March 2, 2004

    Securing Information and Assets in the Digital Age


     


     


    Protection, privacy, progress. All hallmarks of growth. Until the digital age, the privacy of confidential information was protected inside buildings with lock and key, and perhaps with further measures depending on the sensitivity of the information. If you or I were to venture to acquire that information, we would have had only three options: we could forcibly take the information despite the physical measures put in place to prevent it, we could use deception to gain the necessary tools with which to access the information, or we could employ a combination of the first two. Needless to say, it was an undertaking of a potentially very dangerous nature and one left to a tiny field of “professionals” of varying degrees. To further discourage intrusions, effective laws existed that would punish the intruder after his capture. Progress was assured because companies and individuals knew that when their personal information, accounts, histories and trade secrets were safely guarded, it could literally take an army to gain an unauthorized peek.


     


    Enter the digital age


     


    What is the state of security in today’s business, government and education? And what of the records they keep about your ailments, course grades, financial accounts, credit, journals, clients, projects and so forth? Whether you know it or not, none of these may be safe. Think of all of the places where information about you exists. Your doctor’s office. You start to perspire: “does he have a firewall?” Then you think about your last visit to your bank online. How easy that was. But your son had downloaded a virus last week, and while you thought you caught it in time, did it leave a back door open? Were hackers secretly recording your every move as you typed in your social security number or bank account number? Or is one of the banking execs visiting porn sites while at work, unwittingly installing several trojans and sniffers onto the server where his roaming profile is stored? You go back to school for your master’s degree and find out your undergraduate GPA has been changed. You then discover that your school’s computers don’t even sit behind a single firewall (an alarming reality we will tackle later on in this blog). What do you do now? Naturally this all takes on a bigger-than-life role when the matter of national security comes into the picture. One quickly discovers that the same scenarios that could be playing out in your world are also at play in government and military agencies.


     


    Many of the things I have either encountered or heard about simply confound me. How is it that common sense is so lacking that no one would think to lock the door in a city full of rioters, with would-be intruders walking by right in front of your house? I have read countless articles, talked to friends with first-hand experience and had such encounters myself that all but leave me speechless at the sheer incompetence of many IT managers who are being compensated fairly nicely for little or no real effective expertise in return, or, at the other end, at the capable IT managers who are literally hogtied by company policies and budgets to the very extent of rendering their jobs useless. Below is a cross-section of past results, along with some likely future targets, when either of these administrative arrangements exists in a company.


     


    - University of Texas servers are electronically broken into; hackers take tens of thousands of social security numbers, leaving students, employees and alumni open to identity theft and fraud.

    - US Army hospital’s computers hacked; social security numbers, confidential medical records, names and addresses of thousands of US soldiers taken; reason as yet unclear.

    - Civilian hospitals and their patients fare about the same. Such was the case with the University of Washington Medical Center in the summer of 2000.

    - One well-known university that brags on its website of being a member of an elite group of schools utilizing what’s known as Internet2 (basically a super-high-speed network shared by 107 other schools) operates many of its systems connected to the World Wide Web without a firewall of any kind, according to a source within the IT department of that school. The lack of any firewall potentially exposes the confidential records of its students and faculty. With desktop nodes accessible from the internet, hackers need only crack one machine and insert data-mining, key-logging, packet-sniffer and dropper Trojans, and all is free for the viewing and ready to be remotely controlled.

    - Non-profit organizations with no real IT security or user-education policy in place. Both small churches and synagogues and large charity-focused groups are often equally apathetic. Recently a friend who worked for a respected financial freedom organization had their email address hijacked to send a self-propagating virus. This virus, as many do, included files containing confidential information and possibly even information about the finances of its members, and also left a port open for a later backdoor attack on and invasion of the network. The ironic part was that I had expressed interest in offering my help to this organization some time ago, and had they taken me up on this, my no-nonsense approach would have helped in preventing disasters such as this one. Non-profit organizations at large are at times at greater risk because many, especially those that are politically centered, have many who are passionately opposed to their goals and aims. Sometimes blackmail becomes a tempting option.

