|
|
 |
|
 |
Hacking into the mind of a
hacker | |
| back |
The
first thing to know about computer "hackers" is
that the term itself is a point of
dispute.
Many people who hack into systems
without criminal intent proudly label themselves
"hackers," and say they're the good guys and the
bad guys should be called "crackers" or something
else. "Hackers are not evil, malicious people out
to damage computer systems and steal passwords.
Hackers hate these kind of people," read one
e-mail I got after I wrote a column about virus
writers.
Others argue that "hackers" represent
both good and bad guys — people who explore and
"test" systems for a living or a hobby, as well as
those who break into systems to embarrass or rip
off companies and people. "Just like in the Wizard
of Oz, there can be good witches and bad witches.
In the world of hacking, it goes the same way,"
wrote a reader.
Indeed, all "hackers" aren't
criminals. Both good and bad share a common bond
and form a highly caffeinated community where the
lines get blurred. At several hacker conventions
each year, they talk, among other things, about
networks compromised, databases mined, or products
where they've found holes. Some are like
twenty-something Marc Maiffret, who calls himself
"chief hacking officer" at eEye Digital Security
in southern California. They begin hacking
networks as naive teenagers, learn the ropes and
then put it to use as consultants or corporate
security czars.
My purpose with this column is
to explore the mindset of people who break into
systems with malicious intent, and then to offer
suggestions on how to protect your own system.
These people, predominantly males, represent
serious threats to the safety of networks and
users. Bob Sullivan, a veteran MSNBC.com reporter
who's covered the hacker community since 1997,
refers to the threatening ones as "computer
criminals," "attackers" or "online thugs" —
something other than "hacker" to avoid confusion
or controversy. I'll follow his
lead.
Important things to know about the
bad guys: |
 |
Hackers in
general, and computer criminals in particular,
love the power of control. "For many,
it's more about the thrill of technology than
active malice," says Richard Ford, a security
expert and former chief technology officer for
Cenetec Ventures. "It's a puzzle to solve, a
game to play. For some, it's about money,
although these seem to be few and far between."
Adds Simson Garfinkel, a computer security
researcher and the author of several books on
security: "The bad guys want to control as many
machines as possible. The majority are in it for
fun. They attack the machines of their enemies
and of companies. Yet many who break in for fun
graduate to breaking in for monetary
gain." |
|
They cause the
most damage with data theft and fraud.
While technology today is generally becoming
more secure, breakdowns are continually
exploited and the Internet is ballooning so fast
that online thugs have new opportunities EVERY
time they boot up. According to statistics from
Carnegie Mellon University's CERT Coordination
Center, the number of cyber-security incidents —
break-ins, virus attacks, etc. — ballooned in
2003 to nearly 138,000, up from 82,000 the
previous year. While viruses remain the most
common type of cyber-attack, the FBI/Computer
Security Institute annual survey in 2003 found
those aren't the most damaging. The 530 survey
respondents reported a total annual loss of .1
million due to theft of proprietary data, and .6
million due to denial of service, compared to .3
million from viruses. |
|
Many companies
allow attackers to get away with it.
The same FBI survey cited above found that only
50% of the respondents reported computer
breaches to authorities. Many cited fears of
potential bad publicity. MSNBC's Sullivan
illustrated just how attackers can take
advantage of companies in a 2002 story about his
e-mail interview with "Zilterio," a noted
extortionist whose real identity is a mystery.
For more than a year, Zilterio hacked into
financial institutions and online businesses,
stealing data and then demanding extortion
payments. He claimed nine firms paid him 0,000
in "quiet money." While this claim couldn't be
verified, Zilterio is indeed being sought by the
FBI for extortion, Sullivan reported. |
|
Any business
with a Web site is a target. Many of
today's online thugs use scanners to track
unprotected Web sites and networks to attack,
says Garfinkel, co-author of "Web Security,
Privacy and Commerce." Some can scan hundreds or
thousands of sites in a matter of seconds.
Garfinkel's own site is protected by a firewall
that can track how many times it has been
scanned by potential intruders. One particular
day, he counted 289,000 different scans,
including 1,044 by the same would-be attacker.
"Once they find a vulnerable site, they set up
their attack tools," he says. Adds eEye's
Maiffret: "Know that you could be a target. It
doesn't matter what business you are
in." |
|
Attackers will
get bolder — with blended threats?
That's the fear of Sarah Gordon, senior research
fellow at Symantec's security response unit and
an expert on the psychology of computer
criminals. By "blended threats," she means
break-ins combined with virus infections and
other methods of destruction, all of which could
take down companies' networks in a matter of
minutes. Ford agrees. "Massive numbers of
systems could be compromised, leading to huge,
nationwide outages. Fortunately, we haven't seen
this happen. But I do believe it's a matter of
when, not if." So much of the software on
computers today is similar, he says, so a
problem for one computer is likely to be
replicated in others. Gordon adds that with
mobile phones and other devices connecting
networks to the Internet, attackers have more
entry points. | |
| So,
how can you protect yourself? Here's what the
experts say. |
|
1. |
Have the best
security protection you can afford.
Companies with sensitive data need to go beyond
basics of antivirus and firewall protection and
get intrusion-detection systems and, perhaps,
software that pinpoints the vulnerabilities of
your system and recommends fixes (see
www.eeye.com for more information). Never get
complacent — criminal hackers thrive on
penetrating "secure" systems. |
|
2. |
Develop your
own company's security policy and
guidelines. Put it in writing, and make
security a companywide effort. Don't let your
employees get away with leaking sensitive
information — absent-mindedly or
otherwise. |
|
3. |
Invest in your
security personnel. They need tools,
training, resources and some authority to make
decisions. For many small businesses, managed
security services by third-party vendors are the
best option, Gordon says. |
|
4. |
Report
computer breaches, and don't cave in to
extortion threats. If you are
victimized, authorities should be notified, as
embarrassing as it may be to you. If you're
confronted by an extortionist, don't
automatically assume the criminal has all the
info he needs to ruin your business. It may be a
prankster testing you. "If you aren't
intimidated, there may be nothing he can do,"
says Sullivan, who hears a lot about these
pranks. "Bottom line, know your
leverage." |
|
5. |
Educate young
people on computer morals and ethics.
Gordon believes strongly that today's young
people need more guidance from parents and
teachers on what's right and wrong on a
computer. A greater emphasis now may mean fewer
computer crimes
tomorrow. | |
| |
| back | |
| | | |
