30Apr98 UK: SECURITY - RETURN OF THE HACK. Even Nasa's security measures aren't always enough to deter hackers. Sharon Smith outlines a problem that just grows and grows. Like street muggings, computer hacking has become so ubiquitous that it is almost accepted as one of those unavoidable facts of modern life. It's a plague that, in theory at least, afflicts primarily the weakest. But a couple of weeks ago, when some of the top US chief executives gathered for a security convention in Atlanta, the statistics must have made their hair curl. The figures underlined the vulnerability of even apparently secure computer systems to cyber attack. Last year, the Pentagon was subject to 250,000 hacker attacks, while the annual cost of hacking to US industry is now reckoned to be a staggering $10 billion. Worse still, it was revealed, there are now nearly 2,000 Web sites offering tips, tools and techniques to miscreants who, like mountaineers scaling Everest, want to conquer any and every system - if only because of the challenge it presents. Kevin Mitnick, the supposed grandmaster of hackers, is languishing in jail awaiting trial on charges relating to nearly $30 million of alleged computer and telecoms fraud, but there is a queue of applicants waiting to follow in his footsteps. Among the more recent headline grabbers was an attack launched from the Internet last month that froze thousands of computers running Windows NT. Victims of the attack included 14 of the 15 Web sites operated by Nasa, plus computers operated by the US military and by many universities. The cyber attack crashed the computers by sending out a message which exploited a flaw in the NT operating system. Microsoft had issued a patch for the loophole in January, but the victims had not applied it, nor had they erected firewalls in front of their Web servers. Another recent high-profile case involved two US teenagers who roamed through unclassified military Web servers using a server security hole. Again, the Webmasters could have used well-known software patches to keep the hackers out. The duo, who got on to the Internet using service provider Sonic, used what is known as the statd exploit, which was publicised on the Web in November 1997 and for which an advisory was issued in December. The exploit allows hackers to gain root access to Unix machines running Sun Microsystems' Solaris operating system. Once access has been obtained, hackers can install programs or delete Web sites. In the UK, hacking exploits such as these do not surprise security experts, who warn that the threat will continue to grow in tandem with the Internet's own expansion. Contrary to popular opinion, the problem will not necessarily be confined to the US. Industry observers say hacking is already a growing menace in the UK. UK organisations, however, have been lulled into a false sense of security because computer attacks are not always publicised. Bill Brett, sales director at Hertfordshire-based IT services company Barron McCann, estimates there are thousands of hacking cases each year in the UK. 'Hacking is a bigger problem in the UK than companies realise, because the last thing a company wants everybody else to know is that they have been hacked into. 'It's embarrassing for them to admit that their IT system was not secure enough, and there is the fear that the hacker will return. You wouldn't advertise the fact that you'd had a burglary at your home, would you?' The real extent of UK hacking is difficult to gauge. 'Around 5% of our disaster-recovery cases are known to be due to people getting into company IT systems via the Internet,' Brett says. 'But the statistics could be even higher because we don't always know that hacking is the cause of a problem.' Outsiders hacking into company IT systems fall into one of two categories. Experts say that 95% of cases are of hackers infiltrating systems merely to show how clever they are or to create havoc, as in the Windows NT incident in the US. These incidents are serious enough for the organisations affected to be heavily inconvenienced, and they can lose money through wasted business time. But even worse are the 5% of attacks where hackers set out to crack passwords in order to alter, steal or erase data. Such acts threaten companies' livelihoods and even peoples' lives. Bernie Dodwell, security products manager at Integralis, says: 'Once hackers have cracked a password, they are into a system with free range to do anything they want. If they know where a hospital's patient records are held, they can go in and change them. They can totally destroy businesses by altering or wiping out their data.' Attacks on Web sites, where mischievous hackers go in and alter information, are already commonplace. Richard Woods, a representative of Internet service provider UUNet Pipex, explains: 'They go in and muck around a bit, then go off again. But it can damage a company's reputation if obscenities or duff information are left on its Web site.' Cookies, or information about visitors to Web sites, are another popular target - hackers can tap into users' browsers to get cookie data. The technique has also been used by marketing companies intent on poaching potential customers from rivals, as well as companies aiming to convert visitors to their Web sites into customers. The problem is exacerbated by the fact that the Internet and, increasingly, corporate IT systems are open systems as opposed to the closed architecture of the traditional mainframe environment. 'Security on the mainframe is very well developed because of the time it has been around, so it's difficult to crack mainframe security measures,' says Dodwell. Unix, as a more open environment, is a different case altogether. Although security has improved with time, it is still not as good as for mainframes. And Windows NT is not much better - it has a reputation of having little security because it is so new. The same applies to the Internet: it is such a recent and complex technological achievement that it, too, has caught many organisations unawares. There is a third type of hacking danger - insider attacks by a company's own employees. Tony Martin, marketing director at router manufacturer Teltrend, explains: 'In larger organisations, during salary reviews, it has happened that employees interrupt financial transactions, change the amount allocated to them, complete the message and get a salary increase of 100% instead of 10%.' Experts agree there is no way yet to render a system totally foolproof. But there are measures that organisations can adopt to make their systems secure enough to deter hackers. If an attack does take place, a system should be secure enough to enable a company to pick up the incident immediately and act quickly to prevent a return visit. To prevent hacking in the first place, says Woods, organisations need to devise and implement security strategies. 'One of the biggest problems is that security experts are often not called in until after the horse has bolted. Companies think that if it hasn't happened to them yet, it's not going to,' he explains. One of the most simple measures is almost universally the most neglected. 'Organisations don't change their passwords frequently enough,' says Brett. 'They forget that a lot of people have access to a password, including former employees who were sacked or made redundant and might be upset.' A few other precautionary measures should be enough to safeguard most corporate systems. The key to combating the problem is to treat like with like. Hackers are like any other sophisticated criminals: they take pride in their work, and are up to date with the latest equipment. It is vital to make sure the system's users do the same. They should know how to constantly maintain and review any security features. One step is to implement sniffer software that can prevent intruders from reaching designated parts of the system. And Web sites should be monitored constantly, so any defacement can be immediately rectified. Encryption, too, helps prevent interference with messages sent over the Internet and internal networks. Disaster recovery also plays a part. Brett estimates that a mere 12 to 14% of UK companies have a recovery plan in place. If a company does become a victim of hacking, it is essential to have the necessary backup system so the program can be running again as quickly as possible. 'We can also examine the hacked system to find out where the holes were,' says Brett. Protection against hackers is the number one priority, warns Dodwell. Sad though it sounds, you should trust no one: 'There are going to be 300 million users on the Internet by the end of 1999, and not every one of them will have no intention of going out to cause mayhem.'. COMPUTING 30/04/98 P56