Greg Thatcher works in security–computer security. His specialty is helping small- and medium-sized businesses cope with hackers. The San Francisco-based Thatcher usually gets called in by a company after it has been attacked. He has several applications, at www.lokbox.net, designed to help businesses lock down computers and find their vulnerabilities to ward off hackers. At any given moment, Thatcher, 40, is working with five companies fighting prolonged, active security risks, and for the last 15 years he has been on the front line of the battle against this shadowy underworld. I recently asked him about practical issues advisors need to know about how to defend against computer security risks.
What’s the most important thing someone running a small financial advisory business can do to control security problems? Get Windows machines to go to windowsupdate.microsoft.com at least once a month. My guess is that 80% of small businesses do not do this.
That doesn’t sound like such an important thing. Microsoft releases patches to fix security problems. Hackers know that most people won’t install the patches. So they target computers that don’t have them.
If I use Outlook, for example, how does this affect me? A hacker could send you an e-mail message coded to exploit a security flaw. Ironically, the hole may already have been patched by Microsoft, and the hacker may in fact have learned of the flaw only after Microsoft patched it. If your computer is not patched, however, programming code embedded in the HTML of the e-mail message can make Outlook crash. The crash is usually triggered by making your computer misuse its memory–that’s called a buffer overflow attack. At the instant your machine is crashing–just a millisecond or two–you are vulnerable and a Trojan program can be inserted on your computer, allowing the hacker to come back and commandeer your computer whenever he wants.
Doesn’t the e-mail message with a Trojan horse have to contain an executable file before it can crash my machine? No. It could come through as a garbled HTML message, for example. The hacker e-mail message may only contain a small program that knows how to download other, bigger, malicious programs on your hard disk. The hacker could send you a message designed to exploit a mistake in Outlook. If a hacker figures out that Microsoft designed Outlook to not handle messages larger than 100 megabytes, for instance, a hacker would send a 101-megabyte message. When hackers learn that Microsoft made an assumption like that, they exploit it to make an application crash. When you are running a program and suddenly get an error message and the program shuts down, that’s typically a buffer overflow error. When hackers know how to induce an error, your computer is vulnerable. In the instant before the Microsoft error message pops up, a hacker can export instructions to your computer. Popular viruses like Code Red and Nimda exploit buffer overflows through e-mail. Hackers now are trying to induce crashes when you go to a Web page. This is something that you hear talk about but has not been done very effectively yet.
Windows Update can prevent these problems? Yes, but Windows updates are a double-edged sword. On the one hand, the patches protect you. But on the other, hackers know what vulnerabilities to exploit whenever Microsoft posts a security update. What’s obvious is that after Microsoft announces a security flaw, people who don’t load the update are at greater risk.
Who is trying to break into computers? Ten or twenty years ago, they were bored programmers in Eastern Europe, especially Bulgaria. To prove their programming prowess, they’d write a virus kit. A virus kit makes it easy for other hackers to write viruses. They did this basically to impress each other because they couldn’t make money after the fall of communism. One super programmer would write a virus kit and then a bunch of lower-level techies would run the kit to release the viruses into the wild. This is how the virus phenomenon started 15 years ago or so, and it spread over bulletin boards. Back then, when the Internet was truly in its infancy, there was a big danger in putting an infected floppy disk in your computer because it would boot up and copy the virus to your machine’s hard drive.
These hackers have a grown into a loose underworld today. Right? If you want to learn what the hacker underworld is, a good magazine to get is 2600. It’s in most bookstores. Some hackers are just plain criminals, but most believe they are helping society. They see probing machines for weaknesses as helping to make the world safer, as giving the world a wakeup call. They don’t see it as damaging a small company and wasting people’s time and money. There is also a political underpinning to some of this activity. These people may feel the biggest danger to society is unrestrained corporations, or they believe all software should be free, or that companies should not control the source code in software. These are a global fringe movements.
At any given time, it is hard to know who is breaking into you. Mostly, it is kids in their teens or 20s, often from countries like Korea, Germany, or China, with time on their hands. Hacking is a time-consuming pursuit. They are often unemployed or underemployed computer workers. It’s also people who have access to computers at work but don’t have a great deal of responsibility, or who are disgruntled in some way.
Isn’t the big fear the terrorist threat? Except for a few nuclear power plants, there isn’t a great terrorist danger in my opinion. I’m not saying it’s a good idea for a nuclear power plant to have an Internet connection, and there is some risk for hospitals. Financial institutions, the banking and brokerage systems, however, have so many backup systems. Taking the financial services industry down for a day or even for a few hours would be difficult. At worst, it would cause disruption and a cost of millions or hundreds of millions. But it would be extremely difficult for terrorists to take lives in an attack over the Web.
Many advisory firms are adopting wireless technology because it allows employees to use their laptops anywhere in the office. Any special risks there? Unfortunately, almost all of the out-of-the-box installations of a wireless access point (WAP) can be hacked. Many incorrectly configured WAPS can be broken into in minutes. WAPs should only be installed by qualified IT professionals and always in conjunction with a secure VPN (virtual private network). Hackers drive around in cars in big cities with laptops with WiFi cards looking for wireless signals coming from office buildings. They often mark these areas with chalk on a sidewalk. Manhattan is renowned as a target for “War Driving.”
Financial advisors have network servers connected to the Internet or run peer-to-peer networks hooked to the internet. What are the dangers they face? Hackers want to gain a sustained access to a machine, and yet hide their tracks. After they break into a machine, they want to be able to get in it again easily. As silly as it may sound, two hackers might be fighting each other and just commandeer your computer to do it. That’s a very common security problem.
That sounds almost like the rapper wars from 10 years ago, when East Coast rappers were shooting at West Coast rappers. It is like that. Often, hackers get into fights in chat rooms. They use Internet Relay Channel or other old chat channels that most people using the Internet today probably don’t even know about. It’s common for a dispute to break out over who controls a particular channel or for someone to get banned from going to a channel and then seek revenge. If it’s a kid at home on a 56K modem connection, it’s hard for him to launch a big attack. So his first goal is to commandeer other people’s computers to aid him in an attack.
That’s when we get hacked? Exactly. The hacker breaks into your machine and uses it to bombard an enemy and make his computer or server crash. They do this with 10 or 20 or even hundreds of other computers belonging to people who have nothing to do with the argument. This happens all the time. They send you an e-mail that causes your computer to crash in a small way and then installs a program on your computer that lets them come back whenever they want. The programs that do this are called Trojan horses, with the best known being Nimda and Code Red. A Trojan is designed to make hundreds of thousands of machines available to a hacker at any time. It’s called a Trojan because it pretends to be an e-mail but becomes an attack vehicle. When it’s released into the wild by being e-mailed to 100,000 machines, a Trojan typically pretends to be a “GIF” picture file or an HTML e-mail message. It’s also a worm virus, so each machine it infects tries to infect another machine. That makes it harder to track where it originated. When a computer is infected, it sends back the hacker notification saying, “I’m broken into and you can use me now.” The Trojan lets the hacker set up software to come in through the back door any time.
A back door? It’s basically like having PCAnywhere or GoToMyPC.com or any other program to remotely access a computer. The hacker can come in and use your computer as if he is at your console himself. You may not even notice his programs on your hard drive because they’re buried in a Windows subdirectory. And, if you are Windows 2000 or XP, how often do you check what account names you have set up on your computer? Which brings us to the next security flaw that these hackers will typically try to exploit: You might not be aware of this, but almost anyone may be able to log onto your computer as Administrator, and then he might be able to explore your entire network.