11 Aug 2000
Bug Watch: Each week vnunet.com asks a different expert from the IT security world to give their views on recent virus and security issues, with advice, warnings and information on the latest threats. This week's expert is Matt Tomlinson, business development director at MIS Corporate Defence Solutions.
The end of last week saw further exploitation of UK company websites by what is a recurring threat in the IT world - the hacker. Five companies were hacked last week, but not by bored 'script kiddies', or those who do it just for fun. Three of the hacks were executed by GForce, a group which aims to raise awareness of the Indian government's treatment of Kashmir nationals.
The other two sites were hacked by an activist called Herbless. These sites were altered to show a statement from Herbless about the alleged vulnerabilities he discovered and how companies should contact him for his assistance on how to make them more secure. Some would say he is offering a public service, while others would say that he is looking for work by illegal means.
This week Dan Brumleve, a 22-year-old American, has hit the 'hacker market' with a new security headache for IT users. By developing Brown Orifice he has exposed the threat of a malicious Java-based 'http demon', which allows files to be read off a user's system as long as Netscape is running.
Although this is not a hack in the traditional sense, Brumleve has opened up the arena for hackers by producing a tool they can exploit, which in turn directly compromises those using Netscape. Many would argue he too is on the lookout for a prospective employer through this potentially dangerous piece of information that he has developed and then released.
Although companies with correct security policies may be quite confident that they will not be hacked from outside, it is the internal threat that many will have overlooked.
Perimeter security such as firewalls can scan for malicious Java content. However, intranets without sufficient security can be left open to a disgruntled employee or can simply be opened up to attack by accident.
Java's security restrictions prevent files from being written or changed, but all files on the user's hard drive can be accessed and downloaded, which creates a headache internally. There is no way of telling if someone is browsing your hard drive as you work. The only way that it can be detected is through auditing machines.
Home users are also at risk, perhaps more so than anyone else. Once Java is enabled, the exploiter can access sensitive material, email and even rack up huge telephone bills through the modem connection.
While waiting for a patch to be developed, the only way to combat these problems, however impractical, is to stop accessing material through Java. In other words, stop using the technology that brings everything to life. For added security, and as a measure of best practice, make sure any sensitive data is locked away in an encrypted environment.
Next edition: 18 August