WyzGuys Computer Tutors

 Computer Instruction, Web Design Instruction, and Web Hosting

 

Introduction to Security Issues

 


Hackers vs. Crackers

The term hacker has been improperly used to describe computer criminals.  Eric Raymond has written a wonderful explanation of hacker culture, and defines a hacker below:

There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.

Hackers refer to their criminally minded brethren as "crackers."  Mr. Raymond continues:

There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer. Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

Origins of Cracking

Originally, crackers were phone phreaks, who used their skills to steal long distance service, which was often resold, and war dialers, who used automatic dialing programs to locate modems and break into the attached computers.  Some became virus writers.  Early viruses were limited in scope to replicating themselves to fill a hard drive and crash the computer, and were typically spread on infected floppy disks.

Today's cyber-criminals are a loosely organized sub-culture of software designers who write malicious code, which is then inserted into victim systems mainly via e-mail attachments.  This code typically gives the cracker remote access privileges on the system.  With this capability, more applications can be inserted. Sometimes keyloggers are installed to steal your user IDs, passwords, and credit card numbers.  Networks of compromised machines (botnets) are then sold to spammers, who use them to send junk e-mail.  Sometimes botnets are created to launch a denial of service attack against a web or application server in order to cause it to crash.

Most of these exploits are designed to make money for the perpetrators.  This can range from something as innocuous as advertising or merchandise revenue (spam or pop-up storms), to something more serious such as identity theft (keyloggers or phishing scams), or theft by swindle (Nigerian or 419 chain letters).

Major Security Threats

Viruses, worms, Trojan horses, rootkits, adware, spyware - it seems there is no end to the threats your computer faces.  Fortunately, a good suite of Internet security programs, like Zone Alarm Internet Security Suite, will protect you from most of them.  The dangerous ones are the ones you install yourself.  The major dangers to you are:

  • E-Mail Attachments - Most viruses and worms are spread via e-mail attachments.  Often the first step in an exploit is to have you "check out this picture" or "try this fun game."  Often the e-mail will appear to be from someone you know, because most e-mail worms work this way:  after installation, they open your e-mail address book, and mail themselves to everyone they find.  So your friend may already be infected.  Many of these exploits open a "backdoor" into your computer, which will allow the cracker unlimited remote access to your computer.

  • Fake Security Alert Windows - These are actually Internet Explorer windows that are designed to look like Windows system alert windows.  Clicking on a button will take you to a web site where you will be encouraged to use their "free" scanning service or buy a bogus security program.  These programs typically install adware or spyware programs, and create the very problems they promised to solve.  To see a nice assortment of fake alerts go to Nick's Computer Security web site.

  • Keyloggers - These are Trojan horse type programs that typically arrive as an e-mail attachment.  They keep a record, called a log file, of every keystroke you make on your computer, and regularly send the log file back to the perpetrator. The log is parsed with a program that is designed to look for web addresses, user IDs, and passwords, as well as 16 digit number strings that could be credit card numbers.  With this information they can break into your on-line financial accounts or use or sell your credit card number.  Keyloggers can be packaged in a variety of "free" games or software utilities that are promoted via spam.

  • Phishing Exploits - This starts out as a fake e-mail alert from a company you recognize and may do business with.  Popular companies are PayPal, eBay, and a variety of banks, brokerages, credit unions, and credit card companies.  There will always be a threat of account closure in these e-mails, as well as fractured grammar.  There will be a link in the e-mail that will direct you to a very realistic looking web site, where you will be encouraged to type all your personal information into a web form.  A clue that you are on a phishing site is the absence of encryption, which can be identified by the web address (http instead of https) or the absence of the secure yellow padlock at the lower right hand corner of your browser.

  • Adware and Spyware - These are usually well written software programs that offer something for free, but come packaged with other applications that track your web surfing habits.  Common sources are file sharing programs like BearShare, LimeWire, and Morpheus, downloadable games including variants of Texas Hold'em Poker, fun emoticons, and software utilities, especially "security" utilities.  The reason these are free is that the software designers are being paid by advertisers or other more nefarious individuals.  You may experience home page redirection, and the installation of some kind of search bar on Internet Explorer.  Experts believe the malicious software, which pops up ads on screens or spies on PC users, has been surreptitiously put on more than three-quarters of PCs. In an FBI survey published earlier this year, 80 percent of businesses reported spyware trouble, making it the most common security woe after viruses, worms and Trojan horses.

  • Cryptic Legitimate Security Alerts - This problem occurs after you install a good antivirus, anti-spyware, and firewall product, and you start to get security dialogs popping up that are written using technical terms that average users don't understand. 

    These firewalls ask users intelligent questions, such as the one you see in Figure 1.

    Figure 1 What We Show the User

    Figure 2 What the User Actually Sees

    The problem is that these dialog boxes were not exactly written by people people. They were written by propeller heads, for propeller heads, because the propeller heads typically do not know any real people. When the average user is confronted with this dialog, he does not actually see it at all. What he sees is a lot like Figure 2.   Knowing which response is correct is really a shot in the dark for many people.

    Courtesy of Microsoft Technet
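
The clues named in the Phishing Exploits item above (a threat of account closure, and a link that uses http instead of https) can be checked mechanically before a message reaches a reader. The following Python code is an added example, not part of the original course material; the phrase list, the extra comparison of a link's visible text with its real destination, and the sample message are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed wording for the account-closure threat; extend for your own mail.
THREAT_PHRASES = ("account will be closed", "account closure",
                  "account will be suspended", "suspend your account")
# Link text that itself looks like a web address, e.g. "www.bank.example".
HOST_LIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_clues(html_body):
    """Return the clues found in one message body as readable strings."""
    parser = LinkCollector()
    parser.feed(html_body)
    text = re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html_body)).lower()
    clues = [f"threat phrase: {p}" for p in THREAT_PHRASES if p in text]
    for href, shown in parser.links:
        target = urlparse(href)
        if target.scheme == "http":
            clues.append(f"unencrypted link: {href}")
        m = HOST_LIKE.fullmatch(shown.lower())
        if m and target.hostname and m.group(1) != target.hostname:
            clues.append(f"text shows {m.group(1)}, link goes to {target.hostname}")
    return clues

# Constructed sample message; the host names and address are placeholders.
SAMPLE = ('<p>Your account will be closed in 24 hours unless you confirm '
          'your details.</p><a href="http://198.51.100.7/verify">www.bank.example</a>')

if __name__ == "__main__":
    print("\n".join(phishing_clues(SAMPLE)))
```

An empty result only means none of these clues were present: a site served over https can still be a phishing site, so the checks raise suspicion but never clear a message.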



 

Curriculum developed by WyzGuys Computer Tutors

All Rights Reserved - updated 12/07/2006

Hosted by WyzHost.com

contact support@wyzhost.com