Security Scene Errata


30Apr98 UK: SECURITY - RETURN OF THE HACK.

Even Nasa's security measures aren't always enough to deter hackers.
Sharon Smith outlines a problem that just grows and grows. 
 
Like street muggings, computer hacking has become so ubiquitous that it is
almost accepted as one of those unavoidable facts of modern life. It's a
plague that, in theory at least, afflicts primarily the weakest. 

But a couple of weeks ago, when some of the top US chief executives
gathered for a security convention in Atlanta, the statistics must have
made their hair curl. The figures underlined the vulnerability of even
apparently secure computer systems to cyber attack. 

Last year, the Pentagon was subject to 250,000 hacker attacks, while the
annual cost of hacking to US industry is now reckoned to be a staggering
$10 billion. 

[Quoting the flawed GOA report.]

Worse still, it was revealed, there are now nearly 2,000 Web sites
offering tips, tools and techniques to miscreants who, like mountaineers
scaling Everest, want to conquer any and every system - if only because of
the challenge it presents. 

Kevin Mitnick, the supposed grandmaster of hackers, is languishing in jail
awaiting trial on charges relating to nearly $30 million of alleged
computer and telecoms fraud, but there is a queue of applicants waiting to
follow in his footsteps. Among the more recent headline grabbers was an
attack launched from the Internet last month that froze thousands of
computers running Windows NT. Victims of the attack included 14 of the 15
Web sites operated by Nasa, plus computers operated by the US military and
by many universities. 

[This is the first mention of Mitnick being a 'grandmaster' of
hacking. The damage stats of $30 million seem to be a bit high
considering he sold no information, abused no credit cards, etc.]

The cyber attack crashed the computers by sending out a message which
exploited a flaw in the NT operating system. Microsoft had issued a patch
for the loophole in January, but the victims had not applied it, nor had
they erected firewalls in front of their Web servers. 

Another recent high-profile case involved two US teenagers who roamed
through unclassified military Web servers using a server security hole. 
Again, the Webmasters could have used well-known software patches to keep
the hackers out. 

The duo, who got on to the Internet using service provider Sonic, used
what is known as the statd exploit, which was publicised on the Web in
November 1997 and for which an advisory was issued in December. The
exploit allows hackers to gain root access to Unix machines running Sun
Microsystems' Solaris operating system. Once access has been obtained,
hackers can install programs or delete Web sites. 

In the UK, hacking exploits such as these do not surprise security
experts, who warn that the threat will continue to grow in tandem with the
Internet's own expansion. 

Contrary to popular opinion, the problem will not necessarily be confined
to the US. Industry observers say hacking is already a growing menace in
the UK. 

[Who's popular opinion says hacking will stay confined
to the US?!]

UK organisations, however, have been lulled into a false sense of security
because computer attacks are not always publicised. Bill Brett, sales
director at Hertfordshire-based IT services company Barron McCann,
estimates there are thousands of hacking cases each year in the UK. 
'Hacking is a bigger problem in the UK than companies realise, because the
last thing a company wants everybody else to know is that they have been
hacked into. 

'It's embarrassing for them to admit that their IT system was not secure
enough, and there is the fear that the hacker will return. You wouldn't
advertise the fact that you'd had a burglary at your home, would you?' The
real extent of UK hacking is difficult to gauge. 'Around 5% of our
disaster-recovery cases are known to be due to people getting into company
IT systems via the Internet,' Brett says. 'But the statistics could be
even higher because we don't always know that hacking is the cause of a
problem.'

Outsiders hacking into company IT systems fall into one of two categories. 
Experts say that 95% of cases are of hackers infiltrating systems merely
to show how clever they are or to create havoc, as in the Windows NT
incident in the US. 

[The incident quoted regarding NT did not allow infilitration.
It allowed a remote Denial of Service.]

These incidents are serious enough for the organisations affected to be
heavily inconvenienced, and they can lose money through wasted business
time. But even worse are the 5% of attacks where hackers set out to crack
passwords in order to alter, steal or erase data. Such acts threaten
companies' livelihoods and even peoples' lives. 

