100% Protection From Hackers

By now, every large firm and corporation has read the Washington Post article concerning the emails stolen from leading global warming scientists. While there is an ongoing debate over the contents of the stolen data, for most of you out there the real concern is how to protect yourself and your colleagues from the same sort of data leak.

Before I move on to the heart of the matter, I want to clarify a few things. First and foremost, I am a bit old school in that I believe a “hacker” is someone who hacks programs in order to make them better.

This hearkens back to the old days when programs were designed on paper and then punched onto cards before being physically fed into the computer for processing. In those days, memory was scarce to a degree that is laughable by today’s standards, and as such, programmers would often “hack away” at their own programs and the programs of others in order to reduce the amount of code it took for them to run.

One example of this might be the MIT efforts to hack Conway’s Game Of Life in order to make the program small and fast enough to run in the limited machine time available to the students. In this sense, the hacker is a person who is interested in the underlying world of computers, the part that is hidden from the eyes of the end user and controls the outcome of various scenarios.

It is this curiosity and desire for control of the underlying, hidden world that leads honest men and women to “hack” the systems available to them. Second, and nearly as important, is the definition that has taken over the old school meaning of “hacker”: someone Richard Stallman and the other MIT hackers of his era would have called a “thief”, not a “hacker”.

These people are less interested in learning for learning’s sake than in learning for the sake of self-empowerment. As the old saying goes, “Just because you CAN do something doesn’t mean that you SHOULD.” If I might call back to the old MIT days, this is similar to Mr. Stallman’s work to undermine the early days of computer security, when the powers that be began locking key components of the computer systems away behind actual doors.

Back then, the students of MIT worked hard to get through those doors to the components, even to the point of making copies of the keys, and in one instance they entered a locked room by removing ceiling tiles in an adjacent bathroom and climbing over the wall. As justified as the students thought they were in their actions, today they would be called “hackers” and carted off to jail to await trial.

As the Secret Service can attest, you cannot prevent someone from committing an illegal act if they are determined enough to do so. Someone who is willing to throw their life away in an attempt to get what they want can rarely be stopped, and if that individual is part of a larger group of similarly determined people, the odds of stopping them get worse as the numbers grow.

Let’s for a moment look at passwords. If I wanted, I could quickly gain access to anyone’s password-protected system anywhere in the world as long as that system is connected to (1) the Internet or (2) a phone line. I’m not talking about the old “brute force” attacks, where a program runs away in the background trying every combination of characters, or every word in a list, until the “aha!” moment hits. Those attacks are very old and, against a login prompt, easy enough to foil by locking out a user’s account after a handful of failed password attempts. Instead, I would socially engineer my way in.

Here’s a scenario for you: Let’s say that I wanted to gain access to a computer system at a fictional company called “Allied Divestments” that is connected to the Internet and allows users to log in from home. Most user accounts only allow limited access; for instance, some systems only allow company email to be reached when the connecting IP or MAC address does not come from inside the company.

Even though IP and MAC addresses are easily spoofed, I don’t worry about that right now, since the account I am really after has root permissions. Since the company I am looking at would be a publicly traded corporation, the names of its key personnel would be a matter of public record, and thus I would know that “Steve Ally” is the chief security officer.

A bit of digging around on MySpace, Facebook and Twitter could easily net me (1) Steve’s favorite user name or (2) the names of the people closest to him in the company. From there, I would look for and find the public email address of the most senior member of Steve’s security staff. I really don’t want Steve’s information so much as that of someone right below him.

See, Steve may be head of security, but he may not even know how the system works, since most bosses don’t. Now, once I have the name of the underling in question, I buy a new pre-paid cell phone from a retailer, preferably a large store a few towns away. A bit of advance planning might have seen me purchase and activate the phone months before. By buying the phone far from my residence, I cover my tracks, since I know the FBI or police could trace my movements by looking at which towers the phone’s signal was using.

Since the phone is pre-paid, I don’t even have to use a credit card or show any form of ID, so the phone cannot be traced back to me personally. Using this “black” phone, I can now locate an office where “Allied Divestments” houses accountants and make my call, impersonating the underling I located earlier. I simply ask to speak to the branch manager, giving the switchboard operator my “name”, that is, the underling’s full name, and telling them that it is an urgent matter of security.

Once on the phone with the manager, I tell him or her that a hacker is on the system and we are attempting to track them down. I give them my cell phone number, explaining that the hacker is causing disruptions all over and we believe them to be a junior employee, so we do not want to use the internal lines for this. Speaking quickly and with confidence, I could have the branch manager reboot their computer into “safe mode” and read me the output of “ipconfig” from the Windows command prompt.

This, I would explain, will tell me whether the manager’s own computer is “infected”, since only his IP address should be showing up. Within no time at all, this branch manager would give me his or her username and password and any other information I wanted. If “Allied Divestments” had stringent security measures in place, I might need an accomplice or two to solidify the whole mess, by asking the manager to call “Security Headquarters” from his or her cell phone and giving them a 1-800 number that had already been set up to ring to an accomplice’s cell phone. This accomplice would back up my story and verify my credentials as needed. Now that I have the branch manager’s username and password, I have access to the system. I would ask the manager to wait about five minutes before changing their password, “for security reasons”. I would not ask for the new password, because at that point I am already logged in from a remote location, and on many systems a password change does not end sessions that are already open, so the change would not affect my connection.

Working quickly, I could have the data that I wanted, whether it be the name and company phone number of a higher-up with more access, or, with luck, the branch manager might have the access I need. With a high-speed Internet connection, I could download the payroll, expenditures, email and even the employee file records that I wanted before anyone could step in and sever my connection. With any luck, the branch manager would continue to call the 1-800 number I provided for any inquiries into the steps we were taking to locate the “hacker” I mentioned earlier. Of course, even if the manager caught on to the deception, I would have covered my tracks well enough to back out of the system and possibly even upload the data to a public server where anyone could read it at will. And that is just one of countless scenarios available.
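Two of the mechanics in this story are worth seeing in code: the account lockout that makes the old brute-force attack impractical against a login prompt, and the reason the attacker keeps working after the manager changes the password, namely that an already-open session is not tied to the password at all. The Python below is an added example, not code from the original post or from any real “Allied Divestments” system. The account names, passwords, lockout threshold and lockout window are made-up assumptions, and the `revoke_sessions_on_password_change` switch exists only to put the behaviour the attacker counts on beside the hardened behaviour: sessions remember the password generation they were issued under, and a change of password invalidates every older one.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Policy knobs: assumed values for this example, not taken from the post.
LOCKOUT_THRESHOLD = 5          # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long the lock lasts
PBKDF2_ITERATIONS = 100_000

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0      # incremented on every password change
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked

class AuthService:
    """Toy login service: online guessing is throttled by account lockout, and each
    session records the password generation it was issued under."""

    def __init__(self, revoke_sessions_on_password_change: bool = True,
                 clock: Callable[[], float] = time.time):
        self.revoke_on_change = revoke_sessions_on_password_change
        self.clock = clock                                  # injectable for tests
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Tuple[str, int]] = {}     # token -> (user, generation)

    def create_user(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, pw_hash=_hash_password(password, salt))

    def is_locked(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and self.clock() < acct.locked_until

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token on success, None on bad password or lockout."""
        acct = self.accounts.get(user)
        if acct is None:
            _hash_password(password, bytes(16))   # spend the same time for unknown users
            return None
        if self.is_locked(user):
            return None                           # locked: the password is not even checked
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= LOCKOUT_THRESHOLD:
                acct.locked_until = self.clock() + LOCKOUT_SECONDS
                acct.failed_attempts = 0
            return None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, acct.pw_generation)
        return token

    def session_user(self, token: str) -> Optional[str]:
        """Resolve a token to its user; a token from an older password generation is stale."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, generation = entry
        if self.revoke_on_change and generation != self.accounts[user].pw_generation:
            del self.sessions[token]
            return None
        return user

    def change_password(self, user: str, old: str, new: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None or not hmac.compare_digest(_hash_password(old, acct.salt), acct.pw_hash):
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.pw_generation += 1     # every token issued before this moment is now stale
        return True

def replay_scenario(revoke: bool) -> Tuple[bool, bool]:
    """Replay the branch-manager story with constructed data: the attacker logs in with
    the phished password and the manager changes it five minutes later.
    Returns (attacker session alive before the change, alive after the change)."""
    clock = [1_000_000.0]
    svc = AuthService(revoke_sessions_on_password_change=revoke, clock=lambda: clock[0])
    svc.create_user("branch.manager", "Winter2009!")        # constructed sample account
    attacker_token = svc.login("branch.manager", "Winter2009!")
    alive_before = svc.session_user(attacker_token) == "branch.manager"
    clock[0] += 5 * 60
    if not svc.change_password("branch.manager", "Winter2009!", "Spring2010!"):
        raise RuntimeError("password change unexpectedly failed")
    alive_after = svc.session_user(attacker_token) == "branch.manager"
    return alive_before, alive_after
```

`replay_scenario(False)` returns `(True, True)`: the manager’s password change is pointless because the attacker’s session outlives it, which is exactly what the caller in the story is counting on. `replay_scenario(True)` returns `(True, False)`: tying each session to a password generation turns the “wait five minutes, then change your password” advice into something that actually ends the intrusion. The lockout path is the same service: after `LOCKOUT_THRESHOLD` wrong guesses, `login` refuses even the correct password until the clock passes `locked_until`, and the password hash is not computed while locked, so guessing does not get a timing side channel either.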

Even with my tracks covered as best I could, there are countless ways for the FBI to track me down, since there are countless clues I might have dropped on my way through, such as the security camera footage at the retail location where I bought the black phone or the MAC address of the laptop I used for connecting to the server. Even if I managed to cover every angle, the FBI has access to technology that can still track me down, technology that I have no idea even exists; for instance, they might have a program that measures the rhythm with which I hit certain keys when typing at my normal speed. Given enough characters typed, this could be just as individual as a fingerprint or a drop of blood.

The point is not whether or not I get caught, which is very likely, but whether or not I was able to access the data I wanted, which I did. In the end, I might be facing criminal and civil charges, but I accomplished what I wanted, much as an assassin might be caught but their victim is still dead. The result is that Allied Divestments lost and the hackers won.

The most damning information any company can lose is its inter-office memos, in the form of email. Much of the time, emails coming from “Headquarters” are worded in a way that would satisfy politicians and lawyers; they do not generally contain sensitive information, such as upcoming fiscal reports or pending lawsuits. It is in the casual inter-office communication that a hacker would find these things.

Many times in the corporate world, people lose sight of the fact that their every keystroke could be recorded. Since Bob’s best friend Max works just down the hall, Bob feels safe enough to send Max the latest joke, rumor or fact that is circulating, with no thought to how the email might be intercepted. Some companies use large off-site servers to store email and the like, servers that are physically managed by other companies.

These off-site servers are easy enough to get into with the right credentials, and those credentials can in turn be taken from individual users, as the scenario above shows. Once the server is located and opened, the attacker can use the information contained therein to literally bring a company to its knees.

For an example of this, just look at how the so-called “Big Tobacco” companies were humbled by inter-office memos detailing the desire of some key employees to alter the chemical makeup of their product to make it more addictive. Those documents were not hacked out, but actually obtained via a court order. Imagine the damage the companies might have suffered had a hacker located and publicly distributed this information before the court was able to seal the records from the jury’s eyes pending investigation.

So, now that we’ve outlined the dangers of security breaches, let’s talk about how you can protect yourself against hackers with 100% efficiency. What we are talking about is not how to keep hackers out of your system; no amount of security can protect you there. Even locked doors and the latest password encryption systems cannot foil a determined attacker, since those can be broken down by attackers on the inside: the door could be bypassed by an attacker who managed to get a job on the cleaning crew, and the encrypted passwords might be given away by trusted but naive employees. If you can think of a security measure, a desperate enough individual can think of a way to bypass it. Even Fort Knox could be broken into if the attackers had the resources and will to do so.

The answer is obvious and simple: Stop worrying about the hackers and start focusing on the data. If you can’t keep flies out of the syrup, throw out the syrup. If you have employees who are sending damning information to one another via email, fire them. That’s not a joke; no single individual is worth the trouble they can cause with a few poorly worded sentences. Track them down and purge them from the system.

Much as a chain is only as strong as its weakest link, a company’s sensitive information is only as secure as its most disgruntled employee. The same guy down the hall who just sent everyone the video of the humping elephants could very well be the same guy who is about to send a colleague a transcript of the conversation he just had with a company lawyer concerning an upcoming lawsuit.

It’s called “insider trading” for a reason: insiders discover sensitive information and leak it to their “friends” or family members, or even capitalize on it themselves. In the end, it’s not the kid with the new laptop and a beef with your company’s carbon footprint that you have to worry about; it’s the data itself that is going to get you in trouble. You don’t go to jail because you got caught; you go to jail because you committed a crime.

In the end, you can protect yourself and your company from any hacker, no matter how determined, by taking away the fuel they need to start the fire that will devastate your company. Monitor emails, record phone calls, and most importantly, fire anyone who acts in an unethical or immoral way, whether it is immediately damaging or not. You can’t stop the hackers, but you can protect yourself. It’s hard, and some might say impossible, but without fuel there is no fire, and without damning data, the hackers can’t hurt you. Stop them? Can’t be done. Protect yourself from them? It’s hard, but it’s possible.
