Internet Hacking For Dummies

A panel discussion at the "Computers, Freedom, and Privacy" conference in Texas reviewed common security blunders, and offered sound advice for protecting sensitive data.

AUSTIN, Texas - A panel of security specialists compared notes this week at the Computers, Freedom, and Privacy conference, providing an overview of malicious hacks and strategies for fending them off, as well as insights into hacker culture, tricks, and tools.

Peter Shipley, a renowned - and reformed - hacker, and more recently the founder of Network Security Associates, a security consulting business in Berkeley, California, offered his own intimate view of what types of hacks are most common today, and what can be done to defend against them.

Shipley said that malicious hacks can be classified into four categories: disclosure of information, such as theft of credit card numbers; destruction of data, which can be an act of economic terrorism; alteration of data, such as grade fixing; and denial-of-service attacks, including SYN floods and smurfing. The motivation for such attacks ranges from financial to revenge to peer respect, Shipley said.

Shipley and the other panelists for the "Net Hacks and Defenses" discussion attributed the lack of security in computer networks to disbelief, laziness, and overconfidence. Free Web-based email services are a classic example of a network vulnerability, he said.

"All of your Hotmail is readable by the world," said Shipley, introducing the topic of sniffers, one of the fundamental tools used to monitor and intercept data over a network. He then presented a list of protocols that can be exploited using hacking tools: telnet, http, SNMP, SNTP, POP, FTP, and many other baseline standards used to send email, files, and other communications over the Net and computer networks.

"It really works too well," was Shipley's mantra throughout the session, pointing to the fact that hackers routinely take advantage of the same tried-and-true techniques that have brought them so much success in the past.

A good hacker will normally do some research first, to discover anything useful about the nature of the target network. Information can include the type of firewall, networking software, and operating systems in use, as well as host lists, usernames, network connections, and sibling domains.

"Look at all your inbound connectivity and co-developers," Shipley said, explaining that even if a network itself is well protected, there are often peer network connections, such as those at business partners, ISPs, or home modems, that can be used as back doors into a network. "If you want to hack NASA, go to Lockheed and get in through their connections," he suggested.

But some methods are even more straightforward and bold, Shipley said, such as entering an office building to steal something as benign as an employee phone list, or something as guarded as the map of a network's computers and software implementations.

Even easier, he said, are social engineering techniques, where a would-be intruder calls up a network engineer - or someone else with pertinent information - and simply asks what types of software and configurations, or port assignments, are being used in a network. To guard against such attacks, employees at organizations like the National Computer Security Association answer their phones by saying their extension number, or nothing at all.

One audience member was skeptical. "But aren't people more sensitized to [social engineering] now?" the attendee asked.

Shipley answered with an exclamatory "NO," and Dave Del Torto, a software designer with Pretty Good Privacy, said: "People are absolutely pathetic about maintaining security policies, and social engineering is the easiest way in.

"Don't underestimate the value of educating your staff," said Del Torto.

Shipley recently conducted a "war-dialing" experiment and discovered that many networks in the San Francisco Bay Area are wide open to even novice hackers. As featured in the classic cold-war film "Wargames," a wardialer dials thousands of phone numbers looking for a modem's carrier signal. When Shipley found a number at the Oakland Fire Department, he found himself in a position to dispatch fire trucks and access the department's main network. (He subsequently notified them about the problem.) He also found that one of the Bay Area's biggest bookstores had left its ordering database unprotected.

Using Strobe, another popular software program, intruders can scan for open ports on networks, which provide easy entry to networks once they are identified. Once connected to such a network, other software can be used to scan for known vulnerabilities and unpatched security holes, which are common with operating system and security software products.

Vendors such as Microsoft and Sun are constantly posting software fixes to their Web sites to patch vulnerabilities, but it's up to network administrators to keep track of all of the patches they need to implement.

"I love Microsoft," said Charisse Castagnoli, an employee of Internet Security Systems, a company that audits and consults on security-related issues. "The rate at which they produce software, they create a permanent employment opportunity for me. We have a love-hate relationship," she added.

Some operating systems, Shipley said, are easier to compromise than others, and "[Windows] NT is not capable of being anything nearly like a reliable system for the Internet." He recommended that "multiple firewalls" be used if a Windows NT machine is to be used on networks with Internet connections.

But even firewalls have their problems. "Seventy percent of packet filter firewalls are misconfigured," said Castagnoli. "You don't just set them up and walk away. You need to constantly monitor and update them."

In general, the panelists were skeptical about the value of mainstream network security software products. One reason cited was that nobody, aside from the vendors, knows what's behind the GUI.

"You can't trust a system unless you can see the entire inside of it," said PGP's Del Torto. "As a trend, patronize companies that open source code," he advised, and complimented Netscape for doing so with its Navigator browser code.

The panelists recommended several strategies to improve individual user security.

First, a randomized, mixed character-number password kept in a wallet is much more effective than an English word or name committed to memory, panelists said. Several software programs, including Crack, are available for quickly cracking passwords that are dictionary words and common names.

The panelists also recommended that cautious users buy a cross-shredding paper shredder and use it on anything that contains personal data. Dumpster-diving is a popular sport for data thieves, and a woman in Oakland was recently caught with files on 300 people in the area, with enough information about them to get credit cards and driver's licenses.

Finally, the panel recommended encryption software be used on any sensitive communications or files that a user wouldn't want someone else reading.

The panel also advised that companies allow employees to use company email for personal use, because at least a firewall stands between their email and the open Internet. They estimated that 30,000 people are signing up for free email services every day, and most of those are open to packet sniffers and other monitoring tools that turn such emails into postcards on the Net.