Quest For Security

It's 3 a.m. The rest of the world is asleep. Sitting in his underwear in front of his computer, a 15-year-old hacker scans the Internet. He finds your office computer. Instantly, he enters it, blowing past your firewall, thwarting your intrusion detection system. He inserts his rogue code into your operating system and turns your machine into his slave computer. Then — using your computer — he overcomes the security defenses of the National Security Agency where he changes NSA passwords and starts browsing, copying and moving files around — a kid in a cyber candystore.

Virtual Security

Constant vigilance is key to safeguarding against the new generation of hackers


by Keenan Davis
reprinted with permission from Comstock Magazine


Meanwhile, one of his friends across the country hacks into the computer system of a company that processes credit card transactions for Web sites. He goes deep into the system, finds and downloads the credit card files of 1,200 customers, with their Internet addresses, usernames and passwords. After clicking to a hacker community Web site, he launches his furtive attack on those 1,200 home and office computers, implanting each with his stealth code which lies dormant until he issues further attack instructions hours, days or weeks later. At his signal, 1,200 "drones" will simultaneously attack the specified target. It could be Yahoo or AOL. It could be your local Internet Service Provider - PacBell.net, JPSnet, or Quiknet. It could be any business with a Web site. What is clear: the attack will tie up systems and system administrators for hours.
Welcome to the brave new world of computer insecurity. It's a world of stealth software and denial of service attacks, of worms and viruses, spam storms and mail bombs, script kitties and drone bots. And it's a world we're going to inhabit for a long time.
Tim Burke, CEO of Quest, a Sacramento-based technology consulting firm, has watched this world evolve at lightening speed and has positioned his company to join the battle while growing from a company selling office supplies to more than $100 million in revenue as a technology consulting and management firm. Burke's current customer base includes companies with 200 users or more, but he says this ever-widening wave of computer security risks extends to even very small users. "Companies believe that security is static, like a medieval castle. They say, 1 built a firewall and now I'm safe.' A lot of companies don't understand that the security process needs to be managed regularly."

Hard Numbers
The incidents cited at the beginning
of this article are not fiction. They are real and widespread. With some variation, they happen every day; in fact, several hundred times a day - both across the country and here in Sacramento. And the frequency and dollar damage caused by cybercriminals have grown exponentially. The Computer Emergency Response Team Coordination Center ("'CERT") at Carnegie-Mellon University in Pittsburgh, Pennsylvania, tracks such activity. Their statistics show a four-fold increase in the last three years. In 1999, there were 9,859 incidents reported to CERT; in year 2000 the number increased to 21,756 break-ins. For the first three quarters of 2001, the number stood at 34,754.
Likewise, the Computer Security Institute in San Francisco conducts nationwide annual surveys of computer security personnel. According to this year's survey results, the threat is greater than ever, increasing at exponential rates with no sign of abatement.
The Sacramento Valley Hi-Tech Crimes Task Force, an intergovernmental organization dedicated to preventing and solving high tech crimes, is the largest law enforcement organization of its kind in the United States. According to Captain Jan Hoganson of the Task Force, local computer security problems are rising just as quickly. Between December 1999 and March of 2000, there were 200 reported break-ins in the private sector and 100 in the government sector.
Damage costs: $15-billion in losses last year due to network security breaches, viruses and other hacker attacks according to RBC Capital Markets' 211-page research report, Safe and Sound, a Treatise on Internet Security.
The Sacramento dollar figures are also rather large. For the nine-county region served by the Hi-Tech Crimes Task Force, in 2000, private sector computer crime damages alone totaled $411,000.
So while the current economy is in slow-down mode, cybercrime and security breaches are clearly a wildfire growth industry and so are businesses and organizations specializing in stopping the growth.

Fuel for the Fire
Why the sharp spike in computer crime? According to industry experts, several factors are at work. First is the development of more sophisticated attack tools. Hackers now have at their disposal an array of software automation tools which generate software source code, send pinging signals to detect the presence of other computers, distribute the code to unsuspecting computers across the Internet, and imbed other systems with the malicious code.

Second, standardization. The more computers run the same software as everyone else, the more prone they are to attack. Since a large number of users rely on a small number of popular computer operating systems, a would-be hacker only has to


create instruction for a small variety of systems.
Third is the rise in use of "always on" Internet connections like DSL and cable connections. These open connections are more likely to be victims of attack since they are always available for invasion.
A fourth factor is the increasing number of hackers. Steve Daugherty, longtime security expert for Earthlink, the nationwide Internet service provider with a large presence in Sacramento, says the typical profile of a hacker is male, 12 to 25 years old, curious in a destructive way and heedless of laws, security defenses and property rights. In his experience, there are more of them now than ever before.

A Diverse Arsenal
Just as the number of computer security violations is increasing, so too is the variety of violations. A malevolent person's computer can be a silent accomplice to denial of service attacks, creation and propagation of worms and viruses, running of mail bombs and spam storms, Cybersquatting, theft of trade secrets, credit card fraud, identity theft, invasion of privacy, employee abuse of Internet access privileges including downloading pornography, financial fraud, and in-house vandalism. The list is endless.
Have you ever clicked on Yahoo and found the wait interminably long (other than on a Sunday evening, the highest Internet traffic peak)or the site non-available? The site was probably suffering from a denial of service attack and its normal channels of communication are flooded with bogus requests for service. In a denial of service attack, multiple servers are remotely commanded to flood a particular Web site with so much traffic that it is rendered inaccessible to legitimate Internet traffic.

