Hackers: Corporate security stinks!

Despite the proliferation of firewalls, the average computer placed on the Net will be hacked in eight hours

Companies are paying more attention to safeguarding their digital assets, but the overall state of corporate data security is still poor, said hackers and security experts attending the CanSecWest conference on Thursday.

The conference -- whose speakers include creators of major open-source security tools as well as security specialists -- has brought together not theorists but the software mechanics who create and break network security for a living.

The evaluation of current Internet security seemed grim. "Awareness is growing," said Lance Spitzner, founder of the Honeynet Project and a security engineer at Sun Microsystems. "But so much stuff is being placed on the network that we can't keep up with securing (it)."

Spitzner should know. Under the Honeynet Project, he and collaborators -- some hackers, some security experts and many who are both -- leave unprotected servers on the Internet, keeping a close watch until a network intruder breaks in. Such "honeypots" have revealed much about the techniques of online attackers as well as the general lack of security in most operating systems' default installation.

The poor security of such cookie-cutter systems is a major problem, said Spitzner.

With automated scanners and Internet-aware worms searching for vulnerable machines and increasing in number, the average corporate computer placed on the Internet will be analysed for vulnerability by hackers in about eight hours, he said. "Bad guys are keeping ahead of us," he said. "There's data leaking out of networks everywhere."

Another network-security specialist, for an academic supercomputer centre, said university networks are even worse, with an unsecured computer lasting only about 45 minutes before some student or Internet intruder takes control of the system.

That's despite the proliferation of firewalls, even on personal computers, and increasing corporate use of so-called intrusion detection systems -- the burglar alarms of the Internet.

"The tools and the technology are making progress," said "Rain Forest Puppy," or RFP, a hacker and security consultant well-known for finding security flaws in Microsoft's software and for publishing responsible guidelines for making such information public. "The technology is getting easier to use, but there will be more people to secure, only a fraction of which we can handle."

Attempts at educating system administrators, management and users have only been partially successful, said Martin Roesch, president of SourceFire, a security-software company and the creator of a widely used intrusion-detection system called Snort. "I'm pessimistic," he said. "Users are starting to get more educated, but you can't make them learn." In particular, management generally pushes security onto the back burner, said Roesch.

With public attacks on such well-known companies as Microsoft, Egghead and The Associated Press, however, Internet security has moved to the front of the stage at many high-tech companies.

The Computer Security Institute's 2001 Computer Crime and Security Survey found that cybercrime tallied up $378m (about £260m) in losses among 186 companies that were able to quantify their damages in 2001. The damage figures take into account losses in the previous year. That average of $2m per company doubled the average shortfall of the 249 businesses that responded in 2000.

And those losses are only expected to mount. "It's not even a head-to-head race," said hacker RFP. "Security is still losing ground."

"Only if we have a few more meltdowns -- a few more AnnaKournikovas or NakedWives -- then perhaps people will start taking the problem more seriously."

Is your PC safe? Find out at the Hackers News Special.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the ZDNet news forum.

Let the editors know what you think in the Mailroom. And read other letters.