Please adjust the frame on the left to read the following story to avoid using the stroll bars at the bottom.

You know they're coming at you.
Can you stop them?

Hackers,Terrorists, and Spies

   Techno-metal thumps like a fibrillating heartbeat as a sea of people
   wearing black clothing, cell phones, and headsets flows through
   Manhattan's timeworn Puck Hall. Here, for two days in August, 800
   hackers and hacker wannabes have chucked the anonymity of their chat
   groups and E-mail to gather and talk shop. Many of these young people
   fit the stereotype of the pasty-skinned nerd who stays glued to his
   computer night after night. But many more are hard-core, sporting
   elaborate tattoos, long stringy hair, and bizarre body piercings.
   This is Hope97, where the elite denizens of cyberspace come to share
   hacker lore and tricks of the trade in their perennial cat-and-mouse
   game with IT security chiefs and law enforcement agencies the world
   over. Near the entrance of Puck Hall, a makeshift network springs up
   from stacks of hard drives, circuit boards, and laptops. It takes
   agility to walk here without tripping over the cables snaking across
   the aged oak floors. But the two-dozen young men connected to this
   network are too busy to notice the clutter around them. Instead, they
   sit mesmerized by the messages scrolling up their monitors. They peer
   intently as the data feed whizzes by, as if they might discover some
   secret formula from the jumble of coded messages. In truth, they are
   merely testing their skills against another group of hackers nearby
   who have launched a "denial of service" attack to bring their
   opponents' network to its knees. This time, at least, it's just a
   The Hacking Psyche 
   Mostly under the age of 25, hackers are talented, bored, obsessive --
   and organized. Thousands of them have banded into groups like the
   L0pht, KOS, HackerZ, Alt.2600 or CyberJihad. Some are 'white hat'
   (good) and some 'black hat' (evil). By the hacker code of ethics,
   white hat hackers agree to refrain from causing damage, and even pay
   penance for their trespasses by reporting security leaks to their
   victims. Some go so far as to develop patches for the very holes they
   exploited. This group represents the majority of hackers who, through
   self-policing, provide a rogue form of security and quality testing at
   no cost to vendors and their customers. Black hatters, on the other
   hand, are frequently malicious, unleashing dangerous viruses, crashing
   servers, defacing Web pages, and even waging information warfare
   financed by business competitors and foreign governments.
   Whatever their motives, hackers consider the Internet their domain,
   and any company using it as an interloper. They do their best work
   between the hours of midnight and dawn. Their basements brim with
   servers, routers, T-1 lines, and workstations -- equipment every bit
   as powerful as the tools used by the companies and governments trying
   to stop them. For a hacker, the ultimate goal is to 'gain root' in a
   targeted system, and with it the power to explore, manipulate and in
   some cases steal the information assets they find there. In most
   cases, the only reward they seek is the admiration of their peers.
   They post their exploits at hacker sites around the Web, which then
   spread like wildfire. Within hours of a posting, hundreds of hackers
   are testing the attack themselves.
   Posted on the Web are enough pages documenting custom-made hacker
   tools and procedures to wallpaper the Pentagon. They may contain
   step-by-step instructions on how to break into a Cisco router, or how
   to exploit ActiveX through its Red Button test tool, or an easy way to
   gain root through old send-mail programs, or how to disable a Web
   server in minutes with E-mail bombs like UpYours, Avalanche, or
   Be Afraid, Be Very Afraid 
   Think this doesn't affect you? Think again. "There's no Fortune 500
   company that hasn't been hacked, I don't care what they tell you,"
   says a burly 24-year-old hacker who answers to the name of Veggie.
   Firewalls? As easy to get through as a screen door. Encrypted data?
   Last June a group of hackers quickly cracked the much-vaunted 56-bit
   key code using relatively simple brute force techniques. The hack came
   just five weeks after RSA Data Security invited the attack in the hope
   of proving its encryption impervious to such assaults. And virus
   scanners? New viruses are popping up so fast that virus scanner
   vendors can't hope to keep up with them.
   While the majority of hackers are relatively harmless, their exploits
   are nonetheless chilling. If they can break in so easily, who else is
   slipping past security? The truth is that every company using the Web
   -- especially those with significant trade secrets or IT assets -- is
   probably under constant attack from a range of sources, including
   competitors, foreign governments, industrial spies, disgruntled
   employees, terrorists, and black hatters up to no good. Indeed,
   according to the 1996 Ernst & Young Information Security Survey,
   industrial spies working for business competitors are a top threat to
   corporate secrets, second only to disgruntled employees. And the
   majority of the information being hacked -- some 82% -- is of interest
   to both foreign and domestic competition, according to the San
   Francisco-based Computer Security Institute (CSI).
