ISSUE 462: THE HIGH-TECH OFFICE - Sept 1, 1998
--Alan Zisman
Security on the Net takes good technology and a dose of old-fashioned common sense
Computer security (or the lack of it) has been getting a lot of ink recently. E-mail programs from Microsoft and Netscape have proven vulnerable to attacks if mail messages include attached files with very long names. This can cause the mail programs to crash and leave a window of opportunity for a hacker to run destructive code on the affected computer.
Users of Microsoft Outlook 98 and Outlook Express can download a patch from Microsoft (www.microsoft.com/security) to fix the problem, but Windows users should make sure to get the August 11 version. The first, late-July so-called fix should in fact not be used. (Mac users can safely use the original patch.)
As of mid-August, Netscape had not yet released a patch, but promised that one would be available shortly. Netscape says Windows users of the Netscape 4 versions are vulnerable, but that it shouldn't be a problem for Mac users or for those using earlier versions of the program. Until a fix is available, Netscape says users of affected versions should configure the mail program to view attachments as links, rather than display them in-line.
The makers of the popular Eudora mail program boasted that their software wasn't affected by this problem, only to find themselves prey to a different hack a day later.
According to Eudora manager Matthew Parks, the problem would allow e-mail attachments to erase files or install a virus, or link to an Internet site that could run destructive program code. The problem only affects the Windows version of Eudora Pro 4.0. While there are no known cases of damage actually being done in this way, Windows Eudora Pro 4.0 users should go to www.eudora.com and download and install the free patch to upgrade to the (hopefully) problem-free version 4.01.
Microsoft has never claimed that Windows 95 and 98 are secure. A group called Cult of the Dead Cow has created and distributed a program called Back Orifice to demonstrate the potential security problems this creates. Similarly, programmer Dannie Gregoire is distributing what he calls a Spartan Horse that mimics standard dialogue boxes, asking users to type in their passwords. He claims he's trying to demonstrate how, as desktop computing merges with the Internet, users can be more easily fooled by outsiders.
Hired by a bank, security expert Ira Winkler spent four days getting around the bank's three security firewalls in a demonstration discussed at July's Black Hat Briefings '98 conference.
He started with the phone book. He called a secretary, claiming to be from the bank's human resources department, working on an article for the company newsletter profiling her boss. He got the executive's background and, eventually, his company ID number.
Since the bank had hired a lot of new employees, Winkler then posed as the executive and got someone in human resources to read him a list of new hires, along with their ID numbers. The next day, he contacted the new employees, posing as someone from information systems. Seventy-three (73!) people gave him their network log-ons, user IDs and passwords. Notice that the only high-tech tool used so far is a phone.
Using that information, Winkler was able to penetrate the company network. It's estimated that if he'd mounted a genuine security attack, he could have made $2-million transactions.
Winkler was demonstrating a so-called social engineering attack. It showed that no matter how much you spend on security, your system is only safe if users are trained not to give out sensitive information -- particularly over the phone. A safer technological solution would be to require passwords together with a physical device.
Of course, technology will never provide security without the simultaneous use of common sense. Your mother probably warned you not to talk to strangers. Even in these high-tech days, remember that your mother is always right.