[ISN] Return of the Hack (Nasa)

From: mea culpa (jerichoat_private)
Date: Mon May 04 1998 - 18:17:13 PDT

    Forwarded From: Nicholas Charles Brawn <ncb05at_private>
    
    
    30Apr98 UK: SECURITY - RETURN OF THE HACK.
    
    Even Nasa's security measures aren't always enough to deter hackers.
    Sharon Smith outlines a problem that just grows and grows. 
     
    Like street muggings, computer hacking has become so ubiquitous that it is
    almost accepted as one of those unavoidable facts of modern life. It's a
    plague that, in theory at least, afflicts primarily the weakest. 
    
    But a couple of weeks ago, when some of the top US chief executives
    gathered for a security convention in Atlanta, the statistics must have
    made their hair curl. The figures underlined the vulnerability of even
    apparently secure computer systems to cyber attack. 
    
    Last year, the Pentagon was subject to 250,000 hacker attacks, while the
    annual cost of hacking to US industry is now reckoned to be a staggering
    $10 billion. 
    
    Worse still, it was revealed, there are now nearly 2,000 Web sites
    offering tips, tools and techniques to miscreants who, like mountaineers
    scaling Everest, want to conquer any and every system - if only because of
    the challenge it presents. 
    
    Kevin Mitnick, the supposed grandmaster of hackers, is languishing in jail
    awaiting trial on charges relating to nearly $30 million of alleged
    computer and telecoms fraud, but there is a queue of applicants waiting to
    follow in his footsteps. Among the more recent headline grabbers was an
    attack launched from the Internet last month that froze thousands of
    computers running Windows NT. Victims of the attack included 14 of the 15
    Web sites operated by Nasa, plus computers operated by the US military and
    by many universities. 
    
    The cyber attack crashed the computers by sending out a message which
    exploited a flaw in the NT operating system. Microsoft had issued a patch
    for the loophole in January, but the victims had not applied it, nor had
    they erected firewalls in front of their Web servers. 
    
    Another recent high-profile case involved two US teenagers who roamed
    through unclassified military Web servers using a server security hole. 
    Again, the Webmasters could have used well-known software patches to keep
    the hackers out. 
    
    The duo, who got on to the Internet using service provider Sonic, used
    what is known as the statd exploit, which was publicised on the Web in
    November 1997 and for which an advisory was issued in December. The
    exploit allows hackers to gain root access to Unix machines running Sun
    Microsystems' Solaris operating system. Once access has been obtained,
    hackers can install programs or delete Web sites. 
    
    In the UK, hacking exploits such as these do not surprise security
    experts, who warn that the threat will continue to grow in tandem with the
    Internet's own expansion. 
    
    Contrary to popular opinion, the problem will not necessarily be confined
    to the US. Industry observers say hacking is already a growing menace in
    the UK. 
    
    UK organisations, however, have been lulled into a false sense of security
    because computer attacks are not always publicised. Bill Brett, sales
    director at Hertfordshire-based IT services company Barron McCann,
    estimates there are thousands of hacking cases each year in the UK. 
    'Hacking is a bigger problem in the UK than companies realise, because the
    last thing a company wants everybody else to know is that they have been
    hacked into. 
    
    'It's embarrassing for them to admit that their IT system was not secure
    enough, and there is the fear that the hacker will return. You wouldn't
    advertise the fact that you'd had a burglary at your home, would you?' The
    real extent of UK hacking is difficult to gauge. 'Around 5% of our
    disaster-recovery cases are known to be due to people getting into company
    IT systems via the Internet,' Brett says. 'But the statistics could be
    even higher because we don't always know that hacking is the cause of a
    problem.'
    
    Outsiders hacking into company IT systems fall into one of two categories. 
    Experts say that 95% of cases are of hackers infiltrating systems merely
    to show how clever they are or to create havoc, as in the Windows NT
    incident in the US. 
    
