Spyware Sucks
“There is no magic fairy dust protecting Macs” – Dai Zovi, author of “The Mac Hacker’s Handbook”

Why would somebody want to hack into my network?

May 19th 2006 in Uncategorized

That got your attention, didn’t it…  :o)

Just yesterday I was having a discussion with some powers that be about physical and network security.  Overall, they were dismissive of the need for such things – “there’s nothing we have that hackers would want” and “nobody’s going to be interested in our stuff – it’ll put them to sleep”.

My primary nightmare is that, one day, a disgruntled client will walk in and start attacking their servers with a baseball bat or axe or just take the whole damned box. Yet, whenever I voice my concerns about unlocked doors and unfettered access to servers I’m told that  “if we put a lock on the door we’ll have to walk the long way around to get to the comms room”.  Umm, guys, let’s get your priorities right.

Ok, so let’s imagine that somebody walks into your office and walks out with that backup tape which contains your entire network.  Or they walk in and plug one of those tiny wireless access points into an unused network outlet in some quiet corner of your office.  I don’t think your insurance company will be very sympathetic if the worst happens and your company gets sued.

Y’know, putting convenience before security is a real bad idea.  Thinking that there is nothing that the bad guys would want is worse.  What can we do to convince people to be cautious about their security *before* they’re hit with a worst case scenario?

Here is a real world this-is-actually-happening example of what can go wrong if your computer or server is unprotected:

Guess who is going to be blamed for damage caused by the hostile Web site hosted on that “home PC located in Herndon, Virginia”.  How much do you want to bet the *owner* of the “home PC” doesn’t even realise that his machine is being used to attack people on the Internet.

Last week somebody set up an unsecured wireless network close to my home.  When I went on to a business site I was shocked to discover that their wireless access point was also unsecured (personally I think that company should have sued the IT providers that set up the servers and wireless network – security was a foreign concept – how can *any* reputable IT company walk in, make all users domain admin, plug in a wireless access point, leave it completely unsecured, and say that that was a job well done??  How can their staff be working on the servers, go to lunch or disappear for whatever other reason, and leave the server screens unlocked??).

*Anybody* could connect to those networks and download whatever they wanted **including illegal stuff**.  And here is something else that was really scary.  The business site being discussed is located in a building right next to a hotel run by a major international chain.  Guests in that hotel were able to detect and use the business’s unsecured broadband connection.  Why pay a hotel to use their broadband when you can simply hook into that nice unsecured network right next door?  I shudder to think how many hundreds, or thousands, of business travellers with laptops that are wireless capable have stayed at that hotel over the past few years…

Do you want your computers to be used to host phishing sites or as a virus vector?  Do you really want the bad guys to be using *your* internet account to download warez or kiddy p0*n?  Law enforcement is not going to believe you when you say it wasn’t you if those downloads are traced to your hardware.

A fellow MVP, Rocky Heckman, has put together a SOHO security video in Flash format, available here (scroll down if you are using IE7).  It helps get the point across, discussing the risks that SOHOs face and what should be done to minimise risk.
