[ISN] Cracking the Code

From: mea culpa (jerichoat_private)
Date: Wed Mar 17 1999 - 07:36:17 PST

    MARCH 22, 1999 VOL. 153 NO. 11
    Cracking The Code

    The dress code is business casual--no jeans allowed, not to mention
    pierced noses. It's the first day of class--hacking class--and the
    instructors, smartly attired in matching corporate polo shirts, point at
    screens full of code and step-by-step directions on how to hack a host
    computer. "Get this: No username, no password, and we're connected," says
    one. "I'm starting to get tingles. They're going to be toast pretty
    quick." Geekspeak, at least, is still de rigueur.

    In the world of corporate espionage, a company's host computer is the
    mother lode, which means that protecting it is vital. That's the goal of
    Extreme Hacking, one of a growing number of counterhacking courses that
    teach perfectly respectable people the how-tos of cracking their own
    networks so they can better protect them. "We're kind of wearing the white
    and black hats at the same time," says Eric Schultze, the Ernst & Young
    instructor who gets tingles from an exposed password file.

    How easy is it to hack? If these guys can teach a novice like me how to
    break through a firewall, I figure, then all our networks are in trouble.
    Guess what? All our networks--at least, the ones without encryption keys
    or extremely alert administrators--are in trouble. Why? Because this is
    the information age, and the average computer gives up far too much
    information about itself. Because a network is only as strong as its
    weakest user. And because the most common log-on password in the world,
    even in non-English-speaking countries, is "password." With users like
    this, who needs enemies?

    How big a problem is this in the real world? "Rarely is there a moment
    when a hacker isn't trying to get into our networks," says a senior
    Microsoft executive. "People go looking for that weak link." Recently
    hackers found a backdoor through a user in Europe--an administrator, no
    less--with a blank password. This allowed the hacker root access--the
    ability to change everyone else's password, jump onto other systems and
    mess up the payroll file.

    In our first class, we have no problem rooting around in the Web servers
    of a top Internet company. We find three open ports on the firewall and a
    vulnerable mail server. "This network is a f___ing mess," says a
    classmate. "We need to have a word with these people."

    Over the next few days, any faith I had in the security of the world
    around me crumbles. Think your password is safe because it isn't
    "password"? If it's in the dictionary, there is software that will solve
    it within minutes. If it's a complex combination of letters and numbers,
    that may take an hour or so. There is software that will hijack your
    desktop and cursor--and you won't even know about it. Hacking doesn't
    require much hardware; even a Palm Pilot can do it. What protection do you
    have? "Minimize enticements," say the teachers. If you don't want to be a
    victim of information rape, in other words, don't let your network give
    out so many details to strangers.

    Old-school hackers scoff at the notion that businesses can stop them.
    "Corporations can't teach hacking," says Emmanuel Goldstein, editor of the
    hacker quarterly 2600. "It has to be in you." Perhaps. But if a few more
    firms learn to avoid becoming toast, that's no bad thing. END
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:21:07 PDT