Information Security News mailing list archives
Broadband Could be Hackland
From: William Knowles <wk () C4I ORG>
Date: Mon, 23 Oct 2000 21:10:59 -0500
http://www.wired.com/news/technology/0,1282,39235,00.html by Farhad Manjoo 2:00 a.m. Oct. 23, 2000 PDT Recently, Steve Gibson, an independent software developer in Southern California, received a call from the FBI. "Apparently, some hacker was getting into people's computers and posting notes on their Windows desktops," Gibson said. "The notes were telling people that their computer was insecure, and that they should go to GRC.com. So the FBI said, 'Steve, did you do this?'" It seemed like a reasonable question. Gibson's GRC.com offers a popular service called "Shields Up!," which tests your computer's vulnerability to attack. Companies have been known to employ guerrilla tactics to get attention. But Gibson didn't do it. The FBI's note-posting hacker was apparently benevolent -- trying to show people, by violating the sanctity of their Windows desktop, that their computer could easily come under attack. Obviously, all hackers aren't such goody-goodies. And now, say Gibson and other security experts, the playground in which hackers can romp is rapidly expanding, thanks to the very thing that has been hyped as revolutionizing the Internet: broadband. Consumers with high-speed connections to the Internet, like those provided by DSL and cable modems, are surfing at their own risk unless they take pains to protect their computers, said Frank Prince, an analyst at Forrester Research. Prince said that because broadband consumers are online for long periods of time, and because their computers have a constant IP address during an online session, they are prime targets for malicious activity. The worst part of the situation, said Gibson, is that most consumers aren't aware that broadband connections are making their computers insecure. "People have this vague uneasiness about security," he said. "They know that there are 'hackers' out there, and people are worried, but they don't know they have to do anything." But it's precisely the consumers who need to do something, he said: "Nobody else is taking responsibility for this right now. It's just like the anti-virus problem -- only end-users can solve it." Forrester's Prince agreed. "Security (in broadband) is a real, if at yet largely unrealized, problem," he said. But broadband providers say that the service they provide to their users is safe -- though they do concede that consumers who are especially concerned about safety should install security software to protect their computers. "Our consumer customers get dynamic IP addresses," said Sean Danes, a spokesman for Pacific Bell DSL, a large DSL provider. With a dynamic IP address, a computer's "location" on the Internet is periodically changed, thereby decreasing the chance of attack. "This adds a level of additional security, and we encourage DSL users to 're-authenticate' every once in a while to get a new IP address," Danes said. Richard Holden, a director of product development at the cable modem provider Excite@Home, also pointed to security measures that his company takes to make consumers safe. "For example," he said, "as part of the installation process for @Home, we always turn off a computer's file sharing." But Holden also said that the media have been giving this situation more attention than it deserves. "The fear created in consumers' minds is actually greater than the risk that exists," he said. "If a customer operates the computer in a safe manner, there shouldn't be any problem." Holden added that only if people are using their computers to store sensitive information will extra security software be necessary. Neither Pacific Bell nor Excite@Home provide their customers with such software. Each company's officials said, though, that they would help its users install the software if they required it. Forrester's Prince rejected Holden's argument that only some users need to make their computers secure. "Have you ever clicked the button that says 'Save this password?'" he asked, suggesting that an unsafe connection leaves the virtual keys to anything from online bank accounts to stock portfolios open to a hacker's snooping. Prince said that while shutting down file sharing increases a computer's safety, by no means does it make it "secure." He said that a hacker could still easily set up a Trojan application on a computer to serve up its files. The solution for users, Prince said, is to take security into their own hands, by purchasing a security agent called a "personal firewall." A personal firewall on a computer acts just like a doorman on Park Avenue: It lets in only the traffic you've previously OK'd, and tells everyone else to buzz off. Sam Curry, a security architect at the software firm McAfee, which makes one such personal firewall, said that while he is "obviously biased," he thinks that everyone with a broadband connection needs to look into getting a personal firewall. Curry suggested that the frenzy of hacker attacks on large sites that occurred earlier in the year and were perpetrated through a so-called "distributed denial-of-service attack" could be repeated using at-risk home computers. In a DoS attack, a hacker invades a network of computers, puts them under his control, and then forces them to send out thousands of packets of information to a specified site. The site becomes overloaded and crashes. In the past, the computers that were taken over by hackers were large servers at universities, but those institutions log their traffic, which makes it easier to trace the attack back to an individual. A less traceable attack on a large site could conceivably involve a network of vulnerable home computers, which don't log their network traffic, Prince said. The hacker "would have to take over 10,000 of these computers instead of 500 large servers," he said, "so it means more work for them, but I don't doubt that we'll see it. "Sooner or later, there is no question that someone will have marshaled a large number of private computers to be used in a high-profile attack," he said. "Then we'll have to go back to (the broadband providers) and ask them what happened." *==============================================================* "Communications without intelligence is noise; Intelligence without communications is irrelevant." Gen Alfred. M. Gray, USMC ================================================================ C4I.org - Computer Security, & Intelligence - http://www.c4i.org *==============================================================* ISN is hosted by SecurityFocus.com --- To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
Current thread:
- Broadband Could be Hackland William Knowles (Oct 24)