Tuesday, October 16, 2007

Security and The Cuckoo's Egg

The other day a friend of mine was playing on my laptop. He tried to log onto a networking website in my name. "What's your password?" he said. "Yeah right!" I retorted. I'm not dumb. I don't go around telling everyone my password. He turned to my roommate and said, "What's your password for this?" "I'm not telling you" she said in a flippant voice as she rolled her eyes. "Yeah," I thought, "she knows, too. Surely no one just goes around telling people their passwords. Ha." He laughed at our replies and said, "Actually in one of my classes we talked about how that was one of the easiest ways to crack into a system--to call someone and say, 'Hi it's the system administrators downstairs. We just wanted to install an update of this program on your computer. What's your password?' and amazingly, most people play into the facade." We laughed about it, thinking we were cognitively miles ahead of those people who tell anyone their passwords. Are we?

I'll admit, I'm one of those people who often ignore warnings until something big happens. I used to hate those automated messages telling me, "You must change your password during your next login. The 90 day limit is up." Or the denials to a new password, "Please choose a password that is longer than 8 characters and includes numbers, letters, and characters." I was annoyed that I had to remember bizarre and meaningless passwords and change them all the time. Then I took a computer security class. My eyes were opened, and I realized how easy it can be to crack into a system. In reading The Cuckoo's Egg by Clifford Stoll I was shocked again at how little about programming the hacker actually had to know in order to break into the "most secure networks in America."

Stoll’s book makes the point, as Crystal Ferraro, a security website editor, puts it, that, “In the realm of IT security, ignorance isn't bliss.” (http://searchsecurity.techtarget.com/topics/0,295493,sid14_tax281934,00.html). In Stoll’s experience crackers often got in because of little glitches, such as people forgetting (or deliberately choosing not) to reset the default password, using guest logins, or even reading e-mails with the passwords saved within them. After finishing the book, I have pondered on how to approach this problem of ignorance in the common user and what to do to change this security problem. I believe that the best ways to address these problems are to have a dedicated, knowledgeable system administrator and to educate the system users.

Quite often, as Stoll updated and informed the other sites involved in the hacking problem, he had to deal with system administrators who weren’t concerned about security, didn’t care about seemingly insignificant hackers, or were just too lazy to change their systems. “…how many other computers are just as wide open? If the Space Division screws up like that, even after we warn them, then how are we ever going to get the word out?” complains Jim Christy of the Air Force OSI, after realizing that despite many warnings system administrators still did not protect their systems against easy invasions. System administrators have the responsibility to be well-informed and to keep an eye on the comings and goings of those using the system. They should be concerned with security and have a desire to do the best they can to serve the system and keep it secure. Stoll is a good example of a dedicated and motivated system administrator – he did not let even a $0.75 accounting error slip past his view. (I’m not suggesting, however, that all system administrators need to sleep under their desks to be dedicated.)

After reading about Stoll’s experiences, however, I also realize that even with the best system administrators in the world, people still have faults. I grew frustrated as Cliff explained how often people made stupid mistakes. I felt his disbelief when I read about the people that were too lazy to change their systems or just did not understand the magnitude of the problem. I now have much more sympathy for system administrators who, despite doing the best work they can to putty up the holes in the system, look down the hall only to realize that those for whom they work have left the front door wide open. System administrators may be technical geniuses and care loyally for their systems, but they cannot always compete with the ignorance or apathy of the users they secure.

Because of the role that the users play in the security of the environment, it is important that they understand their responsibilities. One Internet attorney said, “The best answer…is simply to educate your users. Even if you're already locking down your users' computers and restricting the flow of data via hardware and software controls, education is still worthwhile.” (http://www.ddj.com/mobile/184414530) He also points out that “education is not only effective, it's inexpensive.” Often kind reminders and friendly warnings are not enough--they do not force users to change passwords or create more secure ones. And when password changes or suggestions are mandatory, users usually create files or write the passwords down in accessible places (as Stoll also mentioned in his book). This problem can be overcome through basic education in the realm of security; however, there is a risk that people will sit and listen during a mandatory meeting and then walk away and do exactly what they were doing before. A good way to avoid this is to make sure people understand the consequences of their actions. Security issues become more meaningful when people realize the risks they run with their simple, thoughtless habits. When people truly understand the power they may accidentally give to others, bad habits will more likely change.

Although Stoll’s experience happened several decades ago, the issues are still amazingly prevalent today. Most of us will not have to deal with a hacker trying to siphon military documents from our computers, but we are all faced each day with the issues of computer and network security as we log into sites, send information, and share our passwords. If we make conscious efforts to maintain security and educate those around us, we will be much more successful in that endeavor.
