Information Security News mailing list archives

Computer security expert gives advice on protection from hackers


From: InfoSec News <isn () C4I ORG>
Date: Mon, 2 Oct 2000 02:39:42 -0500

http://www.startribune.com/stOnLine/cgi-bin/article?thisSlug=BYTE02&date=02-Oct-2000

Published Monday, October 2, 2000
Sherri Cruz / Star Tribune

Hackers, crackers and sniffing, oh my.

That was the topic of conversation at last Thursday's e-business
seminar put on by the Minnesota High Tech Association at the Radisson
Hotel South in Bloomington.

The message: Everyone is vulnerable.

Mike Noer, vice president of marketing for IterSec Communications
Inc., a St. Paul-based computer security company, gave the 30 or so
people in attendance a rundown on what to expect from hackers. He also
made a hacker's job seem somewhat easy.

The driving force for hackers usually isn't malice, but rather
curiosity. Most hackers are young males, and some are harmless. It's
the so-called "crackers" who are more malicious. However, a
distinction between the two usually isn't made except in hacker
culture.

Corporate computer systems are susceptible to hackers for a variety of
reasons, Noer said. For one, when most people install software -- now
raise your hands if you've done this -- they opt for the defaults as
opposed to customizing. Hackers know those default configurations, with
their standard accounts, passwords and open services, as well as anyone,
so leaving them in place just makes a hacker's job easier.

Strong-sounding firewalls aren't so protective either. Firewalls block
certain users, but they also let others in. "And that's the problem,"
Noer said.

Many ways to get passwords

Once inside a system, hackers have a number of ways of getting user
names and passwords. One technique called "sniffing" captures the
traffic passing over the network, and with it any user names and
passwords that travel unencrypted, including those of the "root" and
"administrator" accounts that hold the keys to the system.
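What a sniffer actually recovers, as an added illustration (this is example code written for this archive page, not anything Noer presented): given cleartext application traffic, the script below pulls user names and passwords out of FTP and POP3 logins (both send USER and PASS as separate commands) and out of HTTP Basic authentication, whose "encoding" is base64 and decodes directly. The hosts, accounts and passwords in SAMPLE_TRAFFIC are constructed for the example.

```python
import base64
import re

# Constructed sample of cleartext traffic as a sniffer on a shared network
# segment would capture it: (source, destination, application payload).
# Hosts and credentials are made up for this example.
SAMPLE_TRAFFIC = [
    ("10.0.0.5", "10.0.0.20", "USER alice\r\n"),                     # FTP login
    ("10.0.0.5", "10.0.0.20", "PASS hunter2\r\n"),
    ("10.0.0.7", "10.0.0.21",                                         # HTTP Basic auth
     "GET /admin/ HTTP/1.0\r\nAuthorization: Basic cm9vdDp0MDBy\r\n\r\n"),
    ("10.0.0.22", "10.0.0.9", "+OK POP3 server ready\r\n"),           # server banner, no secret
    ("10.0.0.9", "10.0.0.22", "USER bob\r\n"),                        # POP3 login
    ("10.0.0.9", "10.0.0.22", "PASS sw0rdfish\r\n"),
]

USER_RE = re.compile(r"^USER (\S+)$")
PASS_RE = re.compile(r"^PASS (\S+)$")
BASIC_RE = re.compile(r"^Authorization: Basic (\S+)$", re.IGNORECASE)


def extract_credentials(traffic):
    """Recover credentials from cleartext protocol payloads.

    FTP and POP3 both send USER then PASS as separate commands, so the
    user name is remembered per (src, dst) flow until the PASS arrives.
    HTTP Basic authentication carries "user:password" base64-encoded,
    which is encoding, not encryption, and decodes directly.
    Returns a list of (protocol, (src, dst), user, password) tuples.
    """
    pending_user = {}
    found = []
    for src, dst, payload in traffic:
        flow = (src, dst)
        for line in payload.split("\r\n"):
            m = USER_RE.match(line)
            if m:
                pending_user[flow] = m.group(1)
                continue
            m = PASS_RE.match(line)
            if m and flow in pending_user:
                found.append(("ftp/pop3", flow, pending_user.pop(flow), m.group(1)))
                continue
            m = BASIC_RE.match(line)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode()
                except (ValueError, UnicodeDecodeError):
                    continue  # malformed header, not worth a crash
                user, _, password = decoded.partition(":")
                found.append(("http-basic", flow, user, password))
    return found


if __name__ == "__main__":
    for proto, (src, dst), user, password in extract_credentials(SAMPLE_TRAFFIC):
        print(f"{proto:10} {src} -> {dst}  {user}:{password}")
```

The practical point is that no firewall stops this once the attacker is on the inside; what defeats sniffing is not sending passwords in the clear at all (SSH in place of telnet and FTP, TLS for POP and HTTP).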

Other ways of getting user names and passwords include "dumpster
diving," which means going into the company's trash and looking for
private information. Hackers, posing as employees, also can get useful
information from receptionists and other front-end personnel, he said.

But fear not. Noer suggests ways to protect passwords: Don't write them
on Post-it Notes, change them every 30 days and, for Pete's sake, don't
pick one from the Klingon dictionary, or any dictionary for that
matter. Choose a password that uses characters such as #, * or $.
Those passwords take a lot longer to crack, he said.
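Why the dictionary advice matters, as an added example (written for this archive page, not code from Noer or the seminar): an attacker who has copied a password file does not guess online, but hashes each candidate word and compares. The script below runs a small dictionary attack with a few common mangling rules against constructed shadow-style records and also estimates the brute-force keyspace of each password. The salted SHA-256 hashing stands in for the crypt() hashes of the era and is an assumption of the example, as are the wordlist and the accounts.

```python
import hashlib
import math
import os

# Constructed stand-in for a real cracking dictionary, which would hold
# millions of entries (Klingon vocabulary included).
WORDLIST = ["password", "gilligan", "skipper", "qapla", "petaq", "minnesota", "welcome"]


def make_record(user, password, salt=None):
    """Build a (user, salt, hash) record. Fast salted SHA-256 is an
    assumption of this example; fast hashing is what keeps guessing cheap."""
    salt = salt if salt is not None else os.urandom(8).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return (user, salt, digest)


# Constructed password file: two dictionary-derived passwords, one that
# mixes cases, digits and symbols as the article recommends.
SAMPLE_RECORDS = [
    make_record("ginger", "gilligan", "a1b2"),
    make_record("professor", "Qapla1", "c3d4"),
    make_record("skipper", "T3x!q*8$", "e5f6"),
]


def mangle(word):
    """Yield the word plus the case and suffix variants crackers try first."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2000"):
            yield base + suffix


def dictionary_attack(records, wordlist):
    """Return {user: password} for every record a wordlist guess matches."""
    candidates = [variant for word in wordlist for variant in mangle(word)]
    cracked = {}
    for user, salt, digest in records:
        for cand in candidates:
            if hashlib.sha256((salt + cand).encode()).hexdigest() == digest:
                cracked[user] = cand
                break
    return cracked


def keyspace_bits(password):
    """Brute-force cost in bits: length * log2(alphabet), where the alphabet
    is the union of character classes the password uses (95 printable ASCII
    at most). A dictionary word scores well here yet falls in a few guesses."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    print("cracked:", dictionary_attack(SAMPLE_RECORDS, WORDLIST))
    for pw in ("gilligan", "Qapla1", "T3x!q*8$"):
        print(f"{pw:10} ~{keyspace_bits(pw):.0f} bits of brute-force keyspace")
```

Two records fall to a seven-word list with trivial mangling; the one built from mixed characters survives and would cost far more to brute-force. One caveat for readers today: the 30-day rotation was standard advice in 2000, but NIST SP 800-63B now recommends against forced periodic changes unless there is evidence of compromise, since they push users toward predictable variations of the same word.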

So, let's say the hacker has made it to your server. This is where the
fun begins -- for the hacker, anyway. It's there where he or she can
manipulate Web pages and even shut a site down.

The Hacker News Network, an organization, called 1999 an "exciting
year" for hacking. Some of the pages hit included media outlets such
as the Associated Press; government sites such as NASA, the U.S.
Senate and the Federal Energy Regulatory Commission, and Internet
sites such as Yahoo.

E-commerce sites beware: Hackers can obtain vitals such as customer
credit card information even if the site has been designated "secure."

"Amazon.com is not really secure," Noer offered.

And he speaks from experience.

"I bought one thing off Amazon and [his credit card number] got
stolen," he said. When someone buys something online with a credit
card, the data is encrypted for security as it travels from the
consumer's PC to the business's server. But a hacker has better ways to
spend his time than breaking that encryption, so he goes straight to
the company's server, where all the information is stored after it
arrives. Once a hacker is on the company's server, he can get just
about any kind of information he wants.

Other ways hackers can bring a business to its knees include
generating corporate news releases that say your stock is lousy and
"e-mail spoofing."

Essentially, spoofing is sending an e-mail under the guise of someone
else, which is amazingly easy with the widely used Windows NT
operating system. But it's relatively easy to trace the real sender,
or at least the computer the person used, because each computer on the
Internet is assigned a unique "IP" address, and every mail server that
handles a message records the IP address of the computer that handed it
over in the message's "Received" headers. The tougher part is finding
the person who sent the e-mail.
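How the trace works in practice, as an added example (written for this archive page; not code from Noer or the seminar): the From line is whatever the sender typed, but each mail server that relays a message prepends a Received header naming the host that connected to it. The script parses a constructed message whose From line claims to be the boss, walks the Received chain from the newest entry down, and stops at the first hop that entered the servers we control, since anything the sender's own machine wrote below that point can be forged too. The message, host names and the trusted-host set are assumptions of the example (the addresses are documentation ranges).

```python
import email
import re

# Constructed message. The From: line claims the CEO; the Received: chain,
# newest on top, was written by inbox.example.com and mail.example.com
# (ours) and shows the connection came from 203.0.113.45. The bottom
# Received: line was supplied by the sender's own machine and proves nothing.
RAW_MESSAGE = b"""Received: from mail.example.com (mail.example.com [192.0.2.10])
\tby inbox.example.com with ESMTP id 4321; Mon, 2 Oct 2000 10:15:02 -0500
Received: from dialup-45.isp.example (unknown [203.0.113.45])
\tby mail.example.com with SMTP id 1234; Mon, 2 Oct 2000 10:14:58 -0500
Received: from ceo-laptop (localhost [127.0.0.1])
\tby dialup-45.isp.example; Mon, 2 Oct 2000 10:14:50 -0500
From: "The Skipper" <ceo@example.com>
To: everyone@example.com
Subject: Our stock is lousy, sell now

Forged body.
"""

RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]*)\)\s+by\s+(\S+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(msg):
    """Return one dict per Received header, newest first:
    the host named after 'from', the IP the receiving server logged
    in brackets, and the 'by' host that wrote the header."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # nonstandard format; skip rather than guess
        ip = IP_RE.search(m.group(2))
        hops.append({"from": m.group(1), "ip": ip.group(1) if ip else None, "by": m.group(3)})
    return hops


def trace_origin(raw, trusted_hosts):
    """Return (claimed From, hops, origin IP). The origin is the address
    recorded by the first of our own servers to receive the message;
    Received lines written by untrusted hosts are never relied on."""
    msg = email.message_from_bytes(raw)
    hops = parse_received(msg)
    origin = None
    for hop in hops:
        if hop["by"] not in trusted_hosts:
            break  # header written outside our control; stop here
        origin = hop["ip"]
        if hop["from"] not in trusted_hosts:
            break  # first hop into our infrastructure: the real sender
    return msg["From"], hops, origin


if __name__ == "__main__":
    claimed, hops, origin = trace_origin(RAW_MESSAGE, {"inbox.example.com", "mail.example.com"})
    print("From line claims:", claimed)
    print("connection actually came from:", origin)
```

The IP identifies a machine (here a dial-up account at an ISP), which is as far as the headers go; matching it to a person means asking the ISP who was assigned that address at that time, which is the harder part Noer describes.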

But spoofing is tame compared with the "Ping of Death," a single
malformed ping packet, larger than the network software is built to
handle, which "gags" the computer and brings down the system.
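What makes that packet deadly, as an added example (written for this archive page, not material from the seminar): an IP datagram's length field is 16 bits, so nothing larger than 65,535 bytes can exist on the wire, but a sender can split a ping into fragments whose offsets add up to more than that. Systems of the day reassembled first and checked later, overflowing the buffer. The script models fragments by their offset and length and flags any datagram whose reassembled size would exceed the limit, which is the check a network stack or intrusion sensor needs. The fragment layout and the 20-byte IP header assumption are the example's own.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535      # 16-bit Total Length field (RFC 791)
IP_HEADER_LEN = 20           # minimal IPv4 header; options are not modelled here
MAX_PAYLOAD = IP_MAX_DATAGRAM - IP_HEADER_LEN


@dataclass
class Fragment:
    ident: int     # IP Identification field, shared by all fragments of one datagram
    offset: int    # Fragment Offset field, in 8-byte units
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments flag


def fragment(ident, payload_len, max_frag=1480):
    """Split a payload into fragments the way a sender would on a link
    with max_frag bytes per fragment (must be a multiple of 8)."""
    if max_frag % 8:
        raise ValueError("fragment size must be a multiple of 8")
    frags, off = [], 0
    while off < payload_len:
        n = min(max_frag, payload_len - off)
        frags.append(Fragment(ident, off // 8, n, off + n < payload_len))
        off += n
    return frags


def reassembled_size(frags):
    """Payload length the datagram would have once every fragment is placed."""
    return max(f.offset * 8 + f.length for f in frags)


def detect_ping_of_death(fragments):
    """Group fragments by IP ID and return {ident: size} for every datagram
    whose reassembled payload would not fit in a legal IP datagram. A real
    stack must make this check per fragment, before copying into the buffer,
    rather than after reassembly."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f.ident, []).append(f)
    return {ident: size for ident, frags in by_id.items()
            if (size := reassembled_size(frags)) > MAX_PAYLOAD}


def sample_traffic():
    """Constructed traffic: a normal 1500-byte ping crossing a 576-byte MTU
    link (ID 1) and the classic oversized ping, 65,510 data bytes plus the
    8-byte ICMP header, which is one 20-byte IP header short of legal (ID 2)."""
    return fragment(1, 1500, max_frag=568) + fragment(2, 8 + 65510)


if __name__ == "__main__":
    for ident, size in detect_ping_of_death(sample_traffic()).items():
        print(f"IP ID {ident}: reassembles to {size} payload bytes, "
              f"{size + IP_HEADER_LEN - IP_MAX_DATAGRAM} over the limit")
```

Vendors fixed this in the late 1990s by rejecting any fragment whose offset plus length exceeds the maximum before it touches the reassembly buffer; the detector above applies the same rule to captured traffic.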

Remember the Gilligan model

Scary stuff, but there are ways to be safer. "Unplug your computer, go
back to fax machines, forget it. It's over," Noer joked.

"Corporate assets are like anything else you put a lock and key to,"
he said.

Noer likens corporate security to the TV show "Gilligan's Island." The
Professor is the systems administrator. He's hardworking, smart but
never gets the big picture of how to get off the island.

Then there is Gilligan, who represents the employees who don't change
passwords and leave laptops in airports. "There's a little Gilligan in
all of us," he said.

Next is the Skipper. The Skipper is senior management. He's smart.
"He's our enabler." But he sometimes doesn't get it and doesn't
allocate the resources to secure the system. Management first must buy
into the idea that a secure system is necessary, Noer said.

But most of all, Noer said, the point to remember about security is,
"Security is a journey, not a destination."

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".