IPRI - Humans First!
E-Crime Protection

  • Passwords: The Biggest Security Problem for Corporate Networks
  • Effective Ways of Fighting CyberCrimes: Tougher Punishment?
  • 2002 Computer Crime and Security Survey

Passwords: The Biggest Security Problem for Corporate Networks

Breaking a RANDOM eight-character password would take more than 13 years on average, even for password-cracking programs that can test nearly 8 million combinations every second on the latest Pentium 4 processor. But the majority of passwords are not made of random characters. Rather, they are meaningful words that can be easily remembered. Sometimes they have a few numerical extensions, which do not complicate the hacker's life to any significant extent.

Hackers can crack most commonly used passwords in less than a minute. And once they discover passwords on one server, they frequently have a way into other servers. Having stolen the digital keys to a large fraction of the accounts on the network, an intruder can wander about while preserving the appearance of a legitimate user. "Passwords are one of the biggest security problems that corporate America has," said Chris Pick, associate vice president for product strategy at PentaSafe Security Technologies. This is why scientists are developing authentication technologies other than passwords, for example graphical and biometric ones. In the meantime, the Internet security gurus offer the following common-sense rules for passwords:

  • Don't use dictionary words. Webster's New World College Dictionary has 163,000 words in it. The smallest dictionary in a password cracker has more than 200,000; it includes places and popular names, such as Spock. Do the math.
  • Don't use personal information. Social security numbers, telephone numbers, date of birth, and the names of kids, pets and significant others should all be considered off-limits.
  • Do use numbers and symbols, and not just at the end. To generate memorable passwords, use the first letter of each word in a memorable sentence and then randomly capitalize some letters and add numbers and special characters.
  • Do use a different password on each important system. Assume that the administrator for each system can decipher your password for that system; don't give them access to all of your accounts. By using different passwords, you limit the damage of a breach to a single account.
  • Don't give your password out to anyone. No one, not even the system administrator, needs your password. If someone asks for your password, assume the worst.
    Source: Chris Wysopal, director of R&D for @Stake.
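The arithmetic in the opening paragraph and the rules above can be checked mechanically. The following is an added example, not code from the page or from @Stake; it assumes the 95 printable ASCII characters as the alphabet for a random password, the article's rate of 8 million guesses per second, and that a brute-force search succeeds halfway through the keyspace on average. The word list is a constructed toy stand-in for the 200,000-word cracker dictionaries the article mentions, and the rule checks (length, dictionary word, personal information as a plain substring, digits and symbols not only at the end) are a simple reading of the list above, not @Stake's own tooling.

```python
import re
import string
from typing import Iterable, List

GUESSES_PER_SECOND = 8_000_000          # cracker rate cited in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95                    # 26 + 26 + 10 letters/digits, 32 punctuation, space

# Constructed toy word list; a real cracker dictionary has 200,000+ entries,
# including place and character names such as "spock".
TOY_WORDLIST = {"password", "letmein", "welcome", "summer", "spock", "dragon", "monkey"}


def random_password_keyspace(length: int, alphabet: int = PRINTABLE_ASCII) -> int:
    """Number of candidates a brute-force attack must consider for a random password."""
    return alphabet ** length


def average_crack_seconds(keyspace: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the right guess: half the keyspace at the given guess rate."""
    return keyspace / 2 / rate


def charset_size(password: str) -> int:
    """Size of the union of character classes actually used (what a cracker would assume)."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33  # 32 punctuation marks plus the space character
    return size


def acronym_from_sentence(sentence: str) -> str:
    """First letter of each word, the seed the article suggests before adding case, digits and symbols."""
    return "".join(word[0].lower() for word in sentence.split() if word[0].isalnum())


def audit_password(password: str, personal_info: Iterable[str] = (),
                   wordlist: Iterable[str] = TOY_WORDLIST) -> List[str]:
    """Return the rule violations found; an empty list means every check passed."""
    findings = []
    lowered = password.lower()
    words = set(wordlist)

    if len(password) < 8:
        findings.append("shorter than 8 characters")

    # Rule 1: a dictionary word, even with digits or symbols tacked on, is still a dictionary word.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in words or letters_only in words:
        findings.append("dictionary word")

    # Rule 2: no personal information (simple case-insensitive substring match).
    for item in personal_info:
        if item and item.lower() in lowered:
            findings.append(f"contains personal information ({item})")

    # Rule 3: digits and symbols must be present, and not only as a trailing extension.
    has_non_letter = re.search(r"[^A-Za-z]", password) is not None
    without_trailing = re.sub(r"[^A-Za-z]+$", "", password)
    if not has_non_letter:
        findings.append("no digits or symbols")
    elif re.search(r"[^A-Za-z]", without_trailing) is None:
        findings.append("digits/symbols only at the end")

    return findings


if __name__ == "__main__":
    years = average_crack_seconds(random_password_keyspace(8)) / SECONDS_PER_YEAR
    print(f"random 8-character printable-ASCII password: {years:.1f} years on average")
    print(f"200,000-word dictionary: {average_crack_seconds(200_000):.3f} seconds on average")
    for candidate in ["Summer2002!", "spock", "Ih8tb5,tomw!"]:
        print(f"{candidate!r}: {audit_password(candidate, personal_info=['2002']) or 'OK'}")
```

The audit is deliberately conservative: it flags only what the five rules above describe, so a password that passes is not thereby strong, it has merely avoided the failure modes the article names.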
To read the CNET Security Report by Robert Lemos, entitled "Passwords: The weakest link", click here. To discuss this note or send your own ideas on creating safe passwords, please visit our discussion boards and/or write ideas@ipri.org.

Effective Ways of Fighting CyberCrimes: Tougher Punishment?

Under current law, punishment for cybercrimes often results in little or no jail time. For example, the author of the Melissa computer virus, which caused $1.2 billion in damage, was sentenced to 20 months in prison and a $5,000 fine. Current law also prohibits Internet Service Providers from reporting user activity unless it presents an immediate risk of death or injury, and allows customers to sue for damages if their privacy is violated.

Under a new law, whose bill was unanimously approved by the House Judiciary Committee and sent to the House floor for a full vote, computer criminals could face life in prison. The bill would also make it easier for Internet service providers to report suspicious activity on their networks. "Cybercrime knows no borders or restraints and can harm the nation's economy and threaten its security," said Rep. Lamar Smith, R-Texas, who sponsored the bill that would coordinate efforts to fight cybercrime.

Although supported by Internet service providers, who complain of having to determine the gravity of threats made in their chat rooms or contained in customer e-mails, the bill is criticized by the Center for Democracy and Technology, a civil-liberties group, which said it could further erode electronic privacy by encouraging law enforcement and other government agencies to pressure ISPs to turn over their records without a search warrant.

It remains to be seen what human rights activists, psychologists, and social workers will say on whether tougher sentencing laws will be any more EFFECTIVE for fighting cybercrime than they have been for fighting drugs, violence, and other crimes.

To read "House panel raises cost of cybercrime" by Reuters, May 8, 2002, click here. To discuss alternative ways of fighting cybercrime, please visit our discussion boards and/or write content@internet-psychology.org.

2002 Computer Crime and Security Survey

"2002 Computer Crime and Security Survey" confirms that the threat from computer crime and other information security breaches continues unabated and that the financial toll is mounting. The survey is based on responses from 503 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. Its highlights include:

  • 90% of respondents (primarily large corporations and government agencies) detected computer security breaches within the last twelve months;
  • 80% acknowledged financial losses due to computer breaches;
  • 74% cited their Internet connection as a frequent point of attack, compared with 33% who cited their internal systems as a frequent point of attack;
  • 44% (223 respondents who were willing and/or able to quantify their financial losses) reported $455,848,000 in financial losses.

Respondents detected a wide range of attacks and abuses, for example:

  • Computer viruses (85%);
  • Employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems) (78%);
  • System penetration from the outside (40%);
  • Denial of service attacks (40%).

On electronic commerce and Web sites, the survey reports:

  • 52% of the respondents conduct electronic commerce on their sites;
  • 38% suffered unauthorized access or misuse on their Web sites within the last twelve months;
  • 21% said that they didn't know if there had been unauthorized access or misuse;
  • 25% of those acknowledging attacks reported from two to five incidents;
  • 39% reported ten or more incidents;
  • 70% of those attacked reported vandalism (only 64% in 2000);
  • 55% reported denial of service (compared with 60% in 2000);
  • 12% reported theft of transaction information;
  • 6% reported financial fraud (only 3% in 2000).

However, Patrice Rapalus, Director of the Computer Security Institute (CSI), remarks that "there is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace".

The "Computer Crime and Security Survey," Rapalus says, has served as a reality check for industry and government. "Over its seven-year life span, the survey has told a compelling story. It has underscored some of the verities of the information security profession, for example that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's 'conventional wisdom,' for example that the 'threat from inside the organization is far greater than the threat from outside the organization' and that 'most hack attacks are perpetrated by juveniles on joy-rides in cyberspace.' Over the seven-year life span of the survey, a sense of the 'facts on the ground' has emerged".

The "Computer Crime and Security Survey" is conducted by CSI with the participation of the San Francisco Federal Bureau of Investigation's (FBI) Computer Intrusion Squad. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States.

CSI, established in 1974, is a San Francisco-based association of information security professionals. It has thousands of members worldwide and provides a wide variety of information and education programs to assist practitioners in protecting the information assets of corporations and governmental organizations.

The FBI, in response to an expanding number of instances in which criminals have targeted major components of information and economic infrastructure systems, has established the National Infrastructure Protection Center (NIPC), located at FBI headquarters, and the Regional Computer Intrusion Squads, located in selected offices throughout the United States. The NIPC, a joint partnership among federal agencies and private industry, is designed to serve as the government's lead mechanism for preventing and responding to cyber attacks on the nation's infrastructures. (These infrastructures include telecommunications, energy, transportation, banking and finance, emergency services and government operations.) The mission of the Regional Computer Intrusion Squads is to investigate violations of the Computer Fraud and Abuse Act (Title 8, Section 1030), including intrusions into public switched networks, major computer network intrusions, privacy violations, industrial espionage, pirated computer software and other crimes.

For a free copy of "2002 Computer Crime and Security Survey," complete with graphs, charts and analysis, please fill out the Survey Request Form.
