Hackers Find More Ways In

[Computerworld] (06/01/98) Data security managers at a 
conference here last week were dismayed to hear of dozens 
of new network hacks making the rounds, and some privately 
acknowledged that they are grossly unprepared.

The managers from three dozen Fortune 1,000 businesses - all
under the cloak of anonymity - attended the New Hack Tour,
sponsored by consultancy Cambridge Technology Partners, Inc.
 
Peter Shipley, who performs "white-hat hacks" for KPMG Peat
Marwick LLP in San Francisco, identified the following as
some of the latest attacks:

Firewalls that run on Windows NT and Unix servers can 
let crackers break into the underlying operating system 
via the TCP/IP protocol.

HotMail, the free Internet mail service, is almost always
unencrypted, making it easy for hackers to get user account
names.
 
Vulnerabilities in the Internet Protocol let malicious
hackers easily install network sniffers on networks they
have compromised and, unbeknownst to the user, intercept
corporate data traffic.
 
New "Smurf" attacks send echo packets from the hacker's
system to the broadcast address of a third, intermediate
network, with a forged return address pointing at the
victim. The victim's network is flooded with the replies
until it slows or crashes, and it is difficult to trace
the hacker.
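The Smurf pattern above leaves two traces a network operator can look for: echo requests arriving at one of the site's own directed-broadcast addresses (the site is being used as the amplifier), and many internal hosts sending echo replies to the same outside address (the replies that flood the spoofed victim). The script below, an added example that is not part of the Computerworld article, checks both over constructed flow records; the record format, the subnet list and the sample lines are assumptions made for the example.

```python
# Added example (not from the article): spotting Smurf-style traffic in
# flow records from the defender's side. Two signs are checked:
#   1. ICMP echo requests addressed to the directed-broadcast address of one
#      of our own subnets (we are being used as the amplifier), and
#   2. many internal hosts sending echo replies to the same outside address
#      (the replies that flood the spoofed victim).
# The flow-record format and the sample lines are constructed for this example.
import ipaddress
from collections import defaultdict

# Hypothetical: subnets we administer. Their broadcast addresses are the
# addresses an attacker would target to turn us into an amplifier.
OUR_SUBNETS = [ipaddress.ip_network("10.1.0.0/24"),
               ipaddress.ip_network("10.2.0.0/24")]

# Constructed flow records: "src dst proto icmp_type"
# (ICMP type 8 = echo request, type 0 = echo reply, "-" = not ICMP).
SAMPLE_FLOWS = """\
203.0.113.9 10.1.0.255 icmp 8
203.0.113.9 10.1.0.255 icmp 8
10.1.0.10 203.0.113.9 icmp 0
10.1.0.11 203.0.113.9 icmp 0
10.1.0.12 203.0.113.9 icmp 0
10.1.0.13 203.0.113.9 icmp 0
10.1.0.5 10.1.0.6 icmp 8
10.1.0.6 10.1.0.5 icmp 0
192.0.2.7 10.2.0.7 tcp -
"""


def parse_flows(text):
    """Parse constructed 'src dst proto icmp_type' lines into dicts."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or empty lines
        src, dst, proto, itype = parts
        flows.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto,
            "icmp_type": int(itype) if itype.isdigit() else None,
        })
    return flows


def is_internal(ip, subnets=OUR_SUBNETS):
    """True when the address belongs to one of our subnets."""
    return any(ip in n for n in subnets)


def broadcast_echo_requests(flows, subnets=OUR_SUBNETS):
    """Echo requests aimed at one of our directed-broadcast addresses."""
    broadcasts = {n.broadcast_address for n in subnets}
    return [f for f in flows
            if f["proto"] == "icmp" and f["icmp_type"] == 8
            and f["dst"] in broadcasts]


def reply_fanin(flows, subnets=OUR_SUBNETS, threshold=3):
    """Outside addresses receiving echo replies from >= threshold internal hosts."""
    repliers = defaultdict(set)
    for f in flows:
        if (f["proto"] == "icmp" and f["icmp_type"] == 0
                and is_internal(f["src"], subnets)
                and not is_internal(f["dst"], subnets)):
            repliers[f["dst"]].add(f["src"])
    return {str(dst): len(srcs) for dst, srcs in repliers.items()
            if len(srcs) >= threshold}


def smurf_report(text):
    """Summarise both indicators for a block of flow records."""
    flows = parse_flows(text)
    return {
        "broadcast_echo_requests": len(broadcast_echo_requests(flows)),
        "suspected_victims": reply_fanin(flows),
    }


if __name__ == "__main__":
    print(smurf_report(SAMPLE_FLOWS))
```

On the sample data the report counts two echo requests to 10.1.0.255 and one outside address (203.0.113.9) collecting replies from four internal hosts, while the ordinary ping between 10.1.0.5 and 10.1.0.6 is ignored. The usual fix for the amplifier side is to stop routers forwarding directed broadcasts (on Cisco IOS, `no ip directed-broadcast` on each interface) and to filter packets with spoofed source addresses at the network edge, so neither indicator can occur in the first place.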

Also, Shipley said old hacker techniques such as "Dumpster
diving" and "war-dialing" are increasingly popular.
 
Dumpster divers pick through corporate garbage to find
sensitive data such as passwords. War-dialing is the
rapid-fire entry of user account names and passwords 
until a match is found.

War-dialing is systematic dialing of phone numbers
to look for other computers. "rapid-fire entry of user account
names and passwords" is brute-forcing.

"This just confirms my worst fears," said the manager of
information security at a Boston-based firm with 60,000
employees worldwide.
 
That manager presented a detailed case study of her
organization's security setup, which she acknowledged was
seriously lacking. The security problems include too many
user passwords (an average of 20 per user), outdated
antivirus software, insufficient use of encryption and
inadequate security staffing and budget.
 
"Until we get a big hit that impacts our business, I suspect
that I'll continue to go through 17 rounds of approval and
30 meetings before I get more money for basic items like
penetration testing," she complained. "Meanwhile, I pray a
lot."
 
Another security manager, at a multinational communications
carrier, acknowledged that his firm's Internet connectivity
"is outstripping any security measures I can install."
 
Ray Kaplan, a white-hat hacker who works at Secure Computing
Corp. in Roseville, Minn., said users can't eliminate all
security breaches, but they can manage the risk with such
measures as encryption, strong authentication for dial-in
access and testing the security of firewalls.