[Full article at end.]


Hackers are ubiquitous, malicious and taken far too lightly, expert says
Karen D. Schwartz
Government Computer News

   Both are examples of serious security breaches - breaches that often
are completely avoidable, according to Mark Fabro, a hacker-turned-network
security specialist who now works for Secure Computing Corp. of Vienna, Va.

[A single ex-hacker (self proclaimed) is able to make blanket statements
 about all other hackers?]

   Fabro spoke at a GTE Corp. conference for users of its Outside Cable
Rehabilitation II contract, which provides the Army with a variety of
networking equipment. He warned Army attendees that hackers are everywhere,
and they are heartless.

[Hackers are 'heartless' Fabro says. Yet a paragraph above he is styled a
 "hacker-turned-network security specialist". Does that mean he
 is now a heartless security consultant?]

   The federal government is hardly immune to these attacks. The Defense
Information Systems Agency estimates that there are 250,000 attempts to
enter unauthorized military systems a year. Pentagon systems are favorite
targets. One study showed that hackers were able to penetrate the systems
about 65 percent of the time. Most of the attacks go undetected; only 1
percent are reported to DISA.

[Here they quote the magic 250,000 attack figure.]

Spoofing and sniffing

   Denial of service attacks are easy and devastating, Fabro said. They
exploit TCP/IP and in most cases, "you can't do anything about it." One such

[You most certainly CAN do something about it. There are ways to
 protect against 95% (or more) of the Denial of Service attacks.]

attack is a ping storm, in which larger-than-normal packets travel across
the network in standard TCP/IP. Because the packets are large, when
reassembled at the target machine they overrun its buffers, often provoking
a systems crash.

[A ping flood is designed to saturate the network and overload a foreign
 system. The large-packet attack, so often referenced incorrectly, is the
 "Ping of Death" which only required one or two oversized packets
 to crash vulnerable machines.]
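
The distinction drawn in the comment above, shown as detection logic. This is an added example, not part of the article or the original commentary; the function names, the 100-packets-per-second flood threshold and the sample headers are assumptions constructed for illustration.

```python
import struct
from collections import Counter

MAX_DATAGRAM = 65535   # ceiling imposed by the 16-bit IPv4 total-length field
ICMP = 1
FLOOD_THRESHOLD = 100  # assumed: packets per source per second treated as a flood

def parse_ipv4(hdr):
    """Return (proto, src, header_len, fragment_byte_offset, payload_len)."""
    vihl, _, total, _, frag, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    ihl = (vihl & 0x0F) * 4
    return proto, src, ihl, (frag & 0x1FFF) * 8, total - ihl  # offset is in 8-byte units

def oversized_on_reassembly(hdr):
    """Ping of Death check: would this fragment push the datagram past 65535 bytes?"""
    _, _, ihl, offset, payload = parse_ipv4(hdr)
    return ihl + offset + payload > MAX_DATAGRAM

def classify(capture):
    """capture: list of (timestamp_seconds, ipv4_header_bytes). Returns a set of findings."""
    findings, per_second = set(), Counter()
    for ts, hdr in capture:
        proto, src, *_ = parse_ipv4(hdr)
        if proto != ICMP:
            continue
        if oversized_on_reassembly(hdr):       # one packet is enough to flag
            findings.add(("oversized-fragment", src))
        per_second[(src, int(ts))] += 1
    for (src, _), n in per_second.items():     # a flood is about rate, not size
        if n >= FLOOD_THRESHOLD:
            findings.add(("flood", src))
    return findings

def make_header(src, total_len, frag_units):
    """Build a constructed 20-byte IPv4/ICMP header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, frag_units, 64, ICMP, 0,
                       bytes(src), bytes([192, 0, 2, 1]))

# Constructed sample traffic, documentation address ranges only.
A, B = (198, 51, 100, 7), (203, 0, 113, 9)
flood = [(10.0 + i / 1000, make_header(A, 84, 0)) for i in range(150)]
# Final fragment at offset 8189*8 = 65512 carrying 1000 bytes: 20 + 65512 + 1000 > 65535.
big = [(20.0, make_header(B, 1020, 8189))]
```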


No safe haven
   Even Windows NT, once thought to be virtually hacker-proof, has been
shown to have security holes, Fabro said. A program available today will

[I don't believe ANY security professional EVER considered NT to
 be "virtually hacker-proof". If that was ever stated, it should be taken
 with a lot of skepticism.]

   When surfing the Internet, also be wary of image files that use a lot of
black in the background. Sensitive information in the hacker underground is
often traded in pictures with black backgrounds, Fabro said, and there are
hacker programs available that allow people to hide and transmit data in
the black backgrounds of seemingly innocent image files.

[?! Be wary? If the above is true at all (which I question), the typical
 user will not be aware of the 'altered' image, or in danger of it.
 If he is referring to 'steganography', then it is a form of hiding
 data as an alternative to (or in conjunction with) encryption.]

   Fabro acknowledged that keeping on top of security is a monumental task.
As hackers create more sophisticated tools and increase their knowledge,
security breaches show no signs of abating.


=-= Original Full Article =-=

Hackers are ubiquitous, malicious and taken far too lightly, expert says
Karen D. Schwartz
Government Computer News

   If you visited the Air Force's AFLink World Wide Web site recently, you
might have seen a picture of two people in the throes of passion, with the
tag line, "This is what the government is doing to you every day."
   If you had accessed the Los Angeles Police Department's Web site on May
29, you would have seen snippets of Rodney King being beaten, as well as
a link for something called the LAPD Death Squad. If you had clicked on
that icon, you'd have been transported to the Ku Klux Klan's Web site.
   Both are examples of serious security breaches - breaches that often
are completely avoidable, according to Mark Fabro, a hacker-turned-network
security specialist who now works for Secure Computing Corp. of Vienna, Va.
   Fabro spoke at a GTE Corp. conference for users of its Outside Cable
Rehabilitation II contract, which provides the Army with a variety of
networking equipment. He warned Army attendees that hackers are everywhere,
and they are heartless.
   The federal government is hardly immune to these attacks. The Defense
Information Systems Agency estimates that there are 250,000 attempts to
enter unauthorized military systems a year. Pentagon systems are favorite
targets. One study showed that hackers were able to penetrate the systems
about 65 percent of the time. Most of the attacks go undetected; only 1
percent are reported to DISA.
   There are many reasons why the government's systems are so tempting to
hackers. Often, Fabro said, it is because federal Web sites have lax
controls or outdated technology.
   Fabro said just displaying a banner warning that the site is a
government installation will put off many hackers. It's a simple step, but
a recent FBI survey of 428 organizations found that 70 percent of sites
did not have a warning banner. The FBI survey also noted that 50 percent
had no written security policy.
   "In 1997, if you don't have a policy, you have no right being connected
to the Internet," Fabro said. "You are asking for it."
   Prevention measures include making sure those responsible for security
keep abreast of hacker techniques and programs, making sure your equipment
is new enough to include some of the security advances manufacturers now
ship with their computers, and backing up systems, Fabro said.
   Data backup might seem like a simple thing, but too few organizations
do it right, Fabro said. "I've been at sites where people say they do tape
backups every night. But when I ask them about it, they say someone else
is in charge of it. I stayed to watch the machine on my first night there,
and it wasn't even connected. It turned out that they hadn't backed files
up for 11 months."

Spoofing and sniffing
   The most popular type of attack is called spoofing, a technique in which
hackers masquerade as trusted machines, giving them access to other systems
on a network. With the
introduction of bulletin boards and hacker sites, spoofing is easy to
do, even if you don't know anything about the Internet or TCP/IP. Hackers
have created Microsoft Windows 95 programs that produce spoof files.
   Denial of service attacks are easy and devastating, Fabro said. They
exploit TCP/IP and in most cases, "you can't do anything about it." One such
attack is a ping storm, in which larger-than-normal packets travel across
the network in standard TCP/IP. Because the packets are large, when
reassembled at the target machine they overrun its buffers, often provoking
a systems crash.
   In mailbombing, a hacker generates thousands of e-mail messages, filling
the target system until it breaks down. Sniffing is an attack in which the
hacker watches and reads unencrypted traffic as it travels on the Internet.
Fabro noted that most information around the world still goes through the
Web in plain text, and "by capturing the first 128 keystrokes, you've got
everything you need - user names and passwords. Once you have those, it's
smooth sailing." The solution, Fabro said, is to encrypt everything.

No safe haven
   Even Windows NT, once thought to be virtually hacker-proof, has been
shown to have security holes, Fabro said. A program available today will
give hackers user names and encrypted passwords, while another program will
corrupt passwords by adding zeros to the end until the file is too large to
work.
   When surfing the Internet, also be wary of image files that use a lot of
black in the background. Sensitive information in the hacker underground is
often traded in pictures with black backgrounds, Fabro said, and there are
hacker programs available that allow people to hide and transmit data in
the black backgrounds of seemingly innocent image files.
   Fabro acknowledged that keeping on top of security is a monumental task.
As hackers create more sophisticated tools and increase their knowledge,
security breaches show no signs of abating.