AuthorITies: Eye On I.T.

May 12, 1997

The Internet Security Apocalypse Is Coming: Read This Book And Weep

By Jason Levitt

If there's one lesson to be learned from "At Large: The Strange Case Of The World's Biggest Internet Invasion" (Simon & Schuster, to be published in June), the nonfiction computer-security suspense thriller by David H. Freedman and Charles C. Mann, it's that breaking into a LAN of Internet-connected computer systems isn't rocket science. It doesn't take any special training -- just a modem, a computer, and some serious tenacity. Freedman and Mann, both veteran science writers, really bring that point home in their reporting of the true story of the gritty and very unglamorous escapades of one prolific system cracker that the FBI caught but never prosecuted.

The reasons why the FBI decided not to prosecute the cracker, along with the lessons learned by the various victims of the cracker's exploits, are the reasons why every IT manager and system administrator should read this book. Readers shouldn't expect to find out anything revolutionary about the world of cracking, though. If nothing else, the authors make it clear that system cracking is rather mundane and does not require extraordinary skills, or even a clear motive. For some reason, it's the perfunctory nature of system cracking that makes the book's plot all the more accessible, and diabolical.

Lessons Learned
In the book's epilogue, Freedman and Mann forecast a bleak future for security of the Internet. Given the current state of things, it's easy to see why. The security apocalypse is coming to your desktop soon. It's just a matter of time before some huge break-ins or system failures occur that affect a lot of people directly. When that happens, you'll hear about it. There are reasons why the apocalypse is inevitable, some of which are alluded to in the book:

  • System cracking isn't that hard. You heard correctly. It used to be a sinister cult of shadowy figures whose tools were difficult to find and even harder to use. But these days, you can just put the word "hacking" into your favorite search engine and up pop numerous archives filled with easy-to-use cracking tools and tips. [Note: I prefer the word "cracker," as in "system cracker," to refer to people who break into computer systems. "Hacker" is usually used, in a good sense, to refer to skilled programmers, though it is also commonly used as a synonym for "cracker."]

  • Lots of sites are vulnerable. Despite the fact that many of today's biggest security holes are well understood, lots of sites either haven't bothered to patch them or don't care. Dan Farmer's security survey makes this abundantly clear.

  • Promiscuous technologies are easier to use and abuse. If you're thinking ActiveX controls and Java applets, you're on the right track. Digital-certificate and signature technology may help keep some rogue downloadables at bay, but if all it takes is a user clicking on an "OK" button to cause an ActiveX control to download and execute, it's just a matter of time before security is compromised. Remember, an ActiveX control can do anything. It's not constrained by the Java Virtual Machine's security sandbox.

Tips And Strategies
The best defense is a strong offense. The security apocalypse is inevitable, but you don't have to sit around idly and wait for it to happen. Internet-connected sites can do a lot to prevent system crackers from gaining easy access. Here are some tips:

  • Always load the latest security patches available from your operating system vendor. This is especially crucial for Unix-based systems, which are well understood and are easy targets when their services are left unprotected or unpatched. However, even relatively closed systems such as Microsoft's Windows NT Server have been the target of system crackers and the trend will likely continue as it gains in popularity.

  • Keep abreast of the latest publicized security holes. The SANS Network Security Digest is a good place to start. All of the break-in techniques used by the book's system crackers are well-known today and they typically revolve around variants of Unix: exploiting security holes in sendmail, copying .rhosts files, installing Trojan horses and packet sniffers, and guessing user passwords. Most of these cracking techniques can be circumvented by installing security patches or by running the latest version of your operating system.

  • Attack your system. Programs such as Dan Farmer and Wietse Venema's SATAN (Security Administrator Tool for Analyzing Networks) can be used to probe your network for vulnerabilities. If you don't use it, chances are someone else will.

  • Use tools to test your systems. The U.S. Department of Energy's CIAC (Computer Incident Advisory Capability) site contains numerous tools that can help you analyze and test your security. Most of the tools are oriented toward Unix systems, which still provide the majority of Internet services. As "At Large" points out so well, the presence of an omnipotent root or superuser account, along with the availability of Unix source code and documents detailing Unix internals, make the operating system a playground for system crackers.

  • Read good books. Simson Garfinkel and Gene Spafford's "Practical Unix & Internet Security," 2nd edition, is an excellent primer and a must-read for system administrators.

Looking Ahead
Freedman and Mann's book is not so much a wake-up call as it is a fascinating reminder of what we already know from the past 10 years of Internet connectivity -- that our standards-based Internet is both wonderful and extremely vulnerable.

It is also vast and complex. In such a system, security problems are inevitable. Even if you are the most uptight and anal-retentive system administrator who ever lived, you can't trust your users to follow all the rules, and, even if they did follow all the rules, new operating system security holes are being found all the time for crackers to exploit. Still, careful system administration procedures, coupled with judicious use of firewalls and other security products, can certainly help level the playing field by keeping out less-sophisticated, or less-motivated, system crackers.

The events chronicled in the book take place mostly during the critical years of 1990-1994, when the Internet really started to gel and people became more concerned with the handling of network security. Security information is much easier to obtain today, even if actual security isn't much better overall. Today, we know, the apocalypse is inevitable.

"At Large: The Strange Case Of The World's Biggest Internet Invasion," by David H. Freedman and Charles C. Mann, will be published by Simon & Schuster in mid-June.