    - Major Department of Defense contractors running networks with no antivirus software, no policies to block dangerous or security-risk websites, applications or protocols…nothing at all much different from what the average home user has: a system waiting for a hacker to come along and discover it. The difference, of course, is the interest level of the first target vs. the second to that hacker.

    - Foreign embassies running networks connected directly to a DSL modem with no firewall, no administrative passwords, no antivirus software and nobody checking logs, setting policies or noticing…


     


    These institutions and organizations often consider being plagued by the latest virus as just another big annoyance, while in reality it may just be the door through which their trade secrets are being quietly stolen or altered or deleted. Sometimes proprietary data makes its way along to competitors, professional scam artists and blackmailers, enemy states or other third parties.


     


    As an earlier article at CNN.com pointed out, the infected machine can become a literal surveillance tool against its user. Logging keystrokes and reading e-mail is only the beginning. Once control of a system is gained, it can be lights, camera and action for the show you don’t want to be aired. Microphones (most computers have them) and computer web-cameras are turned on their unsuspecting quarry, collecting every word and action that takes place nearby.


     


    So what is lacking today in the IT industry? Certainly companies are demanding the best and brightest. But do they always know what that animal really looks like? When you hear of positions available at major corporations, hospitals and universities, you see the requirements: Computer Science degree, 5 or more years’ experience in a senior IT position, MCSE, CCNA, NOVELL, knowledge of IIS, UNIX, C#, etc. None but the best and the brightest, right? Not always. More than a few IT professionals, from large-scale enterprise admins (who hail from some of the largest insurance, medical, electronics, auto, banking, government (domestic and foreign) and educational institutions in the game), to Exchange server gurus busying themselves with getting everything working in the real world of mixed environments, down to the mom-and-pop level dashboard lizards who oversee four or five machines and a candy bar, have similar stories. Some of these with whom I have come into contact over the years (whose businesses will remain unnamed here) left more than a bit to be desired when it came to the basic knowledge tools of good administration. Many of them, while skilled and well-rooted in the functionality of their positions, were somewhat to very apathetic to potential threats and lacked the proper troubleshooting skills to anticipate, investigate and prevent threats (as well as day-to-day system and network problems). In short, they were not able to think three-dimensionally, much to the detriment of their charge. It was not that most of them couldn’t; it was that it had never been taught to them or encouraged.


     



     


    Certainly, Microsoft Windows is far from a secure operating system. But then, so is a poorly configured Linux box. And matters have only gotten worse now that Windows has been open-sourced, if you will, due to parts of its code being formally released into the wild by someone. Those who have that code have a decisive advantage over the administrator who can only patch holes when Microsoft acknowledges them, which sometimes takes a while for both to happen. In fact, every time a major network-aware virus strikes, we get a de facto census of all the servers that went unpatched for months after a patch was made available, left open to be exploited in the latest infection, costing their own as well as other companies dearly. As with the anti-piracy techniques used today, Windows security only manages to be an annoyance to the average user, fugacious to the administrator and a joke to the hacker or pirate. Without any doubt hacking continues on as it did well before the well-publicized “Security Initiatives” of Microsoft.


     


    As for businesses and agencies that wish to be secure, it remains up to them to decide how seriously they are willing to take the idea of data security and the privacy of their members…not to mention the possible liability for being negligent. All too often those who do the hiring only look for acronyms, not proven competence, mental agility or common sense. And once in the door, any truly qualified admin may find that he is in an environment where apathy reigns supreme and the paramount thing is not security, but never rocking the boat. He may be restricted by a budget that is among the first to receive cuts and by a general attitude shared by many within the company that his advice on securing network machines is more of a nuisance than a godsend. And it may well be expected that he should instead concentrate on fixing things only when they visibly break. If the admin pushes too hard, he may lose his job. Yet despite users’ perceptions, the fact remains: hacking into a network database is exactly the same as picking a lock on a door or walking over and pulling folders out of a filing cabinet. The difference is that there is no broken glass upon each intrusion, no splintered door or picked lock. No wailing siren. And for some reason many organizations cannot grasp how often and how extremely easily it is accomplished. For the IT guy, it becomes a matter of little reward and a great deal of liability that could potentially far outweigh that reward.


