In February, an unknown hacker typed in a command that caused a harem of slave computers called zombies to begin what is known as a distributed denial of service (DDoS) attack. Their target was giant portal site Yahoo!. The secret army of computers flooded Yahoo! servers with repeated requests for data, keeping almost all legitimate visitors from reaching the site for three hours. In the days that followed, copycat hackers had their way with some of the biggest and busiest e-commerce and portal sites on the Internet. Microsoft, eBay, and Buy.com were just a few of the Goliaths knocked down, allegedly by the likes of a few David-sized teen hackers.
Though one arrest has been made (a 15-year-old has been charged with disabling Cnn.com), the DDoS attacks are still being seen as "victorious" and hordes of curious techno-wizards are nosing around in cyberspace right now, sniffing out unsecure servers on which to display their criminal prowess. And just in case you were feeling left out, rest assured: The big sites aren't the only ones at risk. Smaller sites may be just as vulnerable to hacking, whether from unknown pranksters, thieves seeking your customer's financial information or saboteurs in search of company secrets. But don't shut down your e-shop yet.
While every computer connected to the Internet is exposed to the prying eyes of the world, there are steps you can take to evaluate and eliminate potential security risks. The first step is to be aware of the ways high-tech criminals attempt to compromise network security. Read on to educate yourself about common hacking methods and how to reduce your risks.
Tina Gasperson writes about technology, business and the Internet. Her articles and columns have been published at Andover.net, Office.com, TechTraveler.com and many other publications. Visit her Web site at www.gasperson.com.
The Trojan Horse
Trojans are evil programs that hackers either secretly install on your system or trick you into installing yourself by disguising them as good programs. These programs enable hackers to access your network remotely, gain complete control and perform any number of dirty deeds, including making your computer into a zombie and using it to perform DDoS attacks.
- Build a firewall. Firewalls control access to your network according to a set of rules you devise, and protect against unauthorized logins and access. Most network software allows you to set up a firewall. According to the Internet Firewall Frequently Asked Questions Web site, for a firewall to work, it must be a part of a consistent organizational security architecture. Simply put, firewalls can't protect against all types of attacks, but they're a good first step.
- Act like a hacker. Self-taught hacker Markus "Fluid" Delves says the best way to protect your server is to try to break into it yourself. "I suggest heading to a site like Church of the Swimming Elephant or Security Focus. They have all sorts of excellent information on how to protect your machine," says Delves, owner of Fluid Enterprises Inc., a network consulting and security firm. "Security Focus has a large database of exploits [scripts that hackers can run on servers]. Test every one of them against your server. If one happens to work, you can find out how to patch the hole. I constantly check here for new holes that could appear on my system."
The Numbers Game
Many hackers simply want access to private information, like databases filled with credit card numbers and sensitive company data. All they have to do is figure out your administrator password. Many times they'll attempt to grab it through "social engineering"-calling or e-mailing you or an employee, claiming to be a technical support person. Then they'll go to work on schmoozing you out of your password. Hackers may also try to "crack" your password, choosing from a variety of password dictionaries, which automatically try thousands of word/letter combinations. Take the following measures to avoid this scam:
- Create and use good passwords. A successfully cracked administrator password gives an intruder virtually unlimited power, so make sure your password is complex. AntiOnline.com, an Internet security journal, recommends you use a combination of upper and lower case letters, numbers and symbols. Don't just spell a word backward or add a couple of numbers to the end of your name. Never use a password that can be found in a dictionary of any language. Create a unique password for every instance where one is required, and change your passwords periodically.
- Separate customer data. "The safest thing to do is have a Web server that's totally separate [from confidential information]," says Erik B. Sherman, networking expert and author of Home Networking! I Didn't Know You Could Do That (Sybex, $19.99) Transfer credit card and other personal data to a stand-alone computer each day, erasing the sensitive information from the server.
- Never tell. Obviously, never divulge your password, ever, no matter who claims to need it.
