Hackers and Attackers

Last week, I alluded to the suggestions by some that hackers were responsible for the 2003 blackout. This week, I'd like to pick up on that hacker and attacker theme a little more and look at some of their nasty tricks, many of which are aimed at separating you from your hard-earned cash.

Back in the Stone Age (ok, not that far back, but you get my point) hackers knew a lot about computers. In fact, if you were called one, you probably wouldn't have been too upset. They would dig deep to find out how computers worked. In fact, during that time they weren't considered “evildoers.” They were the ones contacted when something went wrong with computers. And even today, some suggest that we should be careful not to malign all hackers because without them poking around and finding security loopholes, products might not become more secure. You can ponder this last statement and note that I report, you decide.

But let's get back to those hackers who have crossed over to the dark side. Nowadays, these hackers and attackers are engaging in the same crimes committed in the offline world. Perhaps what's even more unsettling is that many of today's attackers and hackers don't need to know much about computers. By using certain tools, these folks can carry out dangerous and sophisticated attacks and perhaps not even know the consequences of such attacks. But of course, there are those particularly dangerous ones who do know a lot about computers and put their knowledge to work in more Sithian ways.

So yes, hackers and attackers are busy. Consider this: 6 out of 10 American companies and government agencies have already been hacked. Yes, you read that correctly. Any company that accepts credit cards, allows us to view our bank accounts and/or offers products and services is vulnerable to hackers and attackers. But this isn't just an American problem. Amazingly enough, in the pre-9/11 world, one survey found that an Australian company was spending more on its coffee needs than on information security. Say what? Hope that company isn't holding any of my information! And that had better be some darn goooooooood coffee.

Since 9/11, companies have stepped up their security measures. As hackers and attackers are hunting for new victims, we must be ready to combat them.

Critical What?

Last time we met, we looked at how millions of people in 2003 were impacted by a major disruption in our nation's computer systems that resulted in a blackout.

But perhaps what you didn't know was that just seven years earlier, on July 15, 1996, the President's Commission on Critical Infrastructure Protection (PCCIP) was established by President Bill Clinton. The purpose of this commission was to investigate the types of attacks that were occurring, study how attacks could impact the nation's computer infrastructure and determine the vulnerability of the nation's computer systems.

So what happened? Well, their findings weren't pretty. They determined that there were serious security vulnerabilities and that the federal government and the private sector would have to work together to combat the potential harm that could be done to the nation's critical infrastructure, which includes: telecommunications, electrical power systems, gas and oil storage and transportation, banking and finance, transportation, water supply systems, emergency services, energy, financial services and continuity of government.

In response to the attacks of 9/11, President Bush created the Office of Homeland Security. The Homeland Security Act of 2002 defined critical infrastructure as: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” (Sec. 1016(e)).

Sounds serious – you bet! I think it's fair to say that as our dependence on technology grows, each of us has an increasingly important role in protecting our homes, company and country. So let's get to work!

Local Administrator – The Magic of RunAs

Welcome back! If you've stuck with me this long, you must actually enjoy the pain of locking down your computer and seeing what breaks! In most cases, you are probably not having any problems, but there are those situations where you might find yourself wishing you hadn't taken my advice in the first place.

There are some normal tasks that require you to have local administrative privileges to get things done – adding a new printer, for example. So how do you accomplish this? Well, the tedious way would be to log out of your normal user account, and then log back in as an administrator, add the printer, then log out of the administrator account, and back in as your normal user account. Sounds like fun, doesn't it?

Fortunately, there are better ways to hack this one. Unfortunately, not all of them are super-simple, owing to Microsoft's way of managing things, but they should be an improvement over logging into and out of different accounts.

If you are running Windows XP or 2000, the preferred method would be to use the RunAs command. So, using our printer example from earlier, if you go to the Printers and Faxes icon in the Start Menu, you will see an Add Printer icon. Right-click on it, see anything interesting? Probably not, but if you hold down the “Shift” key on your keyboard, and then right-click, you should notice a new option, “Run as…” If you click on this, you will be prompted for a user name and password. Enter in the information of the local administrator account that you created, and click OK. Congratulations! You have now started the Add Printer Wizard using your powerful administrator account instead of your lowly user account.

You can also use RunAs from the command line, using the following syntax:

RUNAS /user:<UserName> <program>

You will then be prompted to enter the password for the user account.

You can find a massive amount of information on getting around without being an administrator at Aaron Margosis' “Non-Admin” Weblog. (This link is to all posts in the “Non-admin for home users” tag.) Some of Aaron's posts are a bit technical, but the information he provides is invaluable.  Plus he's from Microsoft, so he knows what he's talking about.

Local Administrator Accounts – Make the Change

Well, if you're still with me, then my last article on local administrators may have motivated you to take the leap into a more secure user account. Congratulations, you will thank me later, after you see how much less spyware, viruses, and pop-ups find their way onto your computer.

There are a number of ways to “demote” yourself into a regular user account. The first method is to create a new user account that is a standard user, and use it instead of your current local administrator account. That would leave the admin account there for you to manage your computer as needed. The downside to this method is that the account you will be using on a regular basis will need to be customized from scratch, because all your settings and files will still be associated with the old account.

The method I prefer is to create another account, but this time give it the local administrative privileges. So you would go into Control Panel, and open up User Accounts. Go to New User, and create a new user. Name it something subtle, like “All-Mighty Admin.” No, seriously, go for something that doesn't scream “hack me, I'm the account with all the power!” I suggest something like “maint,” “user1,” or maybe a pet's name. Then give it a nice strong password.

The next step is to log into your new local administrator account, and make sure everything looks like it is working properly. Now, from that account, go to Control Panel > User Accounts again, and select your old administrator account. You can change the type from Administrator to Limited User. Why didn't I say Power User? Well, that's the subject of another post, but for now, just know that a Power User account has virtually the same privileges as an Administrator, including relatively easy access to elevate the account to an actual Administrator! So stick with the Limited User classification, I promise it won't be that painful.

Then log into your newly demoted user account, and make sure everything works for you. There are some programs that have “issues” with the lack of administrative privileges, however. If you find any, please post in the comments, and I will try to assist you in getting it running properly. We will also discuss methods of temporarily running as an administrator when needed in the next part of this series.

Who turned the lights out?

As you probably know, there are more than a few nasty people out there who'd love to bring down a nation's information infrastructure. And in August of 2003, it felt like someone did just that.

Do you recall where you were when the northeast blackout occurred in 2003? Well, I was in the thick of it in Michigan. On a beautiful and hot August day, my carpooler and I thought we'd sneak out of work a little early. Upon getting in the car, I recall not being able to get our favorite radio station. Oh well, that was an easy fix, pop in a CD.

As we proceeded near the highway, we noticed all the traffic lights were out. Strange, we thought, but didn't think too much of it… until we couldn't move any further. The highways were jammed. We noticed that gas stations were crowded, but that was because they ran out of ice on what was a very hot day. What we also found out was that one couldn't get gas because of the lack of electricity. Luckily we filled up before going to work that morning.

So, what was normally about a 1.5 hour drive turned into five hours. Surprisingly, people were rather calm. As we sat there, it was eerie to wonder what was lurking on everyone's minds since 9/11 wasn't in the too-distant past. Once home, we arrived to no electricity, thus no air conditioning, no water, and no TV. But I can tell you as one of the 5.4 million people in Michigan affected that day, it was truly an eye-opening experience to the realization of our dependence on technology.

It's been reported that financial losses resulting from that blackout were about $6 billion. The official cause of that blackout was a software bug. Of course, there are those who believe this was the work of a hacker(s). I'm not sure, but just so that I can sleep a little better at night, I'm going with the official story. However, should the day come and our critical systems do get into dangerous hands, I'm sure that August 2003 might be child's play compared to what we might really be up against.

Needless to say, technology touches almost every facet of our lives every day. Therefore, we all have a vested interest in doing our part to keep the computer systems safe, at work and home. I'm not sure about you, but when my lights go out, I want to be the one flicking the switch.

Oh, and the moral of the story is – don't leave work early. Oh, who am I kidding? Before you do, look into your crystal ball. Make sure there are no blackouts planned. They have a bad habit of rendering your “sneaking out” pointless.

Local Administrator Accounts – Why they are bad

Do you work on your computer as a local administrator?  If you are running Windows, most likely you are.  Certain other operating systems also place you in a local administrator account by default, but many alternatives to Windows are smart enough to create a regular user account for you to use by default.  Note for Windows Vista, this is slightly different.  However, since the majority of users haven't upgraded yet, I will hold off on the Vista details until a future article, so we don't confuse things too much.

What is a local administrator?  This is the account on your computer that has absolute power over Windows.  Anything you want to do – such as install drivers, update the system, install new programs, or manage user accounts – can be done from the local administrator account.  This account is appropriately named “Administrator” by default.

Why is this bad?  After all, it's your computer, don't you want to have full control over everything?  While you certainly need the local administrator account to properly manage your computer, you shouldn't be using it for your day-to-day tasks.  Web surfing should never be done from a local administrator account.  Why?  Because any program you run as an administrator has the same level of access that you do.  So if you go to a website that has malicious code on it, that code could direct your computer to install programs, delete files, or many other equally dangerous tasks.

Convinced, but not sure if you are using a local administrator account?  There's a number of ways to find out.  Go to the Start Menu, and click on Run.  In the window that comes up, type “cmd” (without the quotes).  In the Command Prompt window, type “net localgroup administrators” (again, without the quotes).  A list of users who are local administrators will come up, so check to see if you're in there.  Another way to check would be to go to Control Panel, and click on User Accounts.  You should see your account there, with a word such as Administrator, Power User, or Limited User with it.
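The command-line check above can be scripted so it compares whole member names instead of relying on reading the list by eye. This batch file is an added example, not part of the original post; it assumes an English-language Windows install (group name “Administrators”), and the account name “maint” is only a placeholder taken from the names suggested earlier in this series.

```batch
@echo off
setlocal
rem Added example, not from the original post. Assumes an English-language
rem Windows install, where the built-in group is named "Administrators".

net localgroup administrators >nul 2>&1
if errorlevel 1 (
    echo Could not read the local Administrators group.
    exit /b 2
)

rem net localgroup lists local accounts by bare name and domain accounts
rem as DOMAIN\name, so build the form that applies to this logon session.
if /i "%USERDOMAIN%"=="%COMPUTERNAME%" (
    set "ME=%USERNAME%"
) else (
    set "ME=%USERDOMAIN%\%USERNAME%"
)

rem Compare whole lines, so a user named "admin" does not match "Administrator".
set "LISTED="
for /f "delims=" %%M in ('net localgroup administrators') do (
    if /i "%%M"=="%ME%" set "LISTED=%%M"
)

if defined LISTED (
    echo WARNING: you are logged on as "%LISTED%", a local administrator.
    echo Use a Limited account for daily work and keep this one for maintenance.
    exit /b 1
)

echo OK: %ME% is not listed in the local Administrators group.
rem Membership inherited through another group in that list is not detected.
rem ADMIN_ACCOUNT is a placeholder for the separate administrator account.
set "ADMIN_ACCOUNT=maint"
echo For an administrative task, open an elevated prompt with:
echo     runas /user:%COMPUTERNAME%\%ADMIN_ACCOUNT% cmd
exit /b 0
```

The exit code is 1 when the current account is a local administrator, 0 when it is not, and 2 when the group could not be read.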

In the next part, I'll show you how to turn your account into a regular user account, without losing all your carefully customized settings and files.

Protecting The Nation

Last week we spent time understanding the CIA of computer security and why we should be concerned with confidentiality, integrity and availability. While we focused on how this impacts individuals, this week we'll look at just how critical protecting technology is for a nation.

During wartime, we typically become more aware of the possibilities of information warfare. (Or perhaps not, with 60 million+ people voting on American Idol – but I digress). Anyway, some of us are informed that nations are engaging in ways to disrupt other nations' information infrastructure and that those methods are becoming increasingly sophisticated. This becomes particularly onerous when we realize just how critical technology is for our everyday activities.

As we know, civilians aren't the only ones dependent on technology. Most of the images that we see of Iraq today show troops on the ground – shooting, fighting, etc. What we typically don't see are the technological tools used to control the military vehicles, weapons systems and communication systems that soldiers must depend on. Imagine those tools being compromised.

Interestingly enough, during the Persian Gulf War in 1991, Saddam Hussein was offered some very hot information that, had he bought it, could possibly have changed the outcome of that war. According to some reports, 34 American military sites were breached by hackers from the Netherlands. The computers that they attacked contained important information about Operation Desert Storm, such as the exact location of military troops, weapon details, and the movement of American warships. Imagine what could have happened had Saddam not thought this was a trick?

Within the last few weeks, Russia has been accused of cyber attacks against Estonia (yes, go ahead and dust off that atlas). The websites of Estonia's government ministries, banks, companies and newspapers have been disabled. Even NATO has sent some of its top cyberterrorism experts to investigate the situation and to help the Estonians augment their electronic defenses.

So, while there are plenty of examples, we should recognize that today, nations must protect their critical infrastructures against cyber attacks. Later on we'll cover popular attack methods, but for now, realize that our nation's next war might be more about the rise of the machines and less about human battles.

Browser Wars

What web browser do you use?  If you're like over 60% of the population (as of May), you probably use Internet Explorer, most likely because it comes with Windows.  There are a number of other choices out there, and they all have things to offer that IE does not.

What does this have to do with security?  Well, for starters, Windows includes Internet Explorer with the base operating system.  Because of the way the components of IE are tied to the components of Windows, Microsoft successfully argued to the antitrust courts that it was impossible to truly uninstall IE.  Sure, as a result of those antitrust proceedings you can have a different browser as your default, but IE is still there, hiding in the background.  Because of this collusion between IE and Windows, I believe IE has an easier path into the operating system in the event of a security breach.  What I mean by this is that a malicious website that exploits a vulnerability in IE is more likely to break through into Windows itself, as opposed to a similar vulnerability in a browser that is simply installed on top of the operating system.

My browser of choice is Mozilla Firefox.  There are many reasons for this.  First of all, in my experience it loads pages considerably faster, and crashes less often.  Second, it is extremely customizable.  You can load different themes to totally change the look and feel of the browser, and you can install add-on applications that perform different tasks to make the browser more useful to you.  Since you can choose which add-ons you install, your browser can become very personalized.

Again, what does this have to do with security?  A lot of these add-ons are used to enhance the security of an already reasonably secure browser.  For instance, I use an add-on to block advertisements, which can prevent certain malicious pop-ups from loading.  My favorite add-on is known as NoScript, which is an amazing tool if you can deal with how it breaks certain sites.  NoScript effectively disables all scriptable components of any website, including JavaScript and ActiveX.  Without scripts, it is practically impossible to have a malicious site compromise Firefox.  Of course, many sites use these scripts to provide basic functionality – YouTube, for instance.  The point is you can pick and choose which sites you want to enable scripts on, and any other site will be script-less the first time you visit it. Play around with it, I'm sure you'll get to enjoy the feeling of only allowing sites to run scripts that you specify.

What's your choice for the most secure browser?  Let me know in the comments.

Finally – The A in CIA

Ladies and gentlemen, we've arrived at the A in our CIA acronym. As a review, C=Confidentiality and I=Integrity. Can you guess what the A might mean? Here's a hint: Remember the last time you went to the ATM with your hot date and you had no money? What was that embarrassing message that the machine seemed all too quick to tell you in front of your now very cool date? No funds _______. If you said “available”, you're the genius that you think you are (okay, maybe dateless, but take the compliment anyway).

For computer systems, the availability of information is paramount. When information isn't available, productivity can be affected, possibly costing the company money and more than a few angry customers. Therefore, information must be reliable and accessible in a timely fashion so that tasks and responsibilities won't be impeded.

Let's say, in our date scenario above, you decide to call the bank to find out what's going on with your account. The teller would like to help you, but she can't access the database for one reason or another. In this example, not only does the bank have an embarrassed customer, but now a mad one too.

Unfortunately, most of us have experienced a time when we needed information and it wasn't available. That's why it's critical that mechanisms (which we'll discuss later) are put in place to ensure the availability of resources to maintain productivity and to keep those customers happy.

Integrity and Computers – Say What?

Okay, think of the biggest weasel you’ve ever worked with. Okay, calm down. I can detect your blood boiling. Take a deep breath. Now, think of why s/he’s such a weasel. I detect another deep breath is in order here. If one quality that they lack is integrity, then you’ve already identified the second term in our CIA acronym that we’re going to discuss today – although I’ll bet many other words came to mind first.

Now I know you’re saying what in the world does integrity have to do with computers. I’m sure you must be thinking that my computer, at its worst, could never be as terrible as that *&*^% weasel. Well, when our computer systems lack integrity, the accuracy and reliability of the data stored on them is much like that weasel that you work with – unreliable. When there’s no integrity with our computer systems, unauthorized modification of data isn’t prevented. And as a result, data can end up in unintended destinations, often contaminated, corrupted and maliciously modified.

As an example, let’s say that that weasel accidentally made a mistake in a database entry and charged a customer $50,000 for a bill instead of $50… and tried to creatively blame you. Thanks to that weasel, (or too bad for you if s/he’s convincing) the data is now corrupted. The customer has now been inconvenienced by having to straighten out this error. And now your job might be on the line – but of course you’ll go into Soprano mode and prevent that from happening.

When hardware and software don’t work in a concerted effort to maintain the accuracy and reliability of data, trouble ensues. And while later on we’ll uncover ways to harden systems and educate/train users on ways to avoid such costly errors, for now, just note that integrity is critical to making sure that the correct data ends up in the correct destination.