|
|
http://www.informationweek.com/security/showArticle.jhtml?articleID=190400435
By Sharon Gaudin
InformationWeek
July 17, 2006
After 20 years in computer security, including 11 in the financial
services industry, Karl Kasper is being vilified as a dangerous man.
Over the past month, in the trial of former UBS PaineWebber system admin
Roger Duronio, Kasper has been attacked by the defense because of his
background as a computer hacker and his role in UBS's investigation of the
attack. The lawyer for Duronio, defending him against charges that he
sabotaged UBS PaineWebber's trading network four years ago, asserted that
hackers can't be trusted to do a credible investigation. Kasper says the
defense team is just desperate. (A verdict is expected this week.)
Regardless of the outcome, Kasper's involvement in the case raises anew
important questions about whether ex-hackers should be hired for their
information security expertise.
Kasper got involved with UBS PaineWebber days after the "logic bomb" was
detonated. UBS hired his company, @Stake, to conduct the initial forensic
analysis. Kasper has impressive security credentials. He helped found
@Stake and has testified in front of a Senate committee about security
issues; he's since left @Stake and works as a VP in IT security at
JPMorgan Chase, not the first financial services firm at which he's
worked. Still, he's being haunted by his time as a member of the L0pht, a
hacker group that achieved star status in the 1990s.
The defense in the Duronio trial made much of the fact that in the
computer industry, Kasper goes by the pseudonym John Tan. Is that akin to
a writer using a pen name--Kasper treats it as more of a marketing brand
name--or is it a sign of something devious below the surface of business
suits and board meetings?
It's a question that has been asked before as hackers left their black
T-shirts and ponytails behind and entered the mainstream to cash in on
their technical savvy. As they worked away in their cubicles, many people
forgot they had once poked at systems and applications, looking for flaws
that would leave people and companies open to attack. Many still do those
same kinds of penetration tests, only now they do it for a regular
paycheck and a 401(k).
Back in their hacker days, did any of them ever use the holes they found
to break into systems, peek at private information, or even cause damage?
In some cases, yes. But it's unfair and inaccurate to say they all did.
Having hackers work at computer security companies or as IT consultants
generally elicits one of two responses: It's the smartest thing you can
do, or what the hell are you thinking?
"It's generally a bad idea to bring in old hackers because they have
habits that are hard to break," says Alan Paller, director of research at
security researcher the SANS Institute. Yet when it comes to dissecting a
possible computer crime scene, Paller sees value. "Somebody who has broken
into computers is more likely to see the evidence of a break-in," he says.
"For forensics, when they are tightly managed, it's a great idea.'' Still,
Kasper's involvement with the L0pht would raise extra questions in
Paller's mind about giving him access to production systems and live data.
There's a clear distinction between hackers and computer criminals, even
if that's not widely recognized, says Jeff Moss, director of Black Hat
(owned by CMP Technology, publisher of InformationWeek), which runs
computer security conferences and training events. "You have good hackers
and bad hackers, just like you have good plumbers and criminal plumbers,"
says Moss, who describes as "totally silly" the trial jabs at Kasper.
"They say John Tan is an evil hacker, yet he's never been arrested or
charged with anything."
Threat or Scapegoat?
Indeed, Kasper hasn't ever been charged with writing malware, damaging a
computer network, or even penetrating an unsuspecting system. On the
contrary, he has spoken at the SANS Institute and at several universities,
including the MIT Summer Security Camp.
Yet Chris Adams, the defense lawyer in the Duronio trial in federal court
in Newark, N.J., pinned much of his client's defense on calling into doubt
any backup tapes, coding, and mirror images that Kasper touched. Much of
Duronio's future is riding on whether a jury believes that a hacker--black
or white hat--is a bad person, capable of accidentally or intentionally
undermining an investigation. Jurors were still deliberating the case late
last week. (Look for the latest trial updates at InformationWeek.com.)
Kasper says he protected all the evidence he handled and did a responsible
job investigating the March 4, 2002, attack, which deleted all files from
nearly 2,000 servers at the company. But he admitted that @Stake at times
had to convince some clients that there was nothing to worry about. "It's
something @Stake had to fight," Kasper says. "It's a very knee-jerk
reaction. Unless you hire people with a deep understanding [of systems and
security], what are you getting?"
The L0pht's reputation certainly contributes to the mystique. The group, a
seven-man fraternity, held tech jobs during the day and met in a warehouse
at night to challenge their hacking skills. They spent much of their time
amid an assortment of hard drives, cables, and empty pizza boxes trying to
exploit security flaws in widely used operating systems and software
packages. L0pht members weren't known for wreaking havoc on company
systems. They promoted themselves as a consumer watchdog group, the Robin
Hoods of tech, exposing and fixing hidden flaws.
