Secure in the knowledge…

With the firewall up, the ‘holistic’ security management policy in place and the system scrutinised regularly for vulnerabilities, it is easy to see why organisations might get complacent about information security. But a recent high-profile hacking break-in at the University of California at Berkeley, one of the US’s most prestigious technology research sites, provides some salutary lessons in why no-one can afford to relax their guard. Even more so because Berkeley was doing a lot right.

The university regularly checked its system for vulnerabilities and was in the process of implementing a new set of security standards that were due to come into force in spring 2005. Nonetheless, a hacker was able to gain access to the names, addresses, phone numbers, birthdates and Social Security numbers of 600,000 elderly and disabled people participating in Berkeley’s In Home Supportive Services (IHSS) programme.

The breach appears to have happened as a result of an unpatched vulnerability in an (unnamed) commercial database and an unsecured connection by a new user. A visiting scholar accessed the IHSS database for research purposes and saved the data on her own computer, which had accessed the network without the university’s usual security precautions.

Such errors are worryingly familiar. A recent survey of 36 security professionals from large UK organisations, mostly in the finance sector, by security consultancy NetSec found that patching was rated the greatest security problem facing their companies. Application-level vulnerabilities were deemed the most dangerous emerging threat and more than half admitted to finding it difficult to resource ongoing vulnerability and threat management in-house.


The SANS Institute Top 20 System Vulnerabilities

Windows Systems

  • Web Servers &Services
  • Workstation Service
  • Windows Remote Access Services
  • Microsoft SQL Server (MSSQL)
  • Windows Authentication
  • Web Browsers
  • File-Sharing Applications
  • LSAS Exposures
  • Mail Client
  • Instant Messaging

UNIX Systems

  • BIND Domain Name System
  • Web Server
  • Authentication
  • Version Control Systems
  • Mail Transport Service
  • Simple Network Management Protocol (SNMP)
  • Open Secure Sockets Layer (SSL)
  • Misconfiguration of Enterprise Services NIS/NFS
  • Databases
  • Kernel



At Berkeley, George Strait, the university’s associate vice chancellor of public affairs, told local newspaper the Oakland Chronicle that he wished “that computer security could be 100%, but in this day and age, it can’t be.” He said the university would bolster its routine system vulnerability checks and seek to improve departmental compliance with existing patching policy.

The acceptance that security can never be faultless is widespread among security experts such as Colm Murphy, technical director at Espion, an IT security services and training company which runs “ethical hacking” courses (see box). “In large networks, it just isn’t realistic to have everything patched and up to date. There will always be a window of opportunity for the attackers.”

Given the scale of the task, the best way for organisations to mitigate the possibility of a serious breach is to focus their attention on their system’s most critical areas, paying particular attention to known areas of weakness. To this end, the SANS (Systems Administration, Networking and Security) Institute, a US organisation that researches vulnerabilities and trains security professionals, releases an invaluable list of the “Top 20” areas of Windows and Unix system vulnerabilities every year in October (see table).

The complete list (see top20), which is not in any order of severity, contains over 230 individual vulnerabilities. New entrants this year include flaws in Windows instant messaging and version control systems in Linux. Alan Paller, the SANS Institute’s director of research, says the key lesson that users should draw from the list is “know your system intimately”. He also recommends that management looks “outside the toolbox” to information-sharing communities for trends and alerts, and “updating when necessary” with patches or by disabling insecure systems.

“All it takes is for an implementation or modification of a service to be neglected or not performed to the same standard and holes can appear which hackers can exploit,” says Phil Robinson, chief technology officer of Information Risk Management (IRM), an IT security consulting and services company. “So it’s not often the technology that fails, it’s poor design, change control, implementation, and/or policy.” He warns that many organisations fail to stress the importance of good Internet usage to new starters.

Forrester Research found large US financial institutions spend an average of $5 to $10 per employee on raising awareness of online security threats. Other advice from those who have the greatest incentive to get IT security right includes having a central information security (IS) department which focuses on strategic tasks such as risk assessments, policy formulation and product recommendation, while individual projects are budgeted and managed by other IT teams.


