Patrick Hynes, a baby-faced computer hacker, stared at a PC monitor and observed, “All we have to do to shut down their database is click the Stop button and they’re out of business until they figure out what’s going on.”
Fortunately for the company involved, the finger on this corporate electronic carotid artery is a friendly one.
Hynes, 27, is a paid cyber burglar–and a manager in Ernst & Young’s e-security solutions group, part of the burgeoning Internet security business.
As electronic commerce on the Internet expands, so has the proliferation of hacking. There are thousands of ways to break into a computer and a large community of hackers, ranging in sophistication from hobbyist novices–so-called script kiddies–capable of launching automated programs that probe the defenses of computer systems, to obsessive, highly skilled programmers who plot meticulous break-ins against heavily fortified sites.
Instead of hacksaws and crowbars, on-line trespassers use widely available freeware, like Back Orifice, which is used for taking over computers from remote locations, and scanning tools, like Nmap, which enable the cyber equivalent of a stroll through a neighborhood looking for unlocked doors.
Hynes and his colleagues are white-hat hackers, attacking a corporate computer system to identify vulnerabilities and recommend fixes.
Hacking, or at least worrying about it, came naturally to Hynes. As a student at the University of Michigan in the early 1990s, he managed the business school’s computing lab when the Internet was still mainly a research network and academics plugged into it with no thought of safeguards. “At that time there wasn’t even such a thing as a firewall,” Hynes said. “You always had to be vigilant for people trying to take the server down.”
Nowadays, with the Net a thriving multibillion-dollar infant commercial medium, it takes real money just to learn about the weaknesses of your electronic network perimeter, let alone fix them. A friendly hack by Hynes and his colleagues runs from $25,000 to $100,000.
On the other hand, a nefarious hack can cost far more than that in unscrambling tainted files, bad PR or, worst of all for an e-business, a closed-down Web site.
What makes the cost-benefit analysis difficult is that most external “attacks” are the ineffectual gropings of amateurs, said Charles Rutstein, a networks analyst with Forrester Research, of Cambridge, Mass.
“One way to do it is to look at security as insurance,” spending in proportion to the value of the information needing protection, Rutstein said. “You wouldn’t spend a million dollars to protect something worth $100,000.”
But Hynes said there’s still a reticence to underwrite security among executives conditioned to expect a tangible return for every outlay. “Really, companies don’t like to spend money on security,” he said. “It doesn’t directly help the bottom line.”
Hynes does his best to convince clients that a bigger security budget might be in order.
“It’s sort of an eye-opener for the executive management that brings us in,” Hynes said, noting that “we get in most of the time,” usually within a couple of days.
As a general rule, “if it takes less than a week, they’ve got concerns,” he said. “More than a week, they’re pretty good.”
Though the visible veneer of hacking involves a numbing layer of acronyms and abstruse computer jargon, a successful invasion depends as much on human behavior as on technology.
For companies delving into e-commerce for the first time, there’s a tendency to slough off safeguarding measures. “Their focus is not on security,” Hynes said. “It’s making sure that the system is up and running, that the users are happy.”
Furthermore, the vigilant, almost paranoid posture of secure computing rubs many people the wrong way. “I think it’s the nature of the individual to trust,” Hynes said. “It really kind of goes against that tendency, that you have to be suspicious.”
You also have to put up with a certain amount of tedium and inconvenience adhering to the rigorous routines of password protocol, audit trails and other security measures.
The common pathway for computer intrusion is through a Web site or a mail server because these offer a bridge from the outside world into a business’ purportedly closed system. Most of the techniques used to press an attack employ widely available diagnostic software tools used in routine system maintenance.
In one recent attack on a client system, Hynes began by compiling a list of a company’s Web sites, available from a master list of Internet domain names kept by Network Solutions Inc. (www.nsi.com). Besides the domain name, the NSI database lists the specific cyber location–the Internet Protocol address–of the server doing the hosting.
