Computer and Information Security
Apr 1, 1997 12:00 PM
By JOHN McCUMBER
On The Learning Channel the other night, I overheard the program's announcer describe an upcoming feature on computer crime, so I threw a blank tape in the VCR. Now this would be exciting!
The commercials ended, and I pressed record. The opening of the segment was typical of journalistic pieces I have seen on this subject. The camera pans over stock footage of a room full of computers while the narrator cites the standard, hackneyed list of cyber-threats. Of course, the center of it all is the infamous school-aged hacker with digital mischief on his mind. This was followed by more shots of flickering computer screens accompanied by the staccato sound of computer keyboards in use.
Next, The Learning Channel introduced the primary subject of its segment: an old acquaintance of mine who used to work in government and who now works as a consultant. They showed the ex-government employee and his two assistants in what appeared to be someone's basement rumpus room, each staring at his own computer.
The problem journalists face when reporting any computer-related subject is fairly simple: Computer stories make for dull video. They usually have to settle for talking heads.
Twenty-five years ago, when everyone's idea of a computer was either the robot on Lost in Space or the HAL 9000 from 2001: A Space Odyssey, at least you could show a mainframe room full of those spinning 12-inch tape drives and clattering impact printers. Now, most systems just look like the PC you have in your den. Finally, the documentary crew got what they wanted all along - drama. The first one to bite was one of the young assistants. The narrator stated that, even though he looked like a college kid, he was a seasoned computer professional. Unfortunately, he did not live up to the title. He claimed he had been able to easily hack into every system he ever attacked. The other assistant then chimed in about people making dumb decisions, such as easily guessed passwords.
The main plot for the segment was now introduced. The story consisted of some on-camera hacking as the consultants launched penetration tests against two companies they had as clients, which they referred to as targets one and two. The first one they attacked allowed them to Telnet directly into a server and then gain root access by guessing a simple four-letter password. The narrator gleefully explained that this took all of 17 minutes. Then there's the predictable scene of the two young assistants high-fiving each other and whooping it up around the basement.
The next client they attacked, however, was a little more prepared. The film crew followed the consultants for three days as they tried unsuccessfully to hack this second client's system. After showing some shoulder shrugging and harrumphing, the journalists allowed the consultants to explain that they could have broken in if they could have used some illegal dirty tricks.
The segment stumbled to its foregone conclusion with some dire warnings about the proliferation of unauthorized hacking and computer extortion. One of the young assistants explained solemnly that there are two types of human threats: the curious prankster and the well-organized, highly-trained group of computer spies. No one asked him how many of each he believes are out there.
I just finished playing the tape for a colleague of mine. I couldn't help but be reminded of my mother's warning from Scripture that pride comes before a fall.
I suppose the computer security business is just not all that sexy. The protection, detection and correction activities I am usually involved in are all destined for the cutting room floor. I have been involved in penetration tests as well, and if anything I do can be categorized as interesting, they can. These tests often make a strong point, but they are a lousy substitute for a reasoned risk management program. How many of you pay red teams to penetrate your defenses? If the penetration experts succeed, what does that prove?
Ultimately, I just hope I am never caught on camera crowing about my perfect record. Even if I were to succeed, I know my mother would disapprove, and she'd be right.
About the author: John McCumber is a computer security consultant with Trident Data Systems, Fairfax, Va. He holds adjunct faculty status at the Defense Intelligence College, Eastern Michigan University, James Madison University and the DOD Security Institute.