     


    So who exactly is to blame, then, for the cost society has to pay in revenue, lives and reputations? The argument could well be made that it is the incompetent IT manager, who failed to recognize basic threats and patch holes known to exist in software for long periods of time. The fact is, we have for far too long put our faith in these systems to act alone in the protection of our information when, in honest reality, they were never intended to be the sole line of defense. They were designed to be used in conjunction with the common sense and discretion of a seasoned system administrator. And unfortunately for home users, this is true for them as well, since what they use are essentially the same systems. Windows XP Professional and Windows XP Home Edition are at their core (and in most other ways) exactly the same in function and flaw. Indeed, they are the same old geeky and end-user-cumbersome Windows NT boxes of yesteryear that have recently been painted in bright colors for consumer approval. But this does not diminish the fact that they still must be managed in ways that truly require an IT professional in order to run safely and correctly. Until this changes, consumers are better off doing their finances with pen and calculator and their purchases over the phone. Or, in the meantime (from a usability standpoint at least), buying a Mac. And for the IT pro, the task of trying to keep track of curious and unruly users can prove daunting. Many admins admittedly spend so much time at this that they find little time to plan for and address developing outside threats which may or may not actually appear; that is, the ones the desktop users haven’t invited.


     


    I once had an international non-profit client whose president’s nefarious nocturnal internet activities were compromising the network at the office every time he brought his laptop to work. Whenever something new would show on the radar screen, such as a virus, strange network traffic or stability issues, it would invariably point back to his laptop. Upon reading the logs, or even taking a rather short glance at the desktop, one had a pretty educated guess as to what was going on. But this fellow didn’t like to be embarrassed as the reason the office manager or the secretaries or other employees couldn’t get their work done. Even though the details of why were never shared, the unavoidable fact that something on his computer was always causing ripples throughout the network was ever present…and the fact that someone knew why made him far too nervous. My services were soon phased out. At first, he just sort of kept his laptop out of reach by assigning frivolous tasks whenever he was in the office in order to keep me at a safe distance, or by trimming my visits during those times. Eventually, after one last major discovery that essentially was on the larger scale of things, I had to go bye-bye. Needless to say, however, they were calling me back within just a couple of months, begging me to help them with their once more infected network and the floods of spam they were now receiving. I remember asking them, “is your antivirus software up to date?” “How do we do that?”, came the response. They proceeded to admit to committing several security no-no’s and not having their systems protected and up to date. I simply reminded them of the obvious need for such security and let the I-told-you-so’s remain unsaid. A sentiment no doubt shared by the other three consultants who preceded me. Incidentally, it turns out that this company had a lot to lose, too. They were also using illegal copies of operating systems and other software that, if knowledge of it fell into the hands of a hacker with the will to blackmail, could spell mess with a capital M for this group. As explained in the words of this organization’s president, “better to ask for forgiveness than get permission”. Makes one wonder if those whose financial information is in the database feel the same way that he does… This is one example of what many who handle your private information do every day: play with fire. In such cases it is not a matter of how but when.


     


    Biology of Russian Roulette


     


    There often exists a misconception that connecting two computers is like having two people shake hands. But in point of fact, connecting your computer to a network is really a lot more like sharing a drink, a kiss…or perhaps even more intimate contact with someone. When computers connect, they do so in a way that would make any pair of young lovers swoon…or blush. The two simply “become one flesh”; they are literally sharing cyber-fluids with each other. If one is infected or controlled by an operator with less-than-honorable intentions, you can see just how easily the other is likely to come down with something. In the same way, it would be easy for that infection to spread to anything else that comes into contact with it, and for its security to be compromised in other ways as well.


