Reproduction permitted for personal use only. For reprints and reprint permission, contact firstname.lastname@example.org.
If you had blinked, you would have missed two security experts demonstrating how easy it is to hack into a Web server last Wednesday.
Dane Deutsch and Pete Adams, who head up Wisconsin-based security firm DCS Netlink
, used a simple tool to gain complete control of a file server they set up at the University of Wisconsin-Madison E-Business Institutes conference at the Monona Terrace, without leaving a trace except, of course, for defacing the fictional ACME Colas Web site with their Bobby Blackhat logo.
You wouldnt know it necessarily unless you had something to tell you that something had changed, said Deutsch, Netlinks CEO and a retired U.S. Air Force captain.
Adams, who got his start in security through the U.S. Armys intelligence branch, is the companys CIO. He showed an audience how easy it is to use readily available tools to gain control of home or corporate computers without necessarily knowing how they work.
He first used a Web-based tool that showed him a file transfer server that was running and accepting anonymous logins. One command later a pre-canned hack anyone could use and he had system-level access to the computer.
Adams then took the audience on a whirlwind tour of basic security. Hackers do not always want data or documents, he said, so it may not matter if you have valuable files.
In most cases they could care less whether youre a large corporation or a small business or a home user. They just want your computer, Adams said.
For example, an unsecured computer could be used as the source of more attacks, in order to cover the hackers trail. It could also be used to send spam or viruses through e-mail.
Thats why hackers often randomly scan large numbers of computers across the internet looking for vulnerabilities, Adams said.
He shared a list of Netlinks favorite sources of hacker attacks: the Vatican, the American Cancer Society and the Canadian Department of Defense. One of his companys problems, he said, is not being able to convince such organizations that they have been hacked and their computers are being used for this purpose.
Many of the tools needed are available in forms so simple even kids could use them. Some do security experts and real hackers call them script kiddies, slang for people, stereotypically teens, who cause havoc without understanding how their tools really work.
The tools are becoming much more easly available and easy to use, Adams said.
Usually, these tools exploit vulnerabilities in server or application software. Computers, after all, do only what theyre told you cant break into a computer in the same way you can break into a house. Instead, a computer must be tricked into doing something its creators never intended.
The technique Adams used is called a buffer overflow. Some programs, when fed more data than they can handle, simply break down instead of cutting the connection or ignoring further input.
When that happens, they can allow attackers to run their own programs on the vulnerable computer.
Deutsch and Adams said companies should make security part of their business processes.
People only bring in the security guys after eveyrthing as been ripped apart, a lot of the time, Adams said. The worst security posture in the world is to say I dont know what to do, so Ill do nothing.
Jason Stitt is WTNs associate editor and can be reached at email@example.com