http://www.amcity.com/buffalo/stories/1999/01/18/focus3.html January 18, 1999 Experts say stymie hackers by using several safeguards David Troester Business First If your company has a computer, a computer system or a series of computer networks with online Internet access, then it's vulnerable to "hackers" and "crackers." How do you safeguard a computer system? Firewalls are the most common method. Firewalls check passwords and other ID of users seeking system access from the outside. [Technically, no. Firewalls act a method of allowing or disallowing traffic based on a ruleset. If traffic is deemed 'allowed', then it is passed through the firewall and to the target machine, at which point the user must authenticate themselves.] "It's a piece of equipment or a piece of software that runs on a computer," said Michael Rockwell, CTG principal consultant. Firewalls may filter by address or actually interrogate a message. Hackers often attach a file to e-mail which, when opened, can damage a system. [Hackers often attack a file to mail that can damage a system? I don't think that quite meets the description of your average hacker.] "It's like placing a landmine somewhere and just waiting for somebody to step on it," said Natalie Neubauer, business manager at PC Expanders Inc. in Amherst. [A better analogy would be "trying to convince someone to pull the pin of a grenade". You aren't trying to hide the program usually, rather, hoping they will run it when they see it.] Firewalls can vary in price, depending on the system and needs, from hundreds to thousands of dollars. Passwords are another way to keep out hackers. Each system user should have a password, typically known by only the user and system administrator. Passwords should not be common, trite or familiar words, names or dates. [Even the system administrator should NOT know your password. They have full access to the system and should never have need for that piece of information.] "We suggest a combination of both characters (letters) and numbers," Neubauer said. "We always tell our users, `If you can't remember the password then it's a good password.' " System users should be required to change passwords on regular intervals, monthly is recommended for best safety. "Never send your password through e-mail. The e-mail can actually get snatched, and they can get the information out of the e-mail," Neubauer said. Encryption is another good way to safeguard a system from outside invaders. Encryption software essentially scrambles information sent across a network in a code, to be decoded by the intended receiver. Private and public keys are the most common form of encryption. "Essentially what happens is you generate a key pair. One of those keys you keep for yourself, which is a private key and then the public key you make available to everyone," said Rockwell. Tracking and recording of information and messages sent on a network also may avert potential hackers from hacking. Most systems, encryption programs or other software log network activity. For example, PC Expanders' ISP operating system uses Lynux software to monitor activity and has traced malicious users in the past. [Might they mean 'linux'?] Tracking also can identify the password and equipment used to enter a system during an inside intervention. [What?! This sounds more like a kludge of terms than a valid factual statement. Is this a sniffer or tracking software or both?] "What I keep hearing is most of the things that happen are internal," said Stephen Adorian, president of Cybernetic Communication Systems Inc. in Lockport. For example: "People want to find out what the guy is making down the hallway so they get into employee payroll records," he said. Smart Cards can protect a system in a method similar to passwords with much heightened security. About the size of a credit card, they are used for access to a system and generate new entry codes about every minute in synchronization with system entry points. "Those actually work really well," Neubauer said. "Even if you are on the Internet and someone snags that password, it changes within 60 seconds." Smart card software costs about $500, she said. The danger of smart cards arises if the card is lost or stolen. Biometrics is another sophisticated way to protect systems, but used only in high-security organizations. Biometric technology allows system access by scanning thumb prints, eye retinas or other physical characteristics. "There's not much of a request for it around here," Neubauer said. System administrators and computer professionals agree no system is hacker proof. System upgrades, software patches and monitoring need to occur on a regular basis to maintain defense against invaders. "You can set up different kinds of equipment so that just like moats of old it's going to take somebody to swim through the alligators to get to your machine," Adorian said. =-=-=-= These are the most annoying articles regarding hackers and/or security. Because they contain no hard facts, and insist on using several buzz words and vague descriptions of technology, the reader has a hard time understanding what is real and what is opinion. Pointing out the mistakes is difficult because it often requires going into a lot more background explaining the concepts, then pointing out why each part is wrong when used in conjunction with each other.