The Hindu Business Line : Hackers

Who were the culprits? None other than anxious MBA applicants who could not wait for the official announcement of results.It was all a sequel to an applicant to the Harvard Business School (HBS) posting instructions in an online technology forum of Business Week, as to how MBA aspirants could check the status of their applications.

According to Apply Yourself, a Virginia firm that manages the Web pages used by students to apply to about 300 universities, the mischief was traced to this particular student who did some `reverse engineering' to access information pertaining to his application, and then most generously helped others to do so!

HBS and MIT have identified 119 and 32 applicants, respectively, who were guilty of breaking into their systems and have penalised them by closing their applications. It is not known how many of these 151 youngsters would otherwise have succeeded in getting into the MBA programme.

My reaction is one of amusement and dismay. I am amused because these two premier institutions could be victimised so easily. I am dismayed because of their petulance in rejecting the applications of those who sneaked in. I am not at all sure that the indiscretion of a group of youth on the threshold of a promising career merited such harsh treatment. Was this not at worst a case of overzealousness and not downright unethical conduct? Is it not more appropriate that the universities examine how to eliminate the weaknesses in their own IT systems? I am possibly being naïve and too soft. I will leave this to my readers to judge.

Two other major episodes have come to my notice just as I am putting down my thoughts on this absorbing subject. Online information provider LexisNexis has also been vandalised. Hackers have managed to spirit away vital data - passwords, names, addresses, social security numbers and driving licence numbers - relating to 32,000 customers. It is learnt that the data was for the use of law-enforcement agencies and some private companies to facilitate debt recovery and fraud detection.

In another recent incident, the victim was a Miami customer of Bank of America who found that his company bank account had been stolen to the tune of $90,000 through unauthorised transfer to a Latvian bank.

Investigation by the US Secret Service revealed that the hacker had used a Trojan horse called `Coreflood', which first came to experts' notice in 2001.

All these incidents raise serious concerns about the vulnerability of reputed institutions, especially banks, whose Internet banking systems carry weaknesses, traceable mainly to customer negligence.

Smugness won't do

Many organisations get smug once they install an Intrusion Detection System (IDS) and a Firewall. I distinctly remember an expert telling me at a Philadelphia meeting, hosted jointly by TCS and the Fox School of Business of Temple University about two years ago, that both devices had their own limitations and had been overrated for their utility.

The IDS, for instance, raises too many alerts that soon become a ritual. After enormous effort if it is found that an alert was a `false positive', a systems administrator feels frustrated, and in course of time, he tends to takes things easy.

Also, even when a genuine alert arrives, a delay in response — which is usually the case in large systems — often means that the damage is done before remedial action is taken.

An alternative technology that is mentioned in some quarters is `honeypots' which provide easy access — not to the system itself but its replica. The idea is to entice an intruder into believing that he has got at the target, when he actually has not done so. Honeypots can be easily analysed without disrupting the main processes such as a production activity. Experts do not recommend total replacement of IDS or firewalls with honeypots. The latter can at best be integrated with the former in a total security plan. At present it is consultancy organisations that use honeypots more than others, so that they can issue advisories to customers.

Innovation is the order of the day. The analogy here to conventional crime is appropriate. Criminal sophistication keeps pace with new crime prevention strategy and each advance in investigation tactics and forensic sciences! Hackers are ingenious and romantic like their brethren in the criminal world. In any case, not all hackers are malicious. There is a tribe of `ethical hackers' who are available to all of us to check how vulnerable our systems are.

An interesting addition to the mind-boggling array of facilities available to us through the Web is now a major cause for worry because it expands the opportunities available to hackers. My reference is to the Weblog (also known as the `blog') that is nothing but a journal to which all of us can contribute or maintain ourselves. Blogs could cover anything under the sun, from the most mundane to the most bizarre. The news is that hackers use blogs to infect computers with spyware. Can you believe this? Each modern blessing has undoubtedly a latent wicked face as well! It is believed that both JavaScript and ActiveX, used to launch programmes on a Web page, can be employed to deliver spyware to unwary visitors to a blog site. Is this not one more reason why we should guard ourselves against hackers?

Safety starts with you

There is a common misconception that only corporations need to build firewalls to protect their systems. Nothing can be farther from the truth. Every one of us using a PC at home needs this safeguard, because we are all addicted to the Internet. The message has gone round in most of the West where a majority have got hooked on to a 24/7 broadband connection. Naturally, these are the most vulnerable. We in India are also fast catching up, with broadband penetration likely to go up phenomenally in the next few years. Some operating systems, such as Windows XP Service Pack 2, have a built-in firewall. If you do not have this OS, there are downloadable firewalls available on the Net.

In the ultimate analysis, it is your personal care that will make you less vulnerable to computer attacks. Carelessness in opting for a simple password or communicating it to people who need not know it can cause havoc. You must remember that hackers do a lot of reconnaissance before they launch their attack. Such an exercise is carried out through the Net as well as through `social engineering', a word that has become synonymous with unethical influence over individuals to part with the protected information they have in their custody.

To understand this process in particular, and generally how hackers operate, I would recommend that one read The Art of Deception (Wiley Publishing, 2003) by Kevin D.Mitnick and William L.Simon. It is a classic treatise on the fine art that hacking has become in present times. In his preface Mitnick confesses to his "misdeeds". His final words are revealing as much as they are touching:

I went from being a kid who loved to perform magic tricks to becoming the world's most notorious hacker, feared by corporations and the government... .I admit I made some extremely poor decisions, driven by curiosity, the desire to learn about technology, and the need for a good intellectual challenge. I'm a changed person now... .I can use my experience to help others avoid the efforts of the malicious information thieves of the world.

I wish we had many more penitent Mitnicks amongst us who will make us wiser about this pernicious evil in cyberspace.

(The author is a former Director of the Central Bureau of Investigation, and is Adviser to TCS Ltd.)

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
Outsourcing: The cost equation

Master the mouse

Just hired

Update in a jiffy

Select rural talent too

Trouble after firefox installation

Meshing IT and BPO

Hackers - show them the door

`I want to be... '

Keen to score?

Quiz

Hosts are the lowest-hanging fruit on a network...

Cartoon

Thought-provoking