Editor's note: Adrian Lamo, a white hat hacker who pled guilty to accessing The New York Times computers without permission, agreed to share what he knows about some of the common IT security slips network administrators make. Lamo studies journalism at American River College in Sacramento, Calif, as he awaits sentencing next month.
One well-ranked Fortune 500 company was recently hiring a network security professional. The interview process required applicants to wait in the HR lobby, where they could use public workstations to browse job listings.
Although the company had spent a hefty sum on a Cisco PIX firewall installation, it made the mistake of placing these visitor workstations on the internal network where files could be accessed. Rather than invest less than $100 per month to equip the public workstations with their own broadband connection, the firm left a fine trophy for anyone with an interest in competitive intelligence.
Knowledge about potential security threats is generally required for the defense of any complex system. But intruder intelligence is only useful as long as it's not running the show. Otherwise, you'll be predictable by the same schemas you use to predict the actions of others.
For instance, many would-be intruders know that administrators configure their intrusion-detection systems in very linear ways, assuming that intrusions will come in the form of scans, buffer overflows and predefined attack patterns.
One way around this is to simply push random requests through the Web browser, a legitimate point of access. At one company, the Web mail system let users forward their mail to any address with only their Social Security number and last name. However, a quick search revealed a corporate directory that included Social Security numbers of all employees and contractors, including the CEO.
Some companies even put in extra layers of security such as token authentication devices. But again, they perceive the problem incorrectly by forgetting that attacks can't be counted on to originate at the edge of the network.
In the late 1990s, intruders remotely bypassed AOL's SecurID authentication system by developing software that would let them redirect their Internet connections through AOL employee workstations, masked as innocent Web connections. Suddenly AOL's network was riddled with private gateways. AOL's logon servers saw their connections as originating from inside the network, and didn't bother to ask them for a SecurID code. As a result, hundreds of high-profile AOL accounts were compromised.
The belief that attacks will inherently come from the outside sets networks up to fall. Security is not always a linear process. If you're going to profile intruders, profile defenders too - be they good examples, or terrible warnings.
Main | Next: Meeces to pieces: What motivates the computer criminal