     


    Already in the United States alone, literally scores of thousands of social security numbers, names, addresses, medical records, student records, financial records, credit card numbers and the like have been stolen, during a time in which identity theft has become the fastest growing crime perpetrated against Americans and during a time when national security has begun to mean knowing the person you’re dealing with is the person they claim to be. The question is, for what purpose will stolen information be used? To fund terrorists, to blackmail decision-makers, to threaten the very lives of the families of soldiers fighting overseas? Even something as insignificant to everyone else as your grandmother’s medical records, ergo her social security number, ergo her home lost due to bogus debt created when a faceless thug bought a new sports car in her name, ends up affecting society in the end. When we lose security, we lose productivity. And what if the aforementioned thug votes in her stead, as well? This could certainly make things interesting. From what we know, there have already been numerous severe intrusions into our military information systems. And it is only the amateurs that we get to hear about!


     


    Is it really that Rome is being sacked and no one even knows it? Well, it is arguably clear that we can no longer hesitate in securing our records from those who would pilfer them for gain; we have far too much to lose, and it is going quickly. The time for sensibly dealing with this is now. As decision makers both in and outside of IT, we cannot wait for the ultimate OS patch and pass responsibility for our losses onto Microsoft or any other vendor in cases where we aren’t doing our half of the security equation.


     


    Borrowed (and compressed) from phathookups.com, the list that follows gives some noteworthy examples of what resulted when security was too lax. How secure is your data? Well, if it’s something such as patient records or military secrets, store them on a server off the network and under physical lock and key. If they are personal records, don’t keep them on the same computer your children use for always-on internet gaming. This is the only way you will truly be secure, no matter what any self-proclaimed guru tells you. This, along with regularly patching your networked systems, monitoring system and network activity, setting strict policies and placing pressure on third-party vendors to comply with the latest OS service packs and patches, will save a world of pain in the end, and just might help out your career, too. The more valuable your data, the more at risk it is. And if you find that hard to believe, just read some of the brow-raising accounts below…


     


     


    Bill Wall’s list of hacker incidents*


     


    —————————————————————————-


     


    1961.12.00  Caltech hackers hacked the cards at a football game scoreboard with U of Washington


    1981.05.30  Mitnick gets into Pac Bell’s COSMOS phone center; takes passwords


    1982.00.00  Mitnick (Condor) cracks Pacific Telephone system and TRW; destroys data


    1983.00.00  Mitnick arrested for gaining illegal access to the ARPAnet & Pentagon


    1984.00.00  Kevin Poulsen (Dark Dante) arrested for breaking into the ARPAnet


    1986.00.00  Chaos Computer Club cracks German government computer that had info about Chernobyl


    1987.07.05  hackers got secret access codes from Sprint


    1987.09.18  hacker accesses AT&T computers, stealing $1 million worth of s/w


    1987.09.28  hackers from Brooklyn penetrate MILNET


    1987.11.23  Chaos Computer Club hacks NASA’s SPAN network


    1988.09.00  “Prophet” cracks BellSouth AIMSX computer network


    1988.11.23  hacker cracks USAF Sperry 1160 computer in San Antonio


    1989.06.21  hacker cracks USAF satellite-positioning system


    1989.07.22  Fry Guy cracks into McDonald’s mainframe; also stole credit cards


    1990.03.07  Denver hacker cracks NASA computer at Huntsville and Greenbelt


    1990.04.00  hackers from Netherlands penetrated DoD sites


    1991.03.00  hacker penetrates NASA, NIH, Bureau of Land Mgt, BBN


    1991.04.21  Dutch hackers from Eindhoven break into US military computers


    1992.11.00  Mitnick cracks into California Dept of Motor Vehicles


    1992.12.00  hacker arrested for penetrating NASA, NIH, BBN, etc


    1993.00.00  food scientist gained access to General Mills mainframe computers


    1993.08.00  Justin Petersen arrested for stealing computer access equipment


    1993.10.28  Randal Schwartz uses Crack at Intel to crack passwords


    1994.02.00  hacker installs network sniffer and grabbed 100,000 names and passwords


