Spycatcher Steve Ulfelder (In Depth, 08/11/97) Maybe it was his analysis work at the National Security Agency (the U.S. intelligence group that by many accounts makes the Central Intelligence Agency look like a den of Cub Scouts) that taught Ira Winkler to behave like a chameleon. Winkler, who also served a stint as director of technology at the Carlisle, Pa.-based National Computer Security Association (NCSA), is as comfortable talking to hackers as he is talking about them. That can explain the rapt attention Winkler received when he spoke at the recent DEF CON hackers convention in Las Vegas. It also explains why his new book, Corporate Espionage, sold out three times during that show. Whether explaining corporate security to Fortune 100 CEOs, learning new tricks from dropout hackers or appearing on television - he's been on Good Morning America, CNN, MS-NBC and a host of other programs and networks - Winkler is widely recognized as a top expert on online security. Now an independent consultant, Winkler recently spoke with Steve Ulfelder, senior editor of Computerworld's In Depth section, about the subject. CW: So you're just back from DEF CON. What new stuff are the hackers and crackers up to? WINKLER: Same stuff, different year. They're really after Windows NT now, but it's just a different operating system and a different year, because they mostly talk about the same things time and time again. I do think they're getting more concerned about people clamping down, and [there's] no sign of that getting better. CW: Better from the hackers' point of view? WINKLER: Right. And this year, there were many, many more professionals than there were hackers. They [DEF CON organizers] claim they got 1,000 attendees. If they got 1,000 people, at least 600 were what I would call professionals. CW: You mean legitimate information technology professionals who were there to learn something? WINKLER: Yes - professionals who were previously not associated with the hacker community, as opposed to some hackers who got a job later and still stay in touch. CW: Did you pick up on resentment from the old-time hackers that these squares were moving in? WINKLER: I didn't pick up on any of that. I guess I would be considered one of them. [Laughs.] CW: What particular Windows NT holes were people talking about? WINKLER: Password cracking. There are gaping holes in that. The Loft announced Loftcrack. CW: The Loft? WINKLER: That's a group of hackers that decided, "We don't want to get arrested for hacking, we just like to play with computers." So these people in somebody's loft have set up dozens of computers of all different types, where they can experiment in the privacy of their own setup. They've been tearing apart Windows NT just for the fun of it. And they developed Loftcrack, which is a problem with the way the Lan Man password is stored on an NT system. The Lan Man password is a leftover from the IBM Lan Manager, but it's built in to Windows 95 and a bunch of other client access protocols. When you send and store the password, it's stored in Lan Man format as well as the Microsoft format. The Lan Man password provides a back door to the real password. Also, the way the password is sent over the network - even though the password itself is encrypted - if you capture the encrypted password, all you have to do [to get access] is resend the encrypted password. CW: What are some of the more bone-headed security breaches you see? WINKLER: So many things come to mind, it's hard to say. In one penetration test I did, somebody left a note for a temporary [worker] saying, "If you need to access the computer, here's my user ID. And here's the password. And by the way, your boss likes her mail printed up every day. Here's her user ID and password." CW: One of the case studies you present in your new book is a compilation of various penetration tests you performed at the NCSA. WINKLER: Right. That was a social engineering test. CW: Can you give a working definition of "social engineering"? WINKLER: Social engineering means any nontechnical method to get access or information about a computer. My personal definition is using or abusing interpersonal interactions to achieve a desired goal. CW: What are some of the tricks that a social engineer uses? What should people watch out for? WINKLER: One is an espionage technique: You slowly build a person up, get them into the habit of answering questions, then get them to give you something sensitive, then slowly let them down. So if I was a Russian spy and I was going to recruit you, I would start off introducing myself. Then I would slowly ask you questions that are totally unclassified. Then, gradually, I might ask you for a phone number. Then it's like, "Well, one phone number isn't classified." Then I might ask you for another. Then in a few weeks, I might ask you for a phone directory, and then it's like, "Well, I guess I've given him all these numbers - what harm would a phone directory be?" CW: In your case study, you used humor to disarm people. WINKLER: Right. What happens is, you catch people off guard, then you get them even more off guard - act like a friend, make them laugh, make them feel comfortable talking to you. In one case, a woman told me her password was Felix. I go, "Oh, you have a cat, don't you?" She says, "Yeah." Or I'd go, "So, is that password your son's name?" It makes people feel comfortable. A lot of people say social engineering is an art. It's not an art. It's a science. And even though hackers don't know it, they perfect their skills by practice. CW: In your countermeasures chapter, you discuss classifying and controlling information. Who is responsible for this task in organizations, and ideally, who should be responsible for classifying information? WINKLER: Really, the person holding the information is responsible for classifying it. It should be the people who create the information who have release criteria guidelines. So people in human resources should know, "Nobody gets HR information." People in research and development should know, "Hey, nobody besides the R&D team gets access to this." CW: Are intranets causing any new security headaches for corporations? Is there an additional security burden on the IS department? WINKLER: There is, but there doesn't have to be. The real risk that intranets present is that they allow people more access to more information easily. It's not that they didn't have the access to the information before - it's just easier to get to it. CW: So if companies have the appropriate policies in place, those policies should cover intranets. WINKLER: Right. And if you have an intranet, and everything's hyperlinked through on different systems around the company, you should have permissions on there. If you have sensitive data on one computer, make sure you activate the user ID and password feature that's built in to every Mosaic server. CW: You also discuss monitoring Internet activity. What are some of the things that a hacker or spy could learn from an employee's Usenet posts? WINKLER: Oh, that's a mess. Where do I begin? Let's talk about the header alone first. If you're not using a proxy server, or even if you are to a certain extent, I can tell exactly which computer [a post] came from, the type of operating system you're using and the type of software that is running on that system. And if you know the operating system and the application software, you know how to exploit the system. Of course, besides the header, if I see what people are posting, I can kind of guess what the company might be up to. CW: What do you recommend to clients about employee use of Usenet groups and the World Wide Web? WINKLER: I would strongly recommend that if people are to read news, they should do it on their own time from their personal accounts and be instructed not to reference their company in their personal postings. That goes as far as your signature block in your E-mail. Don't put, "This is my CompuServe address, and this is my company-dot-com address." Because I've searched for companies, and even though I might not have found any company posting, I have found people who used the name of their company in the way they sign their message. If employees do go and post, there's always a cost/benefit [analysis] that should be performed. If you don't have a lot of people posting, maybe it's not that bad. However, if you do have people that browse the Internet regularly, you're going to learn a lot about them. CW: You wrote that companies place too much trust in firewalls. Why? WINKLER: The biggest problems have been and always will be from insiders. What difference does a firewall make if the people you're trying to keep out are already in? All studies indicate that over 70% of people who steal information are insiders. And that doesn't account for what happens if your firewall fails. What happens if somebody gets access through a modem? There are hundreds of back doors in any company.