"In God we trust. Everybody else is suspect." That should be the mantra for all businesses today, says Kevin Mitnick, the most famous hacker of them all - the man who hacked into the computer systems of Fujitsu, Motorola, Nokia and the University of California and was subsequently jailed for five years, and then freed early on parole.
Ian Melamed, MD, Ian Melamed Secure Computing
Speaking at Giga Information Group's Infrastructures for E-Business conference in Los Angeles, he warned that unless every employee is educated - from CEO to receptionist - about how hackers work and how to bolster security, corporate networks and Web sites will never be safe.
Mitnick was released on parole in January and this is the first time he has been able to speak publicly about security. His key points are worth noting:
- The key to security is detection and reaction.
- People are the weakest link when it comes to security.
- It's not if, but when, your e-business will be targeted.
- All employees must know how to choose good passwords.
- The company must write policies and procedures to protect itself from viruses, worms and Trojan horses.
- Just installing a firewall is not going to protect you from all potential security threats.
- Do not leave conference rooms with data jacks, computer training rooms and telephone and cable closets unlocked when not in use.
- Classify sensitive and confidential information and erase or destroy data on all discarded magnetic media to dissuade dumpster diving, a trick hackers use to obtain password lists and corporate directory information.
Mitnick's parting message: Today there is no way to eliminate the threat; there are people who will make it their business to get through your systems. But deal with the people issue first, as this is the weakest link.
Mitnick`s words are lent credence by the US Federal Aviation Administration (FAA), which is as full of holes as a Swiss cheese, according to a Congressional report. This is serious stuff, as the US General Accounting Office (GAO), the investigative arm of Congress, found. After all, the FAA is probably the best-funded aviation authority in the world, and we entrust our lives to such organisations. The GAO has been warning the FAA for over three years, and nothing much has been done. Major sins include:
- FAA officials have allowed background checks for many senior agency employees with top-secret security clearances to lapse. One employee had not been investigated since 1973.
- Officials have failed to inspect and secure numerous air-traffic control facilities.
- The agency "has made little progress" in assessing its operating systems and therefore "does not know how vulnerable many of its systems are and has little basis for determining what protective measures are required". Happy flying!
The Palm platform continues to be targeted by virus authors. Network Associates has discovered a new virus, the PalmOS/Phage.963, a destructive load that can infect PalmOS applications and replicate itself. Its malevolent nature sets it apart from the recent "Liberty Crack" from Sweden. It first fills a PalmOS's display with a dark grey box, then terminates the current application and then replicates itself to other applications. A hard-reset followed by a hot-sync with a desktop will clear the problem, if you've backed up! Note that the virus is not yet in the wild.
The industry fights back well, sort of. A consortium of Internet service providers and Internet businesses has got together in Atlanta to try and tackle the thorny issue of distributed denial of service attacks. The first step is to communicate better. That's a good start, but how about tackling the attackers? Denial of service is a form of attack where networks are flooded with spurious packets in an attempt to overload servers and prevent their legitimate use.
London-based IBNet has carved an interesting niche in the security market. It's managed to list on revenue of just £14 000, based on its value proposition of keeping track of the activities of cyber-criminals, share rampers, IP-heisters and con artists prevalent on the Internet.
American Express is leading a consortium of online payment companies and retailers aiming to fight e-commerce fraud. Laudable, but their first outcome is to launch a Web site where they will share information to help eliminate fraud, and publish best practices for retailers. The fraudsters are no doubt quaking in their boots. Amex's initial partners are Amazon.com, buy.com, Expedia.com, Starwood Hotels and Ventro Corporation, and card processors Paymentech, First Data and ClearCommerce.
If you thought you'd come across the ultimate in online violations, think again. The tale of how Ralph Dressel, a 28-year-old UK Web surfer, uncovered "millions" of online bank accounts - as many as 200 million - boggles the mind. Using "simple attacks", he could obtain the access log of his bank through Fiserv, the software company that runs his bank's operation and many others. Once he was through, he claims he accessed bank account information across the US. In theory, the access logs would have allowed him to transfer funds and change user passwords. The Observer reported the loophole and then had to retract the story when it transpired the site accessed was only a test site. By this time the FBI had got involved. My bet is this story has only begun to unfold.
Sources: HNN, Silicon.com, Computergram and USA Today.