From The Business News

The art of hacking becoming less sophisticated Study: Most hacking comes from outside Michael Hardy News Contributor

The scariest thing about hackers is, they don't have to be technology experts anymore.

Nowadays, it often takes nothing but the ability to download a Windows program -- and a mean streak, according to Mark Fabro, a hacker who has sworn to use his powers only for good. He's director of assessment services for Secure Computing Corp., based in the California company's Toronto office.

"There are hundreds, literally hundreds and hundreds of ways to bring a system to a screeching halt, and it's all point-and-click," Fabro told a recent meeting of the National Capital Chapter of the Association for Information and Image Management, in Arlington, Va. To drive the point home, he scrolled through slide after slide showing user interfaces that make launching a packet flood or e-mail spoof as easy as firing up a personal accounting program.

"There's no command line here," he added, referring to the precise knowledge of commands and syntax required by DOS and UNIX systems. "Any one of you can do this right now, and all you need is your box at home and an Internet connection."

"It's becoming extremely easy," agreed Pete Hammes, vice president of Para-Protect Inc., a computer security firm in Alexandria, Va. "You don't have to have any knowledge about the technical details. You just have to be able to download a tool and enter the Internet address of your target."

The conventional wisdom is that most computer security threats come from inside companies, and that only programmers or other computer sophisticates could attack a corporate network from outside. Those notions are dangerously outdated, Fabro insisted.

Statistics from a 1999 survey by the FBI show that 43 percent of detected intrusion attempts came from outside the companies attacked. Only 37 percent were confirmed to come from inside, with the rest undetermined. "There is a problem on the inside, but the problem from outside is growing," Farbro warned.

Smart e-commerce companies take the threat seriously, said Elad Yoran, executive vice president at RIPTech Inc., an Alexandria, Va.-based security company.

"With the Internet and the rise of e-commerce, security has risen to the top priority," noted Yoran, whose company outsources security services. "It's a core enabling technology now."

RIPTech consults with companies to select the best combination of firewalls, intrusion detection and other software systems, and also provides around-the-clock monitoring from its Alexandria office.

The company's eSentry system reads data from client companies and alerts a RIPTech analyst of possible breaches, Yoran said. The analyst, in turn, checks the data and alerts the client.

A key weakness of many companies is that they simply don't recognize the threat, Fabro said. The FBI study found that 21 percent of companies surveyed didn't even know if anyone had tried to hack them. "The technology allows you to know yes or no," Fabro scolded. "If you don't know, that's bad."

Too many companies still aren't paying attention for varying reasons, agreed Mylissa Tsai, a research analyst with the Aberdeen Group in Boston.

"The Fortune 500s don't have the technical expertise. And if you're looking at middle-size companies, you're talking about two IT guys who are fresh out of college," she said. "There's a lack of resources out there."

"There are more hacking tools and the tools are more sophisticated," Yoran added. "There are also more targets, and relatively unsophisticated targets. People are in a mad rush to get to the Internet without taking the necessary steps to protect themselves."

"They're so focused on getting things operational that they don't think about the threats," Hammes agreed. However, it usually only takes a penetration test, where a security company hacks into a client's system to demonstrate how vulnerable it is, to get the customer's attention, he noted.

"We can show them that we were able to access one of their databases. That brings the point home, when you can show them you were able to do it," Hammes said.

Companies like RIPTech that outsource security services do stand to succeed, Tsai noted. Potential customers often like to turn their security over to outside providers, taking the burden off their own IT staffs.

However, companies can't neglect more traditional security either, Fabro noted, such as trained guards and desk clerks who keep unauthorized people away. A savvy hacker can gather useful information about a company's computer security with just a couple of minutes at an unattended terminal -- or by calling up a clerk and demanding information.

"You can do it by phone, you can do it in person," he affirmed. "I can't tell you how many times I've gotten into buildings in New York City dressed in my bike shorts as a courier

http://rm.amcity.com/RealMedia/ads/click_lx.ads/www.amcity.com/dayton/stories/2000/04/10/focus6.html/21792/Top/amcity2/468x60_book2.gif/63646263643065393338663639366530

-- Martin Thompson (mthom1927@aol.com), April 13, 2000