EXECUTIVE SUMMARY:
In 1998, a group of white hat hackers went before to Congress to warn that the internet was not secure. Now on their ‘reunion tour’ 20 years later, not much has changed.
During that visit in May 1998, Congress was told that any one person in the group of seven visitors could take down the internet within 30 minutes. Assessing the landscape today, the group known as L0pht asserts that even though the technologies have changed, the fundamental issues remain.
The Washington Post reports that L0pht surfaced several issues in its present-day visit to Congress.
- Border Gateway Protocol hijacking is an exploit that interferes with how routers communicate with one another and direct web traffic. It’s an issue that could take have taken the internet down back then and still exists today.
Quoting Weld Pond, one of the L0pht hackers, The Washington Post writes, “We’re still building new technology like cryptocurrency and blockchain, with all its promise of being secure, on old network foundations.” He added, “We keep building new things on old infrastructure that never seems to get fixed.” - Lack of prioritization–People choose convenience over security. Case in point: The article we published this week about President Trump’s lax security regarding mobile phones.
Quoting Kingpin, another hacker from the group, The Washington Post writes, “He’s basically choosing to live with the risk of having a hacked phone because he feels the convenience is more important than security. The fact that the president, who’s possibly the most targeted person in the world, doesn’t want to trade his phone, makes you really think about, ‘Is anybody else going to do that, and why should they?’” - Threats are more diverse today, as are the cybercriminals. When L0pht appeared before Congress the first time, the hackers were mainly kids trying to earn a reputation. Now the cybercriminals are often associated with international crime rings and nation-state motivations.
Weld Pond told The Washington Post, “Back then the threat was the teenage hacker….It was like, ‘Yeah, they’re kind of ankle-biters’… Now it’s nation-states. So every vulnerability got a lot more risky.” - The federal government needs to be more proactive. Standards, certifications, and protections have not been set or enforced in any robust kind of way. The group’s argument is that guidelines have been based more on subjective viewpoint versus data that illustrates strong cybersecurity.
Quoting Mudge, one of the other hackers from L0pht, The Washington Post writes, “Where’s the equivalent of the National Transportation Safety Board crash test results (for software)?” Noting that cybersecurity is a public safety issue, Mudge added, “So why has this been almost entirely left to the free market to secure and make safe?”
For the most part, the issues raised this week by L0pht are not much different from the hearing 20 years ago. At that time, the group told Congress that relying on companies to police themselves was futile. Now, L0pht is urging the government to step up and take action.
Get the full story at The Washington Post.
