biv

ISSUE 462: THE HIGH-TECH OFFICE - Sept 1, 1998

--Alan Zisman

Security on the Net takes good technology
and a dose of old-fashioned common sense

Computer security (or lack of security) has been getting a lot of ink recently. E-mail programs from Microsoft and Netscape have proven vulnerable to attack when a message includes an attached file with a very long name. The overlong name causes the mail program to crash, leaving a window of opportunity for a hacker to run destructive code on the affected computer.
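The long-filename bug described above is the classic pattern of copying untrusted data into a fixed-size buffer without checking its length. The C below is an added illustration, not code from any of the mail clients the column names; the 64-byte name buffer, the Content-Disposition sample, and the function names are assumptions. It shows the unchecked copy beside a version that refuses a name that will not fit, so the client can drop the attachment instead of crashing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer a mail client keeps for an attachment
 * name. The column gives no figure; 64 is a constructed value. */
#define NAME_BUF 64

/* Constructed sample header with a name of ordinary length. */
static const char SANE_HEADER[] =
    "Content-Disposition: attachment; filename=\"report.doc\"";

/* Vulnerable pattern: copies the quoted filename into 'out' with no length
 * check. A name longer than NAME_BUF-1 bytes overruns 'out', which is the
 * crash the column describes. Kept for contrast only; never feed it
 * untrusted input. */
bool extract_name_unchecked(const char *header, char *out) {
    const char *p = strstr(header, "filename=\"");
    if (p == NULL) return false;
    p += strlen("filename=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return false;
    size_t n = (size_t)(end - p);
    memcpy(out, p, n);          /* no bound on n: the defect */
    out[n] = '\0';
    return true;
}

/* Hardened version: the caller passes the buffer size, and any name that
 * would not fit (including its terminating NUL) is rejected outright rather
 * than silently truncated. Returns true only when a name was stored. */
bool extract_name_checked(const char *header, char *out, size_t out_len) {
    const char *p = strstr(header, "filename=\"");
    if (p == NULL) return false;
    p += strlen("filename=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return false;
    size_t n = (size_t)(end - p);
    if (n >= out_len) return false;  /* too long for the buffer: reject */
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Builds a constructed header whose filename is 'name_len' bytes of 'A',
 * capped so it fits the static buffer. Imitates an overlong attachment name. */
const char *make_long_header(size_t name_len) {
    static char buf[1024];
    static const char prefix[] = "Content-Disposition: attachment; filename=\"";
    size_t plen = sizeof prefix - 1;
    if (name_len > sizeof buf - sizeof prefix - 2)
        name_len = sizeof buf - sizeof prefix - 2;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', name_len);
    buf[plen + name_len] = '"';
    buf[plen + name_len + 1] = '\0';
    return buf;
}

/* Convenience checks over the constructed samples. */
bool sane_header_ok(void) {
    char out[NAME_BUF];
    return extract_name_checked(SANE_HEADER, out, sizeof out)
        && strcmp(out, "report.doc") == 0;
}

bool long_header_rejected(size_t name_len) {
    char out[NAME_BUF];
    return !extract_name_checked(make_long_header(name_len), out, sizeof out);
}

int main(void) {
    printf("sane header accepted: %s\n", sane_header_ok() ? "yes" : "no");
    printf("63-byte name rejected: %s\n", long_header_rejected(63) ? "yes" : "no");
    printf("500-byte name rejected: %s\n", long_header_rejected(500) ? "yes" : "no");
    return 0;
}
```

The boundary is at NAME_BUF-1 bytes: a 63-byte name plus its NUL fills the buffer exactly and is accepted, while a 64-byte name is refused. Rejecting rather than truncating matters because a silently shortened name can still be used to mislead the reader about what the attachment is.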

Users of Microsoft Outlook 98 and Outlook Express can download a patch from Microsoft (www.microsoft.com/security) to fix the problem, but Windows users should make sure to get the August 11 version. The first fix, released in late July, should not be used. (Mac users can safely use the original patch.)

As of mid-August, Netscape had not yet released a patch, but promised that one would be available shortly. Netscape says Windows users of version 4 are vulnerable, but that Mac users and users of earlier versions should not be affected. Until a fix is available, Netscape says users of affected versions should configure the mail program to view attachments as links, rather than display them in-line.

The makers of popular Eudora mail boasted that their software wasn't affected by this problem, only to find themselves prey to a different hack a day later.

According to Eudora manager Matthew Parks, the problem would allow e-mail attachments to erase files or install a virus, or link to an Internet site that could run destructive program code. The problem only affects the Windows version of Eudora Pro 4.0. While there are no known cases of damage actually being done in this way, Windows Eudora Pro 4.0 users should go to www.eudora.com and download and install the free patch to upgrade to (hopefully) problem-free version 4.01.

Microsoft has never claimed that Windows 95 and 98 are secure. A group called Cult of the Dead Cow has created and distributed a program called Back Orifice to demonstrate potential problems with this. Similarly, programmer Dannie Gregoire is distributing what he calls a Spartan Horse, which mimics standard dialog boxes and asks users to type in their passwords. He claims he's trying to demonstrate how, as desktop computing merges with the Internet, users can be more easily fooled by outsiders.

Hired by a bank, security expert Ira Winkler spent four days getting around the bank's three security firewalls in a demonstration discussed at July's Black Hat Briefings '98 conference.

He started with the phone book. He called a secretary, claiming to be from the bank's human resources department, working on an article for the company newsletter profiling her boss. He got the executive's background and, eventually, his company ID number.

Since the bank had hired a lot of new employees, Winkler then posed as the executive and got someone in human resources to read him a list of new hires, along with their ID numbers. The next day, he contacted the new employees, posing as someone from information systems. Seventy-three (73!) people gave him their network log-ons, user IDs and passwords. Notice that the only high tech tool used so far is a phone.

Using that information, Winkler was able to penetrate the company network. It's estimated that if he'd mounted a genuine security attack, he could have made $2-million transactions.

Winkler was demonstrating a so-called social engineering attack. The exercise showed that no matter how much you spend on security, your system is only safe if users are trained not to give out sensitive information -- particularly over the phone. A safer technological solution would be to require a password together with a physical device.

Of course, technology will never provide security without the simultaneous use of common sense. Your mother probably warned you not to talk to strangers. Even in these high-tech days, remember that your mother is always right.*






Alan Zisman is a Vancouver educator, writer, and computer specialist. He can be reached by e-mail.