Source: Networking+ April 98

'HACKED OFF WITH COMPUTER CRIME'

In 1989, John Austen, former head of the Computer Crime Unit of Scotland Yard and now security advisor to the British Government, tracked down three members of a group of five hackers that, in less than two years, had broken into 68,000 different systems, accumulating 7GBytes of data.

[68,000 systems / 5 people = 13,600 systems per person
13,600 systems per person / 5 systems per hour = 2,720 hours
2,720 hours / 24 hours per day = 113 days
So that means these 5 people were hacking 24 hours a day, for 113 days, to accomplish that. Spread out over two years, that is 5 people hacking 93 systems a day, non-stop. Does that seem feasible?]

Probably the most common attack by a hacker is the Denial of Service (DoS) scenario, which involves altering passwords and changing codes to prevent the user from entering his system.

[DoS attacks DENY SERVICE to the machine. They do not alter passwords, change codes, or anything else.]

Another favourite is stealing or altering other companies' websites. With the correct tools, this is all too easily achieved by visiting the target website, changing the company name and information, and then saving it under a different name. So simple is this, in fact, claims Austen, that the Department of Justice, the CIA, and NASA have all recently been attacked in this way.

[Those web pages were altered on the HOST computer where they were originally stored. That means a lot more was done than "visiting the target website, changing the company name and information, and then saving it".]

According to John Austen, a variation on this theme is when large organisations approach naive computer buffs, offering them new 'cracking tools' and then giving them the opportunity to test these tools against certain systems.

[Large corporations approach long-established and BONDED security professionals for penetration testing. They do not approach naive hackers. Even then, they rarely have "new 'cracking tools'". Think about it... why are they looking for security help in the first place? Because they are behind the curve.]

=-= Original Article =-=

------------------------------------------
Source: Networking+ April 98
------------------------------------------

'HACKED OFF WITH COMPUTER CRIME'

In 1989, John Austen, former head of the Computer Crime Unit of Scotland Yard and now security advisor to the British Government, tracked down three members of a group of five hackers that, in less than two years, had broken into 68,000 different systems, accumulating 7GBytes of data. Of the companies attacked, 90% did not know about it until they were told after the event. And if that was the case almost 10 years ago - when most people thought a 'hacker' was a bad golfer - one can only speculate how far this doubtful 'skill' has progressed.

Talking at a business seminar in London last month, John Austen and Robert Schifreen [the first person in the UK to be arrested for computer hacking] addressed some of the main concerns about computer hackers. There are three main questions that companies should answer when addressing the subject of hackers, stated Schifreen.

· What damage can hackers inflict on your system?
· How well protected is your system?
· How to minimize the risk of being attacked?

Although most regard the main role of the hacker as that of a virus creator, the reality is that a virus is just one facet of a hacker's makeup.

Probably the most common attack by a hacker is the Denial of Service (DoS) scenario, which involves altering passwords and changing codes to prevent the user from entering his system. Another favourite is stealing or altering other companies' websites. With the correct tools, this is all too easily achieved by visiting the target website, changing the company name and information, and then saving it under a different name. So simple is this, in fact, claims Austen, that the Department of Justice, the CIA, and NASA have all recently been attacked in this way.

However, one arrow in the hacker's quiver that is often overlooked by companies is that of storing undesirable data on someone's systems. This can take the form of pirate software or even pornography. If discovered at the wrong time or by the wrong person, the result of such an act could go a long way to destroying the company's reputation.

Perhaps even more worrying than any of the above is the growing market for professional hackers, or 'contract' hackers. With knowledge comes power, and, according to the seminar speakers, professional hackers are sought out by organisations such as intelligence agencies, organised crime syndicates, detective agencies, large corporations - and sometimes, even the media!

According to John Austen, a variation on this theme is when large organisations approach naive computer buffs, offering them new 'cracking tools' and then giving them the opportunity to test these tools against certain systems. Information most often targeted by the professional hacker is company structures, research and development material, customer lists, contracts, information on takeover bids, and profit margins.

There are numerous ways hackers can breach network security, from simply 'dustbin-diving' (scanning IT waste), to finding security loopholes, which, according to Austen, "exist now and will exist in the future, in every single network worldwide." "I do not foresee a time when there will be no security loopholes," he warned.

So then, it is not a case of asking "Am I at risk?" but rather "How great is that risk?" Schifreen suggests that companies ask themselves the following questions: What is our most important data? Where is it? Could we survive without it? For how long? Who has access to it? Who needs access to it? Answering these questions should give a fair indication of the risks a company is currently taking.

The solution, according to Schifreen, is to minimise unauthorised access risks by backing up often, using encryption, ensuring physical server security, offering user training and increasing awareness, auditing regularly, ensuring secure erasure after working with encrypted files, and updating virus scanners regularly.

The final word goes to Austen: "The measure of your security is not how good you think it is; it must be measured against the capabilities of those that would attempt to break into it."

For more information visit Computer Emergency Response Team (CERT.com) or Computer Incident Advisory Capability (CIAC.org).