Security? What security?
I’ve come to the conclusion that computer service, and especially security, is something that you cannot learn how to do. You have to already know it. It’s not knowledge. It’s a whole way of thinking. If you don’t have it, you’re never going to get it from a book.
How have I come to this conclusion? Well, it’s fairly simple, really.
Among the techy goodies on my Christmas wish-list this past year was The Art of Intrusion, by Kevin Mitnick. One of my relatives took pity on me and bought it for me, and I’ve done a fair amount of reading since, both this book, and various others.
Computer security has always been fascinating to me. Not in the sense of intending to break into other computer systems, but in that it’s an intellectual challenge, not unlike a good game of chess. You’re either the one breaking in, or the one trying to stop others from breaking in. Either way, it’s trying to stay one step ahead of your opponent, to outthink, outwit, and outplan their strategy.
Well, reading this book has got my brain percolating over various security concepts, even more so than usual. I started doing some more research online into various problems that could exist with typical home users and their Windows-based systems. Well, what I found shocked me. I’ve always known that the majority of computer systems were pitiful in their insecurity, but even I didn’t expect things to be this bad.
I used no special tools, nothing I’d written myself, nothing fancy at all. Nothing except a standard Windows XP Pro computer, and a tiny, free program available to any Internet user.
Using these two tools I managed to find, in a matter of a half hour or so, enough information to carry out several serious cases of identity theft, if I were so inclined. People commonly think you can use Google to find anything you need to know, and for the most part you can, as long as you know what you’re looking for. No, I didn’t use Google at all for this. This was solely information that was being given up by home computers, and occasionally a couple of business systems. To get this information, I didn’t have to break into anything. I didn’t bypass any passwords, or use any unpatched security flaws to get into any of these systems. This was all information that was shared using standard Windows networking, with no passwords involved. Simply put, it wasn’t a bug in the software. It was a problem with the way the system was configured.
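The machines described in this post were leaking through ordinary Windows file sharing: share permissions granted to Everyone (sometimes with write access), no restriction on anonymous sessions, and SMB reachable from the Internet. The following script is an added example and not something from the original post or from any tool mentioned in it; it audits a Windows machine for exactly those three conditions. It assumes Windows 8 / Server 2012 or later (the SmbShare, NetSecurity and NetConnection modules) and an elevated PowerShell prompt; the list of "broad" principals is this example's assumption about which accounts amount to "anyone who can reach port 445".

```powershell
# Added example: audit this Windows machine for the misconfigurations described
# in the post (world-readable/writable shares, permitted null sessions, SMB
# exposed on a public network). Not from the original post. Assumes Windows 8 /
# Server 2012 or later and an elevated prompt.

# Principals whose presence in an Allow ACE means "anyone on the network".
# This list is an assumption of the example, not an exhaustive inventory.
$BroadPrincipals = @(
    'Everyone', 'NT AUTHORITY\Everyone',
    'ANONYMOUS LOGON', 'NT AUTHORITY\ANONYMOUS LOGON',
    'Guest', 'BUILTIN\Guests'
)

function Get-ExposedShare {
    # One record per share ACE that grants a broad principal access.
    # Special shares (C$, ADMIN$, IPC$) are skipped: they require admin credentials.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $BroadPrincipals -contains $_.AccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $_.AccountName
                    Right     = [string]$_.AccessRight                 # Read, Change or Full
                    Writable  = ([string]$_.AccessRight) -in @('Change', 'Full')
                }
            }
    }
}

function Test-PathWritableByEveryone {
    param([Parameter(Mandatory)][string]$Path)
    # Share permissions are only half the story: the NTFS ACL on the folder is
    # ANDed with them. "Everyone: Full" on the share plus "Users: Modify" on the
    # folder is still a world-writable directory.
    $acl = Get-Acl -Path $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $ace.IdentityReference.Value -and
            ($ace.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)) {
            return $true
        }
    }
    return $false
}

function Get-AnonymousAccessSettings {
    # Registry values that decide whether a session with no credentials at all
    # (a "null session") may enumerate shares and accounts or open shares.
    $lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lanman = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        RestrictAnonymous         = $lsa.RestrictAnonymous          # 0 = null sessions may enumerate
        RestrictAnonymousSAM      = $lsa.RestrictAnonymousSAM       # 0 = accounts enumerable anonymously
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous  # 1 = 'Everyone' ACEs cover null sessions too
        RestrictNullSessAccess    = $lanman.RestrictNullSessAccess  # 0 = null sessions may open shares
        NullSessionShares         = $lanman.NullSessionShares       # shares explicitly opened to null sessions
    }
}

function Get-SmbNetworkExposure {
    # Is inbound SMB allowed on a network Windows itself classifies as untrusted?
    $publicNets = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
    $smbIn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and "$($_.Profile)" -match 'Public|Any' }
    [pscustomobject]@{
        OnPublicNetwork        = [bool]$publicNets
        SmbInboundOpenOnPublic = [bool]$smbIn
        Smb1Enabled            = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

# Report. Anything with Writable or NtfsWritable = True is the "change my
# business letter" case from the post; Read alone is still the identity-theft case.
Get-ExposedShare | ForEach-Object {
    $_ | Add-Member -NotePropertyName NtfsWritable -NotePropertyValue (Test-PathWritableByEveryone $_.Path) -PassThru
} | Format-Table -AutoSize
Get-AnonymousAccessSettings | Format-List
Get-SmbNetworkExposure | Format-List

# Remediation, deliberately not run automatically:
#   Revoke-SmbShareAccess -Name <share> -AccountName Everyone -Force
#   Grant-SmbShareAccess  -Name <share> -AccountName "$env:COMPUTERNAME\<user>" -AccessRight Read -Force
#   Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain,Private   # drop Public
```

The script only reports; the commented remediation lines remove Everyone from a share, grant a named local account read-only access instead, and take the Public profile off the file-sharing firewall rules so a laptop on a hotel or coffee-shop network stops answering on port 445. Note that the first two functions check different layers on purpose: a share can look locked down in Get-SmbShareAccess and still be world-writable through the NTFS ACL, or the reverse.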
I found one home computer giving up hundreds of megabytes of documents, photos, letters, resumes, school projects, and more. Enough that I could find out the person’s name, address, education level, work history, children’s names and approximate ages, and more. I also (and this is the only thing I went to an external source for, rather than the computer in question, although I’m sure I could have found it if I had looked hard enough) could look up their phone number on canada411.com, using some of this information. Had I spent more than the roughly 5 minutes I spent on this machine and looked further, I’m sure I could have found more information regarding credit cards or banking, or possibly a Social Insurance Number. At this point, I would have easily been able to go on a Christmas shopping spree for all the things I asked for but didn’t get.
Well, I didn’t do that. Instead, I called them, asked for them by name, and proceeded to tell them all that I had found out from their computer. The parents weren’t home, but I talked to the teenage son who answered the phone. The fact that I knew his sister’s name and age, along with some information about him shocked him. He also confirmed when I asked that they had a home network, but it wasn’t working anymore, and they hadn’t been able to fix it. I gave him the information he needed to close this huge leak, which he promptly did, as I could no longer connect to this computer 30 seconds after I hung up.
I found another computer, again offering up megabytes’ worth of information: budgets, account information for household utilities, including account numbers, and dozens of businesses that they were customers of. This included hydro, cable, telephone, car insurance, and pretty much everything else you could think of that involves a monthly payment. A couple of phone calls to some of these businesses, and I could easily have retrieved enough information to pretend to be this person.
That’s not the worst part about this computer, though. Not only was it giving up this information to anybody who wanted it, but it was also giving me permission to change it. If I had looked and found, for example, a half-finished business letter to their boss, explaining the benefits of a new gizmo they were considering at work, I could have added insults about the top management, ratted out coworkers for stealing company property, and tendered their resignation for them. If they didn’t proofread the whole thing before they sent it, they’d never notice, and probably get fired, along with a few other people from their workplace.
I think by far the scariest thing I found, though, was a financial services company that had their entire hard drive open for my perusal. I had access to customer lists and private financial information, quotes, names and addresses, business correspondence, and several other financial services firms that this company had some type of relationship with. The only things preventing me from making off with all of it in some million-dollar heist were my conscience, and the fact that it was a French company operating out of eastern Canada. I don’t speak French. I can understand it enough to know that there was oodles of information available on this computer, but without babelfish.altavista.com translating it all for me, I couldn’t make enough sense of it for any serious information theft.
So, you might be thinking that these are home users who may be completely computer illiterate, so how does my initial statement of security not being something you can learn tie in to this? These aren’t the only computers I found. Just the most obviously dangerous ones. Here’s more:
One with the MSN Messenger chat history available showed a chat of how someone was going to pay the owner of the computer $120 to modify their Xbox to play backup and pirated games. This person obviously knew enough to be able to do hardware modifications to an Xbox, but couldn’t secure their own computer. They were saying they would get the chip from somebody else, though, so it was essentially a drop-in solution designed by someone else, that they were simply “plugging into the socket” so to speak.
Other systems with various security cracking tools, with a large portion of their hard drive shared with no password. Who needs cracking tools in a case like this?
A system belonging to a computer consultant, whose resume claimed that at their last position they’d “Put in place the infrastructure for a 400% increase in growth for a home business, featuring a web-centric business model in which clients receive registration, confirmation, payment information via the Internet.” How can someone do this securely, when they can’t even keep their own system remotely secure?
I also found one that, according to a resume on the computer, was owned by a programmer for Bell Canada. This machine was set up to be a web server for a blog site, using the exact same blog software I’m currently running, WordPress. Large portions of his hard drive were shared, again, allowing me to change files on his computer. I edited one of the source files for WordPress, adding a comment that would be ignored by the web server, so it wouldn’t show up in the viewed page. I intended to send him an email saying “Check this file…” Before I got around to doing that though, he found my comments, removed them, and disabled write access to his hard drive.
Quick, and commendable, you might think.
What he hadn’t done, however, was disable access for me to be able to read his hard drive. In one of the source configuration files for the WordPress software was a username and password to access the MySQL database server the WordPress software uses to keep track of articles, comments, etc. This database password was the same as the administration password for WordPress. That means I would be able to write articles under his account. It’s also the password he uses for his GMail account, and another couple of accounts that he has at various online services.
Not so quick, or commendable, after all. And this is a computer programmer. If his computer is in this state, what on earth chance does the average user have?
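The WordPress machine above shows the second half of the problem: once a directory is readable, any configuration file in it that carries credentials (wp-config.php holds the MySQL username and password in plain text) is readable too, and if that password is reused elsewhere the damage stops being local. The following script is an added example, not from the original post; it walks the directories this machine shares and reports lines in common configuration files that look like credentials, redacting the values so the report does not itself become another leak. It assumes Windows 8 / Server 2012 or later for Get-SmbShare; the file-name list and the key-name regex are this example's assumptions and will not catch every format. It can show that a password sits in a shared folder; it cannot tell you whether the same password is also your GMail password.

```powershell
# Added example: find credential-bearing files under shared paths, the way
# wp-config.php sat readable in the post. Not from the original post.
# Assumes Windows 8 / Server 2012 or later. File names and the regex below
# are this example's assumptions, not a complete inventory of secret formats.

$CredentialFileNames = @(
    'wp-config.php', 'settings.php', 'web.config', '.env',
    '*.ini', '*.conf', '*.cnf', '*.config', '*.sql', '*.bak'
)

# Matches  key = value,  key: value  and  define('KEY', 'value') forms.
# Group 1 = key name, group 2 = the value (which is never printed).
$SecretPattern = '(?i)\b(DB_PASSWORD|DB_USER|password|passwd|pwd|secret|api[_-]?key|token)\b[''"]?\s*[=:,]\s*[''"]?([^''"\s;]{4,})'

function Find-CredentialFile {
    param(
        [Parameter(Mandatory)][string[]]$Root,
        [int]$MaxBytes = 1MB          # skip database dumps and logs that are really large
    )
    foreach ($r in $Root) {
        # -Force so that dot-files such as .env are not silently skipped.
        Get-ChildItem -Path $r -Recurse -File -Include $CredentialFileNames -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le $MaxBytes } |
            ForEach-Object {
                $file = $_
                Select-String -Path $file.FullName -Pattern $SecretPattern -AllMatches -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        foreach ($m in $_.Matches) {
                            [pscustomobject]@{
                                File  = $file.FullName
                                Line  = $_.LineNumber
                                Key   = $m.Groups[1].Value
                                # Redacted on purpose: a report full of plaintext passwords is the problem, not the fix.
                                Value = '*' * [Math]::Min($m.Groups[2].Value.Length, 8)
                            }
                        }
                    }
            }
    }
}

# Usage: scan only what is actually shared, skipping the administrative shares.
$sharedRoots = (Get-SmbShare | Where-Object { -not $_.Special -and $_.Path }).Path
Find-CredentialFile -Root $sharedRoots | Format-Table -AutoSize
```

For the machine in the post this would have listed wp-config.php with DB_USER and DB_PASSWORD hits as soon as the share was readable, writable or not. The fix is to move the WordPress tree out of any shared folder (or stop sharing it), change the database password, and, since that password was also the WordPress admin and GMail password, change those as well to values that are not shared between services.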
The last one I’m going to mention was, again, someone who should have known better. Again, large sections of the hard drive were writable from the Internet, again, with no password. Again, I found a resume on the computer, stating that the owner was a computer technician. According to that same resume, he was also an MCP. That stands for Microsoft Certified Professional.
So, a Microsoft certified computer technician can’t keep a Microsoft Windows-based computer even remotely secure. I can’t decide what that says the most about: Microsoft’s certification procedures, Microsoft Windows, or this particular person.
The problem that most people have with computers and security is that a computer can appear to be functioning perfectly, but still be wide open for abuse. Unless you can actually think like the people in China or Russia (not racist, just that’s where the majority of break-in attempts on my servers seem to come from) who would want to break into your computer, you’re never going to know if it’s safe or not.
And unfortunately, most people, including most computer technicians, just aren’t cut out for that kind of thinking.