- Two hackers who have been penetrating US government computer systems across the country say they're trying to call attention to vulnerabilities in national security.
But analysts say they're probably nothing more than publicity seekers.
On April 24, the hackers, who call themselves the Deceptive Duo, say they "started their mission" of breaking into both government and private-sector computer systems. In an email interview with Computerworld US, they say their purpose was "to expose the lack of security within our government and other critical cyber components."
They say they have hacked into classified and nonclassified systems, including those operated by the office of the Secretary of Defence, the Space and Naval Warfare Systems Command, the Defence Logistics Agency, Sandia National Laboratories, NASA Jet Propulsion Laboratories, Midwest Express Airlines and a number of banks.
"We had access to data and web servers which included things such as pictures from Operation Restore Hope [expanded peacekeeping operations in Somalia in the early 1990s] to the personal details of Department of Defence employees," they say.
The hackers say they breached the systems in two ways: They got in through Microsoft's SQL servers, which they say have a default password to login. Some system administrators didn't change the default password when their databases were implemented and their systems went live, the duo say. They also got in through a NetBIOS Brute Force attack, a method in which the hackers repeatedly try to guess passwords to gain entry into a system that could exploit the NetBIOS protocol and allow access to sensitive data.
"Once information was acquired, we targeted an appropriate website to post the screenshots at. For instance, we posted the Defence Logistics Agency database on a website of the Office of the Secretary of Defence," the hackers say in their email.
Richard Williamson, a spokesman for the Space and Naval Warfare Systems Command, acknowledges that hackers gained access to the system through SQL because the agency had failed to change the default password and administrator's user ID.
"We're embarrassed. We didn't change it. We made a mistake," he says.
Williamson says the pair didn't get access to any classified information. "It was information any taxpayer is entitled to," he says.
The hackers, who wouldn't reveal their ages, say they believed breaking into computer systems was the only way to get system administrators to take action to improve security.
"We must take drastic means for them to take this seriously," they say. "When notifying a system administrator, the situation often times will get brushed away like it was nothing."
The hackers say they have received emails from various system administrators of the penetrated computers and they fully cooperate with them in creating a more secure environment for their systems.
"If we did not, our mission would be incomplete," they say.
Screenshots of the information obtained by the Deceptive Duo, including bank databases with customers' personal information and bank account numbers, were posted at a security website.
Another database screenshot posted at the same website showed names, passport numbers and other personal information apparently gleaned from the US Department of Defence's Defence Logistics Agency.
Lisa Bailey, a spokeswoman for Milwaukee-based Midwest Express, confirmed the pair hacked into the airline's computer system but only gained access to customer profiles.
"What they hacked into was not manifest information or anything like that," she says. "There was no credit card information [taken]."
Eric Hemmendinger, an analyst at Aberdeen Group in Boston, says that although he didn't know much about the Deceptive Duo, he believed they were probably "publicity hounds."
Charles Kolodgy, an analyst at IDC, in Framingham, Massachusetts, agrees. He says he doesn't believe the pair is on a mission to improve security.
"I think there might be a business reason behind this," he says. "Maybe they're trying to sell security products. And they probably just have too much time on their hands."
Jennifer DiSabatino contributed to this report.