How safe is your system?
Source: The Columbian
By SUSAN FITZGERALD
Date: December 22, 2003
If you think your business is safe from computer hackers because you aren't as juicy a target as Microsoft, think again.
"They (hackers) don't care what kind of business you are, they just want to use your computer," said Assistant U.S. Attorney Floyd Short in Seattle, head of the Western Washington Cyber Task Force, a coalition of federal, state and local criminal justice agencies.
"I think people are getting hacked all the time, most just don't know it," Short said.
There's more at stake than defacing your Web site or bringing it down with an onslaught of hits. That's kid stuff compared to installing a "back door" in your network that gives hackers access to your company's and your customers' data, proprietary or financial information. Or planting a "bot" that makes your terminal a vehicle for crime.
Businesses most at risk, experts say, are those handling online financial transactions. The FBI's Internet Fraud Complaint Center (IFCC) received a referral from a small business that sold pharmaceuticals online. A hacker acquired credit card numbers, and the names and addresses of approximately 200 customers from the business's system and posted it on an Internet message board, available to anyone who logged on to it.
"With the proliferation of turnkey hacking tools available on the Internet, a 12-year-old could locate, download and implement them," James E. Farnan, Deputy Assistant Director of the FBI's Cyber Division, told Congress in April. "Cyber crime continues to grow at an alarming rate. Criminals are only beginning to explore the potential."
The FBI Cyber Task Force received 75,000 complaints in 2002, and at the rate of 9,000 a month, complaints should top 100,000 this year.
A Web site that provides a self-reporting mechanism, www.cert.org, mirrors the alarming rise of incursions, and shows even higher numbers: 2001, 52,658; 2002, 82,094; 2003, 114,855 (first three quarters).
Hackers are halted by vigilant security, but experts say system administrators can be underqualified for security measures, home users don't feel themselves at risk, and the high-tech community itself can play into hackers' hands.
"You're not going to see it, that's why you have to keep it from happening," said Chuck Dryke, president of Dryke & Associates, a consulting firm in Vancouver.
Though it's easier than ever to hack, software companies and law agencies have become more effective at prevention, and tracking and prosecution of hackers.
What makes hacking possible is the cyber-connectivity of the Internet. Information and instructions can flow back and forth via "ports" through which each terminal accesses the World Wide Web via Internet service providers (ISPs).
And what makes the Internet faster also makes the hacker's job easier. With slower, dial-up service, ISPs use any port available to access the Internet, changing the "address" of the user each time they connect, which impedes hacking, said Dryke. But DSL and cable ISPs create 24/7 connections that keep the same address all the time, streamlining the hacker's efforts.
"The typical hacker has software that keeps hitting (Internet) address after address looking for one that's unprotected so they can go in and do whatever they want," said Dryke, whose firm designs, installs, and maintains computer systems.
Hackers have always shared information, if only for bragging rights about their exploits. Now they also share the actual methods and codes they used to break into a system. That lessens the amount of knowledge needed to do malicious damage, or to transfer crimes like fraud, theft and blackmail to cyber-space.
"Automation of hacking is definitely on the rise, and is a concern," said Craig Schmugar, virus engineer researcher for the Anti-Virus Emergency Response Team (AVERT), a subdivision of McAfee, which creates anti-virus software.
"Somebody else can do all the technical work and all (a hacker wannabe) has to do is push a few buttons."
Without spending hours hunched over a keyboard, a hacker with criminal intent, a "cracker," can download and run programs that will scan the Internet looking for computers logged on that have inadequate security. In such a computer, a hacker can plant a (ro)bot that will take orders from the hacker to, in turn, hack into other terminals and systems, or create a Trojan Horse or back door from which to download data, financial or proprietary information, all without the user knowing about it.
But there are ways to guard against intruders. That's where software comes to the aid of systems administrators.
Vulnerability seems inevitable in software, and companies continually check their own products for such problems even after they are on the market. When Microsoft, for example, finds that one of its software codes leaves an opening for hackers, it posts an announcement on its Web site and issues a free, downloadable "patch" that restores integrity to the program.
"The problem is between the time the patch is issued and companies install it," said Schmugar.
"When patches are issued, hackers will reverse-engineer it to see what it fixes. Often, hackers wouldn't even find the vulnerability unless a patch were issued."
Companies or individual users who don't stay current on the glitches and patches risk the possible consequences of hacking.
"Most of the outsider-intrusions cases opened today are the result of a failure to patch a known vulnerability for which a patch has been issued," according to testimony given to Congress in April by James E. Farnan, Deputy Assistant Director of the FBI's Cyber Division.
"Companies that say they can't keep up with the patches, that's a copout," scoffs Scott Schnoll, product support manager at TNT Software, in Vancouver. "There's plenty of (software) tools to let you scan internally and externally" to detect intrusions.
Security measures are different for each operating system, from Windows to Linux, and Schnoll said there is no end of literature on all of them for securing ports and file systems, and installing in-depth defenses and various security frameworks.
"Security is best when it's layered," said Schmugar. "Protect each terminal with a desktop firewall, as well as the (network's) gateway to the Internet." Firewalls make sure hackers "can't even 'see' the stations behind the wall."
AVERT uses the hackers' work against them. "A lot of our detections now are from sites where hackers share information," said Schmugar. "We grab the code and write software" to forestall security breaches.
The vigilance and knowledge required may outpace the means of many companies or systems administrators, but contractors are available to provide the level of security needed to avert intruders.
