Network managers could be facing a new security nightmare: crackers have a new way into the network, a special cookie that silently siphons data out through the internet port.
A celebrity crack last month shook the World Economic Forum (WEF) in Davos when culprits managed to tap confidential information relating to 1400 rich and famous attendees, such as Bill Gates, Dustin Hoffman and Bill Clinton.
The Forum's unprecedented security precautions failed to prevent a group of four crackers called Virtual Monkeywrench from extracting 80,000 database records, such as information on credit cards, passports, personal cell phones and conference passwords.
A 20-year-old Swiss IT consultant was arrested in Bern and faces charges of data theft, unauthorised access, property damage and abuse of credit cards, according to a police spokesperson. The crackers told a Swiss newspaper that they had found it easy to hack the database with a worm program and said it was a "good sabotage" intended to block "the operation of [WEF's] well-oiled machine".
Security company Baltimore Technologies said the WEF crack highlights the fact that confidential information held on computers can be inadvertently released through companies' email and internet systems.
Easier access
Baltimore warned network managers that crackers are increasingly using worm-like programs to install themselves like a cookie on the network PC of an unaware user.
A legitimate cookie is designed to hold a small amount of information on a computer system so as to make life easier for the user, but its evil twin, the woozle, has a more sinister purpose. It siphons information held on computers while the victim remains unaware of its activity.
The malicious cookie hides behind software such as Visual Basic script animation and tries to install itself when the user opens the attachment.
Most internal security systems warn about installing such programs, but users unaware of possible side effects will easily click 'yes' to see a circulating email joke. The woozle has then found its way into the network.
Once installed on the PC, the woozle quietly filters database information through the internet 'door', which is opened when a user is looking at websites. The information it seeks can range from a simple inventory of applications to a list of user identifications and passwords.
Baltimore's Jonathan Tait explained that woozles may not cause evident damage but could have an unexpected sting. "They are covert thieves stealing information, and on the one hand, you might desire payment or be asked for consent. On the other hand, a woozle could lead to devastating breaches of privacy or confidentiality," he said.
Tait added that it is important for network managers to have a clear email policy regarding the downloading of online information, about which staff are educated. This should be backed up with software such as MIMEsweeper, which helps to enforce this by detecting the transfer of information.
Gordon Buxton, senior developer at Oxford Computer Consultants, said that once a malicious cookie had infiltrated the network, it was very difficult to stop or detect. When it sends out tapped information it pretends to be a browser, which is allowed through the firewall.
Building barricades
"This is how Microsoft was attacked a few months ago," he said. "A cracker managed to get a program installed that sent back information, which is the first step when hacking a network. Then, he looks for user names and passwords and waits for one with authority to access databases."
A woozle makes its way in like a virus, but once installed, it has free play. Databases are especially at risk, as they receive little protection inside the firewall and are open to exploration by malicious programs.
"Programs can monitor how much information is sent from your network, but it is up to the network manager to decide if this is irregular sending," Buxton said. "It requires a lot of will from the network managers, who usually don't have time to waste."
However, Buxton said there are several things network managers can do to minimise the risk. They should never neglect internal security, meaning they should set up user IDs with specific authorisation and enforce passwords beyond plain text. They should also monitor for unusual traffic, and should set up the browser so that users cannot install programs even if they wanted to.
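As an added illustration of the traffic monitoring recommended above (example code, not from the article, Baltimore or Oxford Computer Consultants), the script below reads constructed proxy log lines and flags a client whose outbound bytes dwarf its peers' or exceed what it receives, the reverse of ordinary browsing. The log format, thresholds and addresses are assumptions.

```python
# Flag hosts whose web traffic looks like exfiltration rather than browsing.
# Constructed proxy log lines (assumed format, not from the article):
# client, method, host, bytes sent by the client, bytes received by the client.
from collections import defaultdict
from statistics import median

SAMPLE_LOG = """\
10.0.0.11 GET www.example.com 420 38200
10.0.0.11 GET cdn.example.com 380 120500
10.0.0.12 GET news.example.org 410 45000
10.0.0.12 POST mail.example.org 2100 9000
10.0.0.13 POST upload.example.net 1850000 512
10.0.0.13 POST upload.example.net 2100000 498
10.0.0.13 GET www.example.com 400 30000
10.0.0.14 GET www.example.com 390 41000
"""

def parse_log(text):
    """Return per-client totals of bytes sent and bytes received."""
    sent = defaultdict(int)
    recv = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, _host, out_bytes, in_bytes = line.split()
        sent[client] += int(out_bytes)
        recv[client] += int(in_bytes)
    return sent, recv

def flag_exfil(sent, recv, volume_factor=10, ratio=1.0):
    """Flag clients sending far more than the median peer (volume_factor)
    or sending more than they receive (ratio); both thresholds are assumed."""
    baseline = median(sent.values())
    flagged = {}
    for client, out_bytes in sent.items():
        reasons = []
        if out_bytes > volume_factor * baseline:
            reasons.append("volume")
        if recv[client] == 0 or out_bytes / recv[client] > ratio:
            reasons.append("ratio")
        if reasons:
            flagged[client] = reasons
    return flagged

if __name__ == "__main__":
    s, r = parse_log(SAMPLE_LOG)
    for client, reasons in flag_exfil(s, r).items():
        print(f"{client}: {', '.join(reasons)}")
```

The median baseline is only meaningful with a handful of hosts or more; in practice the thresholds are tuned per network, which is the judgement call Buxton describes.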
"Stripping a computer to its essential applications and setting Explorer so it won't let you install, is bound to receive significant user resistance. But every program that can be installed means a potential risk," Buxton argued.
However, he recognised that this advice was mainly of use to large corporations who have resources to dedicate to security. For smaller companies, building a 'Fort Knox' would not make much business sense, but Buxton explained that they could help themselves by reading up on the subject.
"Companies should understand what data is important to them, meaning the records that either cannot be replaced or can be held against them. Those are the ones to protect," he said.