    1994.02.00  Texas Racing Commission computer hacked into


    1994.02.01  hacker spoofed a Dartmouth professor using email to cancel tests


    1994.03.23  hackers broke into Rome Lab, Griffiss AFB from UK; used sniffer


    1994.06.13  Citibank hacked by Vladimir Levin; $10 million in illegal transfers


    1994.07.14  French student Damien Doligez cracks 40-bit RC4 encryption


    1994.07.21  hackers crack into the Pentagon, altering and erasing records


    1994.08.00  Justin Petersen electronically steals $150k from Heller Financial


    1994.09.00  Netcom’s credit card database was on-line and accessible to the unauthorized


    1994.10.00  Michael Smyth, a regional manager at Pillsbury, fired due to intercepted email


    1994.10.12  computer engineer cracks Marks & Spencer security file containing PIN numbers


    1994.11.01  hacker cracks FBI’s conference-calling system; made $250,000 in calls


    1994.12.00  US Naval Academy computer system hacked; sniffer programs installed


    1995.01.00  Chris Lamprecht (Minor Threat) incarcerated for hacking; banned from Internet


    1995.01.27  Mitnick cracks into the Well; puts Shimomura’s files there and Netcom credit card numbers


    1995.02.15  Mitnick captured; broke into NORAD, PacBell, CA DMV, etc; had 20,000 credit card numbers


    1995.04.00  Journalist David Pogue’s AOL account deleted by hackers


    1995.05.05  Chris Lamprecht (Minor Threat) becomes 1st person banned from Internet


    1995.06.02  hackers using Vanderbilt computers hack Air Force site – caught


    1995.07.00  crackers tapped into Navy computer system and gained access to French and Allied data


    1995.07.00  Julio Ardita of Argentina cracked into US military computers, Harvard, NASA


    1995.08.15  several hackers crack Netscape 40-bit SSL; Damien Doligez used 120 computers


    1995.09.11  Golle Cushing (Alpha Bits) arrested for selling credit card and cell phone info


    1995.09.16  Berkeley students cracked Tower Records/Video computers; $20,000 charged


    1995.09.17  Hackers discover weakness in Netscape random number generator; SSL cracked


    1995.12.28  Julio Ardita arrested in Argentina for hacking into Harvard


    1996.01.15  Swedish computer hacker hacks into 911 phone system in FL


    1996.01.22  Chaos taps cleartext transmission of banking information


    1996.01.25  Russian pleads guilty of participating in Citibank wire fraud


    1996.02.15  Hackers altered UK talking bus stops for use to the blind


    1996.02.27  BerkshireNet in MA hacked; data erased and system shut down


    1996.03.05  whitehouse.gov flooded with forged email; denial of service


    1996.04.19  NYPD voice-mail system hacked


    1996.04.27  Cambridge U hacked; confidential files broken into


    1996.05.15  Datastream Cowboy from UK arrested for breaking into Rome Labs


    1996.06.15  Two UK hackers charged with intruding into Lockheed computers


    1996.06.20  14-year old arrested for using fraudulent credit card numbers


    1996.06.25  hackers penetrate the public library network of a state


    1996.07.09  Ontario group gets into computers at a base in VA


    1996.07.10  HS students crack a drink manufacturer’s computer voice-mail system


    1996.08.00  Fort Bragg soldier compromised military computer system; distributed passwords


    1996.08.04  US hackers crack computers of the European parliament and commission


    1996.09.06  hackers shut down PANIX, New York’s Public Access Networks; SYN attack


