A pair of hackers who have been penetrating US government computer
systems across the country said they are trying to call attention
to vulnerabilities in national security.
On 24 April, the hackers, who call themselves the Deceptive Duo,
said they started their "mission" of breaking into both government
and private-sector computer systems "to expose the lack of security
within our government and other critical cyber components".
They said they have hacked into classified and non-classified
systems, including those operated by the office of the Secretary of
Defense, the Space and Naval Warfare Systems Command, the Defense
Logistics Agency, Sandia National Laboratories, NASA Jet Propulsion
Laboratories, Midwest Express Airlines and a number of banks.
"We had access to data and Web servers which included things such
as pictures from Operation Restore Hope [expanded peacekeeping
operations in Somalia in the early 1990s] to the personal details
of Department of Defense employees," they said.
The hackers said they breached the systems in two ways. They got in
through Microsoft's SQL servers which, they said, have a default
password to login. Some system administrators did not change the
default password when their databases were implemented and their
systems went live, the duo said.
They also got in through a NetBIOS Brute Force attack, a method in
which the hackers repeatedly try to guess passwords to gain entry
into a system that could exploit the NetBIOS protocol and allow
access to sensitive data.
"Once information was acquired, we targeted an appropriate Web site
to post the screenshots at. For instance, we posted the Defense
Logistics Agency database on a Web site of the Office of the
Secretary of Defense," the hackers said.
Richard Williamson, a spokesman for the Space and Naval Warfare
Systems Command, acknowledged that hackers gained access to the
system through SQL because the agency had failed to change the
default password and administrator's user ID.
"We're embarrassed. We didn't change it. We made a mistake," he
said.
Williamson said the pair did not get access to any classified
information. "It was information any taxpayer is entitled to," he
said.
The hackers said they believed breaking into computer systems was
the only way to get system administrators to take action to improve
security.
"We must take drastic means for them to take this seriously," they
said. "When notifying a system administrator, the situation often
times will get brushed away like it was nothing."
The hackers claimed they have received e-mails from various system
administrators of the penetrated computers and that they fully
co-operated with them in creating a more secure environment for
their systems.
Screenshots of the information obtained by the Deceptive Duo,
including bank databases with customers' personal information and
bank account numbers, were posted at a security Web site.
Another database screenshot posted at the same Web site showed
names, passport numbers and other personal information apparently
gleaned from the US Department of Defense's Defense Logistics
Agency.
Lisa Bailey, a spokeswoman for Midwest Express, confirmed the pair
hacked into the airline's computer system but only gained access to
customer profiles.
"What they hacked into was not manifest information or anything
like that," she said. "There was no credit card information
[taken]."
However, some analysts are unconvinced by their mission to improve
security, and believe that the pair are nothing more than publicity
seekers.