List:       isn
Subject:    [ISN] Cracking the Code
From:       mea culpa <jericho () dimensional ! com>
Date:       1999-03-17 15:36:17


http://cgi.pathfinder.com/time/magazine/articles/0,3266,21458,00.html
MARCH 22, 1999 VOL. 153 NO. 11

Cracking The Code
BY CHRIS TAYLOR

The dress code is business casual--no jeans allowed, not to mention
pierced noses. It's the first day of class--hacking class--and the
instructors, smartly attired in matching corporate polo shirts, point at
screens full of code and step-by-step directions on how to hack a host
computer. "Get this:  No username, no password, and we're connected," says
one. "I'm starting to get tingles. They're going to be toast pretty
quick." Geekspeak, at least, is still de rigueur. 

In the world of corporate espionage, a company's host computer is the
mother lode, which means that protecting it is vital. That's the goal of
Extreme Hacking, one of a growing number of counterhacking courses that
teach perfectly respectable people the how-tos of cracking their own
networks so they can better protect them. "We're kind of wearing the white
and black hats at the same time," says Eric Schultze, the Ernst & Young
instructor who gets tingles from an exposed password file. 

How easy is it to hack? If these guys can teach a novice like me how to
break through a firewall, I figure, then all our networks are in trouble.
Guess what? All our networks--at least, the ones without encryption keys
or extremely alert administrators--are in trouble. Why? Because this is
the information age, and the average computer gives up far too much
information about itself. Because a network is only as strong as its
weakest user. And because the most common log-on password in the world,
even in non-English speaking countries, is "password." With users like
this, who needs enemies? 

How big a problem is this in the real world? "Rarely is there a moment
when a hacker isn't trying to get into our networks," says a senior
Microsoft executive. "People go looking for that weak link."  Recently
hackers found a backdoor through a user in Europe--an administrator, no
less--with a blank password. This allowed the hacker root access--the
ability to change everyone else's password, jump onto other systems and
mess up the payroll file. 

In our first class, we have no problem rooting around in the Web servers
of a top Internet company.  We find three open ports on the firewall and a
vulnerable mail server. "This network is a f___ing mess," says a
classmate. "We need to have a word with these people." 

Over the next few days, any faith I had in the security of the world
around me crumbles. Think your password is safe because it isn't
"password"? If it's in the dictionary, there is software that will solve
it within minutes. If it's a complex combination of letters and numbers,
that may take an hour or so. There is software that will hijack your
desktop and cursor--and you won't even know about it.  Hacking doesn't
require much hardware; even a Palm Pilot can do it. What protection do you
have?  "Minimize enticements," say the teachers. If you don't want to be a
victim of information rape, in other words, don't let your network give
out so many details to strangers. 

Old-school hackers scoff at the notion that businesses can stop them.
"Corporations can't teach hacking," says Emmanuel Goldstein, editor of the
hacker quarterly 2600. "It has to be in you."  Perhaps. But if a few more
firms learn to avoid becoming toast, that's no bad thing. END


-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Internet Security Institute [www.isi-sec.com]