Hackers Find More Ways In [Computerworld] (06/01/98)

Data security managers at a conference here last week were dismayed to hear of dozens of new network hacks making the rounds, and some privately acknowledged that they are grossly unprepared. The managers from three dozen Fortune 1,000 businesses - all under the cloak of anonymity - attended the New Hack Tour, sponsored by consultancy Cambridge Technology Partners, Inc.

Peter Shipley, who performs "white-hat hacks" for KPMG Peat Marwick LLP in San Francisco, identified the following as some of the latest attacks: Firewalls that run on Windows NT and Unix servers can let crackers break in to the underlying operating system through its TCP/IP stack. HotMail, the free Internet mail service, almost never encrypts its sessions, so user account names can be read off the wire by anyone sniffing the traffic. Weaknesses in the Internet Protocol let malicious hackers easily install network sniffers on networks they have compromised and, unbeknownst to the user, intercept corporate data traffic. New "Smurf" attacks send ICMP echo packets to the broadcast address of a third, intermediate network, with the source address forged to be the victim's. Every host on that intermediate network answers the ping, so the victim is flooded with replies until it slows or crashes, and the forged source makes the real sender difficult to trace.

Also, Shipley said old hacker techniques such as "Dumpster diving" and "war-dialing" are increasingly popular. Dumpster divers pick through corporate garbage to find sensitive data such as passwords. War-dialing is the systematic dialing of blocks of phone numbers to find modems attached to other computers; the rapid-fire entry of user account names and passwords until a match is found is a different technique, password brute-forcing.

"This just confirms my worst fears," said the manager of information security at a Boston-based firm with 60,000 employees worldwide.
That manager presented a detailed case study of her organization's security setup, which she acknowledged was seriously lacking. The security problems include too many user passwords (an average of 20 per user), outdated antivirus software, insufficient use of encryption and inadequate security staffing and budget. "Until we get a big hit that impacts our business, I suspect that I'll continue to go through 17 rounds of approval and 30 meetings before I get more money for basic items like penetration testing," she complained. "Meanwhile, I pray a lot." Another security manager, at a multinational communications carrier, acknowledged that his firm's Internet connectivity "is outstripping any security measures I can install." Ray Kaplan, a white-hat hacker who works at Secure Computing Corp. in Roseville, Minn., said users can't eliminate all security breaches, but they can manage the risk with such measures as encryption, strong authentication for dial-in access and testing the security of firewalls.
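The Smurf attack described above is easiest to understand as an amplification exchange: one forged echo request to a directed-broadcast address yields one reply per host on the intermediate network, all addressed to the victim. The following is an added example, not code from the article or from any of the people quoted in it; the subnet, host count, addresses (RFC 5737 documentation ranges) and packet records are all constructed for illustration. It models the three parties, measures the amplification factor, shows that a router which drops directed broadcasts (the default since RFC 2644) removes the amplifier, and runs a simple victim-side detector that distinguishes a reply flood from the victim's own legitimate ping sweep.

```python
"""Smurf amplification model plus a victim-side reply-flood detector.

Added example; the network, host count and packets below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str   # source address as written in the IP header; the attacker can forge it
    dst: str   # destination address
    kind: str  # "echo-request" or "echo-reply"


class Subnet:
    """An intermediate network. directed_broadcast=True models a 1998-era router
    that forwards externally sourced packets addressed to the subnet broadcast,
    which is exactly what turns the network into a Smurf amplifier."""

    def __init__(self, cidr, hosts, directed_broadcast):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = [str(ip) for ip in list(self.net.hosts())[:hosts]]
        self.directed_broadcast = directed_broadcast

    def deliver(self, pkt):
        """Return the echo replies the subnet's hosts generate for one packet."""
        if pkt.kind != "echo-request":
            return []
        if pkt.dst == str(self.net.broadcast_address):
            if not self.directed_broadcast:
                return []  # router drops the directed broadcast: no amplification
            # Every host answers the broadcast ping, addressed to the *claimed* source.
            return [Packet(h, pkt.src, "echo-reply") for h in self.hosts]
        if pkt.dst in self.hosts:
            return [Packet(pkt.dst, pkt.src, "echo-reply")]
        return []


def smurf(attacker_sends, victim, amplifier):
    """Attacker sends echo requests with source forged to the victim's address,
    destined to the amplifier's broadcast address. Returns what the victim receives."""
    bcast = str(amplifier.net.broadcast_address)
    received = []
    for _ in range(attacker_sends):
        received.extend(amplifier.deliver(Packet(victim, bcast, "echo-request")))
    return received


def amplification(attacker_sends, victim, amplifier):
    """(packets hitting the victim, replies per attacker packet)."""
    n = len(smurf(attacker_sends, victim, amplifier))
    return n, (n / attacker_sends if attacker_sends else 0.0)


def detect_reply_flood(observed, min_sources=20):
    """observed: packets seen at a victim-side sensor, in both directions.

    Flags hosts that receive echo replies from many distinct addresses in one /24
    while having sent no echo requests to that /24. A legitimate ping sweep by the
    host would show the outgoing requests, so it is not flagged.
    Returns {host: [(amplifier_subnet, distinct_reply_sources), ...]}.
    """
    sent_requests = defaultdict(int)                        # (host, /24) -> count
    reply_sources = defaultdict(lambda: defaultdict(set))   # host -> /24 -> sources
    for p in observed:
        if p.kind == "echo-request":
            net = ipaddress.ip_network(f"{p.dst}/24", strict=False)
            sent_requests[(p.src, net)] += 1
        elif p.kind == "echo-reply":
            net = ipaddress.ip_network(f"{p.src}/24", strict=False)
            reply_sources[p.dst][net].add(p.src)
    alerts = {}
    for host, by_net in reply_sources.items():
        hits = [(str(net), len(srcs)) for net, srcs in by_net.items()
                if len(srcs) >= min_sources and sent_requests[(host, net)] == 0]
        if hits:
            alerts[host] = hits
    return alerts


if __name__ == "__main__":
    amp = Subnet("192.0.2.0/24", 254, directed_broadcast=True)   # constructed amplifier
    victim = "198.51.100.7"                                       # constructed victim
    print("amplification:", amplification(10, victim, amp))
    print("alerts:", detect_reply_flood(smurf(10, victim, amp)))
    print("after disabling directed broadcast:",
          amplification(10, victim, Subnet("192.0.2.0/24", 254, directed_broadcast=False)))
```

The model makes the two defensive points concrete: the amplifier, not the attacker, is where the fix lives (a router that refuses directed broadcasts turns 10 forged packets into zero replies), and at the victim the tell-tale sign is echo replies arriving from a whole subnet the victim never pinged.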