The Hackers Who Broke Windows

The Last Stage of Delirium, the hacking group that last week laid open nearly every version of the Windows operating system, could use a little sleep, writes Deborah Radcliff of SecurityFocus. Since going public with the RPC buffer overflow bug that some are describing as the worst Windows security hole in history, the group has been caught in a media frenzy.

The hubbub has been just as bad as when, in April 2001, LSD broke Argus Systems' PitBull security software in a contest for $50,000 in cash. (After the media glare faded, the team was stiffed for $43,000 of the prize money.) Then, as now, the work and its media aftermath kept them up at night when they would rather have been home with their families, said Tomasz Ostwald, one of the four founders of LSD, during a phone interview at 9:00 at night, Poland time. "This has been going on for three weeks. We had to work all weekend, even Sunday," he said with his thick Polish accent. "We're still taking at least two media calls a day."

Delirium was dreamed up in 1996 by four security engineers who had just graduated from the master's program in computer science at Poznan University of Technology in western Poland. Now all 27 or 28 years old, they manage the security infrastructure for an academic and scientific supercomputing center in the university town of Poznan, where they all live. They also do security engineering consulting and penetration testing for other clients.

By night, they crack software.

Their day jobs are not to be confused with the work they do with LSD, says Ostwald. And even though they liken themselves to other hacking groups such as the Cult of the Dead Cow, don't call the LSD members hackers: they would like you to call them security engineers instead.

But in the truest sense, these engineers are indeed hackers. What distinguishes their non-profit group from a number of earlier code-cracking groups is the way they conduct themselves. Along with their technical skills, these researchers possess unusual business and media savvy, say their peers.

"The LSD team always seems to find problems in critical core technologies," says Chris Wysopal, director of research and development for @stake, Inc., in Cambridge, Mass., which also does vulnerability testing on software applications. "They handle themselves professionally with the technology community and are able to span the cultural and language barriers between Poland and the U.S."

LSD's research is also impeccable (for example, a 50-page paper that exposed implementation vulnerabilities in Java) -- far better than anything produced by the l0pht, the hacking group that grew up to become @stake, Wysopal adds.

Exploit Controversy

But LSD hasn't completely escaped criticism. In March, the group put itself at the center of a controversy when it released exploit code for a Sendmail vulnerability discovered by Internet Security Systems.

"As a security vendor, we don't think it's good business to post exploit code because it enables bad guys to break into systems," says Chris Rouland, vice president of ISS's X-Force team in Atlanta.

Ostwald says the group decided to release the Sendmail exploit code because ISS was overstating the threat posed by the bug. "When a threat is overestimated, it makes it hard to perform appropriate risk management. So we put the exploit code out for testing and proved that the threat was not as serious as the vendors claimed," Ostwald says.

Off the record, at least one security company now criticizes LSD for not posting exploit code for the Windows RPC bug. "How do you prove the bug without the code?" the source said. But because the bug affects so many versions of Windows, releasing the exploit code would not have given IT managers enough time to patch, counters Ostwald. Wysopal agrees. "If [they] released the code to the Windows buffer overflow attack too soon, we'd have another SQL Slammer on our hands," says Wysopal.

Besides, people are already developing the exploit code anyway, says Tim Mullen, CIO of AnchorIS.Com, and a SecurityFocus columnist. And Rouland says ISS had developed exploit code four hours after news of the bug was released to the public.

When they're not trapped between the proverbial rock and hard place of releasing or not releasing exploit code, LSD members are generally praised -- even by ISS -- for the way they conduct themselves professionally. The group now enjoys even-handed relationships with vendors. That wasn't always the case, says Ostwald. "In the past two years, we've observed improvements in the way software and anti-virus vendors respond to our findings."

Delirium contacted Microsoft's security response center through its Secure@Microsoft.com address on June 27, says Stephen Toulouse, security program manager for Microsoft's response center.

"From our standpoint, the entire process with them [LSD] was completely professional. And we appreciate them not posting the exploit code to give our customers a fair chance to install the patch," Toulouse says.

If there's one niggling problem with the group's image, it's their name. Ostwald says he can't remember how they came up with "The Last Stage of Delirium." "But lately," he says, "we've been thinking we should change it."

© SecurityFocus