By the mid-1990’s the US intelligence agencies, especially the NSA, were beginning to wake up to a grim reality – the world was quickly becoming connected and the tools to connect that world were no longer confined to the government and universities, but now were in the hands of smart and very capable people outside of academia and government snoops.
In 1998, Richard A. Clarke, then Security Advisor the Clinton administration, took a quick flight from D.C. up to Cambridge, Massachusetts to meet with a team of hackers that would change forever, the way the US government looked at the world.
Clarke’s contact in Cambridge was to be a hacker known as “Mudge.” Mudge was the mouthpiece for a hacker group known as the L0pht. After about an hour of waiting patiently in a local bar, Clarke grew tired thinking Mudge got cold feet. As he started to get up from the table, the gentle next to him introduced himself as Mudge, who had been sitting beside Clarke the whole time. Not only was Mudge observing Clarke from afar, but so was the entire L0pht team: Brain Oblivion, tan, Kingpin, Weld Pond, Space Rogue, and Stefan Von Neuman, who later would drive right on through the gate of the NSA parking lot with nothing more than a salute!
After small talk, Mudge took Clarke to “the L0pht”, the second floor of a Cambridge warehouse where the L0pht team kludged and cobbled together an impressive arsenal of computing power capable of doing some serious damage if the team so desired.
Clarke left that night with more than an uneasy feeling. Though not a cyber security person himself, he knew damn well that if a group of college students and geeks could dumpster dive enough equipment to be a serious threat, so could a nation-state actor! Clarke invited L0pht to testify to Congress. Though Congress was certainly concerned, little changed in the way Congress went about its business but for the Department of Defense, FBI, CIA, and especially the NSA, the situation couldn’t have been bleaker – unfortunately, the prognosis has changed little.
Over the past decade, the offensive capabilities of nation-state actors has grown exponentially. China, Israel, and Russia all of whom have had robust offensive capabilities for years have become efficient and well manage espionage machines likely equal to that of the United States. Other countries are quickly catching up: Syria, Iran, and a rabble of former Soviet States, have formidable offensive expertise. It’s not just governments either, hacking tools and techniques are becoming so ubiquitous it is nearly impossible for anyone to keep up.
Of particular concern is the world’s critical infrastructure. The last couple of years has been earmarked with attacks on power plants, distribution systems, and even water treatment facilities. More recently, a report surfaced that the world’s Global Positioning System (GPS), the space-based navigational system the world’s relies on is now at risk of illegal jamming.
Experts have warned for years the GPS system is vulnerable to attack not just to jamming but to spoofing as well – though encryption is provided for the military’s use only. Great, but it won’t help the wave of new and next generation devices that will be part of the so-called Internet of Things (IOT).
The everyday devices that power our lives will soon be connected to the Internet – refrigerators, dish washers, in-home camera systems, and even the watering bowl for your dog will be connected to the web where Fido’s water can be refreshed by simply tapping an app on your cellphone. So who cares is a hacker gets my carpet wet? It’s a fair question, but if a hacker can exploit the insecure code on the dog’s watering bowl, it likely will act as a portal to more important areas of our life, like our bank accounts!
The real takeaway from the GPS jamming device and precisely what worried Richard Clarke on that fateful night in Cambridge, was the reality that offensive capabilities were being wrestled out of the realm, and control, of the spooks and the military. Simple jamming techniques have been used to disable key fobs, popular in today’s new automobiles. On a larger scale, jamming devices were used to steal a truck full of pharmaceuticals in Florida. Even the North Koreans are in on the act, recently jamming the GPS of about 280 South Korean vessels.
On a larger scale, jamming devices were used to steal a truck full of pharmaceuticals in Florida. Even the North Koreans are in on the act, recently jamming the GPS of about 280 South Korean vessels.
L0pht’s contributions to the history of the security of the United States shouldn’t be diminished by the fact that we have seemingly seen little progress. In fact, they should be applauded for taking the risk of going to D.C. in the first place, particularly in the late nineties where computer geeks were just that – geeks! Perhaps the team’s biggest contribution is killing the myth that only a well-funded government can wreak havoc; clearly, not true. Mudge knew it, Clarke knew it, and now we’re all waking up to this new reality.
Mudge knew it, Clarke knew it, and now we’re all waking up to this new reality.
Written by: Rick Gamache
Rick Gamache is a freelance writer with 25 years’ experience in the cyber security field. His past work includes the Managing Director of Wapack Labs, CIO of the Red Sky Alliance, and lead FISMA auditor for the US Navy’s destroyer program. Rick has written several high-level cyber and general risk reports with an emphasis on the Nordic countries, India, Russia, and Ukraine and has traveled extensively, speaking on strategic cyber threat intelligence matters as they relate global supply chains.
Twitter – https://twitter.com/thecissp
(Security Affairs – Information warfare, nation-state actors)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.