Authors: Kevin D. Mitnick,William L. Simon
Tags: #Computer Hackers, #Computer Security, #Computers, #General, #Security
He says, "One of the members told my mom, 'I got more mail from him than my six kids combined.'" It worked: He kept it up for almost a year and on his next appearance before the board, they signed him out. Danny, on a shorter sentence, was released about the same time.
Since leaving prison, both William and Danny live fiercely determined to stay out of trouble, working computer-related jobs with skills gained during their years "inside." While each took college-level tech courses in prison, both believe their hands-on experience, perilous though it was, gave them the advanced skills they now depend on for their living. Chapter 3 The Texas Prison Hack 61
Danny earned 64 college credit hours in prison, and though he fell short of earning any professional certifications, now works with high-powered, critical applications including Access and SAP.
Before prison, William completed his freshman year in college and was a sophomore, with his parents supporting him. Once he got out, he was able to continue his education. "I applied for financial aid and got it and went to school. I got straight A's and also worked in the school's computer center."
He now has two associate's degrees -- in liberal arts and network computer maintenance -- both paid for by financial aid. Despite the two degrees, William didn't have quite the luck of Danny in landing a computer job. So he took what he could find, accepting a position involving physical labor. Credit his determination and his employer's open-minded attitude: As soon as the firm recognized his computer skills, he was pulled off the physical tasks and set to work at a job that makes better use of his technical qualifications. It's routine business computing, not the network designing he'd rather be doing, but he satisfies that urge by spending time on weekends figuring out low-cost ways of networking the computer systems for two Houston-area churches, as a volunteer.
These two men stand as exceptions. In one of the most pressing and least-discussed challenges of contemporary American society, most felons released from prison face a near-impossible hurdle of finding work, especially any job that pays enough to support a family. That's not hard to understand: How many employers can be confident about the idea of hiring a murderer, an armed robber, a rapist? In many states they are ineligible for welfare, leaving few ways of supporting themselves while continuing the near-hopeless search for work. Their options are severely limited -- and then we wonder why so many quickly return to prison, and assume it must be that they lack the will to live by the rules.
Today, William has some solid advice for young people and their parents:
I don't think there's any one thing you can say to a youngster to make them change, other than to have value in themselves, you know, and never take the short road, 'cause the long road always seems to be the most rewarding in the end. And you know, never sit stagnant because you don't feel you're worthy enough to do what you need to do.
Danny would no doubt also agree with these words of William's:
I wouldn't trade my life now for nothin' on earth. I've come to believe that I can gain my way in life by my own merit and not take shortcuts. Over the years I learned that I could have people respect me on my own merit. That's what I try to live by today.
62 The Art of Intrusion
INSIGHT
This story makes clear that many computer attacks can't be protected against just by securing the perimeter, because the villain isn't always some teen hacker or computer-skilled thief. It may be an insider -- a disgruntled employee, a bitter former worker recently fired, or, as in this case, some other type of insider like William and Danny.
Insiders often pose a greater threat than the attackers we read about in the newspapers. While the majority of security controls are focused on protecting the perimeter against the outside attacker, it's the insider who has access to physical and electronic equipment, cabling, telephone closets, workstations, and network jacks. They also know who in the organization handles sensitive information and what computer systems the information is stored on, as well as how to bypass any checks put in place to reduce theft and fraud.
Another aspect of their story reminds me of the movie Shawshank Redemption. In it, a prisoner named Andy is a CPA. Some of the guards have him prepare their tax returns and he gives them advice on the best ways of structuring their finances to limit their tax liability. Andy's abilities become widely known among the prison staff, leading to more bookkeeping work at higher levels in the prison, until eventually he's able to expose the Warden, who has been "cooking" the books. Not just in a prison but everywhere, we all need to be careful and discreet about whom we give sensitive information to.
In my own case, the United States Marshal Service created a high level of paranoia about my capabilities. They placed a warning in my file cautioning prison officials not to disclose any personal information to me -- not even giving me their names, since they believed a wild rumor that I could tap into the government's plethora of secret databases and erase the identity of anyone, even a Federal Marshal. I think they had watched "The Net" one too many times.
COUNTERMEASURES
Among the most significant security controls that can be effective in preventing and detecting insider abuse are these:
Accountability. Two common practices raise accountability issues: the use of so-called role-based accounts -- accounts shared by multiple users; and the practice of sharing account information or passwords to permit access when an employee is out of the office or unavailable. Both create an environment of plausible deniability when things go seriously wrong.
Very simply, sharing account information should be discouraged if not altogether prohibited. This includes allowing one worker to use another's workstation when this requires providing sign-on information.

Target-rich environment. In most businesses, an attacker who can find a way of getting into the work areas of the facility can easily find a way to gain access to systems. Few workers lock their computers when leaving their work area or use screensaver or start-up passwords. It only takes seconds for a malicious person to install stealth monitoring software on an unprotected workstation. In a bank, tellers always lock their cash drawer before walking away. Unfortunately, it's rare to see this practice being used at other types of institutions.
Consider implementing a policy that requires the use of a screensaver password or other program to electronically lock the machine. Ensure that the IT department enforces this policy through configuration management.

Password management. My girlfriend was recently employed by a Fortune 50 company that uses a predictable pattern in assigning passwords for outside web-based intranet access: the user's name followed by a random three-digit number. This password is set when the person is hired and cannot ever be changed by the employee. This makes it possible for any employee to write a simple script that can determine the password in no more than 1,000 tries -- a matter of a few seconds.
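Two checks a defender can script for the scheme just described, as an added example that is not from the book: a test for passwords that follow the name-plus-three-digits pattern, and a sweep of authentication log lines for the burst of failed logins that an enumeration of all 1,000 candidates produces. The log line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def fits_predictable_scheme(username: str, password: str) -> bool:
    """True if the password is the user's name followed by exactly three digits,
    the assignment pattern described above (name part compared case-insensitively)."""
    pattern = re.escape(username) + r"\d{3}"
    return re.fullmatch(pattern, password, re.IGNORECASE) is not None

def scheme_keyspace(_username: str) -> int:
    """Candidates left once the name is known: one per three-digit suffix, 000-999."""
    return 10 ** 3

# Constructed authentication log (not from the book). Assumed line format:
# "<ISO timestamp> <OK|FAIL> <account>". jsmith is hit by one scripted guess per
# second until one succeeds; dlee shows two ordinary typos half an hour apart.
SAMPLE_LOG = "\n".join(
    [f"2004-03-02T09:00:{i:02d} FAIL jsmith" for i in range(12)]
    + ["2004-03-02T09:00:12 OK jsmith",
       "2004-03-02T09:05:00 FAIL dlee",
       "2004-03-02T09:30:00 FAIL dlee"]
)
LOG_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+)$")

def enumeration_suspects(log_text: str, max_failures: int = 10, window_s: int = 60) -> dict:
    """Map each account whose failed logins reach max_failures inside any
    window_s-second window to the peak count seen. Malformed lines are skipped."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == "FAIL":
            failures[m.group(3)].append(datetime.fromisoformat(m.group(1)))
    suspects = {}
    for account, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted failures
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= max_failures:
            suspects[account] = peak
    return suspects
```

A lockout or rate limit well below the 1,000-candidate keyspace, applied per account, is what turns the burst this detects into a failed attempt rather than a compromised account.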
Employee passwords, whether set by the company or selected by the employees, must not have a pattern that makes them easily predictable.

Physical access. Knowledgeable employees familiar with the company's network can easily use their physical access to compromise systems when no one is around. At one point I was an employee of GTE of California, the telecommunications company. Having physical access to the building was like having the keys to the kingdom -- everything was wide open. Anyone could walk up to a workstation in an employee's cubicle or office and gain access to sensitive systems.
If employees properly secured their desktops, workstations, laptops, and PDA devices, by using secure BIOS passwords and logging out, or locking their computer, the bad guy on the inside would need more time to accomplish his objectives.
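As an added example (not from the book) of the physical entry-and-exit log audit this section goes on to recommend: a scan of constructed badge-reader records for after-hours entry, re-entry without an intervening exit (a shared badge, or a door held open for someone), and exit without a recorded entry (someone who tailgated in). The record format, the IN/OUT reader layout and the working-hours window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed badge-reader log (not from the book). Assumed line format:
# "<ISO timestamp> <door> <IN|OUT> <badge>", with a reader on each side of the door.
SAMPLE_BADGE_LOG = """\
2004-03-02T08:55:10 lobby IN 1001
2004-03-02T17:30:42 lobby OUT 1001
2004-03-02T09:02:07 lobby IN 1002
2004-03-02T09:40:00 lobby IN 1002
2004-03-02T18:05:13 lobby OUT 1002
2004-03-03T02:14:55 server-room IN 1003
2004-03-03T02:58:20 server-room OUT 1003
2004-03-02T12:10:00 lobby OUT 1004
"""

def parse_badge_log(log_text: str) -> list:
    """Return (timestamp, door, direction, badge) tuples in time order."""
    events = []
    for line in log_text.splitlines():
        ts, door, direction, badge = line.split()
        events.append((datetime.fromisoformat(ts), door, direction, badge))
    return sorted(events)

def audit_badge_log(log_text: str, work_hours=(7, 20)) -> list:
    """Return (badge, finding) pairs for patterns worth a second look:
    entry outside work_hours, an IN while the badge is already inside that
    door, and an OUT with no matching IN."""
    findings = []
    inside = defaultdict(set)          # badge -> doors it is currently inside
    for ts, door, direction, badge in parse_badge_log(log_text):
        if direction == "IN":
            if not work_hours[0] <= ts.hour < work_hours[1]:
                findings.append((badge, f"after-hours entry at {door} {ts.isoformat()}"))
            if door in inside[badge]:
                findings.append((badge, f"re-entry at {door} without exit"))
            inside[badge].add(door)
        else:
            if door not in inside[badge]:
                findings.append((badge, f"exit at {door} without recorded entry"))
            inside[badge].discard(door)
    return findings
```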
Train employees to feel comfortable challenging people whose identity is uncertain, especially in sensitive areas. Use physical security controls like cameras and/or badge access systems to control entry, surveillance, and movement within the facility. Consider periodically auditing physical entry and exit logs to identify unusual patterns of behavior, especially when a security incident arises.

"Dead" cubicles and other access points. When an employee leaves the company or is transferred to a different position, leaving a cubicle empty, a malicious insider can connect via the live network jacks in the cubicle to probe the network while protecting his/her identity. Or worse, a workstation often remains behind in the cubicle, plugged into the network ready for anyone to use, including the malicious insider (and, as well, any unauthorized visitor who discovers the abandoned cubicle).
Other access points in places like conference rooms also offer easy access to the insider bent on doing damage.

Consider disabling all unused network jacks to prevent anonymous or unauthorized access. Ensure that any computer systems in vacant cubicles are secured against unauthorized access.

Exiting personnel. Any worker who has given notice of termination should be considered a potential risk. Such employees should be monitored for any access to confidential business information, especially copying or downloading a significant amount of data. With tiny USB flash drives now readily available that can hold a gigabyte or more of data, it can be a matter of minutes to load up large amounts of sensitive information and walk out the door with it.
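The monitoring of departing employees' copying, as an added example that is not from the book: constructed file-transfer audit records are aggregated per user and day, every user is held to an absolute daily limit, and employees on the notice-given list are also compared against the median of their own earlier days. The record format, the thresholds and the HR watchlist are assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed file-transfer audit feed (not from the book):
# (date, user, bytes copied, destination). Volumes are chosen to exercise both checks.
SAMPLE_TRANSFERS = [
    ("2004-03-01", "wbrown", 12_000_000, "\\\\fs1\\finance"),
    ("2004-03-02", "wbrown", 15_000_000, "\\\\fs1\\finance"),
    ("2004-03-03", "wbrown", 400_000_000, "E:\\ (removable)"),   # jump after giving notice
    ("2004-03-01", "dlee", 20_000_000, "\\\\fs1\\sales"),
    ("2004-03-02", "dlee", 20_000_000, "\\\\fs1\\sales"),
    ("2004-03-03", "dlee", 22_000_000, "\\\\fs1\\sales"),
    ("2004-03-03", "ckim", 1_500_000_000, "E:\\ (removable)"),   # no notice, but huge
]
# Accounts of employees who have given notice; assumed to come from an HR feed.
EXITING = {"wbrown"}

def daily_volume(records) -> dict:
    """Aggregate bytes copied per user per day: {user: {date: bytes}}."""
    vol = defaultdict(lambda: defaultdict(int))
    for date, user, nbytes, _dest in records:
        vol[user][date] += nbytes
    return vol

def flag_bulk_copies(records, watchlist, day, abs_limit=1_000_000_000, ratio=5.0) -> dict:
    """Return {user: (reason, bytes)} for users whose copying on `day` is suspicious.
    Everyone is held to abs_limit; watchlisted users are additionally flagged when
    the day's volume exceeds ratio times the median of their earlier daily volumes."""
    flagged = {}
    for user, by_day in daily_volume(records).items():
        today = by_day.get(day, 0)
        if today > abs_limit:
            flagged[user] = ("absolute", today)
            continue
        if user in watchlist:
            history = [v for d, v in by_day.items() if d < day]   # ISO dates sort as text
            if history and today > ratio * median(history):
                flagged[user] = ("baseline", today)
    return flagged
```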
It should be routine practice to put restrictions on an employee's access prior to his/her being notified of a termination, demotion, or undesirable transfer. Also, consider monitoring the employee's computer usage to determine any unauthorized or potentially harmful activities.

Installation of unauthorized hardware. The malicious insider can easily access another employee's cubicle and install a hardware or software keystroke logger to capture passwords and other confidential information. Again, a flash drive makes stealing data easy. A security policy that prohibits any introduction of hardware devices without written permission, while justified in some circumstances, is admittedly difficult to police; benign employees will be inconvenienced, while the malicious have no incentive for paying attention to the rule.

In certain organizations that work with extremely sensitive information, removing or disabling the USB port on workstations may be a necessary control.
Walk-around inspections should be conducted regularly. In particular, these inspections should verify that the machines have not had unauthorized wireless devices, hardware keystroke loggers, or modems attached, and that no software has been installed except as authorized.
Security or IT personnel can check for unauthorized wireless access points in the immediate vicinity by using a PDA that supports 802.11, or even a laptop equipped with Microsoft XP and a wireless card. Microsoft XP has a built-in zero-configuration utility that pops up a dialogue box when it detects a wireless access point in the immediate vicinity.

Circumventing processes. As employees learn about critical business processes within the organization, they're in a good position to identify any weaknesses with the checks and balances used to detect fraud or theft. A dishonest worker is in a position to steal or cause other significant harm based on their knowledge of how the business operates. Insiders usually have unfettered access to offices, file cabinets, internal mailing systems, and have knowledge of the day-to-day business procedures.
Consider analyzing sensitive and critical business processes to identify any weaknesses so countermeasures can be implemented. In certain situations, developing a separation-of-duties requirement in the process, where a sensitive operation performed by one person is checked independently by another, can reduce the security risk.

On-site visitor policies. Establish a security policy for outside visitors, including workers from other office locations. An effective security control is to require visitors to present State-issued identification prior to being allowed into the facility, and to record the information in a security log. If a security incident should arise, it may be possible to identify the perpetrator.

Software inventory and auditing. Maintain an inventory of all authorized software installed or licensed for each system and periodically audit these systems for compliance. This inventory process not only ensures legal compliance with software licensing regulations, but also may be used to identify any unauthorized software installations that could negatively affect security.
Unauthorized installation of malicious software like keystroke loggers, adware, or other types of spyware is hard to detect, depending on how clever the developers were at hiding the program within the operating system.

Consider using third-party commercial software to identify these