Re: Hackers

by "Darrell King" <darrell(at)webctr.com>

 Date:  Tue, 11 Jul 2000 08:23:14 -0400
 To:  <hwg-techniques(at)hwg.org>
 References:  westhost barnum
A few thoughts:

1) As some have suggested, change passwords when an employee leaves.  Even if
that employee didn't have access to the password, you must consider that
they obtained it somehow while with you.  While this may not be practical
with a large company, smaller companies should have no problem. If your
turnover is so large this is a major inconvenience, it's possible you have
bigger problems than site security...:)

2) Never store your password(s) in a public area of your site.  It can be
accessed with the view-source option, or by simply browsing to it.

3) Never use the same password for anything else.  You have no idea who runs
"Joe's Online Newsletter", so don't use your Unix password for your member
account at Joe's site...

4) Never use an easily guessed password, or one that follows a pattern.  I
can write a script in a short time that will combine all the words I know
you like, as well as anything else I know about you, and it'll work its way
through all the possible combinations very quickly.  (BTW, everyone: that
was hypothetical...don't bother writing me to ask for such a script!)

5) Check the server logs for access records as well, when attempting to
track the cracker.  They feel secure within their anonymity...track them
down, drag them into the light and they wither and die into a smoky puddle
of sludge.  This isn't really in line with your request, but it does make a
satisfying picture!

There's a pattern to the list above...:).  Physical access to the computer
is a biggie: anyone who has access to the server can probably get into your
site.  You can't control that without switching ISPs, but the next biggest
offender is physical access to the password, followed by guessing the
password.  Assuming your attacker did not have physical access to the
machine, it's quite likely they simply waltzed into the directories using
your own FTP or telnet account.  They knew/guessed your id/password, and the
guard just let them through...

Recently, I found files on my own hard drive, placed there by a hacker (no
damage was done) who simply ran a program on the Internet checking for
unprotected networked Windows machines and wrote the files to disk on them.
Activity was blocked because of other safeguards in place, but I missed a
bit of security...since corrected!  Put simply, there are literally
hundreds of people out there from 12 to 80 who are just looking for ways to
break into your system...often with fairly sophisticated software doing the
work for them.  With that much brainpower looking for holes, they will find
them sooner or later.  All you can do is take the matter seriously, and not
skimp on the few security measures you have control over...:)

D
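One defensive way to put point 4 into practice, added here as an example and not code from the post or the list: a password-policy check that rejects candidates built from words an attacker might know about the user (the KNOWN_WORDS sample is constructed), from common letter-for-symbol substitutions, or from repeated or sequential runs.

```python
import re
import string

# Constructed sample of "words an attacker might know about you" (name, company,
# pet, birth year); not from the post, just an illustration.
KNOWN_WORDS = ["Darrell", "webctr", "Rover", "1962"]

# Undo common letter-for-symbol substitutions so "R0v3r" is judged as "rover".
LEET = str.maketrans("013457@$!", "oieastasi")


def normalize(password):
    """Lower-case and strip leet-style substitutions for dictionary comparison."""
    return password.lower().translate(LEET)


def has_sequential_run(text, length=4):
    """True if any `length` consecutive characters walk the alphabet or the digits."""
    for table in (string.ascii_lowercase, string.digits):
        for i in range(len(text) - length + 1):
            chunk = text[i:i + length]
            if chunk in table or chunk[::-1] in table:
                return True
    return False


def is_weak(password, known_words, min_len=12):
    """Return a rejection reason, or None if the password passes every check."""
    if len(password) < min_len:
        return "too short"
    lowered = password.lower()
    norm = normalize(password)
    for word in known_words:
        w = word.lower()
        # Catch the word as typed, with substitutions undone, or spelled backwards.
        if len(w) >= 3 and (w in lowered or w in norm or w[::-1] in lowered):
            return f"built from known word '{word}'"
    if re.search(r"(.)\1{3,}", lowered):
        return "repeated character run"
    if has_sequential_run(lowered):
        return "sequential run"
    return None
```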




----- Original Message -----
From: "Sue Bailey" <sue(at)bartandsue.co.uk>

> Most of the break-ins
> we hear about are because someone forgot to lock the door.
>
> -- jalal --

Well, really what I was asking for was ideas about doors I might have
forgotten to close.

Sue

HWG hwg-techniques mailing list archives, maintained by Webmasters @ IWA