Computer Security
The, A, B, C's

COPYRIGHT 1999

by Mad Hacker Snyder

As the head of Sun recently remarked, privacy is something of an archaic concept. KEEP THAT IN MIND CONCERNING YOUR "PRIVATE" NETWORK DRIVE!!!! Peace of mind will be best preserved if you consider it as a paper interoffice envelope that's held shut with just a string -- NOT A VAULT!!!!

On many networks, users are set up with their first names as the network login and their last names as the password. This obviously means that ANYBODY with access to a system could log in as ANY USER IN THE SYSTEM. Once in, the adversary could read files, copy files, change files, destroy files, read e-mail, send "cuckoo" e-mail, erase e-mail, and probably a lot of other things that my limited imagination is unable to concoct.

If this is not an inviting prospect, contact a network technician to CHANGE YOUR PASSWORD. It's very easy to change a password to something that only you know.

For a higher level of security two options exist:

  1. Keep all files on some sort of removable media:
    • CD-R
    • floppy disk
    • Zip disk
    • Jaz disk
    • Removable hard drive

    When not in use, the disk would be stored in a secure, locked enclosure. The user would be responsible for backups. This practice is good in terms of redundancy. The more copies there are, the less likely downtime from data loss becomes. Data can be destroyed by theft, flood, fire, electrical malfunction, equipment failure, virus, or terrorism.

  2. Use an encryption program like PGP

A combination of the two methods is perfectly feasible.

Social Engineering

Remember that most hackers accomplish a cyber B&E, not through advanced programming techniques, but through social engineering. This is the process of getting passwords and user names through conventional means and trickery.

The most basic technique is simply going through the trash bins outside of a building. SHRED any and every piece of paper that you don't want somebody else to read!

If an adversary can gain entry to an office, which is very easy if they are employed at an establishment, he/she can check blotters, notepads, post-its, etc., close to the computer for a USER NAME and/or PASSWORD left for all the world to see! If your memory is not reliable, write this information on a card and put it in your wallet.

Most people pick their home phone number, birthday, nickname, or the name of a significant other for a password. DON'T FOLLOW THIS BAD EXAMPLE! Of course these will be the first things that will be tried.
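A password-change check that refuses the choices warned about above (name-as-password logins, phone numbers, birthdays, nicknames, a significant other's name) is sketched below as an added example, not code from the original article. The profile fields, the sample account, and the substitution table are assumptions made for illustration.

```python
import re
from datetime import date

# Undo common look-alike substitutions so "J0n3$" is compared as "jones".
LEET = str.maketrans("013457@$!", "oieastasi")

def personal_tokens(profile):
    """Collect the strings that would be tried first against this account."""
    tokens = set()
    for key in ("login", "first_name", "last_name", "nickname", "partner"):
        word = re.sub(r"[^a-z]", "", profile.get(key, "").lower())
        if len(word) >= 3:                  # skip initials: too many false hits
            tokens.add(word)
    digits = re.sub(r"\D", "", profile.get("phone", ""))
    if len(digits) >= 7:                    # full number, local number, last four
        tokens.update({digits, digits[-7:], digits[-4:]})
    born = profile.get("birthday")
    if born:                                # usual ways a date gets typed
        for fmt in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%Y"):
            tokens.add(born.strftime(fmt))
    return tokens

def weak_reasons(password, profile):
    """Return the personal tokens found in the password; empty list = none found."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z0-9]", "", lowered)
    unleet = re.sub(r"[^a-z0-9]", "", lowered.translate(LEET))
    # Also test reversed spellings, a common "disguise" for a name.
    forms = (plain, unleet, plain[::-1], unleet[::-1])
    return sorted(t for t in personal_tokens(profile) if any(t in f for f in forms))

# Constructed sample account, not taken from the article.
SAMPLE = {
    "login": "mary", "first_name": "Mary", "last_name": "Jones",
    "nickname": "MJ", "partner": "Steve",
    "phone": "(212) 555-0142", "birthday": date(1970, 3, 14),
}

if __name__ == "__main__":
    for candidate in ("Jones", "J0n3$!", "555-0142", "evets99", "quiet-lamp-window-86"):
        hits = weak_reasons(candidate, SAMPLE)
        print(f"{candidate!r}: {'REJECT ' + ', '.join(hits) if hits else 'ok'}")
```

A check like this belongs at the point where a password is set or changed, so the weak choice never reaches the account in the first place.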

The next step up is for the adversary, posing as a network administrator, to phone a user and request, upon some pretext, the user name and password. DO NOT GIVE THIS INFORMATION OVER THE PHONE! It's very unlikely that anybody running a network would ever make this sort of request. The mirror image of this tactic is for the hacker, possibly after getting a list of names of new employees and tech support numbers from the garbage, to call and either request a user ID and password or claim to have forgotten one that was issued.