NASSAU, Bahamas – Between 65-70% of all computer crime comes from employees and contractors, according to Glen Christopher, who spoke at the Seventh Annual Leadership Conference held by the World Council of Credit Unions (WOCCU) on August 1-4. However, the remaining attacks can come from any hacker, cracker or script kiddie.

Christopher is speaking from experience and observation. A graduate of Cornell University, he has spent 22 years designing, installing and managing computer network systems and has worked for all types of companies. He describes his mission in life as "Helping organizations reduce cost and improve customer loyalty using Internet technologies."

Who are these culprits who commit computer crime? This is how Christopher defines them: "a Hacker is a person who enjoys exploring the details of programmable systems and how to stretch their capabilities" while a "Cracker is one who breaks security on a system." This term Hacker was coined in 1985 by hackers in defense against journalistic misuse of the word. Christopher talked about the so-called "hacker code," which holds that it's "an ethical duty of hackers to share their expertise by writing open-source code and facilitating access to information and to computing resources wherever possible," he says. A script kiddie, Christopher said, was "the lowest form of cracker; doing mischief with scripts and programs written by others."

Christopher traced the history of computer security problems starting in 1997, when "Paul Greene, a student at Worcester Polytechnic Institute, discovered that a specially written Web page could trick Microsoft's Internet Explorer into executing practically any program with any input on a target computer. An attacker could use this bug to trash a victim's computer, infect it with a virus, or capture supposedly private information from the computer's hard drive."
He warned credit unions that are Microsoft Office or Windows users that "Microsoft is reporting five new flaws in its software, including one of 'critical' severity that affects nearly all programs in its Office suite of software. The critical vulnerability could allow an attacker to read files on a victim's computer or run programs. To be successful a person would have to open an affected e-mail attachment."

Even the Department of Homeland Security's U.S. Computer Emergency Readiness Team has been involved. They "touched off a storm this week (early July 2004) when it recommended for security reasons using browsers other than Microsoft Corp.'s Internet Explorer," he said.

When hackers plan an attack, says Christopher, they have many tools to work with, including scanners. They hunt modems, sniff out passwords, and have remote control programs to crack passwords. He even described how he would attack a credit union's network if he were thinking like a hacker. Christopher said he might start with SuperScan, which would show him what ports were open. Then he would use a tool called SNMP to map out the credit union's network.

Although hackers are out there, Christopher said credit unions could fight back. Some methods were quite simple, such as turning off unused services. Firewalls also help keep hackers away from what Christopher called "Hacker Friendly Ports" among the 65,000+ easily accessible ports. He named Telnet (23), ftp (21), TFTPSSimilar and Finger as some of the more vulnerable. He spoke more strongly about NetBIOS (135) and nbsession (139), saying they "should never be on the Internet." Christopher called wireless LANs "A Hacker's best friend". There are tools that credit unions also use to help administrators locate and fix security holes.
Credit unions that want to foil hackers, says Christopher, must maintain a security policy that covers not just viruses, but also written permissions, passwords, locked doors and equipment cabinets, limited access to server and network hardware, a perimeter firewall, a server and workstation firewall, secure encryption, log file review, and staying updated on new tools. Credit unions should have regular data backups and also a recovery plan in place well before they are needed.

Christopher encouraged people in charge of their computer security to try to think like a hacker. If they do, they are well on their way to protecting themselves.


© 2024 ALM Global, LLC, All Rights Reserved.