Besides lax security, hackers continue to operate with near-impunity because victims don't always cooperate.
"We've not had many cases, we're fortunate," said Jim Davis, Clark County deputy prosecutor.
"But we don't know if that's because it's not happening, not discovered or not reported."
According to the annual Computer Security Institute/FBI Computer Crime and Security Survey, released in April, 90 percent of the respondents detected computer security breaches in the last 12 months, but only 34 percent reported the intrusions to law enforcement. The report notes this rate is encouraging, however, since it is up from a 16 percent reporting rate in 1996.
Many intrusions are never reported because companies fear a loss of business from reduced consumer confidence in their security measures or from a fear of lawsuits, according to FBI testimony before Congress.
"You're dealing with security and credibility," said Schmugar. "Why would I want to use your product or service if you can't protect your system?"
With e-commerce (exclusive of business-to-business transactions) at $46 billion in 2002, up from $36 billion in 2001, businesses would be understandably reluctant to disclose hacker activity.
Despite the ability of hackers to cover their "ether trail," law enforcement has become more sophisticated about tracking them, and statutes have been amended to cover cyber-crime.
"We have prosecuted several cases in recent years," said Davis, recounting disgruntled ex-employees, and some students who hacked into their school computers, and even local software companies, all of which he declined to name.
"Unless you do computer forensics every day, your staff may not know what tools law enforcement has to trace it," he said. "If we can't handle it, the federal government has been very good about stepping in," whether for jurisdictional reasons or technical expertise.
Once caught, there are many avenues to prosecute, Davis said. In Washington state, computer trespass, with or without criminal intent, is a felony, and malicious mischief laws now include computer crimes.
As with all crime, prevention is the best protection, though the cost of prevention always seems high compared to relative risk. The random risk posed by automated software scanning cyber-space for vulnerable computers and systems, however, is impossible to calculate.
What businesses need to ask themselves instead, said Dryke, is not the nature of the risk, but the nature of the information to be protected.
"How sensitive is your data? Can you live without it?" he asked.
The answer to those questions, Dryke said, will determine whether a business needs to invest in security.
ON THE WEB
For more information on computer and Internet security, go to the Carnegie Mellon University Software Engineering Institute Web site at www.cert.org
The Hackers Among Us
While data is hard to come by, experts agree malicious hackers are most likely to be males in their teens and 20s. It's the "glory grabbers" who want applause from peers that go in for the flashy exploits, like defacing high-profile Web sites, says Scott Schnoll, product support manager for TNT Software in Vancouver.
Hacking contests gain winners notoriety and bragging rights, said Craig Schmugar, anti-virus engineer at AVERT, as they vie to compromise as many systems as possible in a set time.
There's no glory to grab unless your peers know about it, so hackers splash their deeds on Web sites, where they also share tools, utilities and software code or "script" among themselves.
Parents need to monitor home computer use, preferably by keeping the terminal in an open area. Parental controls can be installed on computers to block certain Web sites or activities but, Schmugar said, "if you have a teenager who's hacking, he can probably get around parental controls."
The bigger danger is posed by "elite" hackers, according to a 2002 report from Riptech. Fewer than 1 percent of hackers are responsible for the vast majority of intrusions, as determined by a high number of attack signatures, extended duration and focus on a small number of select targets. Most attacks originate from the United States, Great Britain, Germany, Canada, Italy, France, Taiwan, South Korea, Japan and China.
There actually are some good hackers, designated as "white hats." They help security and software firms find vulnerabilities and patch them. They are ticked off that some wannabes, aided by the media, appropriated their moniker.
Hacker once was what Internet geeks called themselves, according to author E.S. Raymond.
In his book, "How to Become a Hacker," he said, "Hackers built the Internet. Hackers make the World Wide Web work. ... There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers."
Real hackers, he said, call these people "crackers" and want nothing to do with them. "Being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer."
What Hackers Can Do To You
Hackers can break into your business's computer network using a variety of tools and can boast about it on Internet sites where exploits and program codes are shared.
They might only "tag" your site, much like graffiti on a wall. This is just an "ankle bite," aggravating but not damaging. They may alter data without your knowledge just to be malicious. Worse, they might steal your or your customers' financial information for theft or fraud, or plant a program in your computer to cover their own tracks while they use it to trespass into another system. Here are some typical intrusions:
* Trojan Horse/back door: Create a reusable passageway in your computer system or network to copy or download data without your knowledge.
* (Ro)bot: A program that enters your computer or system, perhaps via e-mail, that lets the hacker "own your box," or make your computer do tasks for the hacker, like break into another system.
* Spamming: Getting scores or hundreds of junk e-mails, or spam, was bad enough. Now, the FBI's Internet Fraud Complaint Center (IFCC) is seeing more spam that directs individuals to provide personal, financial and password information, for a bogus reason like updating their account information.
* Spoofing: Pretending to be an institution to get information, for example a spoofed Web site made to appear to be a U.S. financial institution. This site was used to lure victims into providing personal financial information, including credit card and debit card numbers.
* Social engineering: Hackers may create or enter chat sites and try to get others in the site to reveal information on their computer system, to determine the best way to break in.
* DoS: Denial of Service. This is what happens when hackers plant bots or worms into remote computers (not their own) and instruct them to launch a simultaneous attack on a particular Web site such as Microsoft or the White House. The resulting blizzard of hits can make the Web site crash.