Although Berkeley’s breach occurred on 1 August 2004, it was not revealed for some months so as not to impede the FBI’s (ongoing) investigation. The unwanted publicity was required by a Californian law that ensures people are notified if their personal information has been stolen.

Although similar laws exist elsewhere, any announcements of exposure are few and far between.

“People are afraid to share information,” says the SANS Institute’s Alan Paller. He says the phenomenon of criminals using the threat of ‘denial of service’ (DOS) attacks to extort money from online businesses is “an epidemic of crime” most are ignoring. “The reason it is working is people don’t want other people to hear about it.” He says as many as 7,000 companies are paying up an average of $40,000 because they lack faith in law enforcement’s ability to protect them.

BlueSquare, a UK online gambling site, faced one such threat in late October but with an added twist: As well as the usual DOS attack, the extortionists threatened to send out emails containing child pornography in the company’s name unless they were paid E7,000. “We’ve had demands ranging down from £40,000 to £3,000 so we see no pattern,” says Peter Pedersen, BlueSquare’s chief technology officer. “I’ve lost count of how many times we’ve been threatened like this.”

Although the company has allowed for extra bandwidth to help withstand a DOS attack, as well as a strict security policy and well trained staff, the site was out of action for a few hours as the company monitored the attack. Pedersen says he plans to “continue doing exactly the same thing” to mitigate future threats – which includes not giving into the demands.

Only armed with knowledge – of their own systems, of others’ experiences and of new developments – can even well-secured organisations protect themselves from the kind of attacks that hit Berkeley and BlueSquare.


A day as a hacker

Organisations that have suffered a major break-in are usually shocked into a tougher security policy. But the same effect can be achieved in a much safer environment through courses such as Espion’s ‘Hands on Hacking’, which demonstrates just how easy it is to break into an unsecured computer.

The course’s aim is not to cause alarm, but to enable IT staff to ‘attack’ their company in the same way a hacker might, so they can better protect it.

First, the hacker trainees need to get their victim’s server or database ‘footprint’. That is easily discovered by using a freeware tool such as Sam Spade, which digs up IP addresses, domain name owners and whether a mail server is secure. “Hacking is all about knowing what’s out there,” says Colm Murphy, Espion’s technical director. “Most scans are opportunist – like walking down the street looking for open car doors.”

Then the hacker scans the target’s PCs for open ports (connections) using Telnet, a text-based program available on most computers. This can also indicate when software was last modified – a good way to tell if patches have been installed. Although such scanning is detectable, it can be routed through so many different systems in different countries that it would require the involvement of international agencies to find the originator.

A short Internet search can easily detail specific vulnerabilities in the victim’s software and the programs necessary to exploit them. These tools are very user-friendly, with simple graphical interfaces. A couple of mouse clicks can allow the hacker to bring up messages on the victim’s screen; they can turn on the victim’s webcam, if one exists, and view them; they can even pop open the victim’s CD drive – good fun if the hacker spots a Styrofoam coffee cup in front of it, says Murphy.

From then on it is all too easy to install a Trojan horse or a back door to allow re-entry at some point – and then disguise this as an innocuous piece of code. One example, Netbus, allows users to ‘listen’ to keyboard strokes or take complete control of a server. It can then be hidden in the Windows filesystem so that virus scanners cannot detect it by simply making the directory path longer than the prescribed 256 characters. Tools like Ethereal and NetCat not only listen in on the traffic moving in and out of the computer, they can even filter out useful data like usernames and passwords (although, reassuringly, a firewall can scramble this).

Would-be hackers do not even need to venture into the computer underground to download these tools – most are easily available from reputable security consultancies such as @stake (recently bought by Symantec) and Foundstone (acquired by McAfee), and come with their own ‘Help’ files.

This, of course, is to help ‘ethical hackers’ – although there is considerable crossover potential for ‘script kiddies’. “If you have a vulnerability it will be hacked,” says Murphy. “Scan your systems every couple of months or whenever you have a major change. There’s nobody better to do it than yourself – don’t trust anyone.”  


Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics