Who's knocking at my backdoor?

Hacking for fame, lawsuits and jail time, and squashing Microsoft rumours are the issues in this week's security roundup.
By Ilva Pieterse, ITWeb contributor
Johannesburg, 10 Mar 2006

Wisconsin University is reportedly running a competition, where participants are invited to hack into an Internet-connected Mac OS X system to test its susceptibility to attack.

The competition was inspired by a similar event where a blogger encouraged participants to hack into and deface a Web site. One hacker, who managed to succeed in under half an hour, dubbed Mac OS X "easy pickings". This win was later deemed null and void, however, as hackers were given a user account, making it more akin to breaking into a different user account than into a fully protected system over the Internet.

Questionable motives

It could be beneficial to go the hacker-testing route when checking a system's vulnerability, but is opening a competition-driven event inviting aspiring hackers to participate not undermining the illicit nature and damaging consequences of the exercise?

Is the insight gained by these potential fraudsters outweighed by the knowledge gained about OS X vulnerabilities? It is no consolation that the winner of this "path to glory" does not receive a material prize for his efforts, because he gets a promise of fantastic hacker fame instead.

Another university is causing a stir this week for giving the thumbs-up to its computer-class professor (nicknamed Professor Packetslinger of the School of Loose Screws) to assign a practical task requiring students to perform reconnaissance on an Internet server using tools available in the public domain, as long as it is "not performed on the university's own Web servers". Successful hackings will count towards 15% of their overall grade.

Be that as it may, the changing threat environment is less focused on notoriety and more on profit.

It's all about the money

Ironically, while phishing attacks are targeting accounts, stocks such as McAfee and their investors can only stand to benefit. A recent article in Business Week recalls a study released by the Anti-Phishing Working Group, showing the number of unique phishing Web sites jumped from 4 630 in November to 7 200 in December 2005, and the 15 244 US-based phishing attacks in the same month targeted primarily banks, credit unions, and other financial institutions.

This rise in online attacks means demand will remain healthy for software and hardware, believes Gary McDaniel, Standard & Poor's Equity Research analyst. "The primary driver is the evolution of the security threats faced by organisations and individuals. In the past, the typical security threat was a 16- to 23-year-old computer nerd who couldn't get a date and created viruses and worms to gain notoriety among his peers," he says.

Top threats are not based on the destruction of systems, but are focused on identity theft, done mostly via phishing and pharming.

The long arm of the law

Worms are not yet entirely driven underground, as this week the latest version of the Bagle mass mailer worm came to light. It is embedded in e-mails that threaten recipients with a lawsuit.

With intimidating subject lines such as "Pay your debts before we come to you", "Call your lawyer immediately", "Lawsuit against you" and "We wait your response", users are bullied into opening an infectious attachment (called lawsuit.exe, explanation.exe or documents.exe) which installs malware on compromised PCs.

Although the legal spin is a clever social engineering trick, this particular method has so far proved largely unsuccessful, and is rated a mere low-risk nuisance by anti-virus firms.

On the upside, a US man faces a real lawsuit after being charged with releasing Trojan horse malware onto an IRC channel. He targeted a chat room called DarkMyst where he attempted to obtain banking and identity information from unsuspecting members. Richard Honour, 30, faces up to 10 years' imprisonment and fines of up to $250 000 if convicted.

Over my dead body

Microsoft is denying rumours about a backdoor (BitLocker Drive Encryption) installed with Vista for use by stealthy government agents. As a matter of fact, in a blog entry on MSDN, Microsoft developer and cryptographer Niels Ferguson squashes this rumour as unfounded, saying: "Back doors are simply not acceptable. Besides, they wouldn't find anybody on this team willing to implement and test the back door."

Although he admitted Microsoft had been talking to governments and law enforcement about Vista and BitLocker, the conversations did not broach backdoor territory.

"Over my dead body," Ferguson wrote.

Sources used: VNUnet.com, ZDNet, The Register, SANS