This story was printed from ZDNet Australia.
Keeping hackers from the 'dark side'

By Nicole Bellamy, ZDNet Australia
February 15, 2002
URL: http://www.zdnet.com.au/news/security/soa/Keeping-hackers-from-the-dark-side-/0,130061744,120263313,00.htm


Back in the late eighties, when Laura Chappell was asked by her then-employer, Novell, to take a look at a product called LANanalyser, little did she know this would spark a career in cybercrime.

"Novell gave me free rein to plug in wherever I wanted to, and I realised that I could make a packet, I could send it out on the network and I could unload the LAN driver off the server without ever touching it", Chappell says nostalgically. This then led to the realisation that she could "bring a server down without ever touching it" and without "alarms or alerts that could catch what I was doing," says Chappell.

While this knowledge could easily have led a younger Chappell down the path to what she refers to as the "dark side", or malicious computer hacking (known as cracking), she chose to pursue a different career. Decades later, she has moved on from Novell and established a career as an expert and consultant in protocol analysis, a segment of network security. Courted by organisations such as Cisco, Novell, IBM, as well as the FBI, Chappell has made a name for herself in an arena she enjoys.

And while, as she says, "there is no such thing as a secure network, or a secure operating system", Chappell is doing her best to make sure the organisations she works with are able to protect themselves from vulnerabilities and attacks.

ZDNet Australia spoke with Laura Chappell about cyber threats for 2002, how script kiddies and junior hackers can bring down your network, why there is safety in grey hair, and how to train hackers without losing them to the 'dark side'.

What is the greatest challenge facing the uptake of effective security?

I think it is the education of the IS [Information Security] teams out there--the folks that are running these networks--and getting management to understand how important it is for these people to monitor their communications properly. It really isn't rocket science, they can do it, and the return on investment is enormous.

Companies put all this money into intrusion-detection systems, throw all this money at virus protection and firewalls. They need to look at their IS staff and start throwing some money into getting these people trained to monitor, and understand, how to read the logs and the packets, as well as how to monitor a little more proactively on these networks.

So, you are arming IS teams with the tools to prevent attacks proactively rather than reactively?

Attempting to prevent them, certainly, because I can go into a company's network and tell them "if I were going to attack you, this is where I would attack you and I would send one single packet out and it would kill 25 systems". They could actually look at what their vulnerabilities were at the packet level, straight down from the communications level, but they could also set up some triggers and alarms so that if somebody else was trying to do that, they would be alerted.

I like to go into a company, sit down with the local team and tell them absolutely everything I know. I turn them all into sponges and fill them in on everything I can possibly teach them, make it very understandable, give them a standard set of rules to follow, go through and analyse the network with these people standing right behind me. There are no secrets.

Do you find any obstruction to this approach? Since it has often been said that Information Security staff are often knowledge-hoarders, do you find that the team members don't 'play well together'?

Yes I do. When you first walk in, usually you end up with the router team sitting on one side of the table, with the client team on the other side of the table, and then you have the infrastructure/calling group at another spot and then you get the server group. They are all so set with these huge boundaries and it's a task sometimes to break those boundaries down. I speak to each of them on an equal footing and explain that they can focus in their area, but they've got to realise when the issue is a shared issue with another group. A lot of it is attitude.

While you are training IS staff to recognise malicious attacks in order to protect against them, do you also worry about providing these same people with the ammunition--in this case, knowledge--to conduct attacks in the future?

If I am in a room of hackers and I have just discovered a new way to break into a system, I am probably not going to share that. It's a fine line, it's a double-edged sword, there is nothing you can do about that.

When I go to some companies, I'll sit in a room, maybe training fifty IS people, and these guys--and I use the term "guys" being generic--are all very good at what they do. They are so sharp on all these different areas and here is this new area you are bringing to them. You'll see one in the room and look at them and think that they could easily be on the dark side.

They are so easy to spot and the funny thing is a lot of times, I'll be running my analyser on the instructor side, and I'll be setting it up for different hacks--to look and see if anyone executes them--and watch the students start hacking each other. You can only watch them and think, "stay on the good side".

Can you be held responsible for their actions if they were to jump to the "dark side" and instigate a malicious attack?

No, you really can't. It's all about education. I wish the vendors would focus more on education. It's unbelievable to think that Microsoft could release an operating system with a hole the size of an F18, you know it's unconscionable, it's terrible.

Where do you expect cybercrime to be focused during 2002?

There are two trends that I think we are seeing now. In the past, most of the attacks were coming from the inside, and I think this has really shifted now to the outside. Firewalls are much more important now, because the attacks aren't primarily from the inside against the insider, most of the attacks are now from the outsider.

