http://asia.cnet.com/newstech/security/0,39001149,39031881,00.htm By Wayne Rash, Special to CNETAsia Wednesday, March 13 2002 1:52 AM Commentary: Just before I start writing, I look at the colorful blocks and jagged lines of the SETI at Home screen saver that runs on my workstation. SETI at Home is a distributed computing application that divides a massive signal processing problem into tiny segments and sends them to millions of computers worldwide. Since SETI's inception, many other distributed--or grid--computing projects have begun work, and vendors such as Sun, IBM, and Compaq have jumped into the fray. One particular project, however, has nefarious intentions. A worldwide hacker confederation is quietly setting up a global, real-time, peer-to-peer grid of processing power to crack encryption--especially passwords--used in commerce. Cracking passwords is not an easy task; you need a huge amount of computing power to get results. Grid computing, however, gives hackers the horsepower they need in an unprecedented way. Here's how it works: Hackers send clients into your system via a worm, or through any other site that's been hacked or intentionally set up to run programs on your PC remotely. Or, a user downloads a screensaver from any of the sites that let you share computing assets. After the clients are inside users' machines, they lend processing power to the encryption-cracking effort. The hacker clients sniff the password and user IDs from a stream going to a commerce site. With all that processing power, it doesn't take very long to encrypt a password; you could crack the average seven-character password in about an hour if you had 160 computers working on it. Worse, these clients donít stop using resources when you start working; they take advantage of the real-time connections in a corporate environment and continue cracking. To guard your computing power, make sure your firewall is set to stop outgoing traffic on ports and by unauthorized applications. Use strong passwords (eight really random characters will do) and change them regularly. Also, deploy auditing software that will search for unauthorized applications--including those that may contribute to a hacker network. If you decide you donít mind contributing some of your computing resources, make sure you know whoís really behind the effort. SETI at Home is backed by the University of California at Berkeley, but not every backer is legitimate. Wayne Rash runs a product testing lab near Washington, DC. He's been involved with secure networking for 20 years and is the author of four books on networking topics. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Mar 13 2002 - 04:33:03 PST