Hynes plugged the IP address into freeware called Work Station Ping Pro Pack, to glean information on what kind of operating system a business is using. Operating systems use telltale logical pathways or ports to convey information about themselves. Windows NT, Microsoft’s widely used corporate level server, for instance, receives information on ports 135 to 139.
Once he knows the kind of operating system he’s dealing with, Hynes can concentrate on its known vulnerabilities. He can consult a Web site like www.cert.org, which is essentially a catalog of the ongoing cat-and-mouse games between hackers who find and exploit security holes and programmers who fix them.
There is, for instance, a well-known glitch in Microsoft’s Internet Information Server 4.0 that allows intruders to execute arbitrary commands, including crashing server processes.
A hacker can look for that application within a company’s computer environment to see if an administrator has applied the Microsoft-supplied fix to the problem or if the flaw remains exploitable.
With another diagnostic tool, Hynes learned the names of specific computers on a network. Monikers like “HR” and “Payroll” are giveaways of the boxes’ function and help in zeroing in on targets.
With what he already knows–the type of OS and specific names of computers–Hynes usually can anonymously log onto a network and view any information that is shared within it, like who the administrator is, who the users are and when they changed passwords.
Noting that one user last entered a new password last November, Hynes observed, “he doesn’t change a password regularly.”
Hynes recommends changing passwords every 90 days. Keeping the same password for longer than that increases the chances that the user will breach security by telling someone else and gives a hacker more time to work mischief.
Administrators are a subject of special hacker interest. They have access to multiple programs, or local accounts, on a network and sometimes forget to safeguard each of them.
Think of a group of trailers, Hynes said. When one is parked by itself on a street, you wouldn’t dream of leaving it unlocked. But if you moved it into a fenced compound with other trailers, you might leave individual units unlocked, counting on the fence to provide security.
That’s the attitude some administrators have about securing individual accounts with distinct passwords, Hynes said. “What frequently happens is administrators forget about local accounts,” he said.
If an account doesn’t have a password, Hynes can log in, steal sensitive data, delete files and wreak other havoc.
Even a password, however, is no guarantee of security.
Passwords for Windows NT applications are up to 14 characters long and are encrypted–buried in strings of code with 32 or more characters.
No problem. Hynes can run a program like L0phtcrack, a simple version of which compares encrypted passwords with all of the words in a dictionary until it finds matches.
Most simple passwords, like people’s names, get cracked in minutes.
But for longer, more elaborate passwords, involving combinations of letters, numbers and symbols, cracking programs need time, sometimes as much as a couple of weeks, Hynes said.
Like a lot of tools used by hackers, L0phtcrack is marketed as an aid for IT managers to identify system weaknesses. It’s a measure of the rapid evolution of microprocessors–their power has increased roughly one million-fold over the last 30 years–that such powerful cracking tools can operate on a Pentium II-based PC.
That’s one of the reasons stealth is critical to a hacker and one of the reasons consultants recommend that IT managers install intruder detection software, which can be programmed to send e-mail warnings to administrators, or even shut down a network if computers have been altered to “listen” to others.
Another obvious software countermeasure is installation of a firewall, which functions much like a drawbridge, controlling access to the network castle.
Firewalls can prevent would-be intruders from learning what kind of operating system is in use and can collect a wealth of information on unauthorized probes, Hynes said.
Built-in features such as internal auditing, which tracks user travel on a network, can create a lot of extra work and slow down a system, but can help a network manager spot an intruder or unauthorized user.
“You have to strike a balance” between burdening employees and computer operations on one hand and collecting useful data on the other, Hynes said.
Indeed, finding a balance between panic and a common-sense digital safety patrol is not easy.
“There’s a huge debate in the security world about whether quantifiable risk analysis is possible,” said Jay Heiser, a northern Virginia-based security consultant for International Network Services. Security gurus agree that certain baseline measures, like use of firewalls, are no-brainers.
“It’s beyond that the argument begins,” Heiser said. “It’s alchemy right now. People don’t know.



