Confessions of an Internet hacker: Stealing your personal information was hard to resist.
THE PERFECT COVER
My name is John Smith. I'm from Crescent City. In school I earned good grades, was always in my room before curfew and went to church every Sunday. A few months ago, my buddy and I were hired by a start-up computer security company to protect companies like yours against people like me. Unfortunately I had no idea that the folks who hired me were really from the Federal Bureau of Investigation. Now, it's pretty safe to say the jig is up. I'm writing this from my federal prison cell in Lompoc.
If only we had stayed in Crescent City, you never would have found us.
We had the perfect conditions for monitoring service providers, e-commerce sites and online banks that pointed the way to your personal computer to steal credit card numbers and other personal financial information. Sometimes we were able to use this information to persuade our "clients" to pay us not to share their sensitive data with the public or we would damage their computers.
Once we were inside your computer, we made copies of your financial data files from Quicken, Quickbooks, your tax return software and other data sources.
You pretend to protect your valuable data with passwords that don't take long to crack.
Password-cracking software, supplied by some good friends of ours, allowed us to discover your passwords in minutes. Fortunately, you didn't bother to use uncrackable passwords. Apparently they are too hard to remember or a nuisance to change.
We were able to obtain more than 56,000 credit cards with personal information "courtesy of" a few Internet service providers and Internet retail sites. You may have felt safe when you signed up for Internet services or bought stuff online, but those online vendors have big back doors just waiting for us to walk through. We also "borrowed" bank account and other personal financial information from online banking services.
PIECE OF CAKE
It was not difficult for us to take control of your unprotected computer over the Internet, using it to establish thousands of anonymous e-mail accounts at e-mail Web sites like Hotmail, Yahoo! and My Own Email. With our "personalized" e-mail accounts we used special software to create associated accounts at PayPal, an online payment service, with random identities using your credit card numbers.
With other software, we controlled and manipulated eBay auctions. We could act as both seller and winning bidder in the same auction and then paid ourselves with your "borrowed" credit cards.
Did I mention that we had accumulated over 56,000 valid credit card numbers? Most of these card number sources were from sites that had weak firewalls with ports opened by common trojans.
That's also how we accessed your PC. You may have acquired our trojan by opening an e-mail with attached script files, or by visiting some of our choice "educational" Web sites where this agent was downloaded without your knowledge.
Thank you, computer users who do not use good virus protection or keep your definition files updated. You feel secure because you have a firewall? There is an old saying, "No security is better than false security."
Even when we walked in through your computer's back door, we still had to crack a few passwords to get your personal information to authorize credit card use. If that information had secure password protection that took longer than a day or two to crack, we would have given up and moved on to one of your neighbor's computers whose passwords were not so secure. So please keep your passwords short--using only common English words and names.
At least I had five fun years before I was caught.
I have to go now. I have a hearing scheduled for 9 a.m. Monday. Don't worry, if I should somehow shake this rap, we'll be in touch.
Larry Russell, CPA, CITP, is a consultant with Valencia-based Cambridge Technology Consulting Group Inc., an information technology service provider. He is a member of CalCPA's state Technology Committee, CalCPA Council and chairs the Los Angeles Chapter's Members in Industry Committee.
RELATED ARTICLE: Viruses 101
Destructive. Secretive. Embedded. Executable. Variable. Just a few of the terms that describe a computer user's archenemy--the virus.
Once executed, a mechanism in the virus enables its distribution to other computer systems. Some current strains, known as worms, spread on their own. The Code Red Worm automatically sends itself to 99 IP addresses it generates. Once activated, viruses can do anything--delete files or send themselves, together with documents on your hard drive, to some, or all, of the names in your Microsoft Outlook address book or to any Internet address.
A virus attached to e-mail messages can infect an entire enterprise in a matter of minutes. It's estimated that businesses spend millions of dollars annually in productivity loss and clean-up expenses due to viruses. According to the International Computer Security Association, more than 10,000 already are identified, and more than 200 new ones are created monthly. No computer is immune from viruses.
Viruses fall into four main classes:
Macro Viruses
According to the International Computer Security Association, 80 percent of viruses are macro viruses--and the numbers are growing. These are not specific to an operating system and spread with ease via e-mail attachments, floppy disks, Web downloads, file transfers and general use applications.
Macro viruses are application-specific. They infect macro utilities within Microsoft Word and Excel, and can infect hundreds of files if undeterred. They can infect at different points in a file's use, such as when it is opened, saved, closed or deleted.
Trojan Viruses
Trojan viruses hide themselves and quietly open a communication port on your Internet-connected PC. You may have installed a personal firewall or be inside a secured network, but this virus type opens back doors so that hackers can access your machine to steal data or use it as a zombie to attack other network PCs. These trojans are distributed by e-mail or picked up at unseemly Web sites referred to as Web bombs.
File Infecting Viruses
File infectors are parasitic viruses that operate in memory. They usually infect executable files with these extensions: *.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL and *.SYS. They activate every time the infected file is executed, copying themselves into other executable files and then remaining in memory. The vast majority operate in a DOS 16-bit environment, although some have successfully infected Microsoft Windows.
Boot Sector Viruses
This virus type was the most prevalent until the mid-1990s, spreading primarily in the 16-bit DOS world via floppy diskettes. It infects the boot sector on a floppy disk and spreads to a user's hard drive and can infect the master boot record (MBR) on a hard drive. Once the MBR or boot sector on a drive is infected, the virus infects the boot sector of floppies accessed on that computer.
How to Protect Against Viruses
The following steps will help protect users against most viruses:
* Install on every computer an industry standard virus protection, such as Norton AntiVirus, McAfee AntiVirus or Trend PC-cillin.
* Install server-based anti-virus protection on both file and e-mail servers.
* Turn on all the virus protection features such as scanning executing applications and opening data files.
* Enable Web filters, heuristics and today's most important option--POP3 or e-mail security.
* Stay current on the software virus application engine and update virus definition files at least once a week. New viruses strike within hours of their introduction to the Internet. A good virus software company will have the antidote within hours of a new virus introduction.
* Scan your hard drives regularly--at least once per week. Some viruses will hide themselves in a downloaded file and are set not to trigger until a future date. Regular virus scans will find and deactivate these sleepers.
* Save all e-mail attachment files and scan them before opening.
Most viruses are sent from people you know. You were in their e-mail address book and the virus selected you as its next victim.
If everyone practiced safe computing and simply kept their antivirus software up to date, viruses would have a hard time propagating, and maybe the individuals who create them might abandon their unfruitful efforts.
Your First Line of Defense
IMPLEMENT SAFE PASSWORD POLICIES
Ineffective passwords are the weakest link in computer security. With workstations attached to both the company network and Internet, having a weak password policy is the equivalent of putting a $2 padlock on a jewelry store's door. You might as well post a sign, "Come and get it."
Guidelines for Secure Passwords
The FBI offers guidelines for an effective password policy, all based on common sense. Still, many of us resist applying these rules as they tend to be bothersome. The FBI guidelines include:
* Do not write down a password on a sticky note and place on or near your computer.
* Do not use words found in a dictionary. That's right, a dictionary--any dictionary.
* Do not use words from a dictionary followed by two numbers.
* Do not use the names of people, places, pets or other common items.
* Do not share your password with anyone else.
* Do not use the default password provided by the vendor.
* Use a different password for each account.
* Change your password often.
* Use passwords with 10 characters or more, mixing alpha, numeric and special characters.
* Turn off your computer or disconnect it from the network when not in use.
The Weak Links
Passwords are one of the first lines of defense that users have to protect their systems. Unfortunately, people are not accustomed to remembering difficult passwords consisting of numbers and weird characters. A growing number of applications and Web sites that require passwords makes this problem worse. The most common work-around for this problem is that users write down their passwords and keep them in an unsecured area, like stuck to a computer screen or taped under a keyboard.
A hacker will attempt to crack a system by running a program that will guess the correct password of the target machine. These programs may contain entire dictionaries in several different languages and often contain words from pop culture such as idioms, science fiction movies and novels.
Hackers attack people's weaknesses such as a user's reluctance to remember several long and difficult to guess passwords. Once most users choose a password, they tend to use it for several accounts. When a user keeps the same password for a long period of time, it allows attackers that much more time to gain access to a system.
Tricks of the Trade
Here are some basic techniques for remembering long passwords:
* Choose a phrase that is easy to remember, such as "Tastes Great and Less Filling."
* Pick a familiar number, such as a phone number, (800) 922-5272.
* Interlace the first letter of each word in your phrase with the last five digits of the phone number to create a password such as t2g5a2l7f2.
This method creates a password that won't be found in any dictionary and is unique to the person who created it.
Any password can be guessed if given enough time--even the one created here. Therefore, it is important to change your password within the amount of time it would take an attacker to guess it. The sample password may take 60 days to crack on a very fast computer. Therefore a user should change a password of this length every 60 days.
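The interlacing trick above and the FBI-style guidelines from the earlier list, worked through as an added Python example (not code from the article). The mini dictionary and vendor-default list are constructed placeholders; a real check would load full word lists.

```python
import re
import string

# Constructed mini word list standing in for "any dictionary" (assumption:
# a real deployment would load complete dictionary files in several languages).
DICTIONARY = {"tastes", "great", "less", "filling", "password",
              "welcome", "summer", "admin", "secret", "letmein"}

# Placeholder vendor defaults; a real list comes from vendor documentation.
VENDOR_DEFAULTS = {"admin", "password", "default"}


def interlace(phrase, phone, digits=5):
    """Build a password the way 'Tricks of the Trade' describes: the first
    letter of each word in the phrase, interlaced with the last `digits`
    digits of the phone number."""
    initials = [w[0].lower() for w in phrase.split()]
    tail = re.sub(r"\D", "", phone)[-digits:]
    if len(initials) != len(tail):
        raise ValueError("phrase word count must match the number of digits used")
    return "".join(a + b for a, b in zip(initials, tail))


def policy_violations(password):
    """Return the guideline rules the password breaks (empty list = passes)."""
    problems = []
    low = password.lower()
    if low in DICTIONARY:
        problems.append("dictionary word")
    # "dictionary word followed by two numbers", e.g. summer99
    m = re.fullmatch(r"([a-z]+)\d{2}", low)
    if m and m.group(1) in DICTIONARY:
        problems.append("dictionary word plus two digits")
    if low in VENDOR_DEFAULTS:
        problems.append("vendor default")
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    return problems
```

Run against the article's own sample, the interlaced password passes every rule except the special-character one, which the phrase-plus-phone method does not supply by itself.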
This Means You
The password security procedures outlined here apply to both organizational and home-use computers. All computers with Internet connections have the potential to become gateways to sensitive information. Crackers use unprotected workstations as agents to cover their attacks on other systems.
While passwords are a very important security measure, they are only one component of the "defense in depth" principle. Passwords need to be used along with other measures such as updated anti-virus software, personal firewalls and a well-constructed overall security policy.
Date: Mar 1, 2002