The other trend is that denial of service (DoS) attacks are up. People spend so much time looking at some other security issues--for example, you look at somebody with an 802.11 wireless network and they are so afraid of the encryption algorithms being insecure, in that people can break in with the encryption algorithm. Well, it is so easy to walk into a company and just pull down the whole wireless network, just from a denial of service attack.

One attack is very stealthy, you are going in and trying to steal somebody's encryption algorithms, the other way allows you to bring down the whole network. What you can do to a company with a DoS attack is unbelievable. So I think we need better detection of DoS attacks.

Is there a main group of offenders perpetrating denial of service attacks? Is a high level of knowledge necessary, or is this the domain of the script kiddies and the junior hackers?

It's the script kiddies and the junior hackers. It doesn't take a lot, and a lot of these shareware utilities enable these folk to go out and say "well I'll just try this one little attack. I'll do this and I'll set it to run overnight for the next four days, and I'll spoof my IP address and I'll just nail this one company."

The effects are devastating and a lot of companies don't even have the capability to try and find out where the problem is. It's ugly. Denial of service is hot right now.

Part two of this interview explores cyberterrorism threats and what Laura Chappell really thinks of security software vendors.

Cyberterrorism: threat or hype?


There have been many warnings about the threat of cyberterrorism, especially in the wake of the September 11 attacks. Do you believe this to be a serious threat, or just hype?

I think some of it is hype. I think a lot of what is going on in terms of the increased numbers is just via natural growth and a natural progression. I don't believe that there are huge plots going on left and right. I think a lot of it is the little guys, the individuals, that we have to watch out for, rather than the organisations. If you have one bad apple out there...well there are a lot of stinking apples out there, individuals, and it's amazing--the power of one. The power of one has a different meaning on the Internet; you know one person that can take down an eBay, one person that can take down a Bank of America.

And that 'one' seems to be becoming increasingly younger.

That's right, you are much safer with a person with grey hair (she says laughing).

In terms of these attacks, and others where the perpetrator has been caught, do you think that the penalties have been appropriate?

It's been a mixed bag as to how the US is handling it. It's like one of those things where we are just at the beginning of it, so we don't have all our laws set to handle it. I don't think that the legislature, or judicial system is really set for what we've got.

Our justice department isn't savvy enough, our jury isn't savvy enough and we're not handing out appropriate penalties in all cases. So we have definite issues in the Justice Department and these big, high profile cases really bring out, even further, what some of our weaknesses are.

Is another by-product of these cases the panic and fear they instill in the average Internet user?

It's a huge fear. I mean, my mother will not charge anything on the Internet [to her credit card]. She's read all the stories, all the horror stories of everything going on.

Is the IT industry in a position to combat this fear? How can it achieve a level of consumer-understanding that will allay fears and promote usage?

I think it's education, education, education. If we can put some things in perspective, like out of the Internet transactions, how many of those are actually bogus transactions or illegal transactions? People have a tendency to sensationalise one instance, but let's look at overall. It's incredible the amount of traffic that goes through the Internet, and the amount of transactions.

Have you noticed a trend towards an increase in attacks, or cybercrime activity?

CERT [Computer Emergency Response Team] shows that the number of incidents reported to CERT has more than doubled, from 21,756 in 2000 to 52,658 in 2001. More than doubled in just one year!

Could you offer any explanations for this increase? Could it be attributed to the education of the masses in both practicing and identifying cybercrime?

Unfortunately, you can't take that number by itself, because you don't know how the Internet has grown in comparison, how many people have that level of knowledge and have learned to hack.

But the number of emergency calls has not increased.

Any reason for that?

It could be because more people know where to go, and how to react--where to go for the information. Instead of calling CERT, they know to go immediately to the vendors and find out how to fix the problem. It might be that certain vendors have done a better job educating people on where to go when the real problems crop up.

Do you think vendors are playing an important role in education of security issues and vulnerabilities?

No. I think they're terrible. I think there are vendors out there who don't care that they have vulnerabilities. I think there are vendors out there that, if you tell them what the vulnerability is, they'll just shove it under the rug and hope it doesn't get spread around. It's only publicity that brings them to the point of fixing the problem.

Does that include Microsoft, even though it has recently highlighted a new security strategy?

If Microsoft does take the role where it says it is not going to release a product until it's secure...it will be interesting to see what the timeline is for development.

What they ought to do is just hire some of these really strong hackers, and bring them into the testing loop. Say, "we get usability tested so we know our users like that button looking green. Next week, we'll have a security test."

Because the majority of the security community does that anyway?

They do. Microsoft is just a huge target, it's just walking around with a huge target on it all the time.

Laura Chappell is presenting a series of cybercrime workshops in Australia in 2002. For more information, visit www.frontend.com.au.

