What Motivates a Hacker?

Example #1: The Script Kiddie
Steve sat in his bedroom, grinning widely. "d00d this ploit iz 4337!!!" he typed, sending the message to an unknown person halfway around the globe. At least, that's where their address showed them to be from. He, himself, was using a system that he had compromised weeks ago in order to talk in the chat channel. He was using IRC, an international network of chat servers where it's not difficult to disguise your identity, and thus escape accountability. His message was typed in 'leetspeak', a syntactically challenged form of communication where letters are changed to numbers, spelling is flexible, and punctuation is limited to exclamation marks.

Steve flipped windows, and ran the exploit against yet another system that his port scanner had found. He'd left it running while he was at school that day. It had scanned about ten thousand internet addresses, and found almost fifty vulnerable systems. And now, he was casually going through each of those, running the script he'd been given, and taking control of each machine.

Steve wandered boredly through the Windows server's directory structure. Accounting files. Boring. Letters. Documents. Yawn. The kid took a swig of Mountain Dew, and started on his real work: installing an IRC program called a 'bot'. He couldn't justify a registered channel of his own on the chat system, so he just created one. But since he couldn't stay connected all the time, he was setting up these 'robot' connections to stay in his channel, and give him operator privileges whenever he logged on. Corporate security was lax on these boxes -- if it wasn't, the exploit wouldn't have worked. So he had little fear of discovery. Just to be sure, he wiped the event logs using another little program he had downloaded, grabbed off a site on another hacked system where he stashed all his tools.

Steve didn't really know much about computers. He knew enough to run the scripts, enough to wander around the directory structure, but he relied on these scripts he downloaded. He knew how to use those, how to install them. And it gave him a real thrill each time he got into a system, how he was able to use a company's computers without them even knowing. He was becoming pretty 'leet' (elite) himself. Before long, it would be impossible for someone to flood him off his channel. And if they tried, he'd have an army of cracked machines that he could use to launch an attack back at his attacker, to flood them off before they could hit him.

Steve had the package unzipped into the right directory, and he was just editing the config file, the one that would set it with the right passwords so only he could control it. And then, his mother yelled up the stairs for him to go to bed. Typing quickly, Steve entered a last few lines of config, and started the service. Then he logged off, and went to bed.

The program sat there running while Steve slept, on a single Windows 2000 server on a company's network. But unfortunately, Steve used the same password on this box that he had on others. Another user of IRC spotted the bot, and started probing at the system. Seeing the vulnerability, they used the same script Steve had used to break into the box. They wanted to take over Steve's channel, so they took the server and stopped the program from running. And then, just to make sure that Steve couldn't start it again, they proceeded to start systematically wiping the system directories, removing critical files, and then shut down the box.

Steve woke up the next morning, and logged onto IRC before school. His channel was still there, but as he entered it, he wasn't granted operator permissions. Instead, he was booted from the channel by another bot, installed by his nemesis. Steve growled under his breath, angry that he had been thwarted, and this time resolved to go into even more servers, to make himself even harder to remove next time.

Example #2: The Ex-Employee
Donald had never been well-liked at work, and the latest round of downsizing had cinched his fate. He had been fired, his network account had been disabled, and he had been escorted from the building by security -- a final humiliation. As if he couldn't be trusted! He'd show them.

Donald didn't know much about computers. But as a salesperson, he'd had a laptop computer equipped with a dial-in connection to the Internet, along with a VPN connection. He still had the company information sheet that showed him how to do it. He set up his computer at home, following the instructions religiously. He wasn't surprised when it told him 'access denied'. He would have been surprised if it hadn't.

Donald grinned. This was kind of fun. His password had been disabled, but that wasn't hard to get around. Who wasn't laid off? Oh, yeah. Fred. Fred... let's see. Oh, yeah. What was his wife's name? Barbara? He tried to reconnect, using 'fredm' as the username, and 'barbara' as the password. Denied. 'barbara1' he tried, and suddenly, the familiar 'connected' message showed up.

Donald sat back, considered what he was doing. It wasn't too late to disconnect. It wasn't too late to give up on this. It was probably stupid anyway. But... he had a wife and kids to feed, and those evil managers had screwed him out of his best job in some time. It would be really rough for his family, and it was their fault. Donald reached for the mouse, and performed the familiar actions. How could he screw them over?

Donald wasn't an IT guy. He knew a little bit about computers. But he also knew that they kept backups. So he had to do something obnoxious, something that would hit them where it hurt. He loaded up the accounting package, and logged in as his boss. He tried a few passwords without success. Then, he went out on the web. A few searches later turned up an 'administrative override' mode for the accounting software -- one that should have been protected. But a program published on an obscure web site pointed out that there was a way around it, and that running the program would trigger it. Eagerly, Donald downloaded the program and ran it, and bang! He was in.

Rubbing his hands together, Donald leaned forward. This wasn't like it was in the movies, but he couldn't resist the thrill, the sense of revenge. His heart was pounding as he went into the salary figures. He ground his teeth as he saw how much the fat cats there were making. And so he started changing the figures -- a little here, a little there. And while he was at it, why not hit their bottom line? He made a few more mouse clicks, noting he had access to financial statements, and altered the amount of money in the corporate accounts, transferring it from one to another. Now the books wouldn't jibe, and there'd seem to be far more money in the payroll account. Maybe paychecks would start bouncing. That would be fun to watch. He went through the system, making a few other random changes here and there, nothing -- he hoped -- that would show up for days, long after restoring from tape wouldn't be feasible.

Donald was just grinning happily. In a way, he wanted to tell somebody what he'd just done. But he knew he had to keep his mouth shut. Except for that one login on his own account, that one attempt, there was no record that he'd done anything. Maybe he shouldn't have used his own phone line, but... well, it was too late now. Sweating, he logged off the system, turned off his computer, and felt a curious mix of fear and delight. If they didn't catch him, maybe he could do that trick again in a month or two.

Example #3: The Expert
Leonard -- Leo to his friends -- had never been much of a social creature. Instead, computers had been his friends from an early age. And he was getting threatening letters from a company that was being just plain unfair. A friend had stayed with him last month, and made a huge number of calls on his telephone bill. Leonard couldn't afford to part with two thousand dollars. They weren't even his calls, he wasn't responsible for them, but they were still trying to collect.

Leonard knew what he had to do. He'd chosen this company specifically because of their low rates, but in addition, he also had chosen it for the fact that they had a lot of accessibility to the Internet. That was a good thing. Leonard kept his head cool, and began to gently probe their systems, cataloguing each piece of hardware connected to the system. He wrote down the vendors of the firewall, of the router, of the servers, of the software used to run the web server, everything that he could find. So far, all of this was simply public information. Most systems will identify themselves if asked.

Leonard next began to search the Internet for these software packages. He started at the vendors' web sites, making a list of all known security flaws in those packages. Passwords were too much trouble, and he had nowhere to start. In most cases, Leonard had found, it was easier just to look for a mistake, a vulnerability somewhere.

He compiled a list. First, the web servers. Those appeared to have been patched with the latest releases of the software. Somebody was doing their job. Configuration was tight; that was not a problem. Next, he checked the firewall. Also patched. This was looking difficult, but after all, Leonard had all weekend.

Leonard did a lot of probing at the system, and each time he tried, the firewall would lock him out, detecting his traffic as being potentially bogus. Of course, he had taken the step of hacking into another machine, quietly and discreetly, and he had carefully covered his tracks inside that system. Tracing him back would be difficult indeed.

The thirty-year-old next considered different approaches. He called into their phone system, and entered a quick sequence of digits on his touch-tone phone. This PBX was an older model -- simple, unsophisticated, and uncrackable. He pressed an extension for the accounting department, and was rewarded by a series of clicks. This time, just as the autoattendant picked up, he dialed another sequence, heard the response. An error message, telling him that he had pressed an invalid extension. But he recognized the voice. A Tel-o-Fone III. Those shipped from the factory with certain codes pre-programmed in, and an admonition in the manual to change them upon installation. But nobody did that. He dialed the sequence, and was rewarded by an administrative menu.

He couldn't do much from here, really. But what he could do was create a fake extension for himself. And he did so -- a fake voice mailbox, everything. Leonard then began listing extensions, until he found one that sounded promising. Judging from her voice, she was young, optimistic. Perfect. He dialed her extension. After four rings, she answered.

'Hi, Jeannie, this is Bob Stevens in the IT department. I was calling, heard you'd had some trouble with your computer being slow?' This was a calculated risk on Leonard's part. After all, all users think their computer is too slow.

'Yeah, it is! How did you know?' Jeannie's voice came back.

'Oh, Tracie said something to one of the techs, and they asked me to look into it.' He gave the first name of another one of the names he'd heard in the voicemail list. 'Anyway, Jeannie, I want to check a few things on the system to see if we can speed things up for you. But I need to get your username and password.'

'My username and password?' Jeannie asked. 'Which one? The one to the system, or the one for MEGAX?' Leonard didn't know the acronym, but guessed it was the name of the accounting software.

'Both,' Leonard responded easily. As Jeannie read them off, he wrote them down, checking the spelling. 'Cool. Thank you *very* much, Jeannie. I'll give you a call back later in the week with what I find.'

Jeannie sounded appreciative before she hung up, and Leonard felt a little bad for what he was about to do. Jeannie might lose her job if his changes got discovered. But sometimes, that's the way things have to be. Leonard dove back in, and looked over his port-scan again. There... there was an open proxy service on port 8080 on there. Probably an ISA server somebody hadn't set up properly. It needed a password, but now Leonard had one. He connected to the port, and began typing commands. As he suspected, the proxy responded cheerfully to the authenticated user. He had access!

The next step was to use the proxy server to begin scanning the internal layout of the network. Leonard wrote a quick Perl script to bounce packets off the proxy. He knew how to do it himself, but using the script was faster and automated a lot of the tedium. It didn't take him long to locate the SQL servers. And from there, he was able to use poor Jeannie's password to log into the server. He didn't have a lot of privilege, but it wasn't too hard to make the change, changing his account balance to... well, wiping out the charge was possible. But what about... yes. He could issue a credit, to pay him back for his lost effort. Not too much. A couple of hundred dollars -- little enough to not set off any red flags, but enough that he'd not pay for service for the next six months.

He knew it would leave a log, and for that reason, he set the file to Simple logging briefly, then back to Bulk-Logged. Two simple commands. Then, he started systematically clearing the event logs, editing them at the binary level to remove or alter his entries. After all, poor Jeannie didn't deserve to get in trouble for such a simple mistake. He backed out of the system cautiously, and then left the systems he had compromised, erasing his tracks behind him and then closing the security holes he'd used to get in. The systems were more secure, and Leonard felt a good deal better. Any minor twinge of guilt he felt, he sated by telling himself that they overcharged him in the first place.

Example #4: The Virus Writer
Tommy sat back in his chair in his dorm room, and glared at the screen. This replication code was taking far too long, and it was hard to get right. But he was close. He had an exam tomorrow, and he wanted to get this finished. With luck, he thought with a smirk, he might even get the system where the test was being stored, and he might get a postponement. Not like exams were hard for him.

In a way, this had started as a theoretical idea. Could he write a virus? Maybe one that was harmless. The best way to do it would be to use a security exploit. But he wanted one that would keep spreading. In a way, it was a challenge -- him against the forces of The Man. Tommy didn't like The Man. Tommy wasn't much on authority at all. After all, they were the ones who made war and exploited people and stuff. And war sucked.

But right now, his attention was on that piece of code. Letting out a curse, Tommy knocked back another swig of Mountain Dew, and started typing. Maybe *this* way... yeah! He fell into a rhythm, the clicking of the keys almost hypnotic, and typed almost without moving for half an hour. Then, he compiled, and tested the code on another box. Click... click... BOOM. The system popped up the window. It was infected.

Tommy knew the most successful worms were the ones that could safely avoid detection for a while. He wrote his with a time delay, one that would cause it to stealthily enter systems and lie resident. And then, when the day came, boom! He grinned, thinking about it.

A little more code. This one wouldn't spread through E-mail. Instead, it would target all those Windows XP boxes where people hadn't patched them, or where they had blank Administrator passwords. There were a lot of those, Tommy knew. This virus wouldn't do much. Just pop up a little message and erase itself. He typed a bit more, and then ran a couple of tests. It worked!

Tommy grinned with glee. Ah, yeah. He proceeded to connect out onto the 'net, then bounce off a machine that had a weak password. That's okay, it was a public computer. Then from there, he ran a simple port scan, and found a set of vulnerable systems. Boom! The virus was winging on its way. Naturally, his own system was protected. That done, Tommy backed out, erased his tracks, erased the virus from the Unix system, and went to sleep.

Unfortunately, Tommy didn't take a lot of time to test. The time delay he had coded in didn't work -- Tommy had forgotten to correct for timezones. He wrote it in California. Once it hit something outside the Pacific time zone, it triggered, and started replicating like crazy. Internet lines were tied up, companies were unable to do business because of the massive traffic. And worse, Tommy had misused a pointer in his application. Instead of deleting itself -- he'd named it "Wintfs.sys" to make it hard to find in the system32 directory -- it instead deleted 'ntfs.sys' -- a critical component of the operating system. All around the world, Windows XP systems started to crash, and wouldn't reboot when they came back online.

Tommy wasn't intending to cause this when he started the task. He felt badly about it... but he was way too scared to come forward. In time, the threat was contained, and virus scanners started to recognize the code. Tommy knew he could never tell anybody what he'd done. It was a point of shame for him, but also a point of intense pride. And maybe, someday, he could try again... with something even better.

What is Hacking?
For the purposes of this discussion, hacking can be defined as using a computer system without authorization by finding a way around security measures. It's the computerized equivalent of breaking and entering. There's another definition of hacker, of course -- that of any computer expert, somebody who really knows not just the ordinary way to do things, but knows the system inside and out. However, the more common industry parlance is to refer to hackers as intruders.

Hackers can be broadly categorized into three groups:

  • Indirect Hackers. These people aren't concerned with who they hack, but instead are just interested in compromising a system. These hackers are typically not directly destructive, but are doing it for the thrill. They present no real threat as far as release of information is concerned. They simply don't care about your data. The majority of hacking that goes on today is of this type.
  • Direct Hackers. These people are going after you specifically, whether because they dislike you, because you have something they want, or because you present an attractive target. This is not as common as it might appear. Hacking takes a lot of time and a lot of patience. Most adults who would have a reason to target a specific business have either too much to lose, or lack the specialized knowledge required and the patience to learn to use it.
  • Viruses and Worms. These attackers are indiscriminate and relentless. Fortunately, they are also generally not that difficult to thwart, since they exhibit no real intelligence. Still, many of them exploit security holes, or open back doors in systems that can then be used later by other attackers.
The Indirect Hacker
The indirect hacker doesn't care about your systems or your data. You're just another box for him to control. He wants a place to run his script, or a box he can use to send massive ping-floods against his enemies, or a way to send out his spam E-mail without being detected. So he goes after a system. Any system. Your system.

Indirect hackers, often called 'Script Kiddies', are the most common security threat on the Internet by far. The sheer quantity of them, and the number of systems they can hit, makes them a serious threat. However, taken individually, there are simple steps you can take to protect yourself.

The indirect hacker starts out with a port scan, generally of a large range of addresses. He's just looking for targets, trolling for systems that might be easy. If a system is hard to get into, he'll pass. There are easier pickings elsewhere. He usually doesn't know how things work on the inside -- he's just interested in using systems for his own purposes.

The indirect hacker usually does not cause a lot of damage, at least not directly. In many cases, he doesn't even know what's on a system. He doesn't look at your documents except in passing. He doesn't care about your financial figures. He's like a kid peeking into windows, just to see what might be going on. The damage he causes is much more indirect -- bandwidth consumed, hard disk space taken up, applications that don't work because what he installed interferes with them, mysterious crashes.

Indirect hackers usually don't have a lot of knowledge. Many of them have a series of scripts that they try on a system, one by one, until they either get in, or move on. If they succeed, they go ahead and install their programs. If they fail, they just keep moving. After all, there are a lot of fish in the sea that is the Internet.

The indirect hacker is stopped by applying security patches and by making at least a vague attempt at securing systems. Passwords that are not easily guessable -- that aren't blank or 'password' or the same as the username or the same as the domain name -- passwords like that stop him cold. It isn't worth it. He isn't going to do social engineering. It's too much trouble.
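As an added example (not code from the original article), here is a small audit that checks accounts for exactly the trivial passwords named above, and for the same pattern worms use when "Guessing Passwords" later on: blank, 'password', the username, and the domain name. It generalises slightly by also catching a one- or two-digit suffix on those words (the 'barbara1' style of guess), and by accepting a list of personal words such as a spouse's name. The sample accounts are constructed.

```python
"""Audit account passwords against the trivial guesses the article lists."""
import re
from typing import Iterable, Optional

# Fixed strings the article says attackers and worms try first.
COMMON_GUESSES = ("password",)

# Constructed sample accounts (hypothetical names; nothing from a real system).
SAMPLE_ACCOUNTS = [
    {"username": "fredm", "password": "barbara1", "domain": "example.com",
     "personal_words": ["Barbara"]},
    {"username": "svc_backup", "password": "", "domain": "example.com"},
    {"username": "jeannie", "password": "Example.com", "domain": "example.com"},
    {"username": "leo", "password": "Tk9#mv2!qLz8wP", "domain": "example.com"},
]


def easily_guessable_reason(password: str, username: str, domain: str,
                            personal_words: Iterable[str] = ()) -> Optional[str]:
    """Return a short reason if the password is one of the trivial guesses,
    or None if it passes this (deliberately minimal) screen."""
    pw = password.strip().lower()
    if pw == "":
        return "blank password"
    # Split off up to two trailing digits so 'barbara1' compares as 'barbara'.
    # This suffix handling is an added generalisation of the article's list.
    m = re.fullmatch(r"(.*?)(\d{0,2})", pw)
    base = m.group(1)
    candidates = {
        "common word": COMMON_GUESSES,
        "same as username": (username,),
        # Both 'example.com' and the bare 'example' count as the domain name.
        "same as domain name": (domain, domain.split(".")[0]),
        "personal word": tuple(personal_words),
    }
    for reason, words in candidates.items():
        for word in words:
            word = word.lower()
            if not word:
                continue
            if pw == word:
                return reason
            if base == word:
                return reason + " plus digit suffix"
    return None


def audit(accounts):
    """Run the screen over a list of account dicts; return (username, reason)
    for every account that fails."""
    findings = []
    for acct in accounts:
        reason = easily_guessable_reason(
            acct["password"], acct["username"], acct["domain"],
            acct.get("personal_words", ()))
        if reason:
            findings.append((acct["username"], reason))
    return findings


if __name__ == "__main__":
    for user, why in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {why}")
```

A screen like this is not a password-strength meter; it only removes the guesses that cost an attacker nothing, which is the point the paragraph makes.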

In the examples above, Example #1, Steve, is a script kiddie. He's young, and he doesn't know that much himself. Just enough to be dangerous. His actions caused a system to get damaged, but he himself didn't do the damage. He just wanted a bot, and he got it.

The threat that an indirect hacker presents is based on four things:

  • How good are his scripts?
  • How good are your security patches?
  • How good are your passwords?
  • How well is your system configured?

An attacker with good scripts has more chance of success than one with bad scripts. However, having security patches in place, and decent passwords, and security policies that deny the easy routes of attack, will generally cause them to move on.

The Direct Hacker
The direct hacker is after you specifically. He's picky about his target, and is going after you because of something you have that he wants, or because you are who you are, or because he has some reason to dislike you or wish you harm.

Possible sources of direct hacking might be ex-employees, current employees, disgruntled customers, angry members of the public, activists, or in some cases, curious people. In very few cases will they be competitors -- your competition has far too much to lose should they get caught.

The threat that a direct hacker presents is based on five things:

  • How much does she know about computer technology in general?
  • How much inside information does she have?
  • How good are your security policies?
  • How good are your security patches?
  • How good are your passwords?

An attacker without much computer knowledge presents very little real threat. Their threat comes from inside information. If they lack inside information and they lack computer knowledge, then they present little threat themselves. Of course, it's always possible they have a friend who knows more and who might be willing to help them out.

A really good intruder is hard to protect against. There, your best defense is logging: monitoring your system and investigating any anomalies. In Example #3, Leonard succeeded by trying a lot of different options. He used a combination of vulnerabilities to penetrate the system. The system was in and of itself secure; however, it didn't have sufficient defense in depth. Jeannie should have been better trained; the ISA server proxy should have been protected by the firewall and should not have been allowed to go from the outside into the corporate network; Jeannie's account shouldn't have had that many permissions on the SQL server. A combination of factors made it possible for Leonard to get in, but only by fully understanding how the network was structured.

Fortunately, direct attackers who are also skilled are rare. These are the traditional hackers, and many of those who have the knowledge also have too much to lose to make it worthwhile. Most of those with the knowledge are white hats, fighting for companies to protect them rather than working to intrude.

By far, the biggest threat in this category, unless you are a high profile company, are ex-employees. Ex-employees who resent being terminated have a strong motive to attack those who, they feel, betrayed them. They want to cause damage. And while they may or may not have knowledge, they certainly have a good amount of inside information, including other users' passwords.

The worst combination of events is when a skilled Information Technology employee leaves the company in an unfriendly manner. This person has skills as well as inside information. Care must be taken to ensure that no back doors exist in the system that the person might have placed there to permit re-entry. If the person was deeply enough involved in the system, and had some warning that the termination was coming, nothing short of a full security audit of the code the person was working on, or a complete rebuild of the servers, can guarantee their safety. Once again, defense in depth is important. When an IT person leaves, it's generally recommended to take serious steps to change passwords, to double-check security, and even potentially go through the expense of a security audit if needed.

Viruses/Worms
Viruses and Worms aren't strictly hackers, but they are written by people who could be classified as such. They use some of the same techniques, automated, as hackers use to intrude into systems. There are three basic techniques that virus and worm programs use:
  • Security Vulnerabilities. These programs attempt to exploit well-known security vulnerabilities on unpatched systems, and use those to spread.
  • Guessing Passwords. They will automatically attempt to guess passwords, using very simple algorithms. For example, they may look for blank passwords, passwords the same as the username, or passwords set to 'password', or something else easily guessable.
  • Social Engineering. In this case, they need human intervention to replicate. They try to get the user to run an attachment, or visit a certain web page, or read an E-mail, or type a command. Once this happens, the virus or worm can move into the system. Part of this technique is the so-called trojan-horse program: a program that claims to do one thing, and really does another.

Viruses and worms will be thwarted by up-to-date virus scanners, which will eliminate the threat. The only remaining danger comes from so-called 'zero day' attacks, where you are unlucky enough to be hit by the virus before the definition files to deal with it have been released. Having had to fight Nimda once on the day it was released on a customer's system where they hadn't been religious about security patches, I can tell you that this was not fun.

The ability of viruses and worms to infect your system is related to four things:

  • How good are your security patches?
  • How good are your passwords?
  • How good is your security configuration?
  • How well are your users educated to not perform risky actions?

Viruses and trojans are relatively easy to defeat, in the sense that they exhibit no intelligence of their own. It's also the case that the most widespread viruses and worms are not intensely destructive. Just like in nature, a virus that kills its host instantly does not survive to reproduce. It will not be very successful or very widespread. The most successful viruses are the ones that replicate rapidly and spread quickly. Their damage comes primarily from downtime and from the network bandwidth consumed by their replication.

Motivations
Why would somebody want to hack into a system? There are a lot of different possible motives. We'll start with the simplest, and move forward.
  • Curiosity. Some hackers hack because they want to see if they can. They want to see what might be in there. They want to know what it feels like. Maybe they're curious about those payroll figures, or what the boss has been saying about them.
  • Thrill. Just like breaking any law, hacking can be exhilarating. The thrill of doing something you aren't supposed to do can appeal to some people, especially younger people.
  • Competition. There is a hacker culture, and it's not like the one in the movies. Bored kids with no lives can become 'somebody' on chat systems like IRC, and by hacking into systems they can 'prove' themselves to others. In addition, hackers often get into fights, usually over something somebody said, and they start an escalating war by compromising other people's systems and using them as weapons... and targets.
  • Superiority. Sometimes, people hack because it gives them a feeling of worth. A feeling of smug superiority over those that own or run the systems they hack into.
  • Power. Hacking systems can make one feel powerful, especially when one doesn't get caught. Having an army of servers lined up and waiting for commands can give some people -- especially young people -- a sense of power and efficacy that might be missing from their lives. Sometimes it's power over somebody specific they want -- they become direct hackers rather than indirect hackers.
  • Revenge. This is appropriate for those who feel they've been wronged, and want retribution. Maybe you fired them. Maybe you said the wrong thing in a chat channel. Maybe you turned their best friend in to the authorities. Whatever the reason, they want to get you back for what you did.
  • Activism. Perhaps they disagree with your company's actions or positions on some issue. Perhaps they disagree with animal testing, and your company does such. Perhaps they're crazed nuts with some strange agenda against your company's product or service. But whoever they are, they feel that bringing you down furthers their cause.
  • Idealism. Closely related to activism, the attacker is firmly convinced that you have done or are doing something wrong, and they see this as the best way to end it and restore justice.
  • Justice. Sometimes, the hackers really are the good guys. There are hackers who break into systems that have been compromised and remove the intruder, then close the door behind themselves. They attack systems that are knowingly being used to distribute spam or to hack into other machines, and shut them down. While hardly legal, there are those who believe that this kind of vigilante action is the best way to keep the Internet clean. It has the same issues as any other kind of vigilante action, however, and it's hardly impossible that they could mistakenly target an innocent system.
  • Greed. The most universal of all human motives, this tends to include actions where the person wants to gain something for themselves, either by obtaining and selling confidential information, performing blackmail, or stealing credit card information or transferring money to hard-to-trace accounts. They might even want to obtain free merchandise. Whatever the cause, these people simply want to exploit your system for direct personal gain. This category includes spammers who want to take over your system to send their fraudulent advertising.
Security Patches
In all of the above examples, Security Patches were mentioned as one of the factors. This is because a security vulnerability in your operating system can -- if it is a severe one -- provide a way for the attacker to literally take control of the machine, to use it as if they were an authorized user. They can often gain full administrative control of the machine, and once they have that, there is no limit to what they can do.

In many cases, that's the goal. Many of the things these programs want to do require administrative control, such as installing new software, modifying the system files or the registry, and so forth. Security vulnerabilities provide a way for these people and programs to accomplish this without having to know anything beyond the software version you are running -- easy to find or to discern from other data, such as the style of prompts it prints. For example, I can tell you the brand of a router in most cases just by the prompt it prints for a password when you first connect.

Security patches are a pain in the behind, but applying them is the single most effective way to plug the hole. If you don't have your systems patched, then you need to get them that way. If you don't, then you are leaving the door not just unlocked, but standing wide open for the attackers.
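Knowing whether a system is patched starts with knowing what it runs and comparing that against the version in which a fix shipped. The following is an added example, not code from the Enter-Networks page: a small inventory audit that flags hosts running a version older than the one containing the fix. The product names, version numbers and host names are constructed placeholders, not real advisories. The one detail worth showing is that versions must be compared numerically, since a plain string comparison would rank "2.4.9" above "2.4.10".

```python
"""Patch-level audit: flag inventory entries running below the release that fixed a known issue.

Added example, not from the Enter-Networks page. The product names, version
numbers and host names are constructed placeholders, not real advisories.
"""
import re


def parse_version(v: str):
    """Split '2.4.10' into (2, 4, 10) so it sorts after '2.4.9'; a string compare would not."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def needs_patch(installed: str, fixed_in: str) -> bool:
    """True when the installed version is older than the first version containing the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # pad the shorter tuple with zeros so that '1.3' compares equal to '1.3.0'
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


# constructed: first version of each (hypothetical) product that includes the security fix
FIXED_IN = {"exampled": "2.4.10", "webd": "1.3.0"}

# constructed inventory: (host, product, installed version)
INVENTORY = [
    ("fs01", "exampled", "2.4.9"),     # one release behind the fix
    ("fs02", "exampled", "2.4.10"),    # exactly the fixed release
    ("web01", "webd", "1.2.8"),        # well behind
    ("web02", "webd", "1.3"),          # same as 1.3.0 once padded
]


def audit(inventory=INVENTORY, fixed_in=FIXED_IN):
    """Return (host, product, installed, required) for every entry that still needs patching."""
    return [
        (host, product, version, fixed_in[product])
        for host, product, version in inventory
        if product in fixed_in and needs_patch(version, fixed_in[product])
    ]


if __name__ == "__main__":
    for host, product, installed, required in audit():
        print(f"{host}: {product} {installed} is below {required}; patch it")
```

Feed `audit()` an inventory gathered from your own systems (a package list, a management agent export, or a hand-kept spreadsheet) and the version that your vendor's advisory names as fixed; anything it returns is an open door in the sense the section above describes.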

Firewalls
A firewall, in and of itself, is not a one-stop defense for your network, despite what the vendors would like to tell you. It is a first line of defense, and its primary purpose is to limit exposure. It's like a wall around a city -- it's not impervious, but it will slow down attackers, and make it so they can only attack your city through the gates in the wall, gates at which you can concentrate your defenses.

Firewalls function by blocking traffic. It's been joked that the most effective firewall is a pair of wire cutters. Snip! No traffic that's not supposed to get in is going to get in. However, it's not very selective. The key to a firewall is how sophisticated its decision making process is.

The most effective firewalls can watch for a port scan in progress, and take action to fight it. They can start returning random results to the attacker, or start blocking any and all traffic -- even legitimate traffic -- for a period of time. They can alert an administrator when it occurs, or tighten security overall for a period of time.

The primary issue with firewalls is how to make them selective: how to make them stop bad traffic and permit good traffic. How do you tell the difference? There are a lot of different techniques, and each one has its pros and cons. However, a firewall is an important part of your network security.

For example, if a DNS server has a vulnerability, but it cannot be connected to from outside your firewall, then the chance that an attacker can exploit that vulnerability is greatly reduced. The threat, in security parlance, has been mitigated. It's not a replacement for other forms of security, but when combined with them it provides defense in depth.
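To make the two ideas above concrete, here is an added example that is not code from the Enter-Networks page or any firewall product: a toy packet filter that evaluates an ordered rule list ending in a default deny, shown with a weak rule set that exposes DNS to the whole Internet beside a hardened one that permits it only from inside, and that also watches each source for a port sweep and drops all of that source's traffic for a period, as the earlier paragraph describes. The addresses, ports, thresholds and the "internal" prefix are constructed assumptions.

```python
"""Toy packet filter: ordered rules with default deny, plus a simple port-sweep detector.

Added example, not code from the Enter-Networks page. Addresses, ports, the
internal prefix and the sweep thresholds are constructed assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

INTERNAL_NET = "10.0.0."   # constructed: a source starting with this is "inside"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    t: float               # seconds since the capture started


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    src_internal: Optional[bool] = None  # None matches any source
    dport: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.src_internal is not None and p.src.startswith(INTERNAL_NET) != self.src_internal:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        return True


# Weak rule set: DNS reachable from anywhere, so a vulnerable resolver is exposed
WEAK_RULES = [Rule("allow", dport=53, proto="udp"), Rule("deny")]

# Hardened rule set: DNS only from inside, HTTPS from anywhere, everything else dropped
HARDENED_RULES = [
    Rule("allow", src_internal=True, dport=53, proto="udp"),
    Rule("allow", dport=443, proto="tcp"),
    Rule("deny"),          # default deny: the last rule catches everything unmatched
]


class Firewall:
    def __init__(self, rules, scan_ports=10, window=5.0, block_for=60.0):
        self.rules = rules
        self.scan_ports = scan_ports        # distinct ports within the window that count as a sweep
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)    # src -> deque of (time, dport) seen recently
        self.blocked_until = {}             # src -> time at which its temporary block expires
        self.alerts = []

    def _note_sweep(self, p: Packet) -> None:
        q = self.recent[p.src]
        q.append((p.t, p.dport))
        while q and p.t - q[0][0] > self.window:
            q.popleft()                     # forget attempts older than the window
        if len({port for _, port in q}) >= self.scan_ports:
            self.blocked_until[p.src] = p.t + self.block_for
            self.alerts.append(f"t={p.t:.1f}: port sweep from {p.src}; blocking it for {self.block_for:.0f}s")
            q.clear()

    def decide(self, p: Packet) -> str:
        # A source caught sweeping is dropped outright, legitimate traffic included
        if self.blocked_until.get(p.src, -1.0) > p.t:
            return "deny (scan block)"
        self._note_sweep(p)
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"                       # only reached if no catch-all rule is present


def run(rules, packets):
    """Evaluate every packet in order; return the decisions and any sweep alerts raised."""
    fw = Firewall(rules)
    return [fw.decide(p) for p in packets], fw.alerts


# constructed traffic: an outside DNS query, an inside one, a 12-port sweep, then two HTTPS clients
SAMPLE = [
    Packet("203.0.113.5", "10.0.0.53", 53, "udp", 0.0),
    Packet("10.0.0.7", "10.0.0.53", 53, "udp", 0.5),
    *[Packet("198.51.100.9", "10.0.0.20", port, "tcp", 1.0 + 0.1 * i)
      for i, port in enumerate(range(20, 32))],
    Packet("198.51.100.9", "10.0.0.20", 443, "tcp", 3.0),   # the scanner now tries a permitted port
    Packet("192.0.2.44", "10.0.0.20", 443, "tcp", 3.5),     # an unrelated client on the same port
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        decisions, alerts = run(rules, SAMPLE)
        print(name, decisions, alerts)
```

With the hardened rules the outside DNS query is dropped while the inside one passes; the sweeping host is blocked after its tenth distinct port and its later HTTPS attempt is refused even though port 443 is otherwise open, while the unrelated client on the same port is allowed. With the weak rules the very same outside DNS query goes straight through to the resolver.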

Defense in Depth
This is a concept that gets used quite a bit in security discussions. Defense in depth means placing multiple obstacles between your attacker and your systems. For example, if you've closed all security vulnerabilities, placed a firewall around your network, placed secure access restrictions on a resource, and implemented a solid password scheme, there are now multiple things that an attacker would have to penetrate to get in. Multiple things would have to go wrong, and a cascade failure is much less likely than a simple failure in one system.

Defense in depth is a situation that is coming about as systems get more complex, and as security changes from being like a fortress to being like a battlefield. In the past, the goal was to create impenetrable security. Now, with systems getting complex, there's always a chance a mistake will get made, leaving the door open. Defense in depth makes it more likely that in front of the open door is another one that still remains closed.

User Education
Users need to be taught to think about security risks. They are part of the chain of network security, and it's upon them that the process depends. They need to be taught not to click on attachments unless they know what they are and why they are receiving them. They need to be instructed not to give out their password to unauthorized personnel.

In Example #3, Leo showed us that sometimes social engineering is the easiest way to get what you want. If you know how to talk the talk and have a little inside information, you can sometimes get more information just by convincing people to give it to you.

Further Recommendations
I've also written a series of articles, The Top Ten Corporate IS Gotchas, in which I discuss ten ways that many organizations can inexpensively prevent common network problems. Security forms a big part of that, and more detail is available on many of these topics. The document can be found at:

http://www.enter-networks.net/topten.php3
This page Copyright ©2003 by Enter-Networks.Net. All Rights Reserved. All trademarks referenced herein are trademarks of their respective vendors. Prices and features listed subject to change without notice. All prices are in US Dollars.