Fraud, Hackers, Viruses, and Security - itmWEB Feature

The itmWEB Site™

Fraud, Hackers, Viruses, and Security

By Patrick Macken, IT Consultant

May 20, 2000

The Austin chapter of the Association of IT Professionals hosted a panel discussion on Network Security at its general meeting, April 11, 2000. Panel members responded to questions from the moderator and from the audience. The following article summarizes the major themes.

Moderator: Larry Leibrock, PhD
Associate Dean for Technology
College and Graduate School of Business
The University of Texas at Austin

Panelists: Clif Blanchard
Detective, High Tech Crimes Unit
Austin Police Department

Bobby Crouch
Systems Engineer
Tivoli Systems, Inc.

David Weber
Security Design International

How common is computer crime?

Clif Blanchard (Austin Police Department) reported that, based on a US Department of Justice study, about 64% of the companies polled had reported an intrusion of some kind. Other studies have shown that over 90% of unauthorized network access cases involve former employees. APD is seeing about one computer crime case filed per month.

The way that security breaches are classified tends to contribute to underreporting, according to David Weber with Security Design International. For example, getting access to someone's email is sometimes treated as if someone were reading a paper memo over someone's shoulder. Whether this kind of activity gets included or not varies widely.

Larry Leibrock (University of Texas) concurred, pointing out that many organizations intentionally do not confirm or deny breaches. This is particularly true for federal agencies and for financial institutions. It's also the case that many firms don't even know they've been hacked.

All panelists agreed that the biggest challenge in maintaining good security is the human factor.

For example, in Leibrock's experience, most college students never change their passwords, which typically relate to some aspect of "sex, drugs, or rock & roll."

Even within a security-conscious organization like the police department this happens, noted Blanchard. Two months after an APD security policy overhaul, he still found passwords on post-it notes stuck to monitors (or bottom of keyboards). Security can also be breached if a smooth talker, masquerading as tech support, convinces staff to share their account names and passwords.

A corporate study reported by Weber illustrates the vulnerabilities of password protections. Security consultants were hired to test the security of 1800 corporate user accounts. Their software looked for unprotected accounts and systematically attempted access using a database of commonly used passwords. The results:

111 of the accounts were easily accessed since their password was either the same as the user name or was the word "password."

1,678 of the passwords were cracked within 3 hours using the password database

Only 11 of 1,800 accounts remained secure.

Other examples of common security weaknesses include:

With rapid personnel changes and, in particular with the widespread use of contractors, many networks accounts are left active long after the staff member has left.

Remote Access Services (RAS) are increasingly used with home-based workers. Because they are relatively easy to implement, too often RAS servers are improperly secured.

At least 20% of VISA and AMEX users never check their statement charges, thus hiding some degree of computer based threat.

"Demon dialers" are programs that automatically dial random phone numbers looking for network access points. These programs are quite inexpensive and can be the starting point for an intrusion.

"Cookies," which are small text files stored on your computer by websites you visit, contain data used by that site to personalize your visits. While much of the information isn't vital from a security standpoint, it can include user accounts and passwords. Larry noted that if someone steals your laptop with a full set of cookies, they have stolen a good bit of your online identity.

Recommendations for good security policies

The Basics. Bobby Crouch (Tivoli Systems) emphasized that companies must start with the basics: formulate security policies and practices for password creation and management. These must be widely distributed, training provided, and the policies enforced.

The panelists suggested various basic practices for the creation of passwords:

Require passwords of at least 5-8 characters for all users

Mix upper and lower case since passwords are almost always case sensitive (ex. jollyroger and joLLyroGer would be treated as two different passwords with the second being more secure).

Use special characters such as !@%& in addition to alphabetic and numeric characters.

One good way to create a secure password that can be remembered is to think of a phrase and convert it into an acronym. Example: "Give me liberty or give me death" would become GMLOGMD. Using mixed case and throwing in numbers or special characters makes this less likely to be guessed.

Network security should enforce regular changing of passwords and require that new passwords be different from a certain number of previous ones.

Never use the same password that you use to log onto your office network when you join websites that require membership.

Configure Firewalls Securely. Firms should identify the specific kinds of Internet traffic that will legitimately be required for the company's business, Crouch said. Then tune the firewalls that protect internal networks from intrusion to block other types of traffic. All too commonly, firewalls are not fully configured in this way.

Protecting Intellectual Property. In addition to intrusion detection, computer security also works to protect the intellectual property of organizations, such as documents, contracts, software code, etc. The panelists noted that there are quite a few tools that help to monitor and authenticate the integrity of documents.

These include various 3rd party products that scan emails for key phrases that might indicate a problem. Although this might raise issues of privacy, the courts have ruled that the contents of corporate email systems are the properly of the company.

Digital certificates and Public Key Infrastructure (PKI) as technologies that can ensure that you know who the author of a document is and that it has not been altered in transit.

Digital certificates involve two or more individuals exchanging "keys" that are used to encrypt and decrypt messages between them. The combination of identity and encryption helps to maintain the integrity of the communication, Crouch reported. New government regulations, such as HIPAA (Health Insurance Portability and Accountability Act) are driving the need for electronic document authentication.

