Information Security News mailing list archives
Computer security expert gives advice on protection from hackers
From: InfoSec News <isn () C4I ORG>
Date: Mon, 2 Oct 2000 02:39:42 -0500
http://www.startribune.com/stOnLine/cgi-bin/article?thisSlug=BYTE02&date=02-Oct-2000

Published Monday, October 2, 2000
Sherri Cruz / Star Tribune

Hackers, crackers and sniffing, oh my.

That was the topic of conversation at last Thursday's e-business seminar put on by the Minnesota High Tech Association at the Radisson Hotel South in Bloomington. The message: Everyone is vulnerable.

Mike Noer, vice president of marketing for IterSec Communications Inc., a St. Paul-based computer security company, gave the 30 or so people in attendance a rundown on what to expect from hackers. He also made a hacker's job seem somewhat easy.

The driving force for hackers usually isn't malice, but rather curiosity. Most hackers are young males, and some are harmless. It's the so-called "crackers" who are more malicious. However, a distinction between the two usually isn't made except in hacker culture.

Corporate computer systems are susceptible to hackers for a variety of reasons, Noer said. For one, when most people install software -- now raise your hands if you've done this -- they opt for the defaults as opposed to customizing. Hackers are familiar with systems, so using defaults just makes a hacker's job easier.

Strong-sounding firewalls aren't so protective either. Firewalls block certain users, but they also let others in. "And that's the problem," Noer said.

Many ways to get passwords

Once inside a system, hackers have a number of ways of getting user names and passwords. One technique called "sniffing" lets the hacker search the network for the "root" and the "administrator," which is where that information lies.

Other ways of getting user names and passwords include "dumpster diving," which means going into the company's trash and looking for private information. Hackers, posing as employees, also can get useful information from receptionists and other front-end personnel, he said.

But fear not.
Noer suggests ways to protect passwords: Don't write it on a Post-it Note, change it every 30 days and, for Pete's sake, don't pick one from the Klingon dictionary, or any dictionary for that matter. Choose a password that uses characters such as #, * or $. Those passwords take a lot longer to crack, he said.

So, let's say the hacker has made it to your server. This is where the fun begins -- for the hacker, anyway. It's there where he or she can manipulate Web pages and even shut a site down.

The Hacker News Network, an organization, called 1999 an "exciting year" for hacking. Some of the pages hit included media outlets such as the Associated Press; government sites such as NASA, the U.S. Senate and the Federal Energy Regulatory Commission, and Internet sites such as Yahoo.

E-commerce sites beware: Hackers can obtain vitals such as customer credit card information even if the site has been designated "secure."

"Amazon.com is not really secure," Noer offered. And he speaks from experience. "I bought one thing off Amazon and [his credit card number] got stolen," he said.

When someone buys something online with a credit card, the data is encrypted for security as it travels from a consumer's PC to a business' PC. But a hacker has better ways to spend his time than cracking encrypted code, so he goes straight to the company's server, where all the information is stored. Once a hacker is on the company's server, he can get just about any kind of information he wants.

Other ways hackers can bring a business to its knees include generating corporate news releases that say your stock is lousy and "e-mail spoofing." Essentially, spoofing is sending an e-mail under the guise of someone else, which is amazingly easy with the widely used Windows NT operating system. But it's relatively easy to trace the real sender, or at least the computer the person used, because each computer is assigned a unique "IP" address.
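Returning to the password advice above (no dictionary words, include characters such as #, * or $): that guidance is straightforward to turn into a policy check that also makes the "takes a lot longer to crack" claim concrete. The following is an added example written for this archive copy; it is not code from the article, the Star Tribune or IterSec Communications. The word list, the leet-substitution table, the mangling-variant count and the guess rate are constructed assumptions used for illustration. It goes one step beyond the article's wording by showing that a dictionary word with a digit or symbol tacked on (a value like "gilligan#1", constructed here) is still a dictionary password once an attacker applies common substitution rules.

```python
import string

# Constructed stand-in for a cracking word list. A real attacker loads whole
# dictionaries (English, Klingon, pop culture), so any entry here is weak.
DICTIONARY = {
    "password", "qapla", "gilligan", "skipper", "professor",
    "welcome", "letmein", "amazon", "minnesota",
}

SYMBOLS = "#*$!%&@^()-_=+[]{};:,.<>?/"

# Common substitutions that crackers undo with "mangling rules":
# "p@ssw0rd" is still the dictionary word "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
# Digits and non-leet symbols appended at the end ("gilligan#1") are stripped
# before the dictionary lookup.
TRAILING_JUNK = string.digits + "".join(c for c in SYMBOLS if c not in "@$")

# Assumed cost model (illustrative numbers, not measurements): guesses per
# second for an offline attack, and mangling variants tried per word.
GUESSES_PER_SECOND = 1_000_000_000
VARIANTS_PER_WORD = 1_000


def normalise(password: str) -> str:
    """Reduce a password to the dictionary word it was built from, if any."""
    word = password.lower().rstrip(TRAILING_JUNK)
    return word.translate(LEET)


def is_dictionary_word(password: str) -> bool:
    return normalise(password) in DICTIONARY


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover, from the character classes
    the password actually uses (this is why symbols help)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space(password: str) -> int:
    """Candidates a brute-force attacker must try for this length and alphabet."""
    return charset_size(password) ** len(password)


def crack_time_seconds(password: str) -> float:
    """Rough time to exhaust the relevant search space at the assumed rate.
    A dictionary-derived password falls to a word list plus mangling rules,
    a far smaller space than brute force over its alphabet and length."""
    if is_dictionary_word(password):
        guesses = len(DICTIONARY) * VARIANTS_PER_WORD
    else:
        guesses = search_space(password)
    return guesses / GUESSES_PER_SECOND


def check_password(password: str, min_length: int = 8) -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if is_dictionary_word(password):
        problems.append("dictionary_word")
    if not any(c in SYMBOLS for c in password):
        problems.append("no_symbol")
    classes = sum(any(c in cls for c in password)
                  for cls in (string.ascii_lowercase, string.ascii_uppercase,
                              string.digits, SYMBOLS))
    if classes < 3:
        problems.append("too_few_classes")
    return problems


if __name__ == "__main__":
    # Constructed candidates: three dictionary-derived, one not.
    for candidate in ("Qapla1", "P@ssw0rd1", "gilligan#1", "Tr3e#Wh!stle9"):
        print(f"{candidate:15} {check_password(candidate)} "
              f"~{crack_time_seconds(candidate):.3g} s")
```

The point of the two time estimates is the shape of the comparison, not the absolute numbers: the dictionary path is bounded by the size of the word list times the mangling rules, while a non-dictionary password with mixed classes is bounded by alphabet size raised to the length, so adding a symbol class both grows the alphabet and, for a policy, forces the password off the word list.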
The return IP address attached to the e-mail identifies the sending computer. The tougher part is finding the person who sent the e-mail.

But spoofing is tame compared with the "Ping of Death," which "gags" the computer with information and brings down the system.

Remember the Gilligan model

Scary stuff, but there are ways to be safer.

"Unplug your computer, go back to fax machines, forget it. It's over," Noer joked.

"Corporate assets are like anything else you put a lock and key to," he said.

Noer likens corporate security to the TV show "Gilligan's Island." The Professor is the systems administrator. He's hardworking, smart but never gets the big picture of how to get off the island.

Then there is Gilligan, who represents the employees who don't change passwords and leave laptops in airports. "There's a little Gilligan in all of us," he said.

Next is the Skipper. The Skipper is senior management. He's smart. "He's our enabler." But he sometimes doesn't get it and doesn't allocate the resources to secure the system.

Management first must buy into the idea that a secure system is necessary, Noer said.

But most of all, Noer said, the point to remember about security is, "Security is a journey, not a destination."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".