Many hacks go unnoticed: analyst

Don’t always believe what you read – especially if it’s on the Internet.

These days just about anyone can break into a Web site and deface it, or set up a mirror site with bogus information. CNN.com recently fell victim to one such prank when a Web page was posted that looked and acted just like a CNN page, but with one important difference – the story “Microsoft Patents Ones, Zeroes” was a fake.

“Because all integers and natural numbers derive from one and zero, Microsoft may, by extension, lay claim to ownership of all mathematics and logic systems, including Euclidean geometry, pulleys and levers, gravity, and the basic Newtonian principles of motion, as well as the concepts of existence and nonexistence,” the story said. It was still up at press time at www.cnn.com@scitech@3520040376/new_010325/alert/breakingnews.html.

Although Atlanta-based CNN did not return ComputerWorld Canada’s calls, CNN spokesperson Edna Johnson told our affiliate Itworldcanada.com there was no reason for CNN to be concerned as the spoof page was not part of CNN’s site. She downplayed the incident.

But such pranks are only the tip of the iceberg when it comes to computer hacking. And, as with icebergs, it’s the worst and most dangerous parts that we never see.

“The really good hacks are the ones that you never hear about because in reality they probably haven’t been discovered,” said Bill Spernow, a research director for the information security strategies group at Stamford, Conn.-based Gartner Inc.

Most of the hacks that get airplay are perpetrated by hackers seeking to make a reputation for themselves. It doesn’t always take a lot of sophistication to hack into a site – just a browser, a little bit of determination and unsuspecting IT administrators who haven’t taken all of the precautions they can. Anyone interested in hacking can find appropriate tools on the Internet.

There are two basic types of hacks, said Jack Gorrie, the provost’s advisor on information technology and a professor at the University of Toronto. Hackers can hijack somebody’s identity either by breaking into a site’s Web server and changing the content on the server or by attacking the network and redirecting network traffic to another site which masquerades as the site people are trying to visit.

The second type of attack is far more sophisticated and therefore more rare, Spernow said. Hackers have used this type of attack in the past to redirect traffic headed for bank Web sites. Unsuspecting users hand over their ID and passwords when they visit the phoney sites.

“You never really know that your stuff has been intercepted,” Spernow said.

It’s not easy for companies to protect themselves against such tactics, but it can be done, Gorrie said.

“I think in a sense this may take care of itself as more commerce travels on the Internet and as companies depend more on this and invest in it. I think you’ll see better security come along naturally because more and more companies will protect their resources. And for them a denial of service attack becomes more than a nuisance. It actually starts to impact the bottom line.”

The problem, said David Jones, a computer science professor at McMaster University in Hamilton, Ont., and the president of advocacy group Electronic Frontiers Canada, is that most companies are complacent and have come to accept insecure systems as a norm. For example, if you use Microsoft software you get used to your computer freezing all the time, he said.

“It doesn’t have to be that way. It really is possible to have secure systems.”

It’s a matter of priority, he said, adding that for many companies security is not the primary concern. Security is expensive, and in the business world you always want to balance costs and benefits. If you’re building a network for CSIS then security will obviously be a top priority at which you can throw a lot of money, but if you’re just placing a catalogue up on the Web then security is less important.

More CIOs are beginning to place security among their top concerns, Spernow said. But even when CIOs get the “security religion” they often have difficulty finding security experts.

“The biggest complaint I have from Gartner clients is that they have a really difficult time hiring people with the expertise to understand actually what the threat is and then to defend against it.”

That’s why the idea of outsourcing security is starting to gain more popularity. But outsourcing comes with its own concerns, Spernow warned.

Security providers will have the same difficulty attracting, hiring and keeping talented workers, he said. They will also become the single point of failure and a very attractive target for hackers.

“I’ve had discussions with people from the FBI and the Secret Service and they all agree that if they were organized crime, and they knew what they knew about technology, they’d be setting up and funding small geographical outsource providers to provide [security] to companies, and in reality what you get is the keys to the kingdom,” he said.

Companies with really sensitive information to protect probably shouldn’t consider outsourcing, he recommended.

For companies with less to risk, vetting the vendors should be an important part of any outsourcing decision, he said.

But in most cases it’s not necessary to set up a Fort Knox-type of security system to keep hackers at bay, Spernow suggested. “Most hackers I’ve had the opportunity to meet, while very smart people, are not ambitious with reference to working hard, and they look for the easy victims. And there are a lot of easy victims out there right now,” he said. If companies just raise the bar of security a little, most hackers will go looking for another victim.

Part of the problem, Gorrie said, is the nature of the Internet itself.

“It’s an intrinsic problem with the way the Internet was designed in the early days,” he said.

The BIND (Berkeley Internet Name Domain) system was designed to work in a much friendlier environment, he said.

“We’re now applying this technology in areas where it was never really originally intended for. Although it works pretty well most of the time, we probably shouldn’t be too surprised that it’s starting to show problems,” he said.