[ISN] 'Hacking Exposed' author sees major threats ahead

InfoSec News isn at c4i.org
Thu Nov 11 04:40:36 EST 2004


by Martin Slofstra 

Stuart McClure has already put hackers in the spotlight. Now he's
ready to shine it on himself.

As the former president and chief executive of security software firm
Foundstone, McClure's profile rose even higher earlier this year when
the company was acquired by McAfee, Inc. McClure, author of the book
Hacking Exposed, has chosen to stay on with McAfee as a vice-president
of risk management and product development.

McClure was in Toronto this week to discuss his transition to the
larger firm and the evolution of IT security in the enterprise.

ITBusiness.ca: Security has been a No. 1 IT issue for quite some time
now. Why does it continue to be top of mind?

Stuart McClure: First, it's nothing that you can actually achieve and
determine that you are successful. Because security is evolving and
changes all the time, and the fact that it is a process, and it's not
something that you can buy or make -- I just don't see it ever going

ITB: Do you then see the threat escalating and should we be more
worried than ever?

SM: It depends on how you look at security. If you look at it from the
perspective that vendors are better at making their products more
secure, the answer is yes. If you look at it from what it means to me,
and how it will affect me on a day-to-day basis, you have to be more

ITB: Identity theft, spyware and phishing are the security threats du
jour, but how real are they?

SM: Spyware is one of the biggest plagues of this decade. It's a big
threat because there is money to be made. You have businesses that
make a lot of money from understanding and tracking people that buy
and sell, and that use the Internet. And they are getting more and
more sophisticated with technology so low-level that it makes it
difficult to remove. It will only go away if we are regulated at some
point and say, "You cannot do this."

Phishing is something that will hit any company with an online
presence of some sort where they have user names and passwords into
these systems. This is money-driven as well. I got one this week (that
appeared to be from) Citibank. People will send out blanket e-mails
that spoof a bank, for example -- "We are having problems with your
account and log into this server and make sure it works."

What do nine out of 10 people do? They'll click it. It looks
incredibly legitimate.

ITB: Most of these scams, though, can't you spot them from a mile

SM: They've gotten very sophisticated. If you weren't savvy, it would
be very hard to tell. The one from Citibank, which I checked out, is
from a server in China, and there is a lot of speculation whether this
is a government-sponsored effort or a commercial effort. It's a big
problem, they want to get your password so they can take over your
identity. I myself have been a victim of identity theft. I know it's

ITB: How long did it take for you to realize this?

SM: It was a matter of weeks. It came out of an (industry) event. I
moved from San Francisco to Los Angeles, and during the move, I lost
everything in the truck. As soon as that happened, I panicked. I'm at
the new house with no truck. I go through the inventory of everything
in the truck -- passport, social security card and backup driver
license -- you name it. I think to myself I could get hit with
identity theft. I figure out a week later this is a big problem, I
notify all the credit card companies, everything you are supposed to
do. Multiple attempts were made about two weeks after that event. A
number of our employees were hit as well. The speculation was that it
had to be a targeted effort because there were five or six of our
employees that had that problem. It's very real, it happens a lot.
It's so simple to do this.

ITB: Your book, Hacking Exposed, is now in its fourth edition. Is the
feeling also here that we should be more concerned than ever?

SM: I do think we need to be more aware than ever, but not because
there are more vulnerabilities. It's pretty static now. We are
actually seeing a dip. The bigger concern is that a lot of companies
are trying to consolidate and reduce expenses. So they standardize.
When you have a homogenous environment, it's much easier for a worm to
get around.

ITB: Meanwhile, the act of hacking itself has gone from more of a
sporting exercise to an act of corporate espionage.

SM: In the last five years, there has definitely been an increase in
organized government hacks and international hacker groups. Oftentimes
you wouldn't even know it. The hacker has been sitting there for
months or it's from the inside. We still get tons of calls, we come in
and clean up a mess, and try to help prevent it happening again in the

ITB: There's a trendiness to computer security violations, isn't
there? A year or two ago, it seems all we heard about were denial of
service attacks.

SM: Or maybe you are hearing less about it. I have a friend at an
Internet Service Provider and he says they are still getting quite a
lot of these. In its simplest form, it is a cat and mouse game, and
it's trying to be smarter than the hacker. The old adage, "You don't
need to be the most secure house on the block, you just need to be
more secure than your next door neighbour," really holds true here.
You don't have to be perfect -- there is no such thing anyway. You
need to be the company that says, "We may have hackers that hang
around a door for an hour or two, but then they give up."

ITB: So does this also mean that if a hacker wants to go after a bank,
they'll go out and find the easiest bank to hack.

SM: There are two types of attacks -- direct and random. Random will
self-propagate while directed attacks are very difficult, slow and
could take a long time to produce. They are often monetarily or
politically motivated. But again, because hackers get more
sophisticated, it is a cat and mouse game.

ITB: Does Windows continue to be the most vulnerable platform?

SM: That's actually a bit of a presumption. Earlier this year, I did a
study. I put together a spreadsheet with all vulnerabilities since
1999. You always get the question that Microsoft Windows must be the
least secure because there so many vulnerabilities. I don't know if
that is true. I looked at Linux, Novell and Windows, and once I
normalized the data -- which means if there is an Internet Explorer
vulnerability in Windows, there could be a Mozilla vulnerability in
Linux -- once we normalized that out, Linux had more.

ITB: What should CIOs be thinking about a year out or so?

SM: In terms of future threats, I believe one hundred per cent that we
are going to have a zero-day incident, probably in months, which means
that a worm will hit the Internet or your business where you will not
be able to fix the worm. It will continue to take out more and more
systems. The reason I say that is I looked at all the research I got
from 1999 to 2004, and all the worms, and all the core vulnerabilities
and how quickly the worm came out. It went from vulnerability-to-worm
in 280 days in 1999, to 10 days in 2004, and one of those worms was in
48 hours.

ITB: So they are being developed a lot faster. Could this mean that
some corporations will be ground to a halt?

SM: I'm seriously worried about this. And it will happen, probably
next year.

ITB: But corporations have huge networks with thousands of people and
thousands of access points. Are you saying it could all shut down?

SM: It will probably target Windows or it could target Cisco and it
will exploit something that will keep it spreading. Even if you have
redundant systems, it's not going to matter because if you bring up
the new system, it will just get re-infected.

ITB: So how do you prevent this, besides awareness?

SM: There is only one thing to do, and this is to try to mitigate the
threat as much as possible before it comes out. The problem, though,
is you don't know all the mitigating factors, you can't get 100 per
cent. You can say, I'm going to make sure all my firewalls are
blocking a certain port and all my anti-virus is up to date, but the
bottom line is that it will happen.

ITB: What else should we worry about?

SM: On the worm side, you also need to worry about the multi-platform
variety of some of the worms that are coming out. Some of these worms
are going to be very virulent, and they will be known by how well they
change or morph and still survive. We are seeing viruses and worms
getting more sophisticated and more cross-platform. This is not rocket
science, they are not very hard to do.

ITB: They used to be considered nuisance threats, now they seem to be
potentially global enterprise destroying threats.

SM: They certainly have that potential. And if the overstatement gets
the attention to fix it, then it's okay to overstate it. The absolute
reality is that it could happen. I could write it myself. Will
somebody else write it? Yes, eventually.