By Chris Farnsworth, Freedom News Service
Meet Bob. Bob works at your company. At least, he did until yesterday. Bob just got laid off. Bob is not happy.
Bob is the kind of guy who always remembers the scores of the weekend games and takes long lunches, but doesn’t know a whole lot about computers.
No matter. Bob just types a few words into an Internet search engine, downloads some software and, not long after, your computer network collapses into a pile of smoking data.
Bob feels better now.
This happy little tale will be rerun at companies everywhere, unless business owners start taking the threat of hacking seriously.
Hacking isn’t just for dateless kids wired up on Jolt cola and wired into monster computer equipment anymore. Today, there are dozens of tools available over the Net that anyone can use to crash your company’s systems.
In the most-startling example, a busboy in New York was arrested last week for allegedly using information he found on the Internet to hack the bank and stock accounts of Steven Spielberg, Oprah Winfrey and Ted Turner. Abraham Abdallah, a 32-year-old high-school dropout, didn’t even own a computer, police said, but used the ones at his local public library.
Hackers have always used the Internet to trade secrets. They’ve posted strings of “do-it-yourself” code used by novice hackers called “Script Kiddies,” who cut and paste them to write destructive programs.
The latest freely available hacking software offers the entire package – no special know-how required.
“It’s all point-and-click now,” said Andrea Hoy, director of information security for Fluor Corp. in Aliso Viejo. “You don’t have to know any programming at all. Everything can be done with just a few mouse clicks.”
Hoy, who’s responsible for protecting Fluor’s multinational computer network, said that the biggest problem businesses have is that they don’t realize there’s a problem.
“You might not think of yourself as being a target, but you might be one anyway because you’re the site they decide to hit first,” Hoy said.
An open computer attached to the Web presents a wealth of opportunities for any hacker. There’s software that turns the computer into a “zombie,” a remote point used to launch malicious attacks against bigger networks. There are other programs that can hide a virus or pirated software copies inside a small business’s mainframe.
VENGEANCE
Now that anyone can be a hacker, the reasons for an attack can be a lot more personal.
The recent waves of layoffs have given a number of people cause to look for ways to get even, Hoy said.
“You have people who are getting laid off, even though it may be for legitimate reasons. They get on the Net to look for job opportunities, and they may fall upon this. And they may decide, ‘Well, let’s try this instead,’ ” she said.
Some Web sites – like www.infosyssec.com – provide links to all varieties of hacking software, including Ares, a password cracker that comes with a list of frequently used passwords. Just click the button, and Ares begins running thousands of combinations through password-protected sites.
The software can also be used to guess passwords on office networks, giving a hacker access to all a company’s files.
For those who need more hands-on instruction, Fry’s Electronics or any other computer store has a stack of books available about hacking techniques, some of which include software on CD-ROM. Titles include “Hack Proofing Your Network,” “Hacking Exposed,” and “Inside Internet Security: What Hackers Don’t Want You to Know.”
Like the Web sites, the books are marketed as ways to protect your computer from hackers. But in order to show the ways to defeat hackers, the books demonstrate hacking techniques in easy-to-follow instructions.
“There are well-known vulnerabilities that hackers exploit time and time again; they’re published on hacker sites, in manuals, and they’re published so that people can know about them and button them up,” said John Droge, vice president of emerging technology applications at Rainbow Technologies, a computer-security company in Irvine.
Droge said the fact that these loopholes are so easy to find gives companies the ability to stop the most-common attacks. But if a business hasn’t taken those measures — because it doesn’t think it’s a target — then it’s vulnerable to even a novice.
Some advanced hackers are even willing to help the newbies out, Droge said, by leaving “back doors” to the command levels of a computer network. These are ways to access the top administrative privileges that are programmed in by a hacker who’s made his way deep inside a system.
These backdoors are then often posted on Web sites or in newsgroups.
“The biggest threat is the internal threat, not the external threat. There’s a lot more damage someone can do on the inside,” Droge said.
PROTECTION
Fortunately, there are off-the-shelf solutions as well as plug-and-play problems.
The best defense against hackers, in most cases, is to keep the doors shut to them at all times.
Norton and McAfee, which both make popular antivirus programs, and Black Ice have all created “firewall” software, which prevents unwanted intrusions into personal computers. Firewalls can also track the Internet address of the person launching an attack on your computer — something most newbies don’t realize.
A small business that doesn’t at least have firewalls as protection is a giant target, waiting for any one of millions of people to throw a dart.
Larger businesses can invest more in protection of their systems, and have more to lose.
In addition to firewalls and password-protection, some businesses have taken the added step of laying traps for hackers called “honeypots.” These are fake computer networks within the network that hackers are allowed to access. Once the hacker is stuck in the honeypot, the company can go to the police or the federal authorities.
The law is taking these crimes more seriously now, said Scott Feldmann, an associate with Brobeck, Phleger and Harrison, a law firm that specializes in technology issues with offices in Irvine. Both California and federal statutes have stiff punishments for the hackers who get caught.
A convicted hacker faces both criminal and civil penalties: up to five or 10 years in jail and fines up to $50,000, plus restitution.
Still, there are no penalties yet for posting hacking software, Feldmann said, in part because security experts use the publicly available information to improve their systems.
The other reason is the First Amendment. But that could change soon, Feldmann said.
“There’s a decent First Amendment argument — but as we go down the road, that may change for public-policy reasons,” Feldmann said. “You can’t possess fully automatic weapons, or bombs, or anthrax. The public may decide that there’s no good, compelling reason to be able to post a virus.”
If it becomes illegal to post hacking software, hackers may simply be driven further underground. That may make it tougher for novices, but it could also lead to more danger in the long run.
“The things you don’t know about are always scarier than the things you know about,” Droge said.