"Novell gave me free rein to plug in wherever I wanted to, and I realised that I could make a packet, I could send it out on the network and I could unload the LAN driver off the server without ever touching it", Chappell says nostalgically. This then led to the realisation that she could "bring a server down without ever touching it" and without "alarms or alerts that could catch what I was doing," says Chappell.
While this knowledge could easily have led a younger Chappell down the path to what she refers to as the "dark side", or malicious computer hacking (known as cracking), she chose to pursue a different career. Decades later, she has moved on from Novell and established a career as an expert and consultant in protocol analysis, a segment of network security. Courted by organisations such as Cisco, Novell, IBM, as well as the FBI, Chappell has made a name for herself in an arena she enjoys.
And while, as she says, "there is no such thing as a secure network, or a secure operating system", Chappell is doing her best to make sure the organisations she works with are able to protect themselves from vulnerabilities and attacks.
ZDNet Australia spoke with Laura Chappell about cyber threats for 2002, how script kiddies and junior hackers can bring down your network, why there is safety in grey hair, and how to train hackers without losing them to the 'dark side'.
What is the greatest challenge facing the uptake of effective security?
I think it is the education of the IS [Information Security] teams out there--the folks that are running these networks--and getting management to understand how important it is for these people to monitor their communications properly. It really isn't rocket science, they can do it, and the return on investment is enormous.
Companies put all this money into intrusion-detection systems, throw all this money at virus protection and firewalls. They need to look at their IS staff and start throwing some money into getting these people trained to monitor, and understand, how to read the logs and the packets, as well as how to monitor a little more proactively on these networks.
So, you are arming IS teams with the tools to prevent attacks proactively rather than reactively?
Attempting to prevent them, certainly, because I can go into a company's network and tell them "if I were going to attack you, this is where I would attack you and I would send one single packet out and it would kill 25 systems". They could actually look at what their vulnerabilities were at the packet level, straight down from the communications level, but they could also set up some triggers and alarms so that if somebody else was trying to do that, they would be alerted.
I like to go into a company, sit down with the local team and tell them absolutely everything I know. I turn them all into sponges and fill them in on everything I can possibly teach them, make it very understandable, give them a standard set of rules to follow, go through and analyse the network with these people standing right behind me. There are no secrets.
Do you find any obstruction to this approach? Since it has often been said that Information Security staff are often knowledge-hoarders, do you find that the team members don't 'play well together'?
Yes I do. When you first walk in, usually you end up with the router team sitting on one side of the table, with the client team on the other side of the table, and then you have the infrastructure/calling group at another spot and then you get the server group. They are all so set with these huge boundaries and it's a task sometimes to break those boundaries down. I speak to each of them on an equal footing and explain that they can focus in their area, but they've got to realise when the issue is a shared issue with another group. A lot of it is attitude.
While you are training IS staff to recognise malicious attacks in order to protect against them, do you also worry about providing these same people with the ammunition--in this case, knowledge--to conduct attacks in the future?
If I am in a room of hackers and I have just discovered a new way to break into a system, I am probably not going to share that. It's a fine line, it's a double-edged sword, there is nothing you can do about that.
When I go to some companies, I'll sit in a room, maybe training fifty IS people, and these guys--and I use the term "guys" being generic--are all very good at what they do. They are so sharp on all these different areas and here is this new area you are bringing to them. You'll see one in the room and look at them and think that they could easily be on the dark side.
They are so easy to spot and the funny thing is a lot of times, I'll be running my analyser on the instructor side, and I'll be setting it up for different hacks--to look and see if anyone executes them--and watch the students start hacking each other. You can only watch them and think, "stay on the good side".
Can you be held responsible for their actions if they were to jump to the "dark side" and instigate a malicious attack?
No, you really can't. It's all about education. I wish the vendors would focus more on education. It's unbelievable to think that Microsoft could release an operating system with a hole the size of an F18, you know it's unconscionable, it's terrible.
Where do you expect cybercrime to be focused during 2002?
There are two trends that I think we are seeing now. In the past, most of the attacks were coming from the inside, and I think this has really shifted now to the outside. Firewalls are much more important now, because the attacks aren't primarily from the inside against the insider, most of the attacks are now from the outsider.
The other trend is that denial of service (DoS) attacks are up. People spend so much time looking at some other security issues--for example, you look at somebody with an 802.11 wireless network and they are so afraid of the encryption algorithms being unsecure, in that people can break in with the encryption algorithm. Well, it is so easy to walk into a company and just pull down the whole wireless network, just from a denial of service attack.
One attack is very stealthy, you are going in and trying to steal somebody's encryption algorithms, the other way allows you to bring down the whole network. What you can do to a company with a DoS attack is unbelievable. So I think we need better detection of DoS attacks.
Is there a main group of offenders perpetrating denial of service attacks? Is a high level of knowledge necessary, or is this the domain of the script kiddies and the junior hackers?
It's the script kiddies and the junior hackers. It doesn't take a lot, and a lot of these shareware utilities enable these folk to go out and say "well I'll just try this one little attack. I'll do this and I'll set it to run overnight for the next four days, and I'll spoof my IP address and I'll just nail this one company."
The effects are devastating and a lot of companies don't even have the capability to try and find out where the problem is. It's ugly. Denial of service is hot right now.
Part two of this interview explores cyberterrorism threats and what Laura Chappell really thinks of security software vendors.











WHAT A LOAD OF CRAP
I would like to see a technical explanation of how this lady brings down 25 machines with one packet after 'unloading the LAN driver'.
Far from shattering the 'hacker myth' you are contributing to it with these ill-informed, self-proclaimed experts. Get some of the real 'professional hacker' types to write you an article instead of these clueless wannabes.