Greg Thatcher works in security–computer security. His specialty is helping small- and medium-sized businesses cope with hackers. The San Francisco-based Thatcher usually gets called in by a company after it has been attacked. He has several applications, at www.lokbox.net, designed to help businesses lock down computers and find their vulnerabilities to ward off hackers. At any given moment, Thatcher, 40, is working with five companies fighting prolonged, active security risks, and for the last 15 years he has been on the front line of the battle against this shadowy underworld. I recently asked him about practical issues advisors need to know about how to defend against computer security risks.
What’s the most important thing someone running a small financial advisory business can do to control security problems? Get Windows machines to go to windowsupdate.microsoft.com at least once a month. My guess is that 80% of small businesses do not do this.
That doesn’t sound like such an important thing. Microsoft releases patches to fix security problems. Hackers know that most people won’t install the patches. So they target computers that don’t have them.
If I use Outlook, for example, how does this affect me? A hacker could send you an e-mail message coded to exploit a security flaw. Ironically, the hole may already have been patched by Microsoft, and the hacker may in fact have learned of the flaw only after Microsoft patched it. If your computer is not patched, however, programming code embedded in the HTML of the e-mail message can make Outlook crash. The crash is usually triggered by making your computer misuse its memory–that’s called a buffer overflow attack. At the instant your machine is crashing–just a millisecond or two–you are vulnerable and a Trojan program can be inserted on your computer, allowing the hacker to come back and commandeer your computer whenever he wants.
Doesn’t the e-mail message with a Trojan horse have to contain an executable file before it can crash my machine? No. It could come through as a garbled HTML message, for example. The hacker e-mail message may only contain a small program that knows how to download other, bigger, malicious programs onto your hard disk. The hacker could send you a message designed to exploit a mistake in Outlook. If a hacker figures out that Microsoft designed Outlook to not handle messages larger than 100 megabytes, for instance, a hacker would send a 101-megabyte message. When hackers learn that Microsoft made an assumption like that, they exploit it to make an application crash. When you are running a program and suddenly get an error message and the program shuts down, that’s typically a buffer overflow error. When hackers know how to induce an error, your computer is vulnerable. In the instant before the Microsoft error message pops up, a hacker can export instructions to your computer. Popular viruses like Code Red and Nimda exploit buffer overflows through e-mail. Hackers now are trying to induce crashes when you go to a Web page. This is something you hear talk about, but it has not been done very effectively yet.
Windows Update can prevent these problems? Yes, but Windows updates are a double-edged sword. On the one hand, the patches protect you. But on the other, hackers know what vulnerabilities to exploit whenever Microsoft posts a security update. What’s obvious is that after Microsoft announces a security flaw, people who don’t load the update are at greater risk.
Who is trying to break into computers? Ten or twenty years ago, they were bored programmers in Eastern Europe, especially Bulgaria. To prove their programming prowess, they’d write a virus kit. A virus kit makes it easy for other hackers to write viruses. They did this basically to impress each other because they couldn’t make money after the fall of communism. One super programmer would write a virus kit and then a bunch of lower-level techies would run the kit to release the viruses into the wild. This is how the virus phenomenon started 15 years ago or so, and it spread over bulletin boards. Back then, when the Internet was truly in its infancy, there was a big danger in putting an infected floppy disk in your computer because it would boot up and copy the virus to your machine’s hard drive.
These hackers have grown into a loose underworld today. Right? If you want to learn what the hacker underworld is, a good magazine to get is 2600. It’s in most bookstores. Some hackers are just plain criminals, but most believe they are helping society. They see probing machines for weaknesses as helping to make the world safer, as giving the world a wakeup call. They don’t see it as damaging a small company and wasting people’s time and money. There is also a political underpinning to some of this activity. These people may feel the biggest danger to society is unrestrained corporations, or they believe all software should be free, or that companies should not control the source code in software. These are global fringe movements.
At any given time, it is hard to know who is breaking into you. Mostly, it is kids in their teens or 20s, often from countries like Korea, Germany, or China, with time on their hands. Hacking is a time-consuming pursuit. They are often unemployed or underemployed computer workers. It’s also people who have access to computers at work but don’t have a great deal of responsibility, or who are disgruntled in some way.
Isn’t the big fear the terrorist threat? Except for a few nuclear power plants, there isn’t a great terrorist danger in my opinion. I’m not saying it’s a good idea for a nuclear power plant to have an Internet connection, and there is some risk for hospitals. Financial institutions, the banking and brokerage systems, however, have so many backup systems. Taking the financial services industry down for a day or even for a few hours would be difficult. At worst, it would cause disruption and a cost of millions or hundreds of millions. But it would be extremely difficult for terrorists to take lives in an attack over the Web.
Many advisory firms are adopting wireless technology because it allows employees to use their laptops anywhere in the office. Any special risks there? Unfortunately, almost all of the out-of-the-box installations of a wireless access point (WAP) can be hacked. Many incorrectly configured WAPs can be broken into in minutes. WAPs should only be installed by qualified IT professionals and always in conjunction with a secure VPN (virtual private network). Hackers drive around in cars in big cities with laptops with WiFi cards looking for wireless signals coming from office buildings. They often mark these areas with chalk on a sidewalk. Manhattan is renowned as a target for “War Driving.”
Financial advisors have network servers connected to the Internet or run peer-to-peer networks hooked to the Internet. What are the dangers they face? Hackers want to gain sustained access to a machine, and yet hide their tracks. After they break into a machine, they want to be able to get in it again easily. As silly as it may sound, two hackers might be fighting each other and just commandeer your computer to do it. That’s a very common security problem.
That sounds almost like the rapper wars from 10 years ago, when East Coast rappers were shooting at West Coast rappers. It is like that. Often, hackers get into fights in chat rooms. They use Internet Relay Channel or other old chat channels that most people using the Internet today probably don’t even know about. It’s common for a dispute to break out over who controls a particular channel or for someone to get banned from going to a channel and then seek revenge. If it’s a kid at home on a 56K modem connection, it’s hard for him to launch a big attack. So his first goal is to commandeer other people’s computers to aid him in an attack.
That’s when we get hacked? Exactly. The hacker breaks into your machine and uses it to bombard an enemy and make his computer or server crash. They do this with 10 or 20 or even hundreds of other computers belonging to people who have nothing to do with the argument. This happens all the time. They send you an e-mail that causes your computer to crash in a small way and then installs a program on your computer that lets them come back whenever they want. The programs that do this are called Trojan horses, with the best known being Nimda and Code Red. A Trojan is designed to make hundreds of thousands of machines available to a hacker at any time. It’s called a Trojan because it pretends to be an e-mail but becomes an attack vehicle. When it’s released into the wild by being e-mailed to 100,000 machines, a Trojan typically pretends to be a “GIF” picture file or an HTML e-mail message. It’s also a worm virus, so each machine it infects tries to infect another machine. That makes it harder to track where it originated. When a computer is infected, it sends back the hacker notification saying, “I’m broken into and you can use me now.” The Trojan lets the hacker set up software to come in through the back door any time.
A back door? It’s basically like having PCAnywhere or GoToMyPC.com or any other program to remotely access a computer. The hacker can come in and use your computer as if he is at your console himself. You may not even notice his programs on your hard drive because they’re buried in a Windows subdirectory. And, if you are on Windows 2000 or XP, how often do you check what account names you have set up on your computer? Which brings us to the next security flaw that these hackers will typically try to exploit: You might not be aware of this, but almost anyone may be able to log onto your computer as Administrator, and then he might be able to explore your entire network.
So this would be the hacker’s next step? Yes, this could be the second stage of an attack when someone starts prowling around your network. When you install Windows 95 and 98, it automatically inserts an account name called Administrator. That’s the default (Windows 2000 stopped doing that). A lot of people use the Administrator account name and leave the password blank. This is pretty common human behavior. As a result, someone could try to break into your network using the Administrator user name and leaving the password blank. Another problem is when you leave both the user name and password blank on a computer. This is called a “null session.” Microsoft allowed you to run a null session to let Windows machines “talk” to each other without authentication. This was designed before people worried much about security. Later, hackers learned they could exploit this. Someone could easily do that and log into your computer. If you’re using Windows 95 or 98, you may be open to blank password risks. Even three years ago, the 1999 version of Windows NT contained this risk.
Well, my guess is that most advisors don’t have too many computers on their network that are more than three years old. Yeah, but a lot of firms probably have one or two older machines on their network, and that is all it takes. If you have one old machine on your network, your security decreases to the lowest common denominator, and your entire network’s security is as weak as your weakest link. Hackers can target that one old machine and use that as the gateway. For example, the hacker can run several programs that check whether any computer on your network allows null sessions–the log-in method, used by older Windows machines, that uses a blank username and password. Then, any time he wants to get into your network, he can come through that machine. Also, getting older machines to operate your network’s printers or see files on other computers or servers on your network can be tricky. It’s complicated even for a seasoned network administrator to do with proper security settings. So many firms take shortcuts. They may set up a network with a new Windows Server 2003 operating system and have just one computer using Windows NT or Windows 98. As a result, they may run the Windows 2003 machine in what’s known as compatibility mode, which makes it easy to set it up so that the old machine on the network can see the new one and vice versa.
So what happens once they are in your network? It depends. If it is one hacker fighting another, they will use your machine to flex their muscles while hiding their tracks behind your machine. They might then deface the enemy’s Web site or create a “denial of service” attack where they try to overwhelm the enemy’s Internet pipe with so much traffic that nothing else can get through. Using 10 other machines fills the enemy’s pipe with 10 times as much traffic, maybe sending a “ping flood” to the enemy’s machine with just a bunch of simple little Internet packets.
Won’t a firewall protect you from this kind of stuff? A firewall is necessary but insufficient on its own. If you are a bank and you want security, putting a minimum-wage security guard at the front door is a good idea, but you also need cameras, a good safe, and other measures. If your IT person says you’re safe because of the firewall, then I can pretty much guarantee you are not. A firewall is like a traffic cop that checks everyone’s ticket coming in. The firewall can say that anyone sending e-mail to the network from the Internet is okay, but that nobody from outside can read documents on your network. But think of it as a minimum wage security guard. It is not very smart.
So what do I need beyond a firewall? Like I mentioned, you should use Windows Update at least once a month, and as soon as you bring a new machine into your office. Any machine with an operating system prior to Windows 2000 is vulnerable to a wide range of attacks. But apart from that, the best thing you can do is have procedures in place for making changes to network settings. You need a policy in place that spells out the steps that must take place and approvals that must be obtained whenever you must reconfigure your e-mail server or firewall or change passwords on the network, or set up a WiFi device. Changes to these settings should only be allowed with approval from your IT security chief. You need to review security settings every two or three months to make sure everything is set up the way it was previously. Companies also become vulnerable by making quick changes on their network. Typically, an IT person is handling stressed-out people who need their computers to work, and it is easy to make a mistake in a pinch. Quick-fix settings are often done incorrectly. Another weakness you need to be aware of occurs when you allow staff to use laptops at remote sites and then bring them back into the office. It’s easy then to make mistakes that will allow a hacker to get in easily.
A particular threat to financial advisor networks would be crooks seeking to steal clients’ identities. Any tips to avoid that? A criminal will want to steal the identity info for your customers. A policy should be set in place to shred all documents related to customer accounts, addresses, and any IT documents that include passwords. This prevents “Dumpster divers” from finding these documents in your garbage. Security guards and receptionists should be made aware of policies regarding sensitive office areas. Many hackers pride themselves on their social engineering skills, fooling security guards and secretaries into giving them information over the phone. For example, a hacker may ask a nighttime security guard to read a phone number of a wall jack (a first step for breaking into a network), or ask them to read a Post-it note pasted onto a computer monitor (for passwords).
Let’s talk about passwords. You want to have at least two passwords. One for information you don’t care about, and another for places where you store personal financial data and credit card account information. Your log-in for your computer is a sensitive password and user identity for you. It is very easy for someone to get your e-mail password, and there is not much you can do about that usually. You may want to use your unimportant password for e-mail. E-mail passwords go across networks in clear text. A hacker can sniff your e-mail password pretty easily as it goes across the network. Anyone on your network in your office can run a “sniffer” program to learn your password. And if you are in a hotel or logging in remotely to your e-mail server in your office, an employee at the desk of the hotel’s network could do it. In fact, even if you do not have a mail server in your office and store your e-mail with your ISP’s server, your password could easily be sniffed. There are probably three or four networks between you and your ISP, and it can be as many as 10 networks, and someone at any of those 10 networks could sniff your password–any bored employee at the ISP or at the networks relaying your password to your ISP’s e-mail server.
Can someone crack my password? There are programs designed to do just that. One of them is called L0phtCrack. It was designed specifically to break into Windows 95 and 98 passwords, and you can use it to sniff a network. That is, watch somebody log onto their machine or their domain controller. You can also steal the file that contains all the passwords on a computer or network server.
Do these programs randomly insert a string of numbers and characters to guess my password? No, that would take too long. They have a dictionary file with words and they run each word. A smart dictionary cracker program will try words in upper case and lower case and in combinations. They make the assumption that everybody is going to use a real word from the dictionary, or a real word and a number, or a real word in all upper case or lower case. The programs also let you personalize the dictionary. So the hacker could input the computer user’s name or his kids’ names and try to crack it with all possible variations or with some numbers. But doing this is not very common. Once a single computer on your network is broken into, however, a hacker may try to do this time-consuming work to get to other machines or to find more important information. Since your readers are financial advisors, there’s probably a perception that they could have good personal information about people’s accounts, which could attract the rare real criminal rather than a nuisance attacker.
So how do you create a good password? You want your passwords to use upper and lower case letters, plus numbers and a non-alphanumeric character such as a semicolon or asterisk. You want more than eight characters–at least one number and at least one punctuation mark. Also, you can do tricks like replacing letters with numbers in a word, replacing the letter “O,” for instance, with a zero. Make it so your password is not a real word or use punctuation or replace a space between two syllables in a password with a question mark. Spelling your name backwards, using your favorite color or your birthday is not a good idea. You want a password to be complex but not so complex that you need to write it on a Post-it note. Ideally, you want to change everyone’s password every three months.
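The two answers above describe, from opposite sides, the same thing: a dictionary cracker tries a word in a few case variants, with digits stuck on the end and letters swapped for look-alike numbers, and a good password is one that none of those transformations reaches. The following is an added example, not code from the interview or from Thatcher’s lokbox tools: a password-policy check a firm could run before accepting a new password. It enforces the composition rules Thatcher gives (longer than eight characters, upper and lower case, a digit, a punctuation mark) and, rather than enumerating every mangled guess, normalizes the candidate by stripping leading and trailing digits and punctuation and undoing the letter-for-number swaps, then compares the result with a word list. The word list here is a constructed five-word stand-in; a real deployment would load a large one.

```python
import string

# Constructed stand-in for a cracker's dictionary (assumption: a real
# deployment would load a file with hundreds of thousands of entries).
WORDLIST = {"password", "summer", "advisor", "money", "welcome"}

# The letter-for-number swaps the interview mentions ("O" -> "0"), plus the
# other common ones; reversing them lets one comparison cover every partial
# substitution a cracker would try.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s"})


def normalize(password):
    """Reduce a candidate to the dictionary root a mangling cracker would
    have started from: drop digits/punctuation at either end, lower-case,
    and map look-alike digits back to letters."""
    core = password.strip(string.digits + string.punctuation)
    return core.lower().translate(UNLEET)


def composition_problems(password):
    """Return the composition rules from the interview that the candidate fails."""
    problems = []
    if len(password) <= 8:
        problems.append("shorter than 9 characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    return problems


def check_password(password, wordlist=WORDLIST):
    """Return a list of reasons to reject the password; an empty list means
    it passes both the composition rules and the dictionary check."""
    problems = composition_problems(password)
    root = normalize(password)
    if root in wordlist:
        problems.append(f"dictionary word '{root}' with trivial mangling")
    return problems


if __name__ == "__main__":
    # Constructed candidates: a word with a year, a leet-speak word with a
    # trailing mark, a bare word, and one built the way the interview suggests
    # (two syllables joined by a question mark, with a digit swap and a mark).
    for candidate in ["Summer2003", "P4ssw0rd!", "money", "R3d?Fence!9"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalization step is what makes the check cheap: instead of generating the thousands of variants a cracker would try per word, the validator inverts those variants once and does a single set lookup, so the same word list can be as large as the attacker’s.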
A lot of advisors use an IT consultant. Any tips on that? It’s a good idea for a consultant to be certified. There are a bunch of certifications that you can get from Microsoft or from Linux. If you are running Windows, an MCSE (Microsoft Certified Systems Engineer) certificate is good. For a firewall, maybe a CCNE, for Cisco Certified Network Engineer, is good. The designation that is becoming kind of like the Ph.D. of security is GIAC (Global Information Assurance Certification Security). A consultant can review your system and security policies and create a written security policy that addresses who may read what on the network. It names the people with given access to bookkeeping information. It says what people can access from outside the office. Then, the consultant implements the policy.
Every time someone is fired, or even if they leave voluntarily, you should review your security. Every six months, the policy should be reviewed.
What does a consultant cost? A consultant who is an MCSE might charge you $50 to $150 an hour.
Editor-at-Large Andrew Gluck, a veteran personal finance reporter, is president of Advisor Products Inc. (www.advisorproducts.com), which creates client newsletters and Web sites for advisors. Advisor Products may compete or do business with companies mentioned in this column. Gluck can be reached at firstname.lastname@example.org.