1 October 1999

A superhighway robbers’ paradise

Securing the World Wide Web is a never-ending battle – and the good guys seem to be losing. David le Page reports

Imagine stealing R5 from every credit card holder of a major South African bank. Well, you’re too late. Someone’s already done it, according to an informed source.

The tactic was ingenious – few people check their statements carefully; fewer still are likely to notice or pursue a missing R5.

The bank isn’t about to admit it, though. Banks like to avoid that kind of publicity. But the very fact that it happened is a symptom of a bigger problem. For despite being prowled by crackers, despite South African e-commerce alone being likely to total nearly R4-billion in 1999, the local Internet is about as secure as a “luxury German sedan” in Alexandra.

Not that South Africa is unique. Perhaps 90% of local websites are wide open to attack by the unscrupulous. The international figure is about 80%, according to Rosemary O’Mahony of Andersen Consulting Europe.

Despite 30 years of cracking, and break-ins to major websites, computer security remains pretty feeble around the world. Recent high-profile break-ins include the government’s Statistics South Africa website and a major East Timor site hosted in Ireland (visit www.2600.com for a list of hacked sites and system vulnerabilities).

Crackers are hackers (programming adepts) who gain illegitimate access to computer systems, for the hell of it, to exploit the system’s resources or to steal or destroy information.

Gary Middleton, sales manager for Didata Security, says companies often imagine that just because ”we’re on the bottom end of Africa”, they are somehow less vulnerable. In fact, the Internet makes everyone connected to it equally vulnerable.

Ignored, that vulnerability can be expensive. An FBI survey on network security determined that the average security breach costs $575 000 to repair. Most of that goes to marketing and public relations work needed to restore public confidence in the company.

Among the global ranks of the digitally vulnerable are some surprises. The United States military is not the paranoid animal we always thought it was, judging by the state of their computer security. A 1999 US General Accounting Office report says: “[Control weaknesses reported in 1996] persist across every area of general controls.”

So what should be done? Ask an IT manager what the state of security is on the Internet-connected systems he or she administers, and you’ll immediately be told: “We’ve got a firewall.”

What does this actually mean? Bear in mind that the Internet works by shunting around billions of little “packets” of data. A firewall behaves rather like a security guard.

When those data packets arrive at the gateway to a company network, the firewall immediately asks: “Who are you? Where do you come from? What do you want?” It even makes you “fill in your details on the form”, logging the answers. If the answer to these questions is satisfactory – “I’m just requesting a page from your website.” – that data packet will be admitted.

Firewalls can be extremely effective. Unfortunately, three out of five companies experience break-ins after they have installed firewalls.

The problem, according to senior manager Chris Budnik of Deloitte & Touche, is that firewalls lull people into a false sense of security.

Firewalls are set up using a list of rules, rather like a security guard’s checklist. But those rules can be muddled by an inexpert administrator, or relaxed when there is pressure to “just get the damn thing working”. One cracking tactic is simply to swamp the firewall with so many service requests that it cannot cope, and as with a busy security guard, an illegitimate request can simply slip through.
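An added illustration of the “checklist” point above (not code from the article): a toy first-match packet filter that logs every decision, plus a small audit that flags rules made unreachable when a blanket allow is dropped in above them. The rules, addresses and field names are hypothetical.

```python
"""Toy first-match packet filter, modelled on the article's security-guard checklist.
Each packet is asked who it is (source address) and what it wants (destination port);
the first matching rule decides, and the decision is logged. Added example, constructed data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address of the packet
    dst_port: int   # requested service, e.g. 80 for a web page


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    src: str                  # CIDR range the packet's source must fall in
    dst_port: Optional[int]   # None matches any port

    def matches(self, pkt: Packet) -> bool:
        in_net = ip_address(pkt.src) in ip_network(self.src)
        return in_net and (self.dst_port is None or self.dst_port == pkt.dst_port)


def filter_packet(rules: List[Rule], pkt: Packet, log: List[str]) -> bool:
    """First-match evaluation; every verdict is logged ('fill in the form')."""
    for rule in rules:
        if rule.matches(pkt):
            log.append(f"{pkt.src}:{pkt.dst_port} -> {rule.action} ({rule})")
            return rule.action == "allow"
    log.append(f"{pkt.src}:{pkt.dst_port} -> deny (default)")
    return False  # nothing matched: implicit default deny


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Audit: rules that can never fire because an earlier rule already covers them."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers_src = ip_network(later.src).subnet_of(ip_network(earlier.src))
            covers_port = earlier.dst_port is None or earlier.dst_port == later.dst_port
            if covers_src and covers_port:
                out.append(later)
                break
    return out


# Careful ordering: web traffic allowed, a remote-login port explicitly denied.
GOOD_RULES = [Rule("allow", "0.0.0.0/0", 80), Rule("deny", "0.0.0.0/0", 23)]
# "Just get the damn thing working": a blanket allow at the top shadows everything below.
MUDDLED_RULES = [Rule("allow", "0.0.0.0/0", None)] + GOOD_RULES
```

Running `shadowed_rules(MUDDLED_RULES)` reports both original rules as dead, which is the kind of finding a periodic configuration review (Budnik’s questions below) is meant to surface.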

Budnik says since IT people are usually not security people, their focus is more on getting the system to work than on ensuring invulnerability.

What are the questions you could be asking an IT manager about your company firewall? Says Budnik: “When was the firewall installed? When was its configuration last reviewed? How often are the logs checked? When was the firewall last tested for vulnerability? Do you have all the skills you need to properly run the firewall software?”

As new cracker exploits and software vulnerabilities are discovered (such as in Microsoft’s recent Hotmail debacle) constant revision is needed; what was secure in August may not be secure in October.

“Extranets”, private networks shared between companies, are new sources of vulnerability. However good your security, if that of your partner is poor, it opens you up to attack.

How does a cracker set about breaking into your system? One technique might be “war-dialling”. Suppose your company’s switchboard number is 43-3000. There is a good chance that 43-3001 to 43-3999 are direct line numbers. And there’s a good chance that on one of those numbers a modem is waiting for company personnel to dial in to connect to the company network. The line is not on the Internet, so there’s no firewall.

The cracker simply writes a simple program instructing his PC to dial all those numbers, and to log those at which a modem responds. Once he (they almost invariably are he’s) has those numbers, he can find his way in, exploiting published vulnerabilities to do so. If passwords have been poorly chosen – words like “cucumber” rather than “d7X*slwf937” – getting in is all the easier. Once in, he can create a “side door” accessible over the Net.

The risk involved in having a vulnerable system depends on the value of data on the network. Credit card information from e-commerce transactions stored on a company network is very valuable data indeed.

But other kinds of information can be valuable. If a cracker accesses a company’s interim results before they are published he can make money from the information. This kind of attack doesn’t change or destroy data, making detection less likely.

How secure is the average Net user? A computer’s address on the Internet is written as an Internet protocol (IP) address, something like “127.0.0.1”. These numbers never change for machines permanently connected to the Net, but if you dial up from home, your service provider allocates you a new IP number each time, making it harder for crackers to target you.

As for using your credit card over the Internet, even without the use of Secure Sockets Layer (SSL) encryption, such as that used in online banking, you’re not at much risk. Handing your credit card to a waiter in a restaurant is far, far more risky.

Your real concern should be the network security of companies to which you submit credit card information, such as online stores. Even high-profile companies can be vulnerable to attack.


But 60% of attacks are internal: this makes SSL protection of banking information, for example, almost pointless. Banks and companies need to ensure that information is encrypted when stored, and that internal procedures ensure its protection.

Recently, a group of hackers (not malicious crackers) collaborating over the Internet set out to survey its vulnerabilities. They built and tested the Bulk Auditing Security Scanner (Bass), which would probe Internet hosts for 18 possible weaknesses. Using publicly available information, they compiled a map of the Internet and its multitudinous nodes.

They tested Bass on Israel, revised it, tested it on the United Kingdom and then scanned 36 431 374 “hosts” – individual computers – worldwide. It took 21 days. During that time, they survived several “counter-attacks” from system administrators who objected to having their pet systems probed. With this entirely automated, simplistic approach, they uncovered 450 000 vulnerable hosts.

Their conclusion is sharp and deeply alarming: “We were stunned to find just how many networks you would expect to be ultra-secure were wide open to attack. Banks, billion-dollar commerce sites, computer security companies, even nuclear weapon research centres, goddammit!”