Michael Roman came home from a weekend-long conference one recent Sunday evening and noticed that there were 15 people logged on to the cable modem for his five-node business network. Only one problem: He was working alone at the time. Then he noticed that his own souped-up desktop was crawling along at a snail's pace.
The 41-year-old owner of Inhouse Appraisal Corp. in Toronto had been hacked, and computer users from locations as far away as Denmark were diligently downloading the MP3 music files he stored on his business computer.
In his rush to get away Thursday afternoon, Roman had forgotten to disable his network's Windows File/Print Share services, and Internet bargain hunters were pouring in through his company's always-on cable modem connection. He quickly turned off file sharing, but spent the entire next two days turning away requests (20 to 30 per minute) for access to his machine. He finally had to change his PC's Internet address. "I figure someone had posted my IP address in a newsgroup somewhere as a source for easy-listening rock," reasons Roman.
Welcome to the brave new world of widespread, often random, cyber-attacks. You may not have been singled out from the herd yet. But security experts agree the Internet has become a much more dangerous place to do business during the past year, and there's a lot more danger to come.
Mike Hogan, Entrepreneur's technology editor, can be reached at firstname.lastname@example.org.
Target: You, Me, Everyone
Ron Moritz, senior vice president and chief technical officer at Symantec Corp., tells about a Southern California bank that recently spent 45 days trying to figure out how a blackmailer got into its computer network. Yes, the bank had firewall and antivirus software, but neither was installed on one executive's PC. The hacker had uncovered passwords by using a Trojan horse to record the executive's keystrokes.
This happened to a bank, but did you know that your business, and you personally, can get caught in the crosshairs, too? A couple of data points:
- A June audit of homebased PCs by research firm PC Data found that almost 45 percent of those who log on to the Internet from home still don't use antivirus software.
- IDC estimates that the PCs in nearly 37 million American homes are used for work, ranging from telecommuting and after-hours catching up to running homebased businesses.
Does that work stay at home? No, it's almost always destined for an office PC via a floppy, portable, e-mail or dial-up connection. It doesn't matter to a hacker whether the entry point is the company network, home-office PC or laptop you carry around. And get ready for infiltrations through your PDA, cell phone and interactive TV.
When you think about it, hacking isn't really an attack on computers, but rather on the inattentiveness of the people who use them. We use computing devices everywhere, and they're mostly unprotected, even when they have protective software installed.
For example, the LoveBug virus that hit in May 2000 wasn't that technologically sophisticated, says Michael Erbschloe, vice president of research firm Computer Economics, but it caused almost $7 billion worth of damage to corporate networks in its first five days in the wild. It slid right through company firewalls and simply outran antivirus fixes by leapfrogging across an estimated 55 million computers worldwide in the first 24 hours. How? It seems we humans just can't resist opening an e-mail whose subject line reads "ILOVEYOU."
The Symantec Antivirus Research Center has counted some 48,000 viruses, worms, Trojan horses and other forms of malicious code floating around out there, and the number is increasing by about 1,000 each month. Erbschloe estimates cyberattacks cost companies about $17 billion in ruined PCs and lost productivity in 2000. But that's just a down payment.
Viruses are spawning still other forms of electronic chaos. Hacking has become so widespread, so romanticized and so easy that it no longer requires programming skills or even much time, says security consultant Jim Weaver, owner of Cyber Resources in Crestview, Florida. Hacking technology now includes field-tested and quasi-automated tools for random acts of sabotage. They can be quickly found on the Web with any search engine, downloaded and wielded by anyone who can use their point-and-click interfaces.
There are still plenty of "über hackers" out there, says Weaver: bright, young programmers looking for a challenge or to find out "how things work." There also are "crackers," skilled people who just want to mess things up. But most hacks come from the half-willing and often unwitting wannabes the hacker elite get to do their heavy lifting.
The serious hackers make the tools available for the disgruntled or just plain venal and package them in that "screw the establishment" ethic that has proved so appealing to not-yet-enfranchised young people for the past several decades. One of the enduring axioms of the Internet is that everything on it should be free, and the fact that any of it has become commercial really rankles some hackers, notes Weaver.