In February 1999, members of the L0pht reported finding a vulnerability in
Windows NT. The flaw would allow any NT user to take administrator-level
control of the computer. The group alerted the public and Microsoft, which
released a security advisory and a fix. But while they were issuing alerts
for software flaws and painting themselves as white hats, they also issued
L0phtCrack, a password-cracking tool for Windows NT. At the time,
L0phtCrack was believed to be one of the most widely distributed hacking
tools. However, it also could be used to benefit a company's IT
department. In fact, Microsoft advised customers in a 1998 security
bulletin to consider evaluating a tool such as L0phtCrack to check the
quality of users' passwords.
Does any of this make Kasper, or any of the other members of the L0pht,
part of the "murky underworld of cybercrime," as the defense called them
repeatedly throughout the trial?
When a reporter put the question to him, Kasper laughed at the suggestion.
''I don't see them calling me to the stand," he said. "I'd say the Senate
and the White House wouldn't have invited us in if we were that shady.''
Plagiarism Raised As Another Issue
Someone else in the forensics community who wasn't called to the stand was
Michael Michalowicz, a partner at Protiviti, the company the Duronio
defense team hired to do its forensics investigation. Kevin Faulkner, a
senior consultant with Protiviti, did the investigation and acted as a
defense witness in court. Michalowicz is his supervisor, reviewing
Faulkner's forensics analysis and signing off on his ultimate report.
Michalowicz was on the defense's potential witness roster but he never was
called to the stand. Faulkner did take the stand. He was the defense's
first of only two witnesses called. Once the government had a chance to
cross-examine Faulkner, the prosecutor quickly began questioning the
forensics investigator about his boss. After asking Faulkner about
Michalowicz's level of participation in the case, Assistant U.S. Attorney
Mauro Wolfe directly asked him if he knew his boss had plagiarized an
article.
The judge wouldn't allow the evidence into the case but the prosecution
was pointing to the fact that Michalowicz had an article, entitled Data
Forensics--In Search of the Smoking Gun, published by the Boston College
Law School: Intellectual Property and Technology Forum in March 2005. A
longer version of the same article, similarly entitled Data Forensics--The
Smoking Gun May be a Click Away, was published in the New Jersey Law
Journal on Sept. 13, 2004 with the byline Paul G. Lewis.
While Michalowicz's article was longer than Lewis', they were highly
similar. The first sentence in the Lewis article reads: "The term 'data
forensics' suggests a high-tech process reserved only for cases centered
around proprietary technology." The first sentence in the Michalowicz
article reads: "The term 'data forensics' sounds like a high tech process
reserved only for those select cases encompassing proprietary technology."
The second sentences are identical. The similarities--or outright
duplicate phrases--continue throughout the pieces.
When questioned about it, a spokesperson for Protiviti said the article is
the property of the company so any of Protiviti's partners can put their
name on it. She said the article was the "intellectual property of the
firm."
But that begs the question of whose ideas they are and why Michalowicz
would have an article published under his own name when it had been
published under someone else's name a full year earlier. In a court case
where the reliability and trustworthiness of the security companies
involved came into such dramatic play, such a move might make the waters
even murkier.
Name That Hacker
In the current trial, defense attorney Adams repeatedly pointed out that
Kasper used the Tan pseudonym when dealing with U.S. Secret Service agents
investigating the attack on UBS. He even signed official forensic
documents, such as chain-of-custody documents for evidence, as John Tan.
Greg O'Neil, the lead Secret Service agent on the case, testified during
the first weeks of the trial that he hadn't been aware until late 2004 or
early 2005 that John Tan was not his real name. "He lied to you about the
most basic information," Adams asserted during O'Neil's cross examination.
Kasper says he was up front with the Secret Service about the fact that he
uses two names and would be going by John Tan during the UBS
investigation. He says he made a point of bringing it up during his first
meeting with Secret Service agents. O'Neil testified he was out of the
office the day of that meeting and was brought in for subsequent meetings.
Brand Name
"When we get involved [in investigations], we use the pseudonyms," Kasper
says, "but we're open and more than willing to share our real identities."
Kasper, who says he even has credit cards under his Tan name, began using
the pseudonym when he was in the L0pht, which tested various products and
offered critical reviews. It was a way to protect his employer at the time
(a financial institution that he declined to name) from vengeful tactics
by IT vendors in the event they were angered by unfavorable reviews.
Now, the name has market value. "The public works that I put out in the
security field were under my pen name, and my Senate testimony was under
my pen name," he points out. "There definitely was a brand name in it.
When we were building @Stake, part of the idea was to retain the brand
name we built up in the L0pht. There was absolutely no recognition for the
real names, so we stuck with the brand."
Kasper also rebutted the defense's suggestions that evidence he handled
can't be trusted. He says he kept the evidence safe, using
government-rated classified document containers to lock it away. @Stake
also maintained chain-of-custody documents and used video surveillance to
monitor the main entry to the company's office, labs, and document
containers.
The jury's decisions should shed some light on what tech industry
outsiders think of people like Kasper. Is prodding software for security
flaws while operating under an assumed name grounds for lifelong
suspicion--or front-line training that's perfect for investigating real
criminals?
Copyright 2005 CMP Media LLC
_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com