Hacker tools are growing more sophisticated and automated. Hackers can now adapt quickly to new security vulnerabilities as they are uncovered and, with the help of automated tool kits, spread their exploits far more widely. And they employ an ever-increasing range of methods to find individuals' and companies' private information and use it to their own advantage.
Yet, many organizations have a false sense of security about their own data and networks. They install firewalls at the perimeter, put antivirus and anti-spyware tools on desktops, and use encryption to send and store data. And Microsoft (Redmond, Wash.) and the big security companies provide ever-improving tools and patches to protect systems and data. Although others that are less careful might be at risk, companies that take these steps are safe, right?
Maybe not. Take a look at the seven security myths below and see if your data is as secure as you think it is.
Myth #1: Encryption guarantees protection.
Encrypting your data is an important component of data protection, but it's not infallible. Jon Orbeton, senior security researcher with San Francisco-based Zone Labs, which makes ZoneAlarm firewall software, is a proponent of encryption, but he warns that sniffers are getting more refined and can intercept Secure Sockets Layer (SSL) and Secure Shell (SSH) sessions and capture the data after it's encrypted. Captured ciphertext by itself is of little use to anyone, and the ciphers themselves are not what a determined hacker armed with the right tools goes after. The weak points are in how a session is set up: if the peer's identity is never verified (a forged server certificate, an SSH host key accepted without checking its fingerprint), an attacker can slip between the two ends before the keys are agreed, hold a session key with each side and read the data as it passes. "Hackers are finding ways to circumvent the security mechanisms," Orbeton says.
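The interception described above, as an added example that is not part of the original article: two parties agree on a key with Diffie-Hellman, and Mallory, who never touches the cipher, simply substitutes her own public value in each direction. The second half shows the same exchange once Bob's value carries a tag under a key Alice already trusts, the role a CA-signed certificate or a pinned SSH host key plays. The group (2**127 - 1) and the SHA-256 XOR keystream are toys chosen for readability, and the message and trust anchor are constructed; none of this is from the article.

```python
"""Constructed demo: encryption without peer authentication.

The toy group and XOR keystream stand in for real TLS/SSH primitives. The
flaw shown is in key agreement, not in the cipher: Mallory ends up holding
a valid session key with each side and reads the traffic in the middle.
"""
import hashlib
import hmac
import secrets

# Toy group: Mersenne prime 2**127 - 1 with generator 3. Far too small for
# real use; chosen so values fit in 16 bytes and the arithmetic is quick.
P = 2**127 - 1
G = 3


def dh_keypair():
    """One side's (private, public) Diffie-Hellman values."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_session_key(priv, peer_pub):
    """32-byte session key derived from the shared secret g^(ab) mod p."""
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def xor_stream(key, data):
    """Toy stream cipher: XOR with a SHA-256 keystream. The same call decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def unauthenticated_session(plaintext):
    """Alice and Bob run plain DH while Mallory relays the public values.
    Nobody checks where a value came from, so Mallory hands each side her own.
    Returns (what Bob decrypts, what Mallory read in transit)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()

    alice_key = dh_session_key(a_priv, m_pub)      # Alice believes this is Bob's
    bob_key = dh_session_key(b_priv, m_pub)        # Bob believes this is Alice's
    mallory_alice = dh_session_key(m_priv, a_pub)  # equals alice_key
    mallory_bob = dh_session_key(m_priv, b_pub)    # equals bob_key

    on_wire = xor_stream(alice_key, plaintext)             # "encrypted" traffic
    read_by_mallory = xor_stream(mallory_alice, on_wire)   # decrypted in the middle
    forwarded = xor_stream(mallory_bob, read_by_mallory)   # re-encrypted for Bob
    return xor_stream(bob_key, forwarded), read_by_mallory


def authenticated_exchange(trust_anchor, tampered):
    """Same exchange, but Bob's public value carries an HMAC under a key Alice
    already trusts (stand-in for a certificate or pinned host key).
    Returns True if Alice accepts the value presented to her."""
    _, b_pub = dh_keypair()
    tag = hmac.new(trust_anchor, b_pub.to_bytes(16, "big"), "sha256").digest()
    # Mallory can swap the value, but cannot re-tag it without the anchor.
    presented = dh_keypair()[1] if tampered else b_pub
    check = hmac.new(trust_anchor, presented.to_bytes(16, "big"), "sha256").digest()
    return hmac.compare_digest(tag, check)


if __name__ == "__main__":
    msg = b"card=4111111111111111 exp=05/07"   # constructed sample data
    bob_got, mallory_saw = unauthenticated_session(msg)
    print("Bob received intact:   ", bob_got == msg)
    print("Mallory read in clear: ", mallory_saw == msg)
    anchor = secrets.token_bytes(32)            # what Alice trusts in advance
    print("Tampered value accepted:", authenticated_exchange(anchor, True))
    print("Genuine value accepted: ", authenticated_exchange(anchor, False))
```

The practical check this implies is the one users skip most often: a certificate warning or an unexpected host key fingerprint is the moment the "encrypted" session is being redirected, and clicking through it hands the attacker the session.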
Myth #2: Firewalls are bulletproof.
"A lot of people say, 'We have a firewall,'" says Steve Thornburg, an engineer with Mindspeed Technologies, a Newport Beach, Calif.-based developer of semiconductor networking solutions. "But you can read the entire IP trail through the best firewalls and sniff out these systems." Tracing that trail, the network addresses of the systems that answer through the firewall, tells an attacker which servers exist and which machines sit behind them; the open ports and software banners on those servers reveal what they run, and known vulnerabilities in those exact versions become the way in.
It's clear, then, that firewalls and encryption aren't enough. Network administrators must not only make sure they are running current, patched versions of their software, they must also follow reports of new vulnerabilities in popular operating systems and monitor their networks for signs of suspicious activity. In addition, they need to enforce smart usage practices among end users, discouraging them from installing new and untested software, opening executable e-mail attachments, visiting file-sharing sites, running peer-to-peer software, and setting up their own remote access programs and unsecured wireless access points.
The problem, relates Thornburg, is that very few organizations are willing to put forth the money and effort it takes to maintain security. "They know it won't be popular," he says. "It will downgrade efficiency. Cost is the big issue, because these companies are all looking at the bottom line."
Myth #3: Hackers ignore old software.
Some of us think that if we're running legacy systems, we're not a target for attack because hackers only go after the most widely used software, which is more recent than our own. Not so, says Johannes Ullrich, chief technology officer for the SANS Internet Storm Center (www.isc.sans.org), an analysis and warning service that publishes warnings about security vulnerabilities and bugs. He warns that Web servers that haven't been updated or patched recently are a common point of entry for hackers. "A lot of old versions of Apache and IIS [Internet Information Server] are attacked with buffer overflows," says Ullrich.
A buffer overflow happens when a program copies more data into a fixed-size area of memory than that area was allotted. The excess doesn't vanish; it overwrites whatever lies next to the buffer, which can include other variables and the address the program returns to when the current routine finishes, and an attacker who controls that excess can steer the program into running code of their choosing. Both Microsoft and the Apache project issued patches years ago for the overflow bugs in question, but the old, unpatched systems are still out there.
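One place the attacks Ullrich describes leave a trace is the web server's own access log: an overflow attempt has to deliver a long payload, and that payload is usually padded with one repeated byte. The script below is an added example, not from the article, that scans Common Log Format lines and flags requests whose decoded path is abnormally long or contains a long run of a single byte. The thresholds, field names and the three sample log lines are assumptions constructed for the example; tune the thresholds against your own traffic before trusting the output.

```python
"""Flag buffer-overflow style probes in a web server access log.

Heuristics (assumptions, not from the article): an overflow payload is long
and usually padded with one repeated byte, so we decode each request path and
look for excessive length or a long run of a single byte.
"""
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "method uri proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

MAX_URI_BYTES = 1024   # assumption: longest legitimate path on this site
MAX_BYTE_RUN = 64      # assumption: longest run of one byte in real URLs


def longest_byte_run(data):
    """Length of the longest stretch of one repeated byte in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def classify(line):
    """Parse one CLF line. Returns a dict whose 'reasons' list is empty for a
    benign request, or None if the line does not parse."""
    m = CLF.match(line)
    if not m:
        return None
    # Decode percent-escapes first: %41%41%41... is still a run of 'A'.
    path = unquote_to_bytes(m["uri"])
    reasons = []
    if len(path) > MAX_URI_BYTES:
        reasons.append("uri_len=%d" % len(path))
    run = longest_byte_run(path)
    if run >= MAX_BYTE_RUN:
        reasons.append("byte_run=%d" % run)
    return {"host": m["host"], "status": m["status"],
            "uri_len": len(path), "reasons": reasons}


def suspicious(lines):
    """Return the classified entries that triggered at least one heuristic."""
    hits = []
    for line in lines:
        entry = classify(line)
        if entry and entry["reasons"]:
            hits.append(entry)
    return hits


# Constructed sample log: one normal request, then two overflow-style probes
# (the second one hides its padding behind percent-encoding).
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2005:04:11:52 -0500] "GET /index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Mar/2005:04:12:09 -0500] "GET /scripts/' + "A" * 1500
    + ' HTTP/1.0" 400 302',
    '203.0.113.7 - - [10/Mar/2005:04:12:10 -0500] "GET /cgi-bin/' + "%41" * 400
    + ' HTTP/1.0" 414 0',
]

if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit["host"], hit["status"], hit["uri_len"], ", ".join(hit["reasons"]))
```

Run it against a real log and expect some false positives from sites with long tracking parameters; raising MAX_URI_BYTES and keeping MAX_BYTE_RUN low usually separates them, since legitimate URLs almost never contain hundreds of identical consecutive bytes.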
Myth #4: Macs are safe.
Many users also believe that their Mac systems, like legacy systems, are not vulnerable to attack by hackers. Many Macs, however, run Mac editions of cross-platform software such as Microsoft Office and exchange files with Windows machines on the same network, which can expose them to some of the same attacks, a malicious Office document for instance, that Windows users experience. As security expert Gary McGraw, CTO of Cigital (Dulles, Va.), puts it, "It's only a matter of time" before cross-platform viruses that target Win32 and OS X appear.
The Mac OS X environment is vulnerable too, even without running Windows software. Symantec recently issued a report that found that 37 vulnerabilities had been identified in Mac OS X in 2004 and warned that such vulnerabilities could become more of a target for hackers, especially as Mac systems grow in popularity.
Myth #5: Security tools and software patches make everybody safer.
Some tools allow hackers to reverse-engineer the patches Microsoft distributes through its Windows Update service. By comparing the patched files with the originals, a hacker can see exactly which code the patch changed, and therefore where the vulnerability lies, and then work out how to exploit it on the many machines that have not yet applied the patch.
"New tools are developed every day around the same basic theme of scanning for vulnerabilities," says Marty Lindner, team leader for incident handling, CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute in Pittsburgh. "You scan the Internet and make an inventory of what's vulnerable. You write tools that assume every machine is vulnerable to a particular vulnerability, and then just try it. There are vulnerabilities in everything. Nothing is perfect."
Among the ubiquitous tools being used by hackers is Google, which can find vulnerable Web sites, such as server log-in pages left in their default states, with nothing more than a well-crafted search query. Google has been used to turn up unsecured webcams, network vulnerability assessment reports, passwords, credit card accounts and other sensitive information. The Santy worm and a new MyDoom variant recently used Google searches to locate their targets. Web sites such as Johnny.IHackStuff.com have even sprung up to catalog a widening array of such searches.
Earlier this year, McAfee (Santa Clara, Calif.) released an update of its SiteDigger 2.0 tool with new features that determine whether a site is vulnerable to Google hacking. While the tool is supposed to be used by administrators to test their own networks, hackers could potentially employ the software to probe any site for vulnerabilities.
Myth #6: As long as your corporate network is unbreached, hackers can't hurt you.
Some IT departments defend their enterprise network to the death, only to have security compromised by users who take a company laptop computer to an unprotected connection at home or at a Wi-Fi hot spot. Hackers can even set up rogue Wi-Fi access points near hot spots to trick users into connecting to the attacker's network instead. Once an attacker controls the laptop, they can plant a keylogger that captures the password for the corporate VPN client and then use that credential to enter the network at will.
Sometimes the mere threat of mischief can bring a company to its knees. Hackers have extorted money from victims by threatening to bring down their Web sites, delete important files or place child pornography on their computers. Many online gambling sites in the United Kingdom have reportedly been paying extortion money to hackers who threaten to hit them with denial of service attacks.
Myth #7: If you work for a security enterprise, your data is safe.
Even the most security-conscious organizations may find themselves vulnerable to hackers. George Mason University in Fairfax, Va., home to the Center for Secure Information Systems, a workplace filled with security experts, discovered recently that the names, Social Security numbers and photos of more than 32,000 students and staff members had been exposed to hackers who attacked the university's main ID server and installed tools there for probing other university servers. The hackers may have entered through a computer that lacked firewall protection and then planted scanning tools to search for passwords with which to break into other systems.
In response, the university shut down part of the server and replaced students' Social Security numbers with a different ID number to guard against identity theft. The school also might employ software to scan computers before permitting them to connect to its network, set up smaller subnetworks to isolate computers that contain sensitive data and monitor overall network activity more closely.
Even national defense departments aren't immune. They constantly have to deploy new software to guard against emerging vulnerabilities as well as maintain tried-and-true security practices.
What it all boils down to, unfortunately, is eternal vigilance. As the recent hack of Paris Hilton's T-Mobile Sidekick account and theft of customers' confidential credit information from ChoicePoint and LexisNexis show, the range of subterfuges employed by hackers is growing. Hackers are exploiting an increasing number of vulnerabilities in increasingly creative ways, and it's up to us to stay abreast of the latest tools and tricks and protect ourselves accordingly.
Courtesy of Security Pipeline, a CMP Media online resource.