securely speaking
13 june, 2001
by johnmichael patrick monty monteith
I have noticed in the geek magazines that security is winning Buzzword Bingo on a regular basis. Whether it be security for your work network, your home network, your web server, or your virtual private network connections, all that seems to matter right now is your data security. While I would agree that data security is something to pay attention to, the focus has been somewhat misplaced.
Certainly you have heard about how vulnerable always-on high-bandwidth Internet connections can be. DSL and cable modem users, if you believe what the magazines say, are bound to be hit by fifty hackers within minutes of turning on the connection. Well, the truth is that hackers are usually interested in (a) an easy target, or (b) a personal target. Home Internet users will never fall under category 'b' (which is where most serious attacks happen), and will only fall under 'a' in very rare circumstances.
How likely is it that the major hackers of the world are up all night thinking about hacking into your home computer network? How excited would they be reading your letters to Aunt Martha stored in Word format on your hard drive? Given the choice between spending hours hacking into your home computer or hacking into a Microsoft DNS server, a hacker will take the latter every time.
Let me give you an example of how unlikely it is that a hacker will hit you. I have had a DSL connection at my house in Seattle for over three years and had multiple Windows workstations attached to that connection with no firewall security. How many times were those systems broken into? None. There continue to be two Linux servers attached to that same connection for those three years. Those computers are online 24-7. How many times have they been hacked? One of the servers has never been hacked, and the other was hacked once. After three years. Recovery was as easy as my last backup.
As part of my employment I manage numerous servers that are directly attached to the web, and I have seen numerous hacker attacks. In fact, I run into evidence of hacker attacks on a server on average about once a month. Of course, I monitor a dozen Linux web servers (a target that falls under category 'a' and often 'b' as well, and is available for attack 24-7), so this seems like par for the course for my job.
How many workstation attacks have I seen where data was lost or some damage was done? None. After eight years on the Internet, I have yet to see (directly) one workstation get damaged due to a hacker attack. I am not saying it cannot happen. It can. I watch it happen to web servers about once a month, so I know what is possible. But, because workstations do not fall under category 'a' or 'b', and are usually not connected 24-7, the chances of damage are actually very small.
That being said, security should be a very big concern to everyone. For example, I own three credit cards, and I have an incorrect charge on one of the three cards about once a month. About as often as someone cracks one of my web servers, actually. The reason I mention the credit cards is because every type of security should be a big concern to everyone. And before I recommend anyone buy or build a firewall for the home network, I recommend the following:
1. Purchase a paper shredding machine, and shred anything that was mailed to you, or has any personal information on it.
2. Never submit any financial data to a web site that does not have the little 'lock' icon in the corner. And, even if it does have the lock icon, be extremely careful with how they treat that data.
3. Back up your computers regularly. (Use a program like Backup Now! to back up your hard drive to CD-RWs weekly.)
4. Make certain you keep detailed financial records. Check financial statements regularly and compare to your own records.
5. Run a virus checker on your system. If your computer is on more than a couple hours a day, investing in personal firewall software is a good safeguard.
Item one, paper shredder, I mention because I believe that if you are truly concerned about security, you would shred every piece of paper in your house before throwing it away. It is far easier for someone to walk into your home and take financial documents, or steal them from your trash, than it is to break into your computer and get the information.
Item two, data submissions, is listed because web users (and web site operators) need to use common sense when dealing with client data. For example, the other day I purchased a laptop from TigerDirect, and submitted all of the online data and credit card information - and off I went. (By the way, I use a single credit card for all online shopping - and it is American Express, so I know if I run into a problem, as I often do, they will back me up.) A few minutes later I received a text email listing my login and password. So what? Well, when I logged in using that login and password they sent me, I found that the login had my saved credit card information, and I could purchase as much as I wanted. Anyone could have seen that text-based email as it passed from sendmail server to sendmail server and went shopping. Fortunately, if that happens I will be fine thanks to American Express. Nonetheless, I sent a nasty email to TigerDirect for generally being idiots.
Item three, backing up data, will assure that even if a hacker or thunderstorm or bad luck destroys your hard drive, you will still not lose your information.
Item four, tracking financial information, will make certain that if someone does get important financial information from you that you will catch them in the act and not suffer.
Item five, the protection software, is just common sense stuff that every computer user should have.
Despite what journalists spew to the masses, you will experience far more heartache due to security problems with credit card information than home data security. Even in the workplace security issues seem strangely over-hyped. Most places of employment are running some firewall, and that will usually be more than enough to keep a hacker at bay.
In fact, no matter how good your security is, if a hacker wants to break in or destroy your network, they will. You can spend millions today to protect your home or corporate network, and you still will be helpless at stopping a D.O.S. (Denial Of Service) attack. Microsoft is constantly facing problems due to these attacks, and no matter how much they spend, they cannot stop it. And, trust me, if Microsoft cannot stop hackers from getting into their network, you should not bother worrying about it.
If you are concerned about security, follow the tips listed above and you will be fine. If you are truly paranoid, install a personal firewall on your PC, or purchase a hardware firewall. A hardware firewall that does DHCP services (hands out IP addresses to your home network) can be purchased for less than three hundred dollars, and will make your home network a very unattractive place for hackers. Just remember, even though you will read stories about hackers on a daily basis, chances are your PC is not going to suffer any major damage from one before you upgrade to a new one.