Hackers: Corporate security stinks!
VANCOUVER, British Columbia--The conference--whose speakers include creators of major open-source security tools as well as security specialists--has brought together not theorists but the software mechanics who create and break network security for a living.
The evaluation of current Internet security seemed grim.
"Awareness is growing," said Lance Spitzner, founder of the Honeynet Project and a security engineer at Sun Microsystems. "But so much stuff is being placed on the network that we can't keep up with securing (it)."
Spitzner should know. Under the Honeynet Project, he and collaborators--some hackers, some security experts and many who are both--leave unprotected servers on the Internet, keeping a close watch until a network intruder breaks in. Such "honeypots" have revealed much about the techniques of online attackers as well as the general lack of security in most operating systems' default installation.
The poor security of such cookie-cutter systems is a major problem, said Spitzner.
With automated scanners and Internet-aware worms searching for vulnerable machines and increasing in number, the average computer placed on the Internet will be hacked in about 8 hours, he said.
"Bad guys are keeping ahead of us," he said. "There's data leaking out of networks everywhere."
Another network-security specialist, for an academic supercomputer center, said university networks are even worse, with an unsecured computer lasting only about 45 minutes before some student or Internet intruder takes control of the system.
That's despite the proliferation of firewalls, even on personal computers, and increasing corporate use of so-called intrusion detection systems--the burglar alarms of the Internet.
"The tools and the technology are making progress," said "Rain Forest Puppy," or RFP, a hacker and security consultant well-known for finding security flaws in Microsoft's software and for publishing responsible guidelines for making such information public. "The technology is getting easier to use, but there will be more people to secure, only a fraction of which we can handle."
Attempts at educating system administrators, management and users have only been partially successful, said Martin Roesch, president of SourceFire, a security-software company and the creator of a widely used intrusion-detection system called Snort."I'm pessimistic," he said. "Users are starting to get more educated, but you can't make them learn." In particular, management generally pushes security onto the back burner, said Roesch.
With public attacks on such well-known companies as Microsoft, Egghead and The Associated Press, however, Internet security has moved to the front of the stage at many high-tech companies.
The Computer Security Institute's 2001 Computer Crime and Security Survey found that cybercrime tallied up $378 million in losses among 186 companies that were able to quantify their damages in 2001. The damage figures take into account losses in the previous year. That average of $2 million per company doubled the average shortfall of the 249 businesses that responded in 2000.
And those losses are only expected to mount. "It's not even a head-to-head race," said hacker RFP. "Security is still losing ground."
"Only if we have a few more meltdowns--a few more AnnaKournikovas or NakedWives--then perhaps people will start taking the problem more seriously."