The Internet is a world inhabited by different kinds of people. Some read their mail, some download the latest games, some sit around chatting with others. Then there are the crackers. Seemingly almost supernatural in their abilities, these individuals usually hack through systems for fun, or profit, or spite. Case in point, the Bhabha Atomic Research Center in Mumbai, India.
BARC played a key role in the recent underground nuclear tests that our country conducted. And that attracted the attention of a fifteen-year-old adept in the dark art of cracking. On the Net, he went about by the name "T3k-9" and decided to crack into BARC.
Crackers abound on the Net. And they come in all shapes and sizes. The disgruntled employee out for revenge, the cracker your rival company employed to hack into your systems. And one day, one of them is going to try and breach the security of your system. Are you taking adequate precautions? BARC didn’t.
T3k-9 used a powerful password-cracking software called John The Ripper and set it to work on BARC’s Web and e-mail server. The software repeatedly logged into the machine and tried out passwords in all combinations. Forty-five seconds later T3k-9 broke in. He couldn’t believe his eyes: someone had the same password as his login name, "ANSI"!
He immediately went about downloading the entire password list from the server and posted it on his favorite IRC channel. Access to a password file makes it much easier for crackers to get into a system, since the password cracking software gets the entire list of login names to work with.
Over the next few days, hundreds of crackers from all over the Net trampled through the BARC servers, overwriting their home page, downloading e-mail and some supposedly important papers on particle physics.
The dark side
The Net is still not secure. Every single organization that connects to the Internet renders itself vulnerable to attack. The cracker out there is always looking for new and interesting systems to attack. If your organization has a server connected to the Net with even the smallest chink in its armor, be sure that sooner or later a cracker is going to try and pry open your system.
In BARC’s case, its first line of defense, the firewall with its login password was broken in under a minute. And all because the administrators didn’t enforce a clear and strict policy on passwords. All in all, our premier atomic research center got off lightly. The damage done could have been much more.
Most often, systems are broken into because of weak or stolen passwords. When you put a lock on a warehouse, you put a huge lock with lots of levers inside. With a huge key! In the same way, when you choose a password you should do so with care. Make it something nobody can guess. Don’t put in your wife’s or your own name. No birth dates or any such text. Make it long, make it crazy, make it something no cracker can guess.
One final thing about passwords and accounts: when an employee leaves your organization, do remember to kill his account and password from your computer systems. Not doing so is like leaving a duplicate key to your warehouse with him.
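The password rules and the departed-employee advice above can be enforced mechanically. The following is an added example, not part of the original article: a check run when a password is set, plus a sweep for accounts with no current owner. The function names, the 12-character minimum and the sample names are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed threshold; the article only says "make it long"

def password_violations(login, password, personal_terms=(), birth_date=None):
    """Return the article's rules that a candidate password breaks."""
    problems = []
    folded = password.casefold()
    # The BARC case: password identical to the login name, ignoring case.
    if folded == login.casefold():
        problems.append("same as login name")
    # Own name, spouse's name and similar guessable personal words.
    for term in personal_terms:
        if len(term) >= 3 and term.casefold() in folded:
            problems.append(f"contains personal name '{term}'")
    # Birth date in common day/month/year orderings, separators ignored.
    if birth_date is not None:
        digits = re.sub(r"\D", "", password)
        layouts = ("%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y", "%y%m%d")
        if any(birth_date.strftime(fmt) in digits for fmt in layouts):
            problems.append("contains birth date")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems

def stale_accounts(accounts, current_staff):
    """Logins that still exist but belong to nobody on the staff list."""
    staff = {name.casefold() for name in current_staff}
    return sorted(a for a in accounts if a.casefold() not in staff)

if __name__ == "__main__":
    # Constructed sample data; only the "ANSI" login comes from the article.
    print(password_violations("ansi", "ANSI"))
    print(password_violations("rkumar", "Sunita15081970!",
                              personal_terms=["Sunita", "Kumar"],
                              birth_date=date(1970, 8, 15)))
    print(password_violations("rkumar", "plum-Tractor-veranda-62"))
    print(stale_accounts(["ansi", "rkumar", "guest"], ["rkumar"]))
```

An empty list from password_violations means the candidate passes every rule; anything returned by stale_accounts is an account to disable.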
An organization’s computer system connected to the Net is like a portal to its internals. If a cracker manages to get in, he can possibly sift through a lot of sensitive documentation. Who knows, he might even do some lasting damage. What if he decides to delete a critical document? Or sell it off to a rival company? It all depends on who he is. But who is a cracker?
Who is he?
Could he be that computer nerd who lives next door and hardly comes out? Quite possibly. These guys are usually young, highly "techie" and armed to the teeth with knowledge, will, and the desire to break into your systems. Once they get in, it’s likely that they’ll do some damage before they get out. It takes a certain kind of mentality to do all this, and plenty of guys out there are trying to prove their machismo.
You’re likely to run across dozens of them on the various IRC channels on the Net. Talking to them is like talking to a guy who doesn’t know the letter "s"—some dayz just spent downloading warez! Otherz, doing what I do best!
Another kind of "cracker" is of a different flavor altogether. Enter the disgruntled employee. As this person already has an account on his company’s network, he can easily do plenty of damage. Fire him, and he’s likely to do much more.
The future of the Net holds many surprises. One that’s not a favorite among crackers goes by the name Kerberos (page 54). Kerberos is a system of security so powerful that it’s "almost" impossible to break in. The entire security model of Windows 2000 is based on this security system. Now I said "almost", because one day, someone will surely come up with a way to crack Kerberos.
The next generation of the Internet Protocol, IPv6, has an efficient security model built right into it. The Secure Electronic Transaction (SET) protocol will make credit-card transactions on the Net completely safe. The future looks good. The future looks safe. Does it actually? Always remember that the cracker is an individual working on the bleeding edge of technology. He will find his way through.
Meanwhile, all we can do is implement security to the best of our abilities, using the latest in technology. If done properly, the probability of a cracker gaining access will drop significantly, though it will never be zero. That would really be hard.