Passwords are not enough to keep criminals out, Sanjay Bavisi, president of the International Council of Electronic Commerce Consultants (the EC-Council), told a session on 5 November at the CSI 2007 conference in Washington DC.
Bavisi told a session titled ‘Uncomplicated hacks for complicated networks’ that even the most complicated network can be compromised if it has the smallest of holes. This can lead to a simple breach which will then cascade through the network. “There are three ways to authenticate yourself when logging onto your system, by something you are (biometrics), something you know (password) or something you have, like a smartcard for example. None of these are flawless,” he said.
Passwords that are made up of common words or indeed any word that can be found in the dictionary are easy to hack, said Bavisi. “Employees do not follow basic password rules. Often default passwords are left for ease of use, or passwords are written on post-it notes and stuck onto the computer.”
“Creating an alpha-numeric password with special characters and multiple cases of over twelve characters is ideal,” he added. “But even then, keyloggers could be used to gain access to that password,” he said, referring to software which captures the user’s keystrokes and transmits everything that is typed. “Keyloggers are an old technology, but still very dangerous.”
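The password rules Bavisi describes (no dictionary words, no vendor defaults, mixed case, digits and special characters, more than twelve characters) can be turned into a policy check that runs at account creation or in a periodic audit. The checker below is an added example, not code from the article or from the EC-Council; the dictionary and default-password lists are small constructed samples standing in for the full word lists a real deployment would load from disk, and the leetspeak substitution table is an assumption about how users typically disguise dictionary words.

```python
import re

# Constructed sample word list; a real check would load a full dictionary
# (and ideally a list of previously breached passwords) from disk.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "summer", "dragon", "monkey"}

# Constructed sample of vendor/default credentials that must never stay in use.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "1234", "default", "root"}

MIN_LENGTH = 13  # "over twelve characters"

# Assumed substitution table: common ways users disguise a dictionary word.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def dictionary_core(password: str) -> str:
    """Reduce a password to the dictionary word it is probably built on.

    Strips leading/trailing digits and punctuation (e.g. 'Welcome123!'),
    lower-cases, undoes common leetspeak ('P@ssw0rd'), then drops any
    remaining non-letters.
    """
    trimmed = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    delleeted = trimmed.lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", delleeted)


def check_password(password: str) -> list:
    """Return the list of policy rules the password violates (empty = accepted)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not re.search(r"[a-z]", password):
        failures.append("no_lowercase")
    if not re.search(r"[A-Z]", password):
        failures.append("no_uppercase")
    if not re.search(r"[0-9]", password):
        failures.append("no_digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no_special")
    if password.lower() in DEFAULT_PASSWORDS:
        failures.append("default_password")
    if dictionary_core(password) in DICTIONARY_WORDS:
        failures.append("dictionary_word")
    return failures


if __name__ == "__main__":
    # Constructed candidates: one that meets every rule and three that do not.
    for candidate in ("Tr0ub4dor&3xample!", "P@ssw0rd!2024", "Welcome123!!", "admin"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The dictionary check deliberately normalises before comparing: a policy that only rejects the literal word "password" will still accept "P@ssw0rd!2024", which satisfies every character-class rule yet falls to the same wordlist attack. Treat the leetspeak table and the sample lists as starting points to be replaced by real wordlists, and note that, as Bavisi says, a strong password does nothing against a keylogger; this check complements a second factor rather than replacing it.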
People will unknowingly help you hack into their own accounts, argued Bavisi. “Social engineering attacks are very common, and play on human nature. It’s easy to find out someone’s date of birth and mother’s maiden name just by asking them. These common questions asked by different sites and companies to verify identity don’t work.”
He also criticised alternative identity technologies. “Biometrics can be easily faked, and face recognition technologies can be tricked. No biometric technologies are 100% hacker-proof,” said Bavisi. “And as for ID cards, that’s easy – taking photographs of these cards to obtain the details on them and to gain access to buildings isn’t hard.”
Hacking communities are unfortunately very close-knit, said Bavisi. “They are very tight, sharing knowledge and advice. Hacking tools are readily available online – a quick Google will lead you to many.”
“People place blind trust in anti-virus and other software and believe they are more secure with it,” he added. “But they’re wrong. Anti-virus will only defend you from common attacks – the clever hacker won’t bother with these.”
Bavisi said that updating the company IT security policy is one way of protecting a company against uncomplicated threats. “Often, tasked with writing an IT security policy, an employee will just go and pull one off the internet. An IT security policy should be specific to the company. There should also be a good deal of education surrounding the policy, educating the staff of the dangers out there and why they need to follow the policy.”