Chris Blanc: Play and Projects: Blog

Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle’s database.

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: “There are approximately 368,000 Microsoft SQl Servers… and about 124,000 Oracle database servers directly accessible on the Internet,” he wrote in his report, due to be made public next week. ^{^}

In Hollywood, hackers are people motivated by profit to ensnare others through ninja kung-fu style computer trickery that involves lots of fast and furious typing, as if it were military hardware in use through a virtual space that resembles the organic symbolic chaos of a dream more than the related structures of a machine. The machine may appear as chaos to us, but what defines a hacker is being able to decipher that chaos and so manipulate mechanisms behind the scene where others cannot see. It is as if life is a giant stage-piece, and the rest of us are crawling around on the painted skin, but a hacker can get inside and twist the wicker skeleton to create “magic” the rest of us can barely understand.

The movie vision as often differs from what you’ll find in your life. Real hacking will probably never sell books or movies, because it’s much more studious and also more boring than that view. Hacking is understanding the machine, and how it functions, entirely independent from what it looks like it is doing. Magicians are visual illusion hackers. Cooks are kitchen chemistry hackers. Psychologists are brain structure hackers. Martial artists are kinetic simian motion hackers. Artists are emotional symbolism hackers.

When the media says hackers, they mean black hat hackers with financial motivation, which usually means other roving digital criminals or no questions asked code warriors for hire.

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0′ as passwords on them.^{^}

After having seen computer crime up close, and investigated instances of it that came out of the blue as far as the users were concerned, I have a different view of this situation than most. I don’t believe black hat hackers are illegal. Like spammers, they are people who choose to live outside of normal life, and they are looking for easy opportunities in almost all cases.

The exceptions are the rare hacks where a specific target is the reason for hire, and the hacker isn’t a free agent as much as a black economy contractor, sort of a digital Blackwater.

Spammers make their money by mailing ten million people with penis enlargement scams so that ten guys in Los Angeles write back with stubby sweaty fingers and get their oblong placebos. Hackers make money by prowlin for information people want, which is either monetary information or information that can be monetized like corporate and government secrets.

This means that as long as targets are plentiful, you can harden your business enough to make it a second-tier target, and escape the worst of the mess. This is one fundamental rule of security I have always tried to impart. There is a pyramid of opportunism, with the guys at top having the fewest hacks because they’ve made it the hardest, and the guys at bottom getting hacked frequently because they do what everyone else does, which is mediocre.

Seventy-five per cent of companies listed human error as the leading cause of security failures such as breakdowns and systems outages. Forty-eight per cent also cited operations and technology lapses as key causes of security failures. Problems resulting from third parties such as contractors and business partners, meanwhile, received 28 per cent of the votes as a root cause of security failures.

Misbehaving employees also figure prominently in IT fears: Ninety-one percent of respondents say the risk of employee misconduct related to information systems worries them. ^{^}

While there are security experts who will tell you to always update your patches and run a firewall, I think security advice is like dieting: you can’t escape the basics. These are:

Reduce. Remove extra services, sequester networks into subnets, remove machines and dead accounts, give out few real privileges because the user doesn’t need them.

Obscure. You don’t want to publish any information that can help an attacker, so be purposefully vague about your facilities and procedures in public information.

Verify. Verify people, not roles. Make sure your employees know who is on the other end of the phone, and that it’s always OK to take a few minutes to figure out who it is and whether they really should have this information.

Harden. Make your systems overkill to prevent brute-forcing, ensure that your software can handle sudden loads, and put in steel doors of virtual and physical types.

Refresh. If passwords haven’t changed in a while, now is a good time. If you haven’t prowled the network looking for little changes that could have a big impact, start now. Consider regular fuzz testing of your software, unleashing nmap and other tools on your network, just to see how inviting you look to a hacker looking for the easy score.

Interface. Most hacks happen with the help of the “human layer.” Educate your employees. Design your security procedures so they don’t encourage manic writing of passwords on sticky notes in publically viewable areas. Give your users a break, simplify their procedures, and they’ll follow them more, even if they’re not as secure as possible.

I know this list isn’t what you get from other sources. They will tell you technological ways to make your company 100% safe, but those ways rely on software and hardware to have no active exploits, which is never the case. Expect parts of your security to fail. If you have a generally healthy policy, and people who are aware of the importance of security, you’ll be better off than trying to build a bulletproof fortress.

This entry was posted on Monday, January 7th, 2008 at 12:17 pm and is filed under Computer Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.