Keeping Up With the Hackers

2:45 PM -- The human mind is an amazing thing. Some days, it gives us amazing mistakes – like major programming errors or the decision to turn "The Dukes of Hazzard" into a movie. Other days, it gives us incredibly creative security exploits – and, if we're lucky, the know-how to stop them.

Last week, we saw some of each – attackers taking creative advantage of stupid loopholes and programming mistakes, and the rest of us trying to keep up. It's sort of like watching Road Runner cartoons, only from Wile E. Coyote's perspective.

Consider, for example, our coverage of new phishing scams on eBay customers. (See Phishing Gets Phancy.) In this case, phishers used JavaScript capabilities offered to any eBay seller to create screens that look almost exactly like the real thing. We're not sure whether to applaud the phishers for their creativity or hiss at eBay for leaving the door open, but you can be sure of one thing: Phishing is getting more sofisticated by the minute.

In another case of programming gone bad, we reported that Wanadoo U.K., one of Britain's top ISPs, lost some sensitive customer data through a flaw in its account recovery indexing system (See Wanadooops! Flaw Reveals User Data.) One white-hat hacker said he collected more than 6,000 names through the simple exploit, but Wanadoo says it's still investigating in an effort to seal the hole.

Clearly, the attackers are ahead of the defenders these days. In fact, sometimes they're even ahead of the law – not the investigators, but the law itself. Congress is struggling to update U.S. computer crime legislation, but the process is slow. And criminals continue to escape through loopholes, such as the definition of the term "user computer."

But the attackers aren't always winning. In response to numerous reports of insider threats, PacketMotion has developed new technology that lets companies see activity down to the end-user level. (See PacketMotion Ups Management IQ.) This should help security managers identify insiders and guests on the network who are behaving badly, and stop them in their tracks.

And that, apparently, is where the fun is. In the second of our three-part Dark Reading security salary survey, we found that it's the challenge of finding the culprits and fixing them that makes security pros' days. In fact, they rated those challenges even higher than the money they make. (See DR Survey: Bring On the Challenges.)

So maybe the hackers are ahead. So what? If they weren't, we wouldn't have those challenges. Heck, we might not even have jobs. So lay on, MacDuff, let's see what you've got. We'll keep up.

— Tim Wilson, Site editor, Dark Reading

Organizations mentioned in this article: