People


Technological solutions can address only technological problems. Everything else requires policies, procedures, practices, and education. People need to understand the importance of security in their day-to-day life and they need regular reminders through an awareness program.

People are social animals who need to communicate with others. They want to brag about their accomplishments and complain about their troubles, especially to those who are involved in similar pursuits, even if they are competitors.

All the computer security in the world will not help if the information that these measures are protecting is being gathered from people. People are generally more willing to share information than machines are.

Publishers

Individuals in the organization need to be kept aware of how the information that they make public may affect the organization. Today, the posting of resumes on the Internet has become common. These are full of useful information, not only about the individual, but also about the systems he or she has been working with, the type of work being done, and more. Personal websites of employees boast of achievements and complain about the organization's shortcomings. All of this is valuable information to an attacker.

Eavesdropping

Hackers take every opportunity they can to look over the shoulder of someone who is entering "secret" information, whether it is a phone card number, an ATM PIN, or a password for a computer system. Crowded areas are a prime location for these types of activities. All of us need education about the handling of information. You need to take the same care with company information as you would with personal information. You must be aware of your surroundings and pay attention to those around you.

There are also high-tech methods of eavesdropping. It has even been demonstrated that a laser can be bounced off a window, and the vibrations caused by the sounds inside the building can be collected and turned back into those sounds. The cost of high-tech surveillance has so far made it available only to the professional information gatherer. But as with all high-tech electronics, falling prices are making it more affordable for a wider audience. As in most other things, security is an economic issue: security is the process of making it economically unfeasible to compromise the system or information.

Wireless networks are growing increasingly popular among companies, with uses that range from e-mail, instant messages, and Internet access to file transfers and access to corporate servers and databases. But hackers have found that their errant signals often spill past office walls. They leak into adjacent businesses, ground-floor lobbies of office towers, parking lots, even nearby streets.

Researchers told MSNBC.com that they had been able to "spy" on wireless systems used by such retailers as Wal-Mart and Home Depot. Best Buy followed suit by shutting down its wireless cash registers upon learning that it, too, had been monitored. [42]

[42] Hornaday, Bill, "Team IDs possible hacker targets," The Indianapolis Star, 13 June 2002.

Socializing

It has long been said that it is easier to get information by buying someone a drink after work at the local pub than by trying to gather it covertly. Once befriended, people are very likely to talk about what is happening in their lives, including office gossip. Why should a hacker steal information when all he has to do is ask for it? This technique requires the hacker to be a sociable person, which many computer hackers are not. However, it is the mainstay of the professional information-gathering industry.

Social Engineering

Social engineering is a confidence game; that is, gaining the confidence of the victim so that he or she will give you the information you are requesting. Hackers can accomplish this through a number of methods. They will often start by calling the phone numbers around a modem number to find out which company owns the modem line. Once they identify the company, they will start to work on its employees.

A successful social engineer will both intimidate and prey on people's natural desire to help those who ask for help. He will use new employees to get information from them, and he will impersonate new employees to get information from help desks and other employees. He can befriend users who have privileges, or he can convince someone that he is a support person who needs the information to debug a system problem.

Much social engineering will go unnoticed, since a hacker will ask any one individual only a few specific questions and then move on. These attacks consist of numerous inconsequential inquiries that add up to a great wealth of information.

Unscrupulous account information brokers are obtaining customers' account information from insured financial institutions through a practice known as pretext phone calling or social engineering. Brokers who engage in this practice call institutions and use surreptitious or fraudulent means to try to induce employees into providing a customer's account information. For example, a broker may pose as a customer who has misplaced his or her account number, and may repeatedly call the institution until the broker finds an employee who is willing to divulge confidential account information. The broker may use information about the customer, such as the customer's social security number, that has been obtained from other sources, to convince the employee that the caller is legitimate. While there are no reliable estimates as to the extent of this practice, there is concern among the federal banking and law enforcement agencies that it is becoming increasingly prevalent. [43]

[43] "Pretext Phone Calling," FDIC Special Alert, 2 September 1998.

Trojan horses are a type of social engineering via software. Games that request a password so that others cannot pretend to be you while playing the game will surprisingly often yield the user's real login password. Another common Trojan horse is the exciting new utility that does something very useful while giving your privileges to the hacker. These are just a few of the ways that a hacker can abuse the trust a user has put in him or his software.

Trusted Advisor

It is possible that a hacker will know more about the computer system than anyone else, including the system manager. If he is an employee, he has an advantage. He is already trusted, knows the people and the relationships, and can use his knowledge to build relationships with system managers, programmers, and other people who have privileges on the system by helping them with the problems they have with the system. In this manner he becomes a trusted advisor, someone to whom these people turn when they need help. To facilitate this assistance, people will often allow him to access the system with their login, thereby giving him access to their privileges. Every employee should be aware of the importance of information security.

The lion's share of security incidents is caused by either current or former employees. This is why you must know the mood of your personnel. Most employee hackers are disgruntled employees who will cause trouble of some type; the computer is just a handy tool. Individual employees generally become disgruntled when there is stress in their lives, either personal or business-related. However, if the company is going through a change that has employees concerned about layoffs or strikes, then you must be more alert to the possibility of in-house hacking.

You must impress upon your users the importance of not sharing logins and passwords. If a user needs special privileges, he should be given a special temporary login specific to the function that he is to perform. This is required for accountability.

People need to understand the importance of security in their day-to-day life and they need regular reminders through an awareness program.



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
