May 15, 2000
Erect Barriers Against Hackers
It's as simple as picking the right password
Careful selection of a screen name and password is a cheap way to protect a Web site investment against hackers. So, why do so many companies spend thousands, even millions, perfecting and debugging Web sites, then neglect to change the default user names and passwords that came with their software?
Or, just as bad, the webmaster follows the common slacker habit of making his or her name the password, a name helpfully credited at the bottom of the homepage!
It's like putting deadbolts on the doors and leaving a key in each one. And if you doubt the importance of such security measures, consider the fate of CD Universe, an online retailer. This past January, the online music retailer received an e-mail at its Wallingford, Conn., headquarters from an anonymous hacker who claimed to have snatched more than 300,000 customer credit-card numbers from the company's computers. The hacker, who identified himself as a Russian teen, offered to destroy his copy of the information for $100,000, according to Chain Store Age magazine.
When CD Universe refused to pay, the hacker struck. About 25,000 numbers were posted to a public Web site before it was shut down. Only a handful of fraudulent credit card charges resulted, but American Express and Discover Card took the precaution of reissuing thousands of cards. CD Universe has since plugged the hole in its system, but the damage to its reputation remains.
CD Universe is not alone; other recent hack victims include Microsoft, Staples, Domino's Pizza and eBay. Credit card numbers aren't the only information a semi-skilled hacker might snatch. How would you like to have your customer list stolen? Your payroll scrambled? Or your inventory database deleted?
"Hacks are very common nowadays," says John Bailey, information security manager of Service Merchandise, Brentwood, TN. "Back in the old days, we had only big, bulky mainframes. Hacking back then was very rare because the operating systems were so obscure and complex. It just never happened. But now that computers have become so easy to use, it's running rampant."
The good news is that effective security is not a technical problem. The bad news is it's usually a people problem and, therefore, probably more difficult to fix. Users take a casual attitude toward security, presuming it won't be tested. In addition to changing default screen names and passwords, security experts advise taking these steps:
- Make security a company-wide priority. That means the CEO must understand the risks and demand the necessary measures.
- Prohibit easy-to-guess passwords such as "hello" and "login" and require passwords be a minimum length. (Longer passwords take longer to crack.)
- Require passwords to expire at certain intervals, forcing users to change
- Prohibit staff from giving out passwords over the phone. Amazingly, some systems have been breached after the hacker simply called and asked for the password.
- Beware of office security. A determined hacker won't hesitate to penetrate a target's facility if he can find a way. Why reward him by allowing staff to leave passwords taped to their monitors?
- Shred your trash. Hackers have been known to go through dumpsters to find sensitive information.
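The password rules in the list above (no vendor defaults, no easy-to-guess words, a minimum length, mandatory expiry, and no reuse of a name printed on the site) can be turned into a check that an administrator runs against accounts before a site goes live. The following is an added example written for this page, not code from the article or any product it mentions; the blocklist entries beyond "hello" and "login", the default-account pairs, the 12-character minimum and the 90-day rotation interval are assumptions chosen for illustration.

```python
"""Password-policy checker for the rules listed in the article (added example)."""
from datetime import date, timedelta

# "hello" and "login" come from the article; the rest of the blocklist is assumed.
WEAK_PASSWORDS = {"hello", "login", "password", "admin", "changeme"}

# Constructed (username, password) pairs standing in for a vendor's factory defaults.
DEFAULT_ACCOUNTS = {("admin", "admin"), ("root", "root"), ("webmaster", "webmaster")}

MIN_LENGTH = 12                 # assumed minimum length
MAX_AGE = timedelta(days=90)    # assumed rotation interval


def check_password(username, password, last_changed, today=None, published_names=()):
    """Return the list of policy violations for one account; an empty list passes.

    published_names: names printed on the public site (e.g. the webmaster credit
    at the bottom of the homepage) that must not appear inside the password.
    """
    today = today or date.today()
    user_lower, pw_lower = username.lower(), password.lower()
    problems = []

    # 1. Default credentials shipped with the software were never changed.
    if (user_lower, pw_lower) in DEFAULT_ACCOUNTS:
        problems.append("vendor default credentials still in use")

    # 2. Trivially guessable words such as "hello" or "login".
    if pw_lower in WEAK_PASSWORDS:
        problems.append("password is on the easy-to-guess list")

    # 3. Minimum length: every extra character multiplies the brute-force search space.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # 4. The user name itself must not be embedded in the password.
    if user_lower in pw_lower:
        problems.append("password contains the user name")

    # 5. Names credited on the site are public knowledge, so they are guessable too.
    for name in published_names:
        if any(len(tok) >= 3 and tok in pw_lower for tok in name.lower().split()):
            problems.append("password contains a name published on the site")
            break

    # 6. Expiry: passwords older than the rotation interval must be changed.
    if today - last_changed > MAX_AGE:
        problems.append("password has expired and must be rotated")

    return problems


def audit(accounts, today, published_names=()):
    """Run check_password over a list of (username, password, last_changed) tuples
    and return {username: [violations]} for the accounts that fail."""
    report = {}
    for username, password, last_changed in accounts:
        issues = check_password(username, password, last_changed, today, published_names)
        if issues:
            report[username] = issues
    return report


if __name__ == "__main__":
    # Constructed sample accounts, as an administrator might export them.
    sample = [
        ("admin", "admin", date(1999, 12, 1)),            # untouched factory default
        ("webmaster", "patexample2000", date(2000, 1, 1)),  # name from the site credit
        ("jsmith", "Tr0ub4dor&3xyz!", date(2000, 3, 1)),   # acceptable
    ]
    for user, issues in audit(sample, date(2000, 5, 15), ["Pat Example"]).items():
        print(f"{user}: " + "; ".join(issues))
```

Running the block prints one line per failing account; the acceptable account produces no output. The same check can be wired into the account-creation form so that a weak or default password is rejected before it is ever stored.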
- by Mark E. Dixon