[ISN] Hackers Find More Ways In

From: mea culpa (jerichoat_private)
Date: Sat Jun 06 1998 - 16:58:43 PDT

    Forwarded From: William Knowles <erehwonat_private>
    
    [Computerworld] (06/01/98) Data security managers at a 
    conference here last week were dismayed to hear of dozens 
    of new network hacks making the rounds, and some privately 
    acknowledged that they are grossly unprepared.
    
    The managers from three dozen Fortune 1,000 businesses - all
    under the cloak of anonymity - attended the New Hack Tour,
    sponsored by consultancy Cambridge Technology Partners, Inc.
     
    Peter Shipley, who performs "white-hat hacks" for KPMG Peat
    Marwick LLP in San Francisco, identified the following as
    some of the latest attacks:
    
    Firewalls that run on Windows NT and Unix servers can 
    let crackers break in to the underlying operating system 
    via the TCP/IP protocol.
    
    HotMail, the free Internet mail service, is almost always
    unencrypted, making it easy for hackers to get user account
    names.
     
    Vulnerabilities in the Internet Protocol let malicious
    hackers easily install network sniffers on networks they
    have compromised and, unbeknownst to the user, intercept
    corporate data traffic.
     
    New "Smurf" attacks send echo packets from the hacker's
    system to the victims via the broadcast address of a third,
    intermediate network with a forged return address. The
    network is flooded with packets until it slows or crashes,
    and it is difficult to trace the hacker.
    
    Also, Shipley said old hacker techniques such as "Dumpster
    diving" and "war-dialing" are increasingly popular.
     
    Dumpster divers pick through corporate garbage to find
    sensitive data such as passwords. War-dialing is the
    rapid-fire entry of user account names and passwords 
    until a match is found.
    
    "This just confirms my worst fears," said the manager of
    information security at a Boston-based firm with 60,000
    employees worldwide.
     
    That manager presented a detailed case study of her
    organization's security setup, which she acknowledged was
    seriously lacking. The security problems include too many
    user passwords (an average of 20 per user), outdated
    antivirus software, insufficient use of encryption and
    inadequate security staffing and budget.
     
    "Until we get a big hit that impacts our business, I suspect
    that I'll continue to go through 17 rounds of approval and
    30 meetings before I get more money for basic items like
    penetration testing," she complained. "Meanwhile, I pray a
    lot."
     
    Another security manager, at a multinational communications
    carrier, acknowledged that his firm's Internet connectivity
    "is outstripping any security measures I can install."
     
    Ray Kaplan, a white-hat hacker who works at Secure Computing
    Corp. in Roseville, Minn., said users can't eliminate all
    security breaches, but they can manage the risk with such
    measures as encryption, strong authentication for dial-in
    access and testing the security of firewalls.
    
    
    
    -o-
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:25 PDT