He stays a step ahead of hackers
Source: Contra Costa Times
By Ellen Lee
Date: December 23, 2003
LIVERMORE - Growing up on a ranch near Farmington, William Orvis protected cattle from predators. Now he defends the Energy Department's computers, keeping intruders and Internet attacks at bay.
Orvis is one of the "good guys" in the growing battle against cybercrime. Self-taught, he joined the Energy Department's Computer Incident Advisory Capability group, based at the Lawrence Livermore Laboratory, in the late 1980s to respond to the then-fledgling onslaught of Internet security attacks. In his 10-plus years there -- he is the only remaining member from the original team, one of the first of its kind in the nation -- he has tracked intruders who have dared to break into the Energy Department's computers.
On the side, he also "busts" Internet hoaxes. The creator of one of the earliest Web sites to debunk Internet urban legends, Hoaxbusters (http://hoaxbusters.ciac.org), Orvis logs them by category on a Department of Energy site. There are the too-good-to-be-true giveaways of Outback Steakhouse gift certificates just for forwarding an e-mail to friends. Or the little girl with cancer whose dying wish is to enter the Guinness Book of World Records for receiving the most greeting cards. Or, in a variation, the little girl who is missing and her frantic parents need the public's help to locate her.
"This poor little girl has been missing for a long time," Orvis said. "She has every disease in the book."
Some are real pleas from parents, which have since taken on a life of their own on the World Wide Web. "People will change the date (and details), just to start it around again," said Orvis, shaking his head.
Orvis is a bespectacled, soft-spoken man with a cowboy's tan mustache and occasional jeans, boots, jacket and Resistol hat. After helping birth calves and fix farm equipment at his family's ranch, he later studied physics and astronomy at the University of Denver.
He describes himself as a "puzzler" who enjoys solving a good mystery, hunting down clues left behind by an intruder and using them to stay a step ahead, or digging down to the origins of an Internet myth. Along the way, he has picked up knowledge of several programming languages, dozens of operating systems and hundreds of software programs, even writing books on them. "He's kind of a cowboy techie," said his wife, Julie Orvis, a member of Livermore's school board.
A former nuclear physicist at the Livermore lab, he first encountered a computer virus during the 1980s, when a bug made its way into laboratory Macintoshes through infected computer disks. His curiosity aroused, he asked for a copy of the virus and, somewhat to his supervisor's chagrin, studied it during his lunch breaks.
Using his knowledge of software, gleaned from his modeling work in physics, he wrote a program that detected the virus, removed it and inoculated the computer. He then published it in a newsletter for his colleagues, which prompted CIAC to contact him about joining the team.
Internet security attacks have become more sophisticated, automated and harmful since then, with scores of businesses such as Symantec, creator of the Norton Anti-Virus products, forming to combat the problem. Cybercrime cost North American businesses some $4 billion in losses this year, according to TruSecure, nearly double that of last year.
Orvis estimates that he has personally analyzed some 400 different malicious codes, such as the recent Blaster and Slammer attacks, and has monitored thousands more since he joined the CIAC team. But much of his recent energy has been spent on preventing and sniffing out the intruders breaking into the Energy Department's more than 80,000 computers at 175 sites.
This spring, an intruder sneaked into several hundred computers, installing "rootkits" on machines at universities, businesses and government offices throughout the United States. A rootkit lets an intruder re-enter a computer undetected, read and alter files at will and, in this case, run a "keyboard sniffer" that captured everything users typed, including user names and passwords. Users discovered the problem and alerted CIAC when login records showed them signed on to a computer at times when they, in fact, had not been.
Over the course of a week and a half, Orvis led a team that traced the break-ins from computer to computer across the globe, mapping out the hacker's path. He combed through pages and pages of computer logs until he figured out the secret of the attacks: Each time the intruder entered a system, the same 22-character packet appeared (a packet is the small unit of data in which computers exchange information over a network). It was the intruder's key to open the computer's back door. Once he knew what to look for, Orvis wrote a program that scanned the network for that signature and flagged the machines that had been compromised.
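The detection idea described above, signature-matching a reused trigger packet to find compromised hosts, as an added illustration; this is not the CIAC program from the article. The 22-byte trigger value, the host addresses and the captured packets are all constructed for the example, since the article publishes none of them. A second helper shows the prior step of surfacing a candidate trigger from traffic when the signature is not yet known, by looking for fixed-length payloads reused against several destinations.

```python
"""Signature-based detection of a backdoor trigger packet (added example).

TRIGGER and SAMPLE_PACKETS are constructed placeholders, not the real
values from the 2003 incident, which the article does not disclose.
"""
from collections import defaultdict

# Hypothetical 22-byte trigger; the real one is not published.
TRIGGER = b"CONSTRUCTED-TRIGGER-22"
assert len(TRIGGER) == 22


def find_compromised(packets, trigger=TRIGGER):
    """packets: iterable of (src_ip, dst_ip, payload_bytes).

    A host that receives the trigger is treated as compromised, because
    only a machine carrying the backdoor has any reason to be sent it.
    Returns {dst_ip: sorted list of src_ips that sent the trigger}.
    """
    hits = defaultdict(set)
    for src, dst, payload in packets:
        if trigger in payload:          # substring match, not just equality
            hits[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def candidate_triggers(packets, length=22, min_hosts=2):
    """When the signature is unknown: return payloads of exactly `length`
    bytes that were delivered to at least `min_hosts` distinct hosts.
    A trigger reused across victims stands out; one-off traffic does not.
    """
    dests = defaultdict(set)
    for src, dst, payload in packets:
        if len(payload) == length:
            dests[payload].add(dst)
    return sorted(p for p, d in dests.items() if len(d) >= min_hosts)


# Constructed capture: two external sources, three internal hosts.
SAMPLE_PACKETS = [
    ("198.51.100.7", "10.0.0.5", TRIGGER),
    ("198.51.100.7", "10.0.0.9", b"\x00\x00\x00\x00" + TRIGGER),
    ("10.0.0.1", "10.0.0.5", b"GET / HTTP/1.0\r\n\r\n"),
    ("203.0.113.4", "10.0.0.9", TRIGGER),
    ("10.0.0.2", "10.0.0.3", b"A" * 22),   # same length, single destination
]

if __name__ == "__main__":
    for host, senders in find_compromised(SAMPLE_PACKETS).items():
        print(f"{host} received the trigger from {', '.join(senders)}")
    print("candidate triggers:", candidate_triggers(SAMPLE_PACKETS))
```

The substring match in `find_compromised` matters: the second constructed packet carries the trigger behind four bytes of padding, so an exact-length check alone would miss it, while `candidate_triggers` deliberately keys on exact length because it is hunting for the bare reused payload.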
"It takes a bit of creativity," said Kathryn Knerler, the operations manager for CIAC who has worked with Orvis for several years. "It's thinking like a hacker. That's what he does very well. He'll take something they've modified and he'll modify it for good purposes."
Orvis has even caught the bad guys in the act, alerting an attack's intended victim minutes before it was to occur.
He does not know what happens to most of those behind the break-ins after he turns the evidence over to law enforcement. He suspects one of them turned out to be a notorious Bay Area former FBI informant and computer security consultant, Max Butler, a.k.a. "Max Vision" and "The Equalizer," who turned around and infiltrated a series of government computers a few years ago. He was subsequently caught, tried and sent to prison.
During the mid-1990s, Orvis and his colleagues were deluged with calls about the Good Times virus, which, according to an e-mail warning, if accidentally downloaded would wipe out the computer's hard drive. The virus turned out to be a hoax, and led Orvis to set up a Web site devoted to cataloguing and explaining the hoax in an effort to stem the flood of calls. Now he spends a few hours each week, often on his lunch breaks, rooting out the latest tall tale making its way through e-mail messages.
He doesn't believe most of what he reads on the Internet, instead going straight to the source to verify that the story is false. But occasionally, he has discovered ones that turn out to be true. Dogs really can get sick eating a certain kind of mulch that uses chocolate in its ingredients. And Outback Steakhouse really did send a convoy of steaks, shrimp and onions to troops in Afghanistan last year.
"Son of a gun," he said after he called the restaurant's corporate offices and verified it. "It was real."