computer networks. However, from what we have experienced, we would say the financial systems -- such as banks and certain areas within the Federal Reserve Board.
TechTV: Why do you think sys admins aren't adequately protecting their networks?
Deceptive Duo: In some cases it's because they aren't properly trained. We believe a system administrator needs to share the mindset of a hacker. Understand your opponent to defeat it. Another factor is possibly the lack of motivation. Oftentimes money is the source of motivation. Maybe some are underpaid or not treated fairly in the atmosphere that they must work within. Maybe they aren't aware of how critical their position in protecting computer networks is. There are many things to question, none of which anyone can accurately answer.
TechTV: Who do you feel poses the biggest cyberthreat to the United States? Do they have the skills to compromise our critical networks?
Deceptive Duo: We believe al Qaeda poses the biggest cyberthreat to the US. They have shown organization and determination against our country. They also have shown us that they are capable of utilizing computers for communications and storage.
We strongly believe they have the skills to compromise some of our critical networks. We have hacked into some classified and critical computer networks with very trivial exploits. We are in stage one of our mission, which is to locate and scan systems that are hosted by Microsoft products for widely known vulnerabilities. We are currently using simple exploits to emulate a terrorist attack as real as possible. It doesn't take extraordinary skill to do what we have been doing in the past few weeks. Al Qaeda can easily gain intelligence just as we have. It's just a matter of time before they use our own vulnerabilities and energy against us.
Hackers within China also pose a threat. They have hacked into some of our military systems in the past.
TechTV: How do you counter those who say you are just publicity hounds?
Deceptive Duo: There is nothing we can do to counter those whose assumptions are based around weak arguments. We brush it off and continue to execute our mission. We cannot let it bother us as it will take away from our focus. If we were in it for the publicity, prison time is quite the price to pay for attracting media attention to a name that keeps our real identities anonymous.
TechTV: What organizations have you hacked? (We know what other members of the media say, but we'd like your list.)
Deceptive Duo: We have hacked into classified and unclassified systems including those belonging to:
Defense Logistics Agency
Sandia National Laboratories (Warhead Monitoring Technology Program)
Federal Aviation Administration
Office of the Secretary of Defense
Midwest Express Airlines
Rio Grande Airlines
Saudi Arabian Airlines
NASA Ames Research Center
Department of Transportation
California Department of Transportation
NASA Jet Propulsion Laboratories
Space and Naval Warfare Systems Command
Uniformed Services University of the Health Sciences
Durango, Colorado Airport
South Bend Regional Airport
Southeast Iowa Regional Airport
National Institute of Standards and Technology
US Geological Survey
Peoples State Bank
Arkansas Community Banking Association
Bank of West Baton Rouge
Community Bankers Association of Kansas
Bank of Dumas
Merchants & Planters Bank
Merchants & Marine Bank
Madison Bank and Trust
The Evangeline Bank & Trust Company
Iowa Independent Bankers
IBanc Virtual Bank
Greers Ferry Lake State Bank
US Naval Reserve -- Air Systems Program
US Government Export Portal
Federal Housing Finance Board
Health Resources and Services Administration
TechTV: Many companies pay big money for penetration tests. Do you feel like you are giving them those tests for free? Do you tell the organizations how you penetrated their networks?
Deceptive Duo: In a way, yes, we are giving them free penetration tests. On the other hand, our penetration tests are being paid for with embarrassment. If we hack into one of their systems, we are going to expose it to the public. Also, these tests aren't under any nondisclosure contracts.
We fully cooperate with the system administrators in telling them how the break-in took place and how to prevent it. If we didn't, our mission would be incomplete. If they email us, we help them.
TechTV: What's the scariest thing you've discovered since you started hacking into high-profile networks?
Deceptive Duo: Divulging any information pertaining to the scariest intelligence we have gained could create a national security risk. However, a very scary issue is that a lot of our government computers are insecure.
TechTV: How long do you think you can work as "hacktivists" before being caught?
Deceptive Duo: We try not to think about getting caught. It's of course a big factor in this all, but dwelling on it will only sidetrack us. We came into this willing to endure prison sentences. We are sacrificing ourselves for the sake of public safety. There is no definite answer to that question. If the government wants something bad enough, they'll get it one way or another.
If only they chose to secure their sites as much as they choose to track us down and put us in prison.
TechTV: What's your advice to sys admins overseeing critical networks?
Deceptive Duo: Thoroughly analyze, research, and defend against existing vulnerabilities. Adapt to the challenge and completely understand each aspect of it.