However, as Weber noted, PKI is still vulnerable if someone obtains the password that a staff member uses to create the private and public keys. Again, the human factor can be the weakest link.

Biometrics. The panelists briefly discussed "Biometrics," which controls access to computer resources based on thumbprints or retinal scans. While acknowledging that this technique can be effective, it has some downsides:

Users may be resistant due to privacy concerns about the creation of central fingerprint and/or retinal scan databases

Operating System support is pretty limited at present.

The software drivers that support the hardware interface can still be hacked.

Have been expensive to fully implement although the costs have dropped somewhat over the past year.

Security Test Suites. Quite a few tools exist for testing the security environment of an organization.

One of the simplest (and free!) methods is to go to the Gibson Research website (http://grc.com/default.htm) and use its "Shields Up" tool to test your computer for open TCP/IP ports. Ports are used to connect processes on one computer to those of another or to access a remote computer's resources.

Much more sophisticated software packages are designed to probe an organization's security infrastructure for a wide range of know bugs or weaknesses.

The upside of these systems is that they provide a mechanism to test for known issues and then retest later for compliance. The downside is that the threats are constantly changing and the databases are not always kept up-to-date. Cost for software testing suites range from $5,000 to $250,000.

More Education. Larry Leibrock argued that security isn't simply an IT or a law enforcement issue. Schools and corporations need to provide more and better education regarding the ethical use of computing.

He also suggested that corporations would benefit from a healthy respect for their hacker "adversaries." In many ways, the hacker/cracker may represent a different culture within society and understanding their motivations can help organizations design more effective security.

Law Enforcement Perspectives

When asked whether current Texas statutes adequately address computer crime, Blanchard responded: "In a word, no." Partly this stems from the wide range of abuses that can occur and that are sometimes difficult to translate into the criminal code.

For example, one of the most common calls that APD receives is from a person asking them to take action against a former companion who has posted intimate pictures on a website. There is actually no law against this and as long as the pictures were originally taken with both party's permission, there isn't any recourse through the criminal justice system.

Breaking into a computer system, even if a server is brought down, is a Class B misdemeanor. APD has been helping the State Legislature draft bills to add more specific and sophisticated protections but more is needed.

What happens if you catch someone in the act? The key phrase is "breached system without knowledge or consent of the owner."

If it's a virus attack, the FBI can be notified since there are federal statutes covering this kind of activity.

In theory, damages would need to be at least $5,000 before authorities take action. But practically, the threshold tends to be somewhat higher ($20-$50,000). Because of the technical complexity of these cases and the difficulty of assessing damage, the courts sometimes appoint "Special Masters" to assist. Typically, the parties to the case pay for this, not the government.

The penalties meted out for computer crimes can vary widely between jurisdictions. Travis County courts tend to be more lenient than other Texas counties (such as Williamson or Lubbock).

For More Information

The panelists suggest the following websites as good sources of information on security threats and solutions:

CERT website (Carnegie Mellon): http://www.cert.org/ One of the most popular sites for reporting incidents of computer intrusions and virus attacks.

Center for Education and Research in Information Assurance and Security (CERIAS): http://www.cerias.purdue.edu/ Purdue University's site for computer security.

CIAC (Department of Energy): http://www.ciac.org/ Good site for information on viruses and virus hoaxes.

Security Focus http://www.securityfocus.com A comprehensive private site covering security flaws in various operating systems and software.

Hacker News Network http://www.hackernews.com/ Insight into the subculture.

2600 Hacker Quarterly http://www.2600.com/

Electronic Frontier Foundation: http://www.eff.net/ In addition to its other activities, the EFF provides information on creating secure (and private) Digital Identities.

CyberAngels http://www.cyberangels.org/ Internet security site that is more oriented toward crimes against persons such as cyber stalking.

10pht Heavy Industries: http://www.l0pht.com/ Password auditing / cracking tools. Dedicated to ferreting out and exposing security holes in Microsoft and other commercial products.

Internet Security Systems: http://www.iss.net/ Offers the SafeSuite security auditing software and performs security assessments.

Network Associates http://www.nai.com/ Publishers of McAfee Anti-Virus products; also offers a wide range of security tools under its PGP division.

Governmental agencies:

Austin Police Department: www.ci.austin.tx.us/police

US Department of Justice: http://www.usdoj.gov/criminal/cybercrime/index.htm

From David Weber: Hacker Community Resources:
http://www.hackernews.com/
http://www.2600.com/

Computer Security-related mailing lists: http://www.securityfocus.com/

Security Research, Education, and Response:
http://www.cerias.purdue.edu/
http://www.cert.org/

Security Products, Auditing Tools:
http://www.l0pht.com/
http://www.iss.net/
http://www.nai.com/

Patrick Macken is an IT Consultant, Microsoft Certified Trainer and MCSE in Austin Texas. He can be contacted at pmacken@austin.rr.com.

Read More itmWEB Features ...

Please share your thoughts and comments regarding this feature. You can do so by posting to our Hot Topics Forum.

Return to The itmWEB Site™