Ernst & Young Says Hacking Doesn't Take Genius

CHICAGO — The popular picture of hackers is that they’re genius geeks whose mastery of black computer arts enables them to sneak in and out of the deepest corporate vaults.

Actually, it’s worse than that.

With a few weeks of practice, just about anybody who’s capable of changing the settings on a PC can hack into private corporate sites and, once there, be in a position to practice anything from petty theft to outright devastation.

The managers of Ernst & Young’s (E&Y) eXtreme Hacking class gave the Business Journal a quick orientation late last month that demonstrated:

  • Hacking takes practiced familiarity with the Internet, but no greater intelligence than ordinary library research.
  • Hacking, if sufficiently malicious, can expose a corporate CEO and other top officers to horrendous personal damages.
  • Hacking is truly simple when corporate security is sloppy.

The good news is that tight security practices can defeat hacking.

The bad news is that many corporations have sloppy security.

For modest-sized firms that reach the Internet via a service provider, the really good news is that most providers’ firewalls are nearly impervious to hacking.

But if yours is a firm that has its own direct connection to the Net, look out.

According to the class supervisor, David Dobratka, the first step in hacking is what’s called a passive scan. One simply looks up a corporation in, say, Dun & Bradstreet, finds it on the Web and then sets forth to establish its “footprint.”

In no sense, he stressed, is this unlawful. The hacker is simply amassing public information about the corporation. One can even download free software to aid in the process. And part of the scan entails trying to determine how many ports the target company has on the Web, and what their addresses are.

An example of a port address is http://biz.yahoo.com/bw/010503/2107_2.html (one of Dun & Bradstreet’s numerous public sites). The scan, however, then entails dialing up addresses and checking their links to other addresses. Working patiently, the hacker too often learns that the target firm has one or more unguarded ports to its administrative servers — or, worse, that it’s using the same server for both public and private services.
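The two weaknesses described above (administrative ports reachable from the Internet, and one server carrying both public and private services) are exactly what a company needs to find in its own inventory before anyone else does. The following is an added example, not code from the article or from E&Y, showing a defender's audit over a constructed service inventory; the port-to-role tables and the CSV layout are assumptions for the sake of the example.

```python
# Added example (not from the article or E&Y): audit a constructed service
# inventory for the two problems the article describes: administrative
# services exposed to the Internet, and a server that hosts both public and
# administrative services.
from collections import defaultdict

# Ports conventionally used for administrative access (assumption; extend to fit your estate).
ADMIN_PORTS = {22: "ssh", 23: "telnet", 135: "msrpc", 139: "netbios", 445: "smb",
               1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc"}
# Ports that legitimately face the public (assumption).
PUBLIC_PORTS = {25: "smtp", 80: "http", 443: "https"}

# Constructed inventory lines: host, port, reachable-from ("internet" or "internal").
SAMPLE_INVENTORY = """\
www.example.test,80,internet
www.example.test,443,internet
www.example.test,3389,internet
mail.example.test,25,internet
files.example.test,445,internal
files.example.test,22,internet
"""

def parse_inventory(text):
    """Return a list of (host, port, exposure) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, port, exposure = (field.strip() for field in line.split(","))
        records.append((host, int(port), exposure.lower()))
    return records

def audit(records):
    """Return findings keyed by host: exposed admin ports and mixed public/admin roles."""
    findings = defaultdict(list)
    ports_by_host = defaultdict(set)
    for host, port, exposure in records:
        ports_by_host[host].add(port)
        if port in ADMIN_PORTS and exposure == "internet":
            findings[host].append(f"admin service {ADMIN_PORTS[port]}/{port} reachable from the Internet")
    for host, ports in ports_by_host.items():
        if ports & ADMIN_PORTS.keys() and ports & PUBLIC_PORTS.keys():
            findings[host].append("same server hosts public and administrative services")
    return dict(findings)

if __name__ == "__main__":
    for host, issues in audit(parse_inventory(SAMPLE_INVENTORY)).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```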

When E&Y’s hacking instructors — among them former accountants, former military intelligence types and former employees of the National Security Agency — take their jobs, they pledge to abide by an explicit code of ethics. Among other things, it prohibits them from free-lancing or personally profiting beyond their E&Y compensation.

And it’s a good thing, because — working with a dummy corporation — they showed the Business Journal how it’s possible to use one’s own laptop to enslave a corporate giant’s administrative server.

And once the hacker has done that, he or she can perform just about any function, from downloading personnel records to drastically lowering or raising the prices in the corporation’s catalogues. Likewise, a corporate hacker can gain access to a competitor’s confidential product development files.

Dan Quealy, of E&Y’s Assurance and Advisory Business Services, said his staff has found that the best way to shape up a corporation’s Internet security is to get to the CEO.

“Getting to the IT people doesn’t do it,” he said, grinning. “They’re usually running around with their hair on fire trying to solve everybody’s computer and network problems. They usually know what needs to be done to protect security, but nobody’s making it their priority.”

But, said Quealy, if E&Y hackers can present the CEO with information about his own credit card accounts gleaned from his own company’s server, things change rapidly — especially when it sinks into the CEO’s consciousness that massive losses due to hacking could be tied to him personally as a failure to execute his fiduciary responsibility.

Once the CEO sees the importance of security, he added, the corporation’s problem often becomes finding out whether it has unguarded Internet ports. And the bigger the company, he said, the more likely that all the company’s ports aren’t protected.

“We came across one case,” he said, “where an IT type had set up a T-1 line from the office to his house. Go figure.”

He and Dobratka yearn, in a way, for the weeks and months that preceded the arrival of Y2K.

“Corporations had inventoried everything and they really knew exactly what they had. But since then they’ve gotten sloppy.”

He said it’s easy to understand why. Maintaining security — whether it means regularly changing log-in passwords or regularly upgrading firewall protection or treble checking for unguarded Internet ports — can be deadly dull work.

But, Quealy said, it beats having relations with your workforce torpedoed by a delayed-action logic bomb which, say, scrambles your firm’s 401(k) records or, just as bad, turns all your fulfillment data to gibberish.