[Threaten lives? A bit over-dramatic I think.]

Bernie Dodwell, security products manager at Integralis, says: 'Once
hackers have cracked a password, they are into a system with free range to
do anything they want. If they know where a hospital's patient records are
held, they can go in and change them. They can totally destroy businesses
by altering or wiping out their data.'

[Only if they crack a password of an account that grants them
access to the information. Cracking a password doesn't necessarily mean you
can get ANY access to the system.]

Attacks on Web sites, where mischievous hackers go in and alter
information, are already commonplace. Richard Woods, a representative of
Internet service provider UUNet Pipex, explains: 'They go in and muck
around a bit, then go off again. But it can damage a company's reputation
if obscenities or duff information are left on its Web site.'

Cookies, or information about visitors to Web sites, are another popular
target - hackers can tap into users' browsers to get cookie data. The
technique has also been used by marketing companies intent on poaching
potential customers from rivals, as well as companies aiming to convert
visitors to their Web sites into customers. 

The problem is exacerbated by the fact that the Internet and,
increasingly, corporate IT systems are open systems as opposed to the
closed architecture of the traditional mainframe environment. 

'Security on the mainframe is very well developed because of the time it
has been around, so it's difficult to crack mainframe security measures,'
says Dodwell. 

Unix, as a more open environment, is a different case altogether. Although
security has improved with time, it is still not as good as for
mainframes.  And Windows NT is not much better - it has a reputation of
having little security because it is so new. The same applies to the
Internet: it is such a recent and complex technological achievement that
it, too, has caught many organisations unawares. 

There is a third type of hacking danger - insider attacks by a company's
own employees. Tony Martin, marketing director at router manufacturer
Teltrend, explains: 'In larger organisations, during salary reviews, it
has happened that employees interrupt financial transactions, change the
amount allocated to them, complete the message and get a salary increase
of 100% instead of 10%.'

Experts agree there is no way yet to render a system totally foolproof. 
But there are measures that organisations can adopt to make their systems
secure enough to deter hackers. If an attack does take place, a system
should be secure enough to enable a company to pick up the incident
immediately and act quickly to prevent a return visit. 

To prevent hacking in the first place, says Woods, organisations need to
devise and implement security strategies. 

'One of the biggest problems is that security experts are often not called
in until after the horse has bolted. Companies think that if it hasn't
happened to them yet, it's not going to,' he explains. 

One of the most simple measures is almost universally the most neglected. 
'Organisations don't change their passwords frequently enough,' says
Brett.  'They forget that a lot of people have access to a password,
including former employees who were sacked or made redundant and might be
upset.'

A few other precautionary measures should be enough to safeguard most
corporate systems. The key to combating the problem is to treat like with
like. Hackers are like any other sophisticated criminals: they take pride
in their work, and are up to date with the latest equipment. It is vital
to make sure the system's users do the same. They should know how to
constantly maintain and review any security features. 

One step is to implement sniffer software that can prevent intruders from
reaching designated parts of the system. And Web sites should be monitored
constantly, so any defacement can be immediately rectified.  Encryption,
too, helps prevent interference with messages sent over the Internet and
internal networks. 

[Sniffer software will not prevent intrusion AT ALL. Sniffers
passively monitor information going to and from the system.]

Disaster recovery also plays a part. Brett estimates that a mere 12 to 14%
of UK companies have a recovery plan in place. If a company does become a
victim of hacking, it is essential to have the necessary backup system so
the program can be running again as quickly as possible. 

'We can also examine the hacked system to find out where the holes were,'
says Brett. 

Protection against hackers is the number one priority, warns Dodwell.  Sad
though it sounds, you should trust no one: 'There are going to be 300
million users on the Internet by the end of 1999, and not every one of
them will have no intention of going out to cause mayhem.'.

COMPUTING 30/04/98 P56