


Cyber Protector

How a grad student foiled the penetration of a hospital's computer system.

UP CLOSE: ROBERT WESLEY MCGREW

In the 1992 movie Sneakers, Martin Bishop (Robert Redford) leads a crew of computer hackers who break into client companies to expose security weaknesses. Imagine a 2010, digitally advanced version of Bishop and you have Robert Wesley McGrew, a computer science doctoral candidate at Mississippi State University. This "white hat" hacker alerts the world to software vulnerabilities that endanger physical plants and critical infrastructure.

McGrew made headlines in the United States and Britain last year after disclosing several chinks in software put out by General Electric. Observing the program's interactions with a computer file system and network, for instance, he determined that it stored administrator passwords using only a simple encryption algorithm. With a reverse algorithm, a hacker could decode the passwords and run amok with administrator privileges.

Another discovery - maybe McGrew's biggest yet - sprang from his practice of tracking online public forums where "black hat" hackers boast about the latest website they've defaced or information they've stolen. These often young "script kiddies" sometimes find their mistakes mocked on McGrew's blog. Stung by one such critique, a young man who went by the moniker XXxxImmortalxxXX called to demand that McGrew "take down that post." When McGrew refused, the youth uttered a meek "Oh, OK. Well, thank you, sir." But he stayed in touch and in late June 2009, sent McGrew a startling message: He claimed to have penetrated a hospital heating, ventilating, and air conditioning (HVAC) system.

With a little prodding, XXxxImmortalxxXX forwarded three photo links confirming that, indeed, this was no "script kiddie" stunt but a potentially serious health threat. "You don't see it every day," McGrew remembers thinking. Besides indoor comfort, a hospital's HVAC system controls storage temperatures for sensitive medicines.

The images were stored in a user folder labeled "ETA Radio," and McGrew knew XXxxImmortalxxXX had recently joined a hacking group called the Electronik Tribulation Army. Poking around on the Web, he determined that the ETA's leader, not XXxxImmortalxxXX, had actually posted the images and might be the real hacker.

McGrew spent the next several days compiling as much information as possible on the leader, who went by the alias GhostExodus. His methods were more old-school Sherlock Holmes than latter-day cyber sleuth. "I simply kept good notes and drew connections between various things I found: E-mail addresses, social networking accounts, videos, usernames, forums, etc.," he says.

In a moment that "felt very CSI," he pieced together a home IP address for the hacker after downloading a GhostExodus YouTube video. Examining the clip frame by blurry frame, he picked up barely readable digits that he then matched to an address with the help of a domain-name search.

More digging turned up a YouTube video the hacker had posted of himself attacking the hospital's system for checking in patients. Set to the theme from Mission: Impossible, the video appears to show him using a thumb drive to install botnet client software that would connect the hospital system to a network of hacker-controlled, infected computers. ETA websites and video advertised a GhostExodus scheme to enlist this network in a coordinated "denial of service" attack, flooding other machines with so much activity that they would cease to function properly. It would come July 4 - days away.

McGrew alerted the FBI, submitting several DVDs' worth of evidence. On June 26, agents arrested an Arlington, Texas, man they alleged was GhostExodus and whose name, coincidentally, differs from McGrew's by one letter. Suspect Jesse William McGraw, a night security guard at the Carrell Clinic Hospital in Dallas, had used his access to hack into the hospital system, the FBI charged. His trial is pending.

As a reminder of the vulnerabilities inherent in much of our infrastructure, the case has far-reaching significance, says Ray Vaughn, McGrew's Ph.D. adviser. A similar scenario, he warns, could place "a criminal agent inside a nuclear power plant as a custodian."

But has the white-hat hacker himself ever dabbled in any black hat activity? "Nothing you can print," McGrew says.

David Zax is a freelance writer currently based in New York.




© Copyright 2010
American Society for Engineering Education