How Hackers Do It

(Advocates Brief vol. 14 No. 6, February 2003)

There is a lot of talk about security for the internet and the need for various kinds of protective software. It might be useful to review hacker techniques so that the criteria for choosing the appropriate software may be clearer.

If a hacker does not know the target person’s computer address, the hacker will use software that captures all data on internet segments. The hacker need only type in certain information such as “John Smith” with other identifying details if necessary. The software will capture all unencrypted data from that John Smith (including credit card numbers if transmitted). Then the data stream information that goes with any e-mail will give the precise address of the desired John Smith’s computer.

There are a few free downloads for this type of program. One of the favourites is Netranger.

Once the hacker has John Smith’s computer address, he or she will place a small program similar to, and often disguised as, a cookie on the target computer. This “cookie” will phone home to the hacker every time Smith’s computer is online. The hacker can then have complete access to and control of that computer, just as if he or she were sitting at the keyboard, and be completely undetected by the user.

Hackers do not always have to place a program of their own on the target computer because Microsoft has provided hackers with a labour-saving device. Microsoft places a small program in every version of Windows that it calls a web server, and that communicates with a program that is on Microsoft’s home website. Any time a computer with Windows links up with the Microsoft website, its software can automatically gain access to that computer and search its hard drive for any unauthorized Microsoft programs (Police would need a search warrant!).

Microsoft says that it only uses this software during installation of its software, to validate license keys with the Microsoft server, and that otherwise it is not used to access any other data on a user’s PC. There are critics who do not believe Microsoft restrains the use of this software, which makes an unknown and open two-way connection between your computer and a website. The question they ask is: would you trust Bill Gates with this kind of software on your computer?

Whether Microsoft uses the software for other purposes or not, hackers say that your computer is easier to hack because of it.

Hackers make small modifications to this “web server” so that it permits them easy access to the computer as well as giving them notice when the computer is online.

The protection against unauthorized access to a computer is firewall software. This software in effect nullifies any command that does not originate from the computer’s keyboard and mouse. There are some good, free firewall programs such as Zone Alarm. You can test your computer without charge for signs of hacker invasion at www.grc.com using its ShieldsUP or Leak Test programs. You can download free software to test for spyware at www.lavasoftusa.com.

Microsoft Windows XP now includes a standard firewall component, although by default it is not enabled. It can be enabled through the control panel. Microsoft also provides a baseline security analyzer to check if the PC has the latest Microsoft patches and service packs installed.

There is a lot of hype about web security but it is questionable whether it is a serious concern for most lawyers. A small survey of the Advocate Society’s Technology Task Force Members (7 subjects) indicated that most clients were not concerned about the confidentiality of information used in lawsuits. There weren’t many plans for nuclear submarines involved. Absent intellectual property issues, the information was of little use to outside parties.

The Law Society has prepared “Guidelines on Ethics and the New Technology”. Part III suggests that a lawyer using the internet should become aware of the risk to client confidentiality and, where appropriate, take the necessary steps to protect it. See http://www.lsuc.on.ca/services/pdf/tech guidelines.pdf.

If a client does indicate serious concerns regarding confidential information, it is probably not safe to put that data, or any summary of it, including references in memos and letters, on a computer that is linked to the internet. No firewall program is effective against very sophisticated hackers.

Hacker Proofing Tips

  • Use firewall software
  • Delete cookies regularly
  • Disable Microsoft’s “web server” (a techies’ task)
  • Check and install the latest service packs and security updates as published by Microsoft
  • Install intrusion detection software at central sites
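
The firewall and “web server” tips above come down to knowing what on a PC is accepting connections and what it is connected to. The following check is an added example, not part of the original article: it reads a connection listing in the layout of Windows `netstat -ano` and reports services listening on non-loopback addresses and established connections to remotes that are not on an allowlist. The sample listing, addresses, PIDs and the `EXPECTED_REMOTES` allowlist are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout of Windows `netstat -ano`; not real data.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:1030         0.0.0.0:0              LISTENING       880
  TCP    192.168.1.20:1045      203.0.113.7:6667       ESTABLISHED     2208
  TCP    192.168.1.20:1046      198.51.100.10:443      ESTABLISHED     1500
  UDP    0.0.0.0:500            *:*                                    700
"""

# Hypothetical allowlist: remote (address, port) pairs the owner expects.
EXPECTED_REMOTES = {("198.51.100.10", 443)}


def split_endpoint(endpoint):
    """Split 'host:port' (or '[v6]:port') on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse(text):
    """Return (local, remote, state, pid) for every TCP row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # skips the header, UDP rows (no state column), blanks
        _, local, remote, state, pid = fields
        rows.append((split_endpoint(local), split_endpoint(remote), state, int(pid)))
    return rows


def audit(text, expected=EXPECTED_REMOTES):
    """Return (exposed listeners, unexpected outbound connections)."""
    exposed, unexpected = [], []
    for (lhost, lport), (rhost, rport), state, pid in parse(text):
        if state == "LISTENING" and not ipaddress.ip_address(lhost).is_loopback:
            exposed.append((int(lport), pid))  # reachable from the network
        elif state == "ESTABLISHED" and (rhost, int(rport)) not in expected:
            unexpected.append((rhost, int(rport), pid))
    return exposed, unexpected


if __name__ == "__main__":
    print(audit(SAMPLE))
```

The PID in each finding identifies the process to look up before deciding whether the listener or connection is legitimate.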

There are several myths about hackers created by the media. First and foremost is that professional hackers get caught; they, like professional pick-pockets, rarely do. Second, they are not teens; they are more often middle-aged suits, often retired from the CIA or KGB, and resemble lawyers more than skateboarders.

While the media glorifies teen hackers like “Mafia Boy”, professional hackers, who are undetected by the media, describe them as “script kiddies”, meaning they cannot develop hacking programs; they only download free hacking software, learn to use it and get caught.

Professional hackers are used for industrial espionage. CISS reports Canadian businesses are prime targets because of their inventiveness and slack security. Firewall protection is not likely effective against this level of hacker. However, it will keep out the amateur hackers who (having tired of pulling the wings off flies) break in for the challenge, to cause malicious damage to your data, or to make your network crash just for fun.