According to Stefan Savage, computer science professor at UC San Diego and cofounder of the Internet security company Asta Networks, there are at least 4,000 denial of service attacks each week. Not all of these attacks result in severe damages but they certainly take up time, money and effort to combat.
And no system is immune from these attacks. The American mecca for computer security, matters, The Computer Emergency Response Team Coordination Center ("CERT") at Carnegie-Mellon University itself was hit severely earlier this year. It was flooded with millions of simultaneous data requests. Result: it was impossible to access the Web site for 24 hours. These sorts of attacks happen almost daily to major Web sites. In 2001, the FBI's Web site was hit. Microsoft's Web site was hit last year, cutting it off from legitimate users for more than 24 hours by two attacks. White-house.gov is the subject of frequent attacks.
Bottom Line
Spending money to create a more secure system is inevitable. Spending on computer security is predicted to grow from $13.5 billion this year to $31.8 billion in 2005. The message is plain that computer security is serious business and does not come cheaply.
Building a safe system takes planning and money. There is an inevitable tradeoff between security and economy. Because the benefits are not so readily visible, businesses are sometimes loathe to spend money on security.
Mike Dillon, director of professional services at Quest, analogizes the computer security to an insurance policy, saying "while no business will knowingly underinsure, there is a tendency to pay lip service to computer security, then to spend less and get less. Often companies will want to 'go cheap' but they are playing with their assets."
Better to build a safe system. According to Dillon, the first step in securing your network from unwanted access is to have a workable network security plan in place. The plan should be based on the sensitivity of the data being secured. If your staff doesn't have the expertise to create such a plan, then you can hire local consultants to help you create it.
Minimum is firewall and intrusion detection, along with some means to also detect anomalous activity within your own system uploading to the Internet. Separate functions, access and software. Maintain the integrity of passwords and other "human-related" security measures.
Not many companies have the expertise or time to do what Patrick Tully of Mindset Software in Sacramento did in response to an attack. In 2001, Mindset's hard drives were being used as a cyber-parking lot by a group of rap music distributors. Mindset took matters into its own hands, traced the originator of this cyber-squatting ploy, contacted them directly, and mentioned the word "FBI". The music distributors apologized and offered free copies of their music as penance.

Firewall
A firewall is a mechanism for protecting a corporate network from external communications systems such as the Internet. A firewall typically consists of a PC or Unix machine containing two network interface cards (NICs) and running a special firewall program. One network card is connected to the company's private LAN, and the other is connected to the Internet. The machine acts as a barrier through which all information passing between the two networks must travel. The firewall software analyzes each packet of information passing between the two and rejects it if it does not conform to a pre-configured rule.

FTP
File Transfer Protocol. The method by which files can be transferred over a TCP/IP network. Anonymous FTP is the system which allows transfer of files over the Internet where the user receiving the files need not have a valid account name and password on the system being accessed. He does, though, only have access to files which have been designated as available to anonymous FTP users by the system administrator.

SATAN
Security Administration Tool for Analyzing Networks. Written by Dan Farmer and Wietse Venema and released on 5 April, 1995. SATAN is, in many ways, the forerunner of today's intrusion detection products. It probes systems looking for vulnerabilities. It works by telnetting to one port after another of the victim computer. It determines what program (daemon) is running on each port, and determines whether that daemon has a vulnerability that can be exploited. SATAN can be used by system administrators to audit their own system security, or it may just as easily be used by a hacker to break into someone else's computer. Toward the end of 1996, Dan Farmer used SATAN to survey the security of 2,200 of "the most interesting sites - banks and credit unions, some US federal computers, newspapers and some pure online Internet commerce systems." Farmer found that "over 60 percent could be broken or destroyed (ie, all network functionality deleted or removed)." Furthermore, "no attempt was made to hide the survey, but only three sites out of more than 2,000 contacted me to inquire what was going on when I performed the unauthorized survey - that's a bit over one in one thousand questioning my activity."

SNIFFER
A program that monitors network traffic. Sniffers are used to capture data transmitted on a network.

SPAM VT.,VL.,N.
[from "Monty Python's Flying Circus"] 1. To crash a program by overrunning a fixed-size buffer with excessively large input data. See also buffer overflow, overrun screw, smash the stack. 2. To cause a newsgroup to be flooded with irrelevant or inappropriate messages. You can spam a newsgroup with as little as one well- (or ill-) planned message (e.g. asking "What do you think of abortion?" on soc.women). This is often done with cross-posting (e.g. any message which is crossposted to alt.rush-limbaugh and alt.poli-tics.homosexuality will almost inevitably spam both groups). 3. To send many identical or nearly-identical messages separately to a large number of Usenet newsgroups. This is one sure way to infuriate nearly everyone on the Net. The second and third definitions have become much more.