FREE online courses on Corporate Espionage - Why and how is Espionage
happening - Technical Vulnerabilities
Technical vulnerabilities account for only about 25% of ‘break
ins' for information. That still translates into a hefty price to pay, since the
costs are bound to rise as the IT revolution really gathers full impetus. It is
worthwhile taking a brief look at this potential hazard:
Systems have (well-known) vulnerabilities:
i.e. they have inherent problems which enable anyone who knows which system you
have to probe for that weak spot and gatecrash.
Configuration errors are problems created by
the way in which the systems administrator sets things up. Usually over-worked
and under-trained, most systems administrators are expected to know
about/trace/eliminate these errors/vulnerabilities. In real life, however,
this often doesn't happen. In the well-documented hacking of M/s Far East
Apparels Limited's system, which, many analysts firmly believe, compromised
their database/confidentiality to the extent that they were ruined, the
hackers got through to the system via modem access and password-unprotected,
logged-on terminals, having ‘socially engineered' their way to acquiring user
IDs/passwords.
Hackers gain easier access, thanks to human
tendencies like reluctance to burden memory – almost 70% of passwords centre
around names of family, pets, car make/model, residential locality of city, or
date of birth – much of this data easily socially engineered by an experienced,
determined hacker. Sometimes, passwords are taped to the bottom of
keyboards/drawers, or even conveyed by email to family to enable them to gain
access while the operator is on the long way home. One hacker, an ex-student of
a certain Pune College, hacked into the system after only 14 days of
‘research', his path considerably smoothed by poor password security as above.
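As an added example (not part of the original course material), a password-change check can reject choices built from the user's own personal data, which is the habit described above. The profile fields, function names and sample values are assumptions constructed for illustration.

```python
import re
from datetime import date

# Common character substitutions undone before matching (a small assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample profile; the field names are assumptions of this example.
SAMPLE_PROFILE = {
    "full_name": "Asha Verma",
    "pet": "Brownie",
    "car": "Maruti Zen",
    "locality": "Koregaon Park, Pune",
    "date_of_birth": date(1985, 3, 14),
}


def personal_tokens(profile):
    """Collect lowercase words of 3+ letters from the text fields of the profile."""
    tokens = set()
    for key, value in profile.items():
        if key != "date_of_birth":
            words = re.findall(r"[a-z]+", str(value).lower())
            tokens.update(w for w in words if len(w) >= 3)
    return tokens


def dob_patterns(dob):
    """Digit strings commonly derived from a birth date (day/month/year orderings, year alone)."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    return {d + m + y, m + d + y, y + m + d, d + m + y[2:], m + d + y[2:], y}


def personal_data_findings(password, profile):
    """Return the reasons a password is tied to personal data; an empty list means none found."""
    findings = []
    letters_only = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    digits_only = re.sub(r"\D", "", password)
    for token in sorted(personal_tokens(profile)):
        if token in letters_only:
            findings.append(f"contains personal word '{token}'")
    dob = profile.get("date_of_birth")
    if dob:
        # Longest pattern first, so the most specific match is the one reported.
        for pattern in sorted(dob_patterns(dob), key=lambda p: (-len(p), p)):
            if pattern in digits_only:
                findings.append(f"contains date of birth digits '{pattern}'")
                break
    return findings
```

A check like this belongs at password-set time, alongside a minimum length and a list of commonly used passwords; it only catches data the organization already holds about the user.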
Hackers modify systems skillfully to cover
traces of intrusion: they replace/modify them in such a way that they don't
reveal hacker processes – allowing hacking to continue unchecked.
Data (Storage can be) in danger: any
information stored on a computer is vulnerable to:
Over the past year, hackers have done all these things to important Indian
Websites including those of Parliament, the Ministry of Information Technology
(!), Banks, newspapers, firms et al. (Times of India, New Delhi 24 July 2000).
The new IT laws are under constant pressure and are not entirely able to cope
with all the ramifications of the issue of digital piracy or vandalism.
Police and CBI are stepping up intensive training/exposure to IT related crimes.
Rs 300 fetches any would-be schoolboy hacker a choice of CD-ROMs to facilitate
hacking (available at Palika Bazar, New Delhi, according to Times of India,
27 July 2000).
Interception during transmission: when a
computer is connected to another, the entire system ‘knows' – and anyone on that
network can:
Modify/monitor data flow
Substitute it with a totally different
message
A gang of hackers had compromised the
VSNL network to the extent that: One sub-server for Internet remained under
their absolute control for one month – they made a fortune selling Internet
connections to people, providing 24 hr. free connectivity for a nominal
one-time fee.
Telephone exchanges (all digital now)
are basically computer networks – one well-organized gang (later caught) had
started a private overseas call business after hacking an exchange – they were
furnishing 24 hours international calling facility at 25% VSNL rates. They
caused losses of over Rs 4 crores (official figures).
“TEMPEST”: Almost every electronic device emits
radiation, known as ‘Van Eck' radiation. A simple device, costing about Rs
40,000/- can pick up these signals and convert them into readable (on a TV
screen) signals – from hundreds of feet away!
TEMPEST-protected computer systems are
available, but are very expensive.
An alternative that is cost-effective in selected cases (where an organization
has too many computers) is to sheathe the
entire building structure in copper!
Both alternatives being expensive and
hard to install, beware of TEMPEST!
Electromagnetic Pulse: EMPs were an accidental
discovery by scientists; during nuclear testing, these impulses literally fried
transistor circuits within a given radius. It is now possible to generate them
without setting off a nuclear explosion, and this has given birth to a device
which could cause virtual ‘explosions' in offices if someone uses an EMP Gun to
melt down their computer circuitry.
Police in USA use it to destroy computer
controls in runaway cars.
EMP Guns damage/destroy systems and have
the potential to cause havoc when manned by a malicious criminal.
Telephone Taps and Bugs: These can range from very simple to highly
sophisticated. The more sophisticated systems are very hard to detect
without hi-tech equipment.
Commonest, most popular technical means of obtaining data
Regular bug-sweeps/phone tap tests are
the only answer.