Financial Daily from THE HINDU group of publications
Monday, May 01, 2006




Beat the bad guys

R.K. Raghavan

Here's a `non-technical guide' to computer security written by a former hacker, Robert Schifreen.


As cyber crime gets reported prominently all round the globe, public interest in the nuances of such crime mounts.

A lot of romance gets attached, and many myths start building up. Another related phenomenon is the burgeoning literature on the subject, only some of which is meaningful, while the rest can easily be classified as trash, deserving no notice.

My favourite bookshop in London is undoubtedly Waterstone's. It is slowly yielding place to Foyles, another world-famous haunt for the bibliophile.

What strikes me about Foyles is its amazing collection devoted to computer studies. Nowhere have I found a whole section, more than three tall and broad shelves, dedicated to computer security. To those who are passionate about the subject, I would say with some authority that if you can't find what you want at Foyles, you cannot, anywhere else.

A fortnight ago, browsing at Foyles, I was fortunate to stumble on Defeating the Hacker (2006, John Wiley & Sons, Chichester), a very recent addition to cyber security literature. Written by a former hacker, Robert Schifreen, it is described by its blurb as a "non-technical guide" to computer security.

Just out in the market, it struck me as a straightforward account of a complex subject, in the simplest possible style, avoiding all jargon and frills. It fills a long-felt need to educate the average computer user on all the perils that await him in cyber space, without baffling him unduly.

Brush with the law

Schifreen had a brush with the law very early in life. On leaving school in the early 1980s, he started working for a computer games magazine, where a career in journalism blossomed.

It just happened that the company in London that owned the magazine also ran an online service, Micronet, which targeted home computer users.

Schifreen was a subscriber to Micronet, and while testing out a modem he found that he could access all the material stored by Micronet in its mainframe (material that was not open to the ordinary subscriber) through a 10-digit User ID.

He could not, thereafter, resist the temptation of accessing this goldmine of information for free, as and when he wanted. He also logged in as one `Reynolds', an employee of the Prestel system, of which Micronet was part.

`Reynolds' was, again, a chance discovery! The real Mr Reynolds had an internal account that had an easily guessable ID and password. Remember, at that time, there was no anti-hacking law.

The only mistake that Schifreen committed was to mention to a member of Micronet's staff what he had found about Micronet's vulnerability.

In addition, he `bragged' about his adventure on TV. The sequel to all this was a complaint of forgery by Micronet to the just formed Computer Crime Unit of the Metropolitan Police.

The matter went up successively through various Courts and ultimately to the highest Court in the land, namely, the House of Lords, which threw out the charges against Schifreen pressed under the Forgery and Counterfeiting Act 1981. One direct outcome of the Schifreen prosecution was the promulgation of the Computer Misuse Act of 1990, which covered data stored in electronic form. The Data Protection Act came eight years thereafter. (We in India are yet to have such a law.)

Of passwords and biometrics

Schifreen writes a whole chapter on passwords. Many of us are aware of the travails of remembering the numerous passwords that we employ daily for a variety of needs. I would go with Schifreen in advocating biometrics and one-time passwords as the most effective way of authentication.

The latter could form part of a list of about 50 passwords, none of which would work a second time. It is, therefore, attractive in a situation where one particular password gets compromised: the attacker gains nothing from a password that has already been used.
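To make the one-time password list concrete, here is an added illustration (my own example, not code from Schifreen's book) of a server-side list of 50 single-use passwords: each entry is burnt on first use, so a replay of a compromised password is rejected. The class name and the salted SHA-256 storage scheme are my assumptions, not anything the book specifies.

```python
import hashlib
import hmac
import secrets


class OneTimePasswordList:
    """Issues a printed sheet of single-use passwords and verifies them.

    The server keeps only salted SHA-256 digests of the unused entries,
    so a copy of its store does not reveal the passwords still on the sheet.
    (Constructed example; not the book's or any product's implementation.)
    """

    def __init__(self, count: int = 50, length: int = 12) -> None:
        self._salt = secrets.token_bytes(16)
        # Plaintext sheet handed to the user once; never stored server-side.
        self.sheet = [secrets.token_hex(length // 2) for _ in range(count)]
        self._unused = {self._digest(p) for p in self.sheet}

    def _digest(self, password: str) -> bytes:
        return hashlib.sha256(self._salt + password.encode()).digest()

    def verify(self, candidate: str) -> bool:
        """Accept a password only if it is on the list and not yet used."""
        digest = self._digest(candidate)
        match = None
        for stored in self._unused:
            # Constant-time comparison so timing does not leak partial matches.
            if hmac.compare_digest(stored, digest):
                match = stored
                break
        if match is None:
            return False
        # Burn the entry: the same password can never authenticate again.
        self._unused.discard(match)
        return True

    def remaining(self) -> int:
        """How many passwords on the sheet are still usable."""
        return len(self._unused)


if __name__ == "__main__":
    otp = OneTimePasswordList()
    first = otp.sheet[0]
    print("first use:", otp.verify(first))      # True
    print("replay:   ", otp.verify(first))      # False, entry already burnt
    print("left:     ", otp.remaining())        # 49
```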

In Schifreen's view, on the face of it, a fingerprint reader (a popular biometrics device) may seem costly to an organisation. But if one reckons the cost of the support staff trying to reset forgotten passwords, biometrics (assuming that it does not need any technical assistance) could be less expensive.

Not many large organisations are, however, convinced of the wisdom of switching over to biometrics. They look upon it as a costly and time-consuming day-to-day drill for an office that has too many users. The debate may never end in our lifetime!

Curse of spam

Another useful chapter is `Curse of spam', a curse that we want to be rid of permanently, but without success. E-mail services such as Hotmail and Gmail do have built-in spam filtering that is reasonably effective. But you still receive spam on which you spend valuable minutes, each day. One basic precaution that organisations should advocate to their employees is for the latter to never reply to a spam message. I personally know how even some clued-up professionals ignore this salutary advice and invite disaster on themselves and the official network to which they have access.

The problem is compounded by the dishonesty of some traders who want to send bulk mail to promote their wares.

An employee of America Online (AOL), the popular service provider, was caught last summer for selling a database of 92 million AOL users' e-mail addresses to spammers. He received $28,000 for this deal!

Abuse of Internet

One major issue that confronts the modern organisation is how to prevent its employees from misusing the Internet from the office location.

You cannot refuse to provide Web connection, just because it is liable to be used for private needs. Often, discharge of basic duties could demand such a facility.

There are now tools available to bar certain sites, both irrelevant and inappropriate at the workplace, and employers use them effectively.

But how many such sites can you identify and shut out? Schifreen refers to new software — an improvement over the traditional kind that scans only text content — which is capable of dealing with graphics. This comes in handy when you want to counter child pornography. PixAlert has a solution that appeals to Schifreen as one way of tackling the menace.

Some sound advice

The last word has not been said on computer security. It will perhaps be never said. Many egos have been hurt and many reputations have suffered a blot, because of the arrogant stand of some that they need not do anything more to protect their networks.

To those bruised by cyber crime, I can only commend Schifreen's sound advice:

"... keep your systems sufficiently unattractive to hackers ... You'll never defeat the hacker, but you can certainly frustrate him. And in this game, that's normally good enough."

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.


Copyright © 2006, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line