Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
10Nov98 UK: NET OPENS TO SABOTAGE.
By SEBASTIAN SMITH.
* Security LONDON: The young man perusing a bank's Web site on his laptop
computer in a London hotel hardly looks a threat, but within 10 minutes he
is able to infiltrate the company's main computer system and cause havoc.
"Now we are on the inside of the protected network and can access any
machine," David Litchfield says, demonstrating an attack.
The bank and its Web site are fictional, but the hacking techniques are
absolutely real.
Hacking is increasingly sophisticated, and companies are increasingly
vulnerable because of the use of Internet Web sites, says London-based
computer security consultancy Diligence, where Litchfield is an ethical
hacker testing clients' systems.
Web sites give the public a window on a company, but sometimes also an
entry point to information thieves and saboteurs, who can destroy company
files or simply write insults all over the site.
Hackers may target companies for money, like the Russian 24-year-old who
stole $US2.8 million ($4.4 million) from Citibank New York in 1994, and
even threaten a country's national security.
In March, an Israeli teenager hacked the US Pentagon computer, while in
April a Canadian hacked his way into the US space agency, NASA, and FBI
networks. Litchfield's method was to trick the Web site into revealing the
password for entering the fictional company's hard disk.
Another method is to crack a computer's entry code with systems available
on the Internet from hacking clubs such as Cult of the Dead Cow.
These groups also thoughtfully provide programs such as Back Orifice,
which give a hacker unseen control of a computer after entering in the
guise of an e-mail. In the hacking world, this is called a Trojan horse.
For major companies, the standard defence is the firewall, an electronic
guard system that keeps out unwanted visitors.
But these are often not properly adapted to conform to a company's
changing network of computer technology, and that leaves holes in the
wall, Diligence information security director David Cazalet says.
"The problem is that firewall vendors sell the firewalls on the basis that
they're totally secure," he says.
"Firewalls need to be reactive to change. It's largely a question of
ignorance, of education."
Diligence says it has recently successfully penetrated the defences of
FireWall-1, made by Check Point Software Technologies, the world market
leader.
Cable and Wireless Communications security manager Julie Wilkerson was
less alarmist, saying: "I don't think we need to be unduly scared of
firewalls." But, she too conceded: "Firewalls can be hacked."
Ironically, company computer systems are most vulnerable to their own
disgruntled or dishonest staff.
"More difficult is internal security - people who are supposed trusted
employees," says Andy Sawyer, from USbased ODS Networks, which is in an
alliance with Diligence.
ODS offers a software called CMDS that was developed by the US government
to catch spies and now can be turned against employees misusing their
computers.
With zeal that would make Big Brother proud, CMDS monitors every move of a
computer user, building up a complex profile of what sort of commands are
made, when and how often. When the profile changes unexpectedly, security
management finds out.
"A full pattern of behaviour is built up in each user," Sawyer says.
"We can begin to scrutinise a user, intensify observation then, as the
user begins to misbehave, his picture flashes up and his extension will
appear." Stephen Cobb, a leading US computer security adviser, called the
internal watchdog "a demonstration of where things are headed".
AUSTRALIAN 10/11/1998
-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Tue Nov 10 08:41:07 1998