Seven Myths About Network Security
Just because your network has a firewall and anti-virus and anti-spyware tools doesn't mean you're safe from attack. We explode seven security myths, and provide you with tips for staying
April 2, 2005
Hacker tools are growing more sophisticated and automated. Hackers can now quickly adapt to new security vulnerabilities as they are uncovered and distribute the fruits of their exploits more widely with the help of automated toolkits. And they're employing an ever-increasing range of methods to find individuals' and companies' private information and use it to their own advantage.
And yet many of us have a false sense of security about our own data and networks. We install a firewall at the perimeter, put anti-virus and anti-spyware tools on our desktops, and use encryption to send and store data. Microsoft and the big security companies provide ever-improving tools and patches to protect us. Although others who are less careful might be at risk, we're safe, right?
Maybe not. Take a look at these seven security myths and see if your data is as secure as you think.
Myth #1: Encryption guarantees protection
Encrypting your data is an important component of data protection, but it's not infallible. Jon Orbeton, senior security researcher with Zone Labs, which makes ZoneAlarm firewall software, is a proponent of encryption, but he warns that sniffers are getting more refined and can intercept SSL and SSH transactions and grab the data after it's encrypted. Encryption keeps captured traffic unreadable only for as long as the protocol, its implementation, the keys and the endpoints hold up; a determined hacker armed with the right tools goes after those weak points rather than the cipher itself. "Hackers are finding ways to circumvent the security mechanisms," Orbeton said.
Myth #2: Firewalls will make you bulletproof
"A lot of people say, 'We have a firewall,'" says Steve Thornburg, an engineer with Mindspeed Technologies, a developer of semiconductor networking solutions. Thornburg deals frequently with security issues. "But you can read the entire IP trail through the best firewalls and sniff out these systems." By tracing the IP trail, which shows the network addresses of systems, hackers can learn details about the servers and the computers connected to them and use the information to exploit vulnerabilities in the network.
It's clear, then, that firewalls and encryption aren't enough. Network administrators must not only make sure they have the latest and most secure versions of the software they are running, they must also stay up to date with reports about loopholes in popular operating systems and stay on top of monitoring their networks for signs of suspicious activity. In addition, they need to enforce smart usage practices among end users on the network to discourage them from installing new and untested software, opening executable e-mail attachments, accessing file-sharing sites, running peer-to-peer software, and setting up their own remote access programs and unsecured wireless access points.
The problem, says Thornburg, is that very few organizations are willing to put forth the money and effort it takes to maintain security. "They know it won't be popular," he says. "It will downgrade efficiency. Cost is the big issue, because these companies are all looking at the bottom line."
Myth #3: Hackers ignore old software
Some of us think that if we're running legacy systems, we're not a target for attack because hackers only go after the most widely used software, which is more recent than our own.
Not so, says Johannes Ullrich, chief technology officer for the SANS Internet Storm Center, an analysis and warning service that publishes warnings about security vulnerabilities and bugs. He warns that Web servers that haven't been updated or patched recently are a common point of entry for hackers. "A lot of old versions of Apache and IIS (Internet Information Server) are attacked with buffer overflows," says Ullrich.
A buffer overflow happens when a program copies more data into a fixed-size memory region than that region can hold. The excess does not disappear: it overwrites whatever lies next to the buffer in memory, which on the stack can include the saved return address, so an attacker who controls the input can also control where the program executes next. While both Microsoft and the Apache Software Foundation issued patches years ago to fix their buffer overflow issues, the old, unpatched systems are still out there.
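As an added illustration (not code from the article, nor from Apache or Microsoft), here is the overflow pattern in a small HTTP request-line parser next to a bounds-checked version. The request lines are constructed for the example, and the 32-byte buffer size is an assumption chosen to keep the boundary easy to test.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fixed size of the stack buffer each parser writes into (assumed for the example). */
#define PATH_BUF 32

/* VULNERABLE version, the pattern behind the old Apache/IIS overflows the
 * article mentions: the request path is copied into a 32-byte stack buffer
 * with no length check. A path of 32 or more bytes runs past the end of
 * `path` and overwrites whatever the compiler laid out after it (other
 * locals, the saved frame pointer, the return address). That overwritten
 * return address is what an attacker uses to redirect execution. Kept only
 * for illustration; never call it with untrusted input. */
void log_request_unsafe(const char *request_line)
{
    char path[PATH_BUF];
    const char *start = strchr(request_line, ' ');
    if (start == NULL)
        return;
    start++;                                   /* skip the method token */
    size_t len = strcspn(start, " \r\n");      /* path ends at next space */
    memcpy(path, start, len);                  /* no check: len may exceed PATH_BUF */
    path[len] = '\0';
    printf("unsafe: path=%s\n", path);
}

/* HARDENED version: measure first, refuse anything that does not fit along
 * with its NUL terminator, and copy with an explicit length. Rejecting is
 * safer than silently truncating, which can turn a path into something the
 * authorisation layer never evaluated. */
bool parse_path_safe(const char *request_line, char *out, size_t out_len)
{
    const char *start = strchr(request_line, ' ');
    if (start == NULL || out_len == 0)
        return false;
    start++;
    size_t len = strcspn(start, " \r\n");
    if (len == 0 || len >= out_len)            /* needs len + 1 bytes */
        return false;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Boundary helper: builds a constructed request line whose path is exactly
 * `path_len` bytes and reports whether the safe parser accepts it into a
 * PATH_BUF-byte buffer. */
bool path_of_length_fits(size_t path_len)
{
    char line[256];
    char out[PATH_BUF];
    if (path_len == 0 || path_len > 200)
        return false;
    memcpy(line, "GET ", 4);
    line[4] = '/';
    memset(line + 5, 'a', path_len - 1);
    memcpy(line + 4 + path_len, " HTTP/1.0", 10);   /* 9 chars plus the NUL */
    return parse_path_safe(line, out, sizeof out);
}

int main(void)
{
    char out[PATH_BUF];
    /* Constructed request lines, not captured traffic. */
    const char *ok = "GET /index.html HTTP/1.0";
    const char *too_long = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0";

    log_request_unsafe(ok);                    /* short input: stays within the buffer */
    printf("safe:   %s -> %s\n", ok,
           parse_path_safe(ok, out, sizeof out) ? out : "(rejected)");
    printf("safe:   %s -> %s\n", too_long,
           parse_path_safe(too_long, out, sizeof out) ? out : "(rejected)");
    return 0;
}
```

The hardened parser refuses over-long paths rather than truncating them. Compile with the usual hardening flags as well (-fstack-protector, -D_FORTIFY_SOURCE=2), but treat those as a second line of defence, not a substitute for the length check.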
Myth #4: Macs are safe
Many users also believe that their Mac systems, like legacy systems, are not vulnerable to attack by hackers. Many Macs, however, run Mac versions of programs such as Microsoft Office that share document formats and macro languages with their Windows counterparts, or are networked with Windows machines, which could expose Macs to the same kinds of vulnerabilities that Windows users experience. As security expert Gary McGraw, CTO of Cigital, posits, "it's only a matter of time" before cross-platform viruses that target Win32 and OS X appear.
The Mac OS X environment is vulnerable too, even without running Windows software. Symantec recently issued a report that found 37 vulnerabilities had been identified in Mac OS X in 2004 and warned that such vulnerabilities could become more of a target for hackers, especially as Mac systems grow in popularity. In October 2004, for example, hackers created a script called Opener that disables the Mac OS X firewall, retrieves personal information and passwords, creates a back door for remotely controlling the Mac, and potentially erases data.
Myth #5: Security tools and software patches make everybody safer
Some tools allow hackers to reverse-engineer patches that Microsoft distributes through its Windows Update service. By diffing the patched files against the unpatched ones, the hacker can see exactly which code the patch changed, work out the vulnerability it closes, and write an exploit for the machines that have not yet installed it. A released patch therefore protects the systems that apply it promptly and, for a while, paints a target on the ones that do not.
"New tools are developed every day around the same basic theme of scanning for vulnerabilities," said Marty Lindner, team leader for incident handling, CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute. "You scan the Internet and make an inventory of what's vulnerable. You write tools that assume every machine is vulnerable to a particular vulnerability, and then just try it. There are vulnerabilities in everything. Nothing is perfect."
Among the ubiquitous tools being used by hackers is Google, which can search for and find vulnerabilities in Web sites, such as server log-in pages left in their default states. Google has been used to look for unsecured Webcams, network vulnerability assessment reports, passwords, credit card accounts, and other sensitive information. The Santy worm and a new MyDoom variant recently exploited Google hacking capability. Websites such as Johnny.IHackStuff.com have even begun to spring up that contain links to a widening array of potential Google hacks. (See How To Stop Attacks That Use Google for one way to fight such attacks.)
Earlier this year, McAfee released an update of its SiteDigger 2.0 tool with new features that determine whether a site is vulnerable to Google hacking. While the tool is supposed to be used by administrators to test their own networks, hackers could potentially employ the software to probe any site for vulnerabilities.
Myth #6: As long as your corporate network is unbreached, hackers can't hurt you
Some IT departments defend their enterprise network to the death only to have security compromised by users who take a company laptop computer to an unprotected connection at home or at a Wi-Fi hotspot. Hackers can even set up rogue Wi-Fi access points near hotspots to trick users into logging onto their networks. Once a malicious user has control of a computer, they can plant a keylogger that can steal passwords to corporate VPN software and use it to access the network at will. (For precautions to take when using an unsecured access point, see Securing Your Starbucks Experience.)
Sometimes the mere threat of mischief can bring a company to its knees. Hackers have extorted money from victims by threatening to bring down their Web sites, delete important files, or place child pornography on their computers. Many online gambling sites in the United Kingdom have reportedly been paying extortion money to hackers who threaten to hit them with denial of service attacks.
Myth #7: If you work for a security enterprise, your data is safe
Even the most supposedly secure organizations may find themselves vulnerable to hackers. George Mason University in Fairfax, Va., home to the Center for Secure Information Systems, a workplace filled with security experts, discovered recently that the names, Social Security numbers, and photos of more than 32,000 students and staff members had been exposed to hackers who attacked the university's main ID server and installed tools there for probing other university servers. The hackers may have entered through a computer that lacked firewall protection and then planted scanning tools to search for passwords to break into other systems.
In response, the university shut down part of the server and replaced students' Social Security numbers with a different ID number to guard against identity theft. The school might also employ software to scan computers before permitting them to connect to its network, set up smaller subnetworks to isolate computers that contain sensitive data, and monitor overall network activity more closely.
National defense departments aren't immune either. They constantly have to deploy new software to guard against emerging vulnerabilities as well as maintain tried and true security practices. The Canadian Department of Defense, for example, uses Vanguard Security Solutions 5.3 from Vanguard Integrity Professionals to protect its IBM eServer zSeries mainframes. The software includes two-token user authentication and works along with IBM's Resource Access Control Facility (RACF) for z/OS.
George Mitchell, central RACF administrator for the Canadian Department of Defense, says he always has to be vigilant against unauthorized users gaining access to the system. In addition to monitoring tools, he must use common sense. "I'll have someone call on the phone saying he's so and so. I have several questions that I ask and I'll always reply to that person via encrypted e-mail if he wants a password changed."
What it all boils down to, unfortunately, is eternal vigilance. As the recent hack of Paris Hilton's T-Mobile Sidekick account and theft of customers' confidential credit information from ChoicePoint and LexisNexis show, the range of subterfuges employed by hackers is growing. Hackers are exploiting an increasing number of vulnerabilities in increasingly creative ways, and it's up to us to stay abreast of the latest tools and tricks and protect ourselves accordingly.
Michael Cohn is a freelance journalist.