http://www.siliconvalley.com/docs/news/tech/072182.htm

BY JAT GILL
Sunday Business
Oct. 23, 2001

LONDON -- Erik Bloodaxe, co-founder of the notorious Legion of Doom group, was once one of the world's most feared hackers. But since 1991, Erik has reverted to the name given him at birth -- the rather more prosaic Chris Goggans. And in a poacher-turned-gamekeeper move, he has been working as a computer security consultant, protecting companies from hackers.

Anxiety over the risk of cyber-terrorism is high following the anthrax attacks in the US. Meanwhile, two-thirds of UK businesses have reported serious computer crime incidents in the past 12 months. The annual cost to British industry from hacking is estimated at between £2 billion and £3 billion.

Goggans says the internet is not the only way for criminals to launch an electronic attack. Other networks may also be a way in.

"For every entity, whether it be government or commercial, I would look at every inroad that I could make," reveals Goggans. "That would include internet connectivity, but also other public data networks, especially if it's a financial organisation. They are often hooked into Bloomberg or Reuters as well as some of the stock price feeds, or other partners that sell mutual funds, insurance or anything of that nature."

These, according to Goggans, are potential targets for hackers. Incoming dial-up phone lines are another favourite. When hooked to unauthorised modems, incoming phone lines are probably the easiest inroad to a company. "That has pretty much been true for every company that I have done assessment work on," Goggans says.

Once inside a network, security vulnerabilities are usually rife, he adds. "I have worked on classified networks, civilian government networks, major banks, energy companies, oil and automotive companies, and the internal network is always riddled with enough holes so that, given time, an attacker could take over most of the computing systems on it," he says. "When I do assessments on companies, I am averaging between 90 percent and 100 percent total compromise of every piece of networked equipment on a company's network -- ranging from routers to workstations."

Perhaps surprisingly, the biggest of these internal holes does not need expensive equipment to tackle it. "As silly as it sounds, by and large the biggest problem is bad passwords -- without a doubt," Goggans explains. "Why bother exploiting vulnerabilities in operating systems when all you have to do is type 'root' when asked for the root password?"

The second biggest problem is operating systems and software that have not been kept up to date with "patches" to close old security weaknesses. "There are so many different attacks. You point me to an operating system -- if it is Solaris I will tell you seven ways of getting in. If it is Microsoft I will tell you 10," he says casually.

Companies often leave themselves open to attack, he says. "People install their operating system once and then forget about it. That is, again, unfortunately incredibly prevalent."

Many people fall into the bad habit of saying that a particular machine is only a workstation, so it does not require proper security, says Goggans. "It doesn't matter to me if it is the secretary's workstation. I will break into that and use it to get into the server she logs into, then use that to get other accounts and into other servers. All it takes is the one weak link in the chain and it doesn't matter what type of system it is."

Hackers are also becoming more sophisticated in the style and scale of attacks they launch, for which Goggans blames the availability of increasingly powerful computers and operating systems. "Ten or 15 years ago the normal criminal could not afford a computer or an operating system sufficiently powerful to construct complex attacks, and would not understand it even if they had the money. But now, given the availability of high-powered computers and operating systems such as Linux, for example, which is free, anybody with $300 can build a highly complex computer system to start constructing attacks."

Goggans sounds a chilling warning about the potential for cyber-terrorism. "With a huge body of knowledge, such as all the security sites on the internet to give you a kick-start, you can go from being a complete novice to a rather formidable enemy in a matter of months."

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
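The two findings Goggans puts first, passwords that are blank, equal to the username or on a default list, and one cracked account opening the next server because the same password is reused elsewhere, are exactly what an internal assessment triages before it bothers with operating-system exploits. The following is an added example, not code from the article or from Goggans, of such an offline credential audit. It assumes the assessor has already recovered usernames and plaintext passwords (for example from a configuration dump or a cracked password file); the account list and the short common-password list are constructed for the example, and a real audit would substitute vendor-default and breach-derived wordlists.

```python
"""Offline weak-credential audit (added example, not from the article).

Assumes usernames and plaintext passwords have already been recovered.
Flags accounts whose password is blank, equal to or derived from the
username, on a common/default list, short, low in character variety,
or shared with another account (the reuse that turns one cracked
workstation login into server access).
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample data for this example; not real accounts.
SAMPLE_ACCOUNTS: Dict[str, str] = {
    "root": "root",
    "oracle": "oracle",
    "jsmith": "Password1",
    "wsmith": "Password1",
    "backup": "",
    "admin": "admin123",
    "bloomberg": "bloomberg2001",
    "svc_feed": "Xk9#qL2m!vR7",
}

# Illustrative list only (assumption): a real assessment would use
# vendor-default lists and breach-derived wordlists instead.
COMMON_PASSWORDS = {"password", "password1", "123456", "admin",
                    "letmein", "welcome", "changeme"}


def reasons_weak(user: str, pw: str) -> List[str]:
    """Return the findings for one account; an empty list means no finding."""
    if pw == "":
        return ["blank"]
    reasons: List[str] = []
    u, low = user.lower(), pw.lower()
    if low == u:
        reasons.append("equals username")
    elif u in low:
        reasons.append("derived from username")
    if low in COMMON_PASSWORDS:
        reasons.append("common/default password")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    classes = sum([any(c.islower() for c in pw),
                   any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw),
                   any(not c.isalnum() for c in pw)])
    if classes < 3:
        reasons.append("fewer than 3 character classes")
    return reasons


def audit(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every account and add a reuse finding for any non-blank
    password shared by several accounts; returns only accounts with findings."""
    findings = {u: reasons_weak(u, p) for u, p in accounts.items()}
    by_password = defaultdict(list)
    for u, p in accounts.items():
        if p:
            by_password[p].append(u)
    for users in by_password.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings[u].append(f"reused by {others}")
    return {u: r for u, r in findings.items() if r}


def compromise_ratio(accounts: Dict[str, str]) -> float:
    """Fraction of accounts with at least one finding."""
    return len(audit(accounts)) / len(accounts)


if __name__ == "__main__":
    for user, reasons in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{user:<10} {'; '.join(reasons)}")
    print(f"{compromise_ratio(SAMPLE_ACCOUNTS):.0%} of accounts have a weak password")
```

The reuse check is the part that matters for the "weak link in the chain" point: it is the shared password, not the workstation's own importance, that lets a foothold on a low-value machine reach the servers its user logs into.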
This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 01:40:26 PDT