Source: Networking+ 
April 98
'HACKED OFF WITH COMPUTER CRIME'

In 1989, John Austen, former head of the Computer Crime Unit of Scotland Yard
and now security advisor to the British Government, tracked down three
members of a group of five hackers that, in less than two years, had
broken into 68,000 different systems, accumulating 7GBytes of data.

[68,000 systems / 5 people = 13,600 systems per person
 13,600 systems per person / 5 systems per hour = 2,720 hours
 2,720 hours / 24 hours per day = 113 days

 So that means these 5 people were hacking 24 hours a day, for 113 days
 to accomplish that. Spread out over two years, that is 5 people hacking
 93 systems a day, non-stop. Does that seem feasible?]

Probably the most common attack by a hacker is the Denial of Service (DoS)
scenario, which involves altering passwords and changing codes to prevent
the user from entering his system.

[DoS attacks DENY SERVICE to the machine. They do not alter passwords,
 change codes, or anything else.]

Another favourite is stealing or altering other company's websites. With the
correct tools, this is all too easily achieved by visiting the target
website, changing the company name and information, and then saving it
under a different name. So simple is this, in fact, claims Austen, that
the Department of Justice, the CIA, and NASA have all recently been
attacked in this way.

[Those web pages were altered on the HOST computer where they were originally
 stored. That means a lot more was done than "visiting the target website,
 changing the company name and information, and then saving it"]

According to John Austen, a variation on this theme is when large
organisations approach naive computer buffs, offering them new
'cracking tools' and then giving them the opportunity to test these
tools against certain systems.

[Large corporations approach long-established and BONDED security professionals
 for penetration testing. They do not approach naive hackers. Even then,
 they rarely have "new 'cracking tools'". Think about it... why are they
 looking for security help in the first place? Because they are behind
 the curve.]


=-= Original Article =-=

------------------------------------------
Source: Networking+ April 98
------------------------------------------
'HACKED OFF WITH COMPUTER CRIME'

In 1989, John Austen, former head of the Computer Crime Unit of Scotland Yard and now security 
advisor to the British Government, tracked down three members of a group of five hackers that, in 
less than two years, had broken into 68,000 different systems, accumulating 7GBytes of data.

Of the companies attacked, 90% did not know about it until they were told after the event.
And if that was the case almost 10 years ago - when most people thought a 'hacker' was a bad 
golfer - one can only speculate how far this doubtful 'skill' has progressed.

Talking at a business seminar in London last month, John Austen and Robert Schifreen [the first 
person in the UK to be arrested for computer hacking] addressed some of the main concerns 
about computer hackers.

There are three main questions that companies should answer when addressing the subject of 
hackers, stated Schifreen.
	What damage can hackers inflict on your system?
	How well protected is your system?
	How to minimize the risk of being attacked? 
Although most regard the main role of the hacker as that of a virus creator, the reality is that a virus 
is just one facet of a hacker's makeup. 

Probably the most common attack by a hacker is the Denial of Service (DoS) scenario,
which involves altering passwords and changing codes to prevent the user from entering his 
system.

Another favourite is stealing or altering other company's websites. With the correct tools, this is all 
too easily achieved by visiting the target website, changing the company name and information, 
and then saving it under a different name. So simple is this, in fact, claims Austen, that the 
Department of Justice, the CIA, and NASA have all recently been attacked in this way.

However, one arrow in the hacker's quiver that is often overlooked by companies, is that of storing 
undesirable data on someone's systems. This can take the form of pirate software or even 
pornography. If discovered at the wrong time or by the wrong person, the result of such an act 
could go a long way to destroying the company's reputation.

Perhaps even more worrying than any of the above, is the growing market for professional hackers, 
or 'contract' hackers. With knowledge comes power, and, according to the seminar speakers, 
professional hackers are sought out by organisations such as intelligence agencies, organised crime 
syndicates, detective agencies, large corporations - and sometimes, even the media!

According to John Austen, a variation on this theme is when large organisations approach naive 
computer buffs, offering them new 'cracking tools' and then giving them the
opportunity to test these tools against certain systems.

Information most often targeted by the professional hacker is company structures, research and 
development material, customer lists, contracts, information on takeover bids, and profit margins.
There are numerous ways hackers can breach network security, from simply 'dustbin-diving' 
(scanning IT waste), to finding security loopholes, which, according to Austen, "exist now and will 
exist in the future, in every single network worldwide." "I do not foresee a time when there will be no 
security loopholes," he warned. So then, it is not a case of asking "Am I at risk?" but rather "How 
great is that risk?" Schifreen suggests that companies ask themselves the following questions:

What is our most important data?
Where is it?
Could we survive without it?
For how long?
Who has access to it?
Who needs access to it?

Answering these questions should give a fair indication of the risks a company is currently taking. 
The solution, according to Schifreen, is to minimise unauthorised access risks by backing up 
often, using encryption, ensuring physical server security, offering user training and increasing 
awareness, auditing regularly, securing erasure after working with encrypted files, and updating 
virus scanners regularly.

The final word goes to Austen: "The measure of your security is not how good you think it is, it must 
be measured against the capabilities of those that would attempt to break into it."

For more information visit Computer Emergency Response Team (CERT.com) 
or Computer Incident Advisory Capability (CIAC.org)