Ira Winkler on
Monkey Business
Describes Pen Test involving
Password Sniffing.
Hacking is simple. Any monkey
can hack a computer given
the right training. Hacking is
simply breaking into a computer.
Anybody can break into a computer; protecting it is the hard part.
People learn how to break into
their own systems; that’s okay, but
it’s like a parlor trick. What’s going
to teach you more is learning how
to protect them. If you really
want to know the inner workings
of your systems, you need
to understand your operating
systems and understand how the
OS can be compromised.
Read about how to prevent
the vulnerabilities. People look at
hackers as super geniuses. They
are not super geniuses; they are
just using the sleight of hand that
anyone can use if they “pay the
money to buy the magic trick in
the store,” says Winkler.
You need more sophistication
to know how to protect yourself.
“You need no sophistication to
figure out how to break in. I went
into a company once and 70% of
the passwords were the same
as the user id. I needed zero
knowledge to break into that,”
commented Mr. Winkler.
These are the results of the Pen Test.
the actual company name], “and, if
the firewall and network aren’t set up
properly, you can map the network of
your potential target,” Winkler details.
How to Secure Networks
and Pass Pen Tests
Use strong passwords and change
them often. You can start by following
Microsoft’s instructions for creating
strong passwords, found at
www.microsoft.com/security/articles/password.asp.
Changing your password
weekly can help prevent a hacker who
sniffed your password (See PW Sniffer
Flow Chart) from having a chance to
use it. This helps guard against one of
the primary means of hacking —
attacking configuration weaknesses
that are due to human error.
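
The weakness Winkler describes, passwords identical to the user id, can be rejected when a password is set. The following is an added example, not part of the original article: a password-change check that refuses passwords equal to, or thinly disguised from, the account name. The function names and the substitution table are assumptions made for illustration.

```python
import re

# Character substitutions undone before comparison (constructed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def _account_names(user_id):
    """Return the bare account name(s) from DOMAIN\\user, user@domain or user."""
    name = user_id.lower().split("\\")[-1].split("@")[0]
    parts = [p for p in re.split(r"[._\-]", name) if len(p) >= 3]
    return {name, *parts}


def _variants(password):
    """Normalised forms of the candidate password."""
    low = password.lower()
    # Drop digits/punctuation padded onto either end ("jsmith2007!", "1jsmith").
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", low)
    base = {low, stripped}
    forms = base | {f.translate(LEET) for f in base}
    forms |= {f[::-1] for f in forms}  # reversed user id ("htimsj")
    return {f for f in forms if f}


def userid_weakness(user_id, password):
    """Return a reason string if the password derives from the user id, else None."""
    names = sorted(_account_names(user_id), key=len, reverse=True)
    forms = _variants(password)
    for name in names:  # exact matches first, so the reason is deterministic
        if name in forms:
            return f"password is the user id '{name}' (possibly disguised)"
    for name in names:  # containment only for names long enough to be meaningful
        if len(name) >= 4 and any(name in f for f in forms):
            return f"password contains the user id '{name}'"
    return None


if __name__ == "__main__":
    # Constructed sample input: (user id, proposed password).
    for uid, pw in [("CORP\\jsmith", "Jsmith"), ("jsmith", "J5m1th!"),
                    ("mary.jones@example.com", "Jones2007"),
                    ("jsmith", "correct-horse-battery-7")]:
        print(uid, "->", userid_weakness(uid, pw) or "ok")
```

Run it at the point where a new password is submitted, before hashing, so the plaintext never needs to be stored for later auditing.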
You can also harden your
operating system against attacks and
intrusions. Check the Center
for Internet Security at
www.cisecurity.org, where you’ll
find links to “benchmarks”
(detailed hardening configuration instructions) in the left
pane. Additional hardening
instructions are available at
the same location.
“The concept of hardening the systems means you
are taking the systems as
they come ‘out of the box,’
which are, unfortunately, pretty much
insecure, and just turning features on
and off,” Winkler explains. Turning up
the right features secures systems
against known hacking methods.
If you use Windows, you should
also use the Windows Updates tool
under the Start menu. It’s just a link
that takes you to Microsoft, where
they scan your computer for needed
updates. You can bypass the scan and
select the updates yourself.
You should check with your
software vendors to get their updates.
They also have bulletins for their
software packages. These notify you
of new patches you should install.
Installing new patches immediately
should keep you secure.
Here, Winkler provides a
compelling example of what can
happen when you don’t apply patches
immediately:
“The Code Red virus appeared to
come out of nowhere and take over
everybody overnight. What happened
was that it really didn’t come out
overnight. The fundamental vulnerability that allowed Code Red to
propagate was announced six months
prior to Code Red being released.
Code Red was more of a delivery
mechanism for that vulnerability. If
people had patched that vulnerability
when it was announced — six months
prior or anytime prior in that
six-month period — they wouldn’t
have been susceptible to Code Red.
The irony is that
when the Nimda virus
came out, Nimda wasn’t
as big, but Nimda
compromised the same
This is the path a hacker might
take to gain administrative
privileges on your network in
order to use a password sniffer
to gain additional access.
May 2007