   How are they getting in? Through remote dial-ins, hidden modems, or
   poorly configured routers. And, thanks to the meteoric rise of
   Web-based computing, they're increasingly exploiting poorly configured
   Internet connections, application servers, electronic mail, and Web
   servers. Late last year, Dan Farmer, author of the network security
   testing tool Satan, probed some 2,200 high-profile Web sites at banks,
   federal institutions, newspapers, and the like. He found that
   two-thirds of them had serious vulnerabilities. He found that most
   firewalls and other protective measures were largely ineffective, and
   that of the 2,200 sites he probed, only three detected his activities
   and contacted him to ask what he was doing.
   "Corporate America is very naive," says Modify, a 25-year-old who
   started hacking gaming codes on a Commodore 64 at age 10. "Most of
   those people think 'out of sight, out of mind.' They're dead wrong.
   And, if they're hooked up to the Internet, it's all over."
   With threats like this, it's no wonder some companies aren't joining
   the stampede to the Internet. One organization, the $1.2 billion Blue
   Cross/Blue Shield of the National Capital Area, has managed thus far
   to keep most of its 2,000 in-house users off the Internet. To maintain
   tight security, Blue Cross ships traffic to other franchises across a
   virtual private network, and manages strict access controls through
   tightly defined RACF parameters. RACF is a well-regarded security tool
   for mainframes, which have long provided the greatest security.
   But maybe not for long. As more and more end users acquire Web-based
   access to legacy data on the mainframe, even big iron may become
   vulnerable. "There are a lot of mainframe-enabled business
   applications coming up that are going to force me to open up the
   firewall to the Internet," says Peter Gost, manager of
   telecommunications and IS security at Blue Cross/Blue Shield. That
   scares him to the point that he's taking a year to plan his security
   Gost's data center hosts a database containing all the insurance
   records of the nationwide Federal Employee program, which must be
   accessed by the 70 other Blue Cross franchises and numerous medical
   facilities that need insurance information on Federal employees. His
   biggest problem is that he has no control over the security measures
   being taken by the other Blue Cross plans that will ultimately connect
   to his network via the Internet. "The other plans are doing whatever
   they want," he says. "There's no standardization and the tools don't
   interoperate. If worst comes to worst, I may have to standardize and
   require each plan to spend 20 grand on a single brand of firewall
   before I let them in."
   While no external Internet access is allowed into the dedicated
   network, a few key employees, whose jobs require it, are allowed
   backdoor access to the Web -- and that makes Gost and company
   vulnerable. They have no virus checker to scan for incoming E-mail or
   Java and ActiveX applet-born viruses. Their only protection is a
   written policy directing the handful of users not to download attached
   .exe files, the most common hosts of viruses. "We have gotten some
   viruses from the Internet via E-mail, no question about it," says Sam
   Bennett, director of IS. "Most have been harmless, like the [Word
   Concept] virus that makes it a pain to save Microsoft Word files as
   documents. We did get some viruses that would wipe out a C drive, but
   we caught and deleted them before anybody got hit."
   Bennett's staff is currently evaluating a virus scanner from Secure
   Computing Corp. -- and none too soon. Viruses are beginning to pop up
   in Java and ActiveX applets everywhere. While Java applets themselves
   are secure because their functions are executed in a self-contained
   sandbox inside a Java Virtual Machine, they can be exploited as
   carriers when developers start opening the sandbox so the applets can
   communicate with other applications, according to Clay Ryder, chief
   analyst for Zona Research.
   "When the applet's out of the sandbox, I could write a rogue
   application in Java that deletes files, perhaps even the boot sector.
   Outside the Java sandbox, you could code an applet to delete
   everything on a hard drive," says Ryder. Applet security, he says, can
   only be controlled if Java applets are used in conjunction with
   ActiveX, by passing through the authenticating component of the
   ActiveX object model.
   "Not anymore," retorts Modify, as he sips from a bottle of Evian in a
   coffee shop at a Maryland shopping mall. "Here's a new one I just got
   yesterday that makes ActiveX security invalid," he says, revealing a
   new hack perfected by one of his colleagues. "Microsoft doesn't know
   about it yet." He reaches into an expandable folder and pulls out two
   printed pages describing how to push the ActiveX control to the
   browser and drop the security level from 'high' to 'none' by touching
   certain buttons while descending through several HTML pages. He reads
   the instructions aloud, then smiles. "It works."
   NT Hot, Unix Not 
   Hackers these days loathe everything Microsoft. For years they've
   tested their prowess on Unix boxes, posting successful hacks at hacker
   hangouts around the Web. Now, they're beating up on NT. "Everyone
   wants Microsoft right now," Veggie explains, "because Microsoft has
   been incredibly arrogant about their security. They won't even admit
   there are any problems."
   Not true, says Microsoft's Enzo Schiano, group product manager for
   Windows NT server, who adds, "We have been extremely committed." In
   response to escalating attacks on NT, Microsoft has set up an
   emergency response team of more than 20 engineers to monitor hacker
   news groups and read hacker-submitted messages that come in through an
   inbound alias, [3] Hacks are tested, then
   addressed with patches or other fixes, which are posted on Microsoft's
   Security Web site for customers to download.
   At Hope97, the preoccupation with Microsoft was most apparent during
   back-room tutorial dedicated to teaching attendees how to hack NT with
   a tool called L0phtCrack. L0phtCrack was developed by a team of
   hackers-turned-consultants in the organization called the L0pht
   (pronounced "loft"). Mudge, a 28-year-old L0pht member, speaks
   excitedly about the war on NT during the presentation. Here, he
   introduces the improved L0phtCrack 1.5 designed to get around
   Microsoft's SYSKEY patch to L0phtCrack 1.0. The new tool uses a brute
   force attack that tests every possible combination until it finds the
   duplicate passwords stored in NT's LAN Manager network operating
   system. When it finds a password -- which is only a matter of time --
   L0phtCrack 1.5 returns it to the hacker. The only protection, says
   Mudge, is for Microsoft to dump its LAN Manager which, he suggests,
   won't happen anytime soon. Microsoft has responded to L0phtCrack by
   posting an enhancement that allows users to turn off their LAN
   Managers. Unfortunately, this is not a realistic solution for most NT
   users. The reason: LAN Manager can only be removed from networks that
   are solely based on NT.
   Despite its technical limitations, most of NT's vulnerabilities are
   due to human errors, says David Kozlowski, assistant VP of technical
   operations for American Credit Indemnity (ACI), which insures $70
   billion in business equipment. Kozlowski runs a pure Microsoft shop,
   with NT and Windows operating systems and the SQL Server database. He
   takes pains not to overlook the simple but obscure, like deleting the
   original administrator password put in for set-up and configuration.
   For additional security, Kozlowski builds security controls, such as
   application log-ins, passwords, and rotating encryption, directly into
   ACI's applications, all of which are developed in-house.
   Take Down
   Another popular hacker method is the denial-of-service attack, the
   most common being Ping of Death and E-mail bombing. Ping of Death
   attacks send excessive pings containing very large packets to routers
   or servers, which become overloaded and shut down, thus denying
   service to users of those network segments. Flood mail attacks
   overload the E-mail server, with the same results. A ping flood can
   also overload and shut down a firewall server in the same way. With a
   firewall server down, a hacker can freely enter and roam the network.
   An older, but still common, way to pass through firewalls is with IP
   spoofing -- faking a trusted IP address, which the server will
   identify and allow entry. "The only way to protect against these flood
   attacks and IP spoofing is by turning the ping response off on the
   [firewall] box or not allowing certain IP addresses to connect," says
   Most hackers begin with the obvious. "Open doors" they call them --
   modem pools or open ports that have escaped the network manager's
   attention, or unfiltered routers or holes that have been punched in
   the firewall by the system administrator to allow easier access to
   certain network traffic.
   Indeed, many security lapses could be avoided if senior managers had a
   thorough knowledge of their network's configuration. Michael Smith,
   director of network infrastructure for the New York City-based Home
   Box Office (HBO), uses a map of his network that resembles the
   intersecting freeways and city streets of Gotham. Smith uses
   Compuware's EcoScope network management tool instead of a security
   tool to map the network and monitor traffic from its entry point on
   through to its destination. Recently, this mapping feature revealed
   that HBO's link to Comedy Central was allowing unrestricted access to
   their network, and pointed Smith's staff to a Cisco router with
   misconfigured filters. "The most exciting thing is not that we have
   secure ID boxes and access lists -- it's the fact that we have a
   monitoring tool that keeps the checks and balances going, that shows
   who's using what and when," Smith notes.
   Even with the best of tools and policies, bulletproof security is
   probably unattainable. High costs, changing networks and software
   versions, incomplete security tools, and the growing pool of ingenious
   and dedicated hackers prohibit this. The best that IS security chiefs
   can hope for is to minimize their risk to acceptable levels.
   Ironically, one place they can turn to for help is the hackers
   themselves, many of whom are happy to share their insights. Modify,
   who has a legitimate day job as a systems administrator, offers some
   advice to his IS counterparts who are faced with fending off security
   breaches. "Go through your system reports thoroughly each morning and
   evening," he advises. "Update your software and keep on top of
   security issues. Have some penetration testing done and keep your
   employees up-to-date on password selection, telephone policy, and
   log-offs. Security is always evolving, so don't fall behind, because
   if you do, then you are going to get hit."