Computer Crime Research Center

Invitation to a break-in

At their customers’ invitation, the Sandia Red Team has successfully hacked 35 out of 35 computer sites.

Over the past two years, a group at Sandia National Laboratories known informally as the Red Team has, at customer invitation, either successfully invaded or devised successful mock attacks on 35 out of 35 information systems at various sites, along with their associated security technologies.

Their work demonstrates that competent outsiders can hack into almost all networked computers as presently configured, no matter how well guarded, say spokespeople for the group, formally known as the Information Design Assurance Red Team or IDART.

Such networked systems might include e-commerce sites and transmitted or Net-stored financial data (from credit cards, money-machine cards, and bank accounts), as well as medical data.

Sites investigated by Sandia's self-described "bad guys" include information systems from two very large corporations and several key government agencies, says team leader Ruth Duggan from the Red Team lab in a restricted area of Sandia, in Albuquerque, N.M., a Department of Energy national security laboratory.

"We found specific weaknesses in every system," Duggan says.

IDART was started in 1996 by Michael Skroch, now on assignment with DARPA (Defense Advanced Research Projects Agency). DARPA was one of the team's principal sponsors before Skroch was asked to join that organization as a program manager.

Mind-Set Of An Adversary

The Red Team's mode, says team member Ray Parks, is to "role-play the position of an adversary" - a point of view sometimes unexpectedly difficult for system designers to adopt.

While the Sandia group's actions are entirely legal, its adoption of an "outlaw" mind-set, combined with a willingness to do relatively deep analyses of ways an information system can be penetrated (whether through the Internet or by an insider), has helped test and develop concepts in security technology. Some of these concepts are so advanced they are not yet available in the marketplace.

The typical IDART group, which may consist of three to eight hackers, sometimes explains to clients in advance exactly how and when they will attack. System defenders have time to prepare specific, automatic, and even redundant defenses for their software, platforms, firewalls, and other system components. Yet results disconcert clients every time - their defenses are breached.

"Right now, information system defenders have a very difficult job," says Duggan. "Our goal is to improve the security of information systems to make the attacker's job difficult instead." But the group has a long way to go. "Fortified positions do take us longer to break in," she says, "but on the order of minutes, not hours."

"In the past, I've been a system defender," says longtime team member David Duggan. "It's frankly nice to be on the winning team." His guileless smile belies the chill of his words. "If I'm an intruder and I merge with background noise, how can you tell I'm there?"

The extraordinarily broad abilities of cyber attackers - from professional hackers to terrorists to state- and corporate-sponsored aggressors - to penetrate any system they desire can result in pilfered information, corrupted data, a change in the order of operations, or a flat denial of services. Any of these, to an individual, is an annoyance. To major corporations, they could result in billions of dollars misplaced or stolen, or in loss of reputation. In a medical or military emergency, an adversary who could intercept messages, corrupt data, and deny access to services could cause catastrophic damage.

To forestall such problems, the Red Team prefers to be called in on the design stage of a system, though it can attack a system already in place to ferret out weak points. "Our job is to understand how systems can be caused to fail, and then to help the customers improve the surety of their systems," says Sam Varnado, Energy and Critical Infrastructure Center director.

The Red Team participates in attacks that might range from a week to five months. The nature of the work can still raise hackles among defenders, who may sometimes fail to appreciate a friendly attacker. One group member tells clients to say to themselves, "The Red Team is my friend," and repeat it twice more when tempers grow short.


Copyright © Computer Crime Research Center 2001, 2002 All Rights Reserved.