    1996.09.17  computer files with names of 4,000 AIDS patients taken in Florida


    1996.09.20  cancelbot attacks Usenet; 25,000 messages wiped out


    1996.10.15  disgruntled employee wipes out all computer files at Digital Technologies Group


    1996.10.22  hackers crack Czech banks; steal $2 million


    1996.10.23  Fort Bragg, NC paratrooper hacked U.S. Army systems and gave passwords to China


    1996.11.17  hackers removed songs from computers at U2’s Dublin studio


    1996.11.21  Danish Research group get into computers at TX base


    1996.11.22  NY city workers falsified computer records in largest tax fraud in NY


    1996.11.26  Web site that provided news about Belarus leader was destroyed


    1996.11.29  Disgruntled computer technician brings down Reuters trading net in Hong Kong


    1996.12.20  6 Danish hackers sentenced for attacking Pentagon computers


    1996.12.23  Zhangyi Liu arrested in Dayton for cracking into WPAFB computers; had passwords


    1997.01.06  Croatians intrude into computers at Anderson AFB, Guam


    1997.01.15  hacker sentenced to prison for reprogramming Taco Bell computers


    1997.01.29  phf hack from Belgium to TX base


    1997.02.03  hackers spoof Eastern Avionics web page to grab credit card numbers


    1997.02.05  German Chaos group uses ActiveX and Quicken to withdraw money


    1997.03.09  NCAA WWW site hacked; pages changed by 14-year old


    1997.03.12  IP floods of SMTP causes DoS at base in VA


    1997.03.16  The Well hit by hackers. Passwords stolen, files deleted, trojans planted


    1997.04.27  British Conservative Party got hacked


    1997.05.23  Carlos Salgado grabs 100,000 credit card numbers from San Diego; used a sniffer


    1997.05.29  hacker hit LAPD


    1997.06.00  Netcom voice-mail hacked by “Mr Nobody”


    1997.06.03  Delaware law enforcement officers get teenager cracking NASA


    1997.06.18  hackers in CO crack RSA’s 56-bit DES encryption


    1997.07.11  ESPN and nba.com (starwave) shut down after hacker emails shoppers credit info


    1997.07.14  Danish computer guy finds hole in Netscape; asks for big reward money


    1997.07.15  Canadian Security Intelligence Service got hacked


    1997.08.01  Long Island group added a Trojan horse to hijack users’ modem


    1997.08.08  George Mason Univ students hacked their way into the Univ computers


    1997.08.10  Cyber Promotions servers hacked


    1997.08.16  Experian (TRW credit bureau) Internet allowed wrong credit reports


    1997.09.25  Florida State School of Criminology NT server got hacked


    1997.09.26  US Geological Survey NT server got hacked


    1997.09.27  methodisthealth.com NT server got hacked


    1997.10.01  hacker spoofs SANS Security Digest newsletter; hacks into ClarkNet ISP


    1997.10.06  hacker breaks into Japan’s Nippon Telegraph and Telephone (NTT)


    1997.10.14  Yale e-mail account servers hacked; sniffer used


    1997.10.19  RSA’s RC5 56-bit encryption key cracked by Bovine effort


    1997.10.31  Eugene Kashpureff arrested; redirected the NSI web page to his Alternic


     


     


    And these were just freelancers…


     


     


    -Blogbat


     


     


    *Abridged from original list, emphasis and corrections added. Original text can be found at the following web address:  http://fux0r.phathookups.com/textfiles/hack/hacker.timeline.txt. Reprinted for educational purposes only.


     


    UPDATE: Since this blog was first written, the above-linked site at phathookups.com was hacked, with all pages deleted except for the one linked above. That page was instead defaced. Currently there is no indication as to when the original site will be restored.


     


     



Comments (1)

  •  :dork: that’s scary stuff :) but I agree we all go willingly along with it, hand over our credit card and bank details without a qualm and make ourselves available to hackers..