Roman speculates that the people who hacked his MP3 files probably thought they were raiding a corporate Web site, which, of course, is OK under the anything-goes hacker's code.
Hacking is fast becoming the background noise of the Net, and hackers don't aim that carefully. Most victims aren't actually selected, but rather stumbled upon using simple port scanning software that quickly probes a succession of IP addresses for open ports. This is the hack du jour, thanks to the always-on nature of cable and DSL modems in homes. And don't think your intranets, extranets or virtual private networks at work are any more secure. "These things are so easy to [hack] into," says Erbschloe. "There are half a dozen ways." If entry is possible, a more experienced hacker may try to install a program. Popular ones include the Hack "A" Tack Trojan horse, Back Orifice, Brown Orifice and the Qaz worm.
Each of these miniprograms has its own bag of tricks. The harvesting of passwords, financial data and identity information is one possibility. Once infected, a machine can even be turned into a zombie and launched with thousands of others in Denial of Service (DoS) attacks against popular Web sites like Yahoo! and eBay. "The real attacker can sit back and watch the show, because the victims are going to be blamed," says Troy Billington, a network security consultant for Internet service provider KCL.net in Miami.
Über hackers harvest addresses of victims and potential accomplices from Usenet newsgroup postings. They also befriend chat room participants and persuade them to download bugs that are supposed to be something else: MP3 music, porn or PC utilities, says Billington, who operates a popular chat room as well as the DoSHelp.com Web site for DoS victims. And, of course, hacker wannabes who download hacking tools are ready-made patsies.
Easy To Use/Easy To Crack
One big advantage the hacking community enjoys, agree experts, is the uniformity of today's computers, thanks to Microsoft's various monopolies. This uniformity makes PCs easy to learn, but also gives the average hacker a pretty good idea of how the computers of complete strangers are configured.
Do you keep your files in the My Documents folder? Do you accept the default C:\Programs directory for all your program installations? And who doesn't accept the default operating system directory as C:\Windows?
A big weak spot: the default settings for the Windows network file and print sharing utility. According to authorized scans of PCs conducted by Symantec, the ports on four out of 10 PCs have the same share vulnerability that opened up Roman's network. Says Erbschloe, "The very things that make computing easy and enjoyable make PCs vulnerable."
Every personal and business computer is a potential target of opportunity for fired or disgruntled employees, competitors or just ill-intentioned Internet passersby who spot an open TCP/IP port and decide to investigate. Most business Web sites lack redundancy, and a rather limited DoS attack could bring them down, maybe during the holiday sales season, adds Erbschloe.
"Corporate espionage is not limited to large organizations, and law enforcement is a very difficult call," warns Moritz. "In almost all cases, this traffic has passed through several states."
What does the future hold? A lot more of the same. Expect viruses to attack your cell phone via the Small Messaging Service and to have political groups launch "legitimate" DoS attacks by having members simultaneously request the same GIF file off a Web site.
Password protection of your files and Web site? The experts use the word "lame" in describing these measures. In fact, because a large number of hackers often team up on encryption cracking projects, experts aren't even that confident about the 128-bit Secure Socket Layer encryption on which so much e-commerce relies. Says Billington, "To be perfectly honest, security and encryption are best-effort technologies."
What can you do to protect yourself? Don't be an easy target. Use constantly updated antivirus and firewall software and follow practices that reduce your exposure (see "10 Ways To Protect Yourself"). It can't guarantee safety, say the experts, but it helps. And always know that while you're on the Internet, there's the chance you'll be one of the lucky few to discover the next big hacking innovation.
As Billington puts it: "When you're on, you're open."
10 Ways To Protect Yourself
1. Install and regularly update antivirus and firewall software.
Popular Antivirus and Firewall Programs
BlackICE Defender: NetworkICE; $39.95 (all prices street) with free updates for one year, $19.95 per year thereafter; www.networkice.com. Prized for silent intrusion detection system and firewall capabilities.