From the break-in at Egghead.com in which hackers stole credit card information to the hacking of Microsoft to viruses disguised as tennis player pinups, Internet troublemakers are forcing everyone to think about the security of their systems. We recently spoke to George Kurtz, chief executive officer of the security consulting firm Foundstone Inc. and coauthor of the book Hacking Exposed, about security threats and defense strategies for everyone from home users on a broadband connection to major electronic-commerce sites and software companies.
PCW: We hear a lot of hype about hacking these days, but how much danger is a typical home PC user exposed to?
Kurtz: I think home users are definitely at an increased risk right now, particularly those with 24/7 connections via DSL (digital subscriber line) and cable modems. It's not so much that hackers are targeting a specific computer; they're basically targeting any computer that happens to be residing on one of those larger broadband networks.
If you run any sort of PC firewall or IDS [intrusion detection system] on your system, you can see upwards of 20 different scans a day from people looking for specific vulnerabilities on a home user's PC. We worked with one client who was running a Windows NT home system and had a virtual private network into the corporate office. The NT system was compromised and was used to leapfrog through the VPN into the main network.
PCW: How secure or insecure are the various versions of Microsoft Windows?
Kurtz: There are not a lot of ways to actually break into a Win 9x machine if the user doesn't have file sharing enabled. Overall, Windows 2000 and NT are frequent targets of attack but can be made very secure by taking additional measures to lock down the file and registry permissions. In the default setting, most vendors have very little security turned on because, if they turn everything on, people wouldn't be able to use the box the way they want to. The most important precaution is to apply all of the vendor-related security patches as quickly as possible.
PCW: If users of Windows 9x disable file sharing, do they need a software firewall?
Kurtz: I would still recommend a personal firewall for Windows 9x, or Windows 2000 and NT, just because I think it's beneficial for people to know when their machines are being attacked. And also it's an added layer of protection.
PCW: What would you say is the soft underbelly of security for companies today? How can hackers most easily get in?
Kurtz: The method of choice--I should say the weapon of choice--is the browser. If you look at any of the e-commerce sites, what's the first thing they do? They punch a hole in their firewall to allow people to get to the Web server. And most of the e-commerce sites--95 percent of them--are not proxy-based. That means they have no ability to actually monitor what's happening.
You can come in and manipulate hidden HTML tags or manipulate the URLs to gain access. You go to an online site to buy something, for example. If you download the HTML and you look at hidden tags, they actually contain the price information. If you change the hidden tag from 100 dollars to 10 dollars and do a post, you just bought something for 10 bucks instead of 100.
PCW: How much do individual consumers who use e-commerce sites or online banks have to worry about hackers intercepting their personal financial information?
Kurtz: Hackers are not going to try to sniff a 40-bit SSL [Secure Sockets Layer] transaction and then decrypt it. Why not just break into the Eggheads of the world? The pot of gold at the end of the rainbow is all the credit cards sitting in a database that's unencrypted anyway. So home users are not going to be targeted one-by-one. It's going to be those e-commerce sites that are storing the information that will be hit.
PCW: How can a consumer know whether a company they're dealing with has solid security policies? Are there any security certifications?
Kurtz: I think people need to look for some sort of privacy and security policy on the site that they're visiting or that they're transacting business with and at least look for details of what they're doing from a security perspective. Are they using encryption? Are they using firewalls? Do they have third-party audits?
If you go to a site that doesn't even address the issue, there's a good chance that maybe they're not paying enough attention to it. If you go to a site that puts it out there and says, "Yeah, we're proactive," then I think you can get a little warmer feeling about the site.
But that doesn't necessarily mean it's all up to snuff. They're going to tell you what they want to tell you. So I think third-party certification is going to become critical for consumers in the coming years to really help them understand what a site is doing to protect their security.
PCW: What's the motivation for today's hackers? Are they looking to steal corporate information? Are they out to make a political statement? Or do they just want to wreak havoc for the fun of it?
Kurtz: All of the above. We see some hackers who are looking to target specific organizations. They're looking to get source code. There is a lot of source code that floats around the Internet because organizations have been compromised. They're also looking to use those organizations as a staging point to launch other attacks, or they're looking to embarrass the organization.
And then there are people who are just fishing. They're kind of throwing the hook out there and automatically scanning. And when they find something, they take advantage of it just because it's there.
PCW: Was any source code compromised in the autumn 2000 attack on Microsoft?
Kurtz: We were involved a little bit on that, so I can't give you all the details. What they said publicly was that people were able to view the source code, but they said that the source code was not changed or modified. If you modify it and then put in a back door, then every piece of software that ships has a security problem. So that was their big fear.