Hacking tools are simple and widely available, security experts say

Madison, Wis. — If you had blinked, you would have missed two security experts demonstrating how easy it is to hack into a Web server last Wednesday.

Dane Deutsch and Pete Adams, who head up Wisconsin-based security firm DCS Netlink, used a simple tool to gain complete control of a file server they set up at the University of Wisconsin-Madison E-Business Institute’s conference at the Monona Terrace, without leaving a trace — except, of course, for defacing the fictional “ACME Cola’s” Web site with their “Bobby Blackhat” logo.

“You wouldn’t know it necessarily unless you had something to tell you that something had changed,” said Deutsch, Netlink’s CEO and a retired U.S. Air Force captain.

Adams, who got his start in security through the U.S. Army’s intelligence branch, is the company’s CIO. He showed an audience how easy it is to use readily available tools to gain control of home or corporate computers without necessarily knowing how they work.

He first used a Web-based tool that showed him a file transfer server that was running and accepting anonymous logins. One command later — a pre-canned hack anyone could use — and he had system-level access to the computer. Adams then took the audience on a whirlwind tour of basic security. Hackers do not always want data or documents, he said, so it may not matter if you have valuable files.

“In most cases they could care less whether you’re a large corporation or a small business or a home user. They just want your computer,” Adams said.

For example, an unsecured computer could be used as the source of more attacks, in order to cover the hacker’s trail. It could also be used to send spam or viruses through e-mail.

That’s why hackers often randomly scan large numbers of computers across the internet looking for vulnerabilities, Adams said.

He shared a list of Netlink’s favorite sources of hacker attacks: the Vatican, the American Cancer Society and the Canadian Department of Defense. One of his company’s problems, he said, is not being able to convince such organizations that they have been hacked and their computers are being used for this purpose.

Many of the tools needed are available in forms so simple even kids could use them. Some do — security experts and “real” hackers call them “script kiddies,” slang for people, stereotypically teens, who cause havoc without understanding how their tools really work.

“The tools are becoming much more easly available and easy to use,” Adams said.

Usually, these tools exploit vulnerabilities in server or application software. Computers, after all, do only what they’re told — you can’t break into a computer in the same way you can break into a house. Instead, a computer must be tricked into doing something its creators never intended.

The technique Adams used is called a buffer overflow. Some programs, when fed more data than they can handle, simply break down instead of cutting the connection or ignoring further input.

When that happens, they can allow attackers to run their own programs on the vulnerable computer.

Deutsch and Adams said companies should make security part of their business processes.

“People only bring in the security guys after eveyrthing as been ripped apart, a lot of the time,” Adams said. “The worst security posture in the world is to say ‘I don’t know what to do, so I’ll do nothing.’”

------
Jason Stitt is WTN’s associate editor and can be reached at jason@wistechnology.com.