|
Hacking made easy
05/08/2002 10:24 - (SA)
Elinor Mills Abreu
Las Vegas - Computer vandals toting nothing more than a Sega game device, handheld computer, or even a compact disc can slip into offices and launch "phone home" attacks via remote computers under their control, speakers at a US hackers convention have said.
Lonely office printers aren't any safer, and can be hacked into through an interment connection via a corporate network, one speaker said at the annual Defcon conference of computer security enthusiasts and mischievous network tinkerers.
Basically, any device that sits on a network "can run malicious code, can be made to do attacks and can do anything you want them to do," said Chris Davis, a security consultant at RedSiren, a computer security firm in Reston, Virginia.
"The idea is any computer can pose a potential threat," he said.
"More and more things are embedded in computers. We could put the same code on a TiVo if we wanted to," Aaron Higbee, a security consultant at Foundstone of Mission Viejo, California. TiVo allows people to record TV programmes while away or while watching other programmes at the same time.
Firewalls - the computer security barriers that organisations depend on to defend against outside intrusions - are worthless against such attacks, Higbee said. While they are configured to block suspicious traffic from getting into the network, they also permit any type of traffic to get out, he said.
To create a tunnel to a remote computer, an attacker must first get physical access to devices or network connections in the building.
Five minutes to create havoc
Sometimes they can rely on unsuspecting souls inside the company to do their dirty work for them by sending them an innocent-looking compact disc that contains tunnelling software.
A disc containing a special program to activate itself can find the network and reach the internet on its own, creating the opening for a hacker to wreak havoc inside the company's network, Davis said.
Another method of unlocking the network door and opening the tunnel is for the hacker to gain physical access to an office building and plug simple devices onto the network.
"Five minutes on the inside is all you need," said Davis, who does penetration testing for companies to see how easy it is to compromise their systems.
The speakers demonstrated for the crowd how an attacker can slip a tunnelling CD into a CD-ROM drive, a Sega Dreamcast gaming console, or a Compaq iPaq, and connect to the network.
Once a connection is established, devices such as the Sega game player can analyse the network for routes data can travel to the internet and establish a secret tunnel to an outside computer controlled by the hacker.
Stop worrying so much about viruses in desktop computers. It's midnight, and do you know what your networked office printer is up to?
With printers, attackers don't even have to enter the building, said Dennis Mattison, a computer scientist at Science Applications International Corp, a top military contractor in the communications research arena based in San Diego.
Printers are increasingly becoming more complex, with more sophisticated software and functions, making them easy and unsuspecting targets, he said.
Still, there is little evidence such attacks have become widespread the experts said. But with more and more devices every day being connected to computer networks, the exposure to such threats makes such attacks inevitable one day.
"These are theoretical attacks," he said.
|
