26.3 Can You Trust People?

Ultimately, people hack into computers. People delete files and alter system programs. People steal information. You should determine who you trust (and who you don't trust).

26.3.1 Your Employees?

Much of this book has been devoted to techniques that protect computer systems from attacks by outsiders. This focus isn't our only preoccupation: overwhelmingly, companies fear attacks from outsiders more than they fear attacks from the inside. Unfortunately, such fears are often misplaced. Statistics compiled by the FBI and others show that the majority of major economic losses from computer crime appear to involve people on the "inside."

Companies seem to fear attacks from outsiders more than insiders because they fear the unknown. Few managers want to believe that their employees would betray their bosses, or the company as a whole. Few businesses want to believe that their executives would sell themselves out to the competition. As a result, many organizations spend vast sums protecting themselves from external threats, but do little in the way of instituting controls and auditing to catch and prevent problems from the inside.

Not protecting your organization against its own employees is a short-sighted policy. Protecting against insiders automatically buys an organization considerable protection from outsiders as well. After all, what do outside attackers want most of all? They want an account on your computer, an account from which they can unobtrusively investigate your system and probe for vulnerabilities. Employees, executives, and other insiders already have this kind of access to your computers. And according to recent computer industry surveys, attacks from outsiders and from rogue software account for only a small percentage of overall corporate losses; as many as 80% of attacks come from employees and former employees who are dishonest or disgruntled.[7] Often, these are employees who are otherwise trustworthy, but they are confronted with an opportunity while they are under great personal stress.

[7] Moral: try to keep your employees honest and gruntled.

No person in your organization should be placed in a position of absolute trust. Unfortunately, many organizations implicitly trust the person who runs the firm's computer systems. Increasingly, outside auditors are now taking a careful look at the policies and procedures in Information Systems support organizations?making certain that backups are being performed, that employees are accountable for their actions, and that everybody operates within a framework of checks and balances.

26.3.2 Your System Administrator?

The threat of a dishonest system administrator should be obvious enough. After all, who knows better where all the goodies are kept, and where all the alarms are set? However, before you say that you trust your support staff, ask yourself a question: they may be honest, but are they competent?

We know of a case in which a departmental server was thoroughly compromised by at least two different groups of attackers. The system administrator had no idea what had happened, probably because he wasn't very adept at Unix system administration. How were the attackers eventually discovered? During a software audit, the system was revealed to be running software that was inconsistent with what should have been there. What the department expected to find was an old, unpatched version of the software. Investigation revealed that attackers had apparently installed new versions of system commands to keep their environment up to date because the legitimate administrator wasn't doing the job.

Essentially, the attackers were doing a better job of maintaining the machine than the hired staff was. The attackers used the machine to stage attacks against other computers on the Internet.[8]

[8] Since we described this case in the second edition, the phenomenon has become common, at least for PC users at home. Intruders commonly break into unpatched Windows machines on DSL connections owned by people with no knowledge of computer security. The intruders then install various patches and security measures to keep the machines from being taken over by other intruders! The owners seldom notice the changes.

In such cases, you probably have more to fear from incompetent staff than from outsiders. After all, if the staff bungles the backups, reformats the disk drives, and then accidentally erases the only good copies of data you have left, the data is as effectively destroyed as if a professional saboteur had hacked into the system and deleted it.

26.3.3 Your Vendor?

We heard about one case in which a field service technician for a major computer company busily cased sites for later burglaries. He was shown into the building, was given unsupervised access to the equipment rooms, and was able to obtain alarm codes and door-lock combinations over time. When the thefts occurred, police were sure the crime was an inside job; no one immediately realized how "inside" the technician had become.

There are cases in which U.S. military and diplomatic personnel at overseas postings have had computer problems and took their machines to local service centers. When they got home, technicians discovered a wide variety of interesting?and unauthorized?additions to the circuitry.

What about the software you get from the vendor? For instance, AT&T claimed that Ken Thompson's compiler modifications (described earlier in "Trusting Trust") were never in any code that was shipped to customers. How do we know for sure? What's really in the code on your machines?