- Create a company security policy. If you have employees or contractors with access to the network, outline procedures for password safety in a company security policy. Make sure your staff understands how vital password secrecy is to data security, and that you are the only person with whom they should ever share their password.
The Inside Job
The worst threat against your computer files and databases may be an employee or contractor with legitimate access. It's a lot easier for someone on the inside to copy sensitive information to a disk than it is to penetrate a firewall. Use these precautions with everyone from clients and employees to contractors:
- Watch your back. Exercise due caution when allowing employees and contractors access to your network. Pay attention to their actions. Are they copying files to a disk? Having secretive telephone conversations or sending confidential faxes? They may be stealing company information. Don't get paranoid, but don't get lackadaisical either.
- Whom do you trust? Sometimes, it may be a dishonest customer who tries to get the upper hand. "In January of last year, we found our server was hanging unexpectedly," says Dan Arndt, sales director and VPO for Rockliffe Systems Inc., an Internet-based e-mail software developing company that recently moved out of founder John Davies' home to new headquarters in San Jose, California. "We learned that certain hacking attempts on Microsoft servers could cause this. We upgraded the server but couldn't determine the types of attacks and where they were coming from. [Later,] we got involved with the beta testing of a product called BlackICE."
Greg Gilliom, president and CEO of NetworkICE, the company that created BlackICE, says of the software, "If you have any valuable information on your server and someone tries to break in and get it, you'll know about it and BlackICE blocks the attempt." The program runs in the background, logging intrusion attempts along with identification information, while providing a customizable firewall for sites that allow database information retrieval by site visitors. By setting the software to a "paranoid" access level, for instance, all attempts to access the server that don't fit into a pre-determined range are rejected. This allows your customers to spend money freely but keeps nosey crooks out.
After Rockliffe began running the product on its server, the hacker made another attack on the system. This time, the company was able to track the identity of the hacker, contact his Internet service provider and have his account closed. Probably the work of a stranger, right? Not according to Rockliffe owner John Davies. "We linked the hacker's domain name to his customer record in our database. I guess he really liked our software. He was trying to see if he could find any license keys."
Asking The Experts
Once you've learned to think like a hacker, consider enlisting the services of an expert. "Security can get so complex so quickly, that even major corporations will hire security experts. Chances are, unless you're an expert in the area, you're not going to know enough," Sherman says. IBM Global Services provides "Ethical Hacking," an alternative to hiring a full-time security guru. For between $15,000 and $40,000, a team of expert hackers performs a thorough review of your overall network design. Then they'll attempt to gain unauthorized access to your server and you'll get a complete report, along with recommendations for immediate and long-term security improvements.
What can you do if your budget isn't big enough to hire a team of white-hatted hackers or a security genius? Move the whole thing offsite, like Rockliffe Software did shortly after the hacking incident. "Running a server locally can be problematic, especially if your Internet connection goes down. To be honest, I wouldn't recommend it to anybody," Davies says.
"People who have servers in their homes have a lot of challenges because they have to manage the software and the traffic and they have to be on call 24 hours a day," says Laura Zung, vice president of product management for Verio Inc., a Web hosting company that offers secure e-commerce packages with built-in encryption. "The very best option for homebased entrepreneurs is a hosting account and e-commerce software. It gives the best price performance and is very secure." With equipment in your home, you're responsible for your customers' security. If you sign up for a remotely hosted Web site, then the ball is in the provider's court. A Web host also absorbs most of the overhead and setup costs, creating an inexpensive, virtually hack-free solution.
Whether you keep your server at home or farm it out to a Web host, you can insure yourself against electronic attacks. INSUREtrust.com offers policies that cover breach of computer security, computer theft, damage to data and software, and loss of business income due to illegitimate use or a denial of service attack. Marsh Inc. provides a "Net Secure" policy that covers security breaches, information theft and denial of service attacks.