    These incidents are serious enough for the organisations affected to be
    heavily inconvenienced, and they can lose money through wasted business
    time. But even worse are the 5% of attacks where hackers set out to crack
    passwords in order to alter, steal or erase data. Such acts threaten
    companies' livelihoods and even people's lives. 
    
    Bernie Dodwell, security products manager at Integralis, says: 'Once
    hackers have cracked a password, they are into a system with free range to
    do anything they want. If they know where a hospital's patient records are
    held, they can go in and change them. They can totally destroy businesses
    by altering or wiping out their data.'
    
    Attacks on Web sites, where mischievous hackers go in and alter
    information, are already commonplace. Richard Woods, a representative of
    Internet service provider UUNet Pipex, explains: 'They go in and muck
    around a bit, then go off again. But it can damage a company's reputation
    if obscenities or duff information are left on its Web site.'
    
    Cookies, or information about visitors to Web sites, are another popular
    target - hackers can tap into users' browsers to get cookie data. The
    technique has also been used by marketing companies intent on poaching
    potential customers from rivals, as well as companies aiming to convert
    visitors to their Web sites into customers. 
    
    The problem is exacerbated by the fact that the Internet and,
    increasingly, corporate IT systems are open systems as opposed to the
    closed architecture of the traditional mainframe environment. 
    
    'Security on the mainframe is very well developed because of the time it
    has been around, so it's difficult to crack mainframe security measures,'
    says Dodwell. 
    
    Unix, as a more open environment, is a different case altogether. Although
    security has improved with time, it is still not as good as for
    mainframes.  And Windows NT is not much better - it has a reputation of
    having little security because it is so new. The same applies to the
    Internet: it is such a recent and complex technological achievement that
    it, too, has caught many organisations unawares. 
    
    There is a third type of hacking danger - insider attacks by a company's
    own employees. Tony Martin, marketing director at router manufacturer
    Teltrend, explains: 'In larger organisations, during salary reviews, it
    has happened that employees interrupt financial transactions, change the
    amount allocated to them, complete the message and get a salary increase
    of 100% instead of 10%.'
    
    Experts agree there is no way yet to render a system totally foolproof. 
    But there are measures that organisations can adopt to make their systems
    secure enough to deter hackers. If an attack does take place, a system
    should be secure enough to enable a company to pick up the incident
    immediately and act quickly to prevent a return visit. 
    
    To prevent hacking in the first place, says Woods, organisations need to
    devise and implement security strategies. 
    
    'One of the biggest problems is that security experts are often not called
    in until after the horse has bolted. Companies think that if it hasn't
    happened to them yet, it's not going to,' he explains. 
    
    One of the most simple measures is almost universally the most neglected. 
    'Organisations don't change their passwords frequently enough,' says
    Brett.  'They forget that a lot of people have access to a password,
    including former employees who were sacked or made redundant and might be
    upset.'
    
    A few other precautionary measures should be enough to safeguard most
    corporate systems. The key to combating the problem is to treat like with
    like. Hackers are like any other sophisticated criminals: they take pride
    in their work, and are up to date with the latest equipment. It is vital
    to make sure the system's users do the same. They should know how to
    constantly maintain and review any security features. 
    
    One step is to implement sniffer software that can prevent intruders from
    reaching designated parts of the system. And Web sites should be monitored
    constantly, so any defacement can be immediately rectified.  Encryption,
    too, helps prevent interference with messages sent over the Internet and
    internal networks. 
    
    Disaster recovery also plays a part. Brett estimates that a mere 12 to 14%
    of UK companies have a recovery plan in place. If a company does become a
    victim of hacking, it is essential to have the necessary backup system so
    the program can be running again as quickly as possible. 
    
    'We can also examine the hacked system to find out where the holes were,'
    says Brett. 
    
    Protection against hackers is the number one priority, warns Dodwell.  Sad
    though it sounds, you should trust no one: 'There are going to be 300
    million users on the Internet by the end of 1999, and not every one of
    them will have no intention of going out to cause mayhem.'
    
    COMPUTING 30/04/98 P56 
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    