26.3.4 Your Consultants?

There are currently several people in the field of computer security consulting with pasts that are not quite sterling. These people have led major hacking rings, bragged about breaking into corporate and government computers, and who may have been indicted and prosecuted for computer crimes. Some of them have even done time in jail. Now they do security consulting?and a few even use their past exploits in advertising (although most do not).

How trustworthy are these people? Who better to break into your computer system later on than the person who helped design the defenses? Think about this issue from a liability standpoint: would you hire a confessed arsonist to install your fire alarm system, or a convicted pedophile to run your company's day-care center? He'd certainly know what to protect the children against! What would your insurance company have to say about that? Your stockholders?

Some security consultants are more than simply criminals?they are compulsive system hackers. Why should you believe that they are more trustworthy and have more self control now than they did a few years ago?

If you are careful not to hire suspicious individuals, how about your service provider? Your maintenance organization? Your software vendor? The company hired to clean your offices at night? The temp service that provides you with replacements for your secretary when your secretary goes on leave? Potential computer criminals, and those with unsavory pasts, are as capable of putting on street clothes and holding down a regular job as anyone else. They don't have a scarlet "H" tattooed on their foreheads.

Can you trust references for your hires or consultants? Consider the story (possibly apocryphal) of the consultant at the large bank who found a way to crack security and steal $5 million. He was caught by bank security personnel later, but they couldn't trace the money or discover how he did it. So he struck a deal with the bank: he'd return all but 10% of the money, remain forever silent about the theft, and reveal the flaw he exploited in return for no prosecution and a favorable letter of reference. The bank eagerly agreed, and wrote the loss off as an advertising and training expense. Of course, with the favorable letter, he quickly got a job at the next bank running the same software. After only a few such job changes, he was able to retire with a hefty savings account in Switzerland.

Bankers' Mistrust

Banks and financial institutions have notorious reputations for not reporting computer crimes. We have heard of cases in which bank personnel have traced active hacking attempts to a specific person, or developed evidence showing that someone had penetrated their systems, but they did not report these cases to the police for fear of the resulting publicity.

In other cases, we've heard that bank personnel have paid people off to get them to stop their attacks and keep quiet. Some experts in the industry contend that major banks and trading houses are willing to tolerate a few million dollars in losses per week rather than suffer the perceived bad publicity about a computer theft. To them, a few million a week is less than the interest they make on investments over the course of a few hours: it's below the noise threshold.

Are these stories true? We don't know, but we haven't seen too many cases of banks reporting computer crimes, and we somehow don't think they are immune to attack. If anything, they're bigger targets. However, we do know that bankers tend to be conservative, and they worry that publicity about computer problems is bad for business.

Odd, if true. Think about the fact that when some kid with a gun steals $1,000 from the tellers at a branch office, the crime makes the evening news, pictures are in the newspaper, and a regional alert is issued. No one loses confidence in the bank. But if some hacker steals $5 million as the result of a bug in the software and a lack of ethics...

Who do you entrust with your life's savings?

26.3.5 Response Personnel?

Your system has been hacked. You have a little information, but not much. If someone acts quickly, before logs at remote machines are erased, you might be able to identify the culprit. You get a phone call from someone claiming to be with the CERT/CC, or maybe the FBI. They tell you they learned from the administrator at another site that your systems might have been hacked. They tell you what to look for, then ask what you found on your own. They promise to follow up immediately on the leads you have and ask you to remain silent so as not to let on to the attackers that someone is hot on their trail. You never hear back from them, and later inquiries reveal that no one from the agency involved ever called you.

Does this case sound farfetched? It shouldn't. Administrators at commercial sites, government sites, and even response teams have all received telephone calls from people who falsely claim to be representatives of various agencies. We've also heard that some of these same people have had their email intercepted, copied, and read on its way to their machines. (Usually, a hacked service provider or altered DNS record is all that is needed.) The result? The social engineers working the phones have some additional background information that makes them sound all the more official.

Whom do you trust on the telephone when you get a call? Why?

    Part VI: Appendixes