13 tough questions about computer security

Security novices often ask great questions, and these student queries elicit responses worth a short security course

Page 2 of 4

Question 4: If Stuxnet was the most complex piece of malware ever created, then couldn't the "sons of Stuxnet" wreak havoc across all of the Internet and not just at the Iranian nuclear facility?
This is a huge, huge fear of a lot of people. However, I expect that one day a much less complex piece of malware will "crash" the Internet. Sophisticated malware is needed only for sophisticated scenarios. Crashing the Internet or stealing from banks is easily accomplished with conventional malware. Hackers are likely stealing tens of millions of dollars every day, if not hundreds of millions. They are allowed to get away with it, and the public accepts it as a cost of doing business because they stay below a certain threshold. One day one of them will make a mistake, steal too much, and the world will freak out and finally fix the Internet.

Question 5: It has been widely reported that the NSA put backdoors into a bunch of different programs. How do we know these backdoors have been closed?
Most of them probably haven't been closed. Until we get their complete list of software exploits, which is highly unlikely, we'll never be able to do it. And it's not just the NSA you have to worry about, but every sophisticated government and hacker group. Software is full of exploitable holes that only certain people have knowledge of.

Question 6: We're being taught to hack. What is to stop us from being evil with the knowledge we've been given?
Hacking is actually fairly easy. It's like a cookbook recipe: Once you know how to hack, it's mostly a repeatable process. Most hackers simply mimic what someone else did. They seldom think of anything new. You want to impress me? Do something new. Most hackers are followers.

The smartest hackers are the good guys. It's easy to hack; it's much harder to defend. It's easy to tear down a barn with a saw and a sledgehammer; it's much harder to build the barn. It's even more impressive to build a barn that can resist the saw and the sledgehammer.

You shouldn't hack illegally for the same reason you shouldn't assault someone. It's morally wrong. I've had the skills to hack illegally for over two decades. I get paid to hack legally all the time. Over the past nine years it's never taken me more than an hour to break in (except one time, when it took me three hours). This includes banks, hospitals, government agencies, and Fortune 500 companies. It's not that hard to hack. And guess what? I make a very good living -- far better than I could ever have imagined. I am living the dream.

Legal hacking allowed me to accomplish this, and I don't have to worry about the feds arresting me. If you go the illegal route, it's going to catch up with you eventually. It always does. You can make more money and sleep well at night by hacking legally. You'll have a better career and a better life doing the right thing.

Question 7: I read that no matter how long or complex your password is, that it can be broken by a pass-the-hash attack. True?
In a sense. PtH (pass-the-hash) attacks require that the attacker obtain local administrator status on the box they are stealing hashes from (or obtain domain administrator on a domain controller). If you have that sort of access, then what can't you do?

That said, if attackers steal the ultimate authentication secret -- for example a password, a password hash, a Kerberos token, a ticket, and so on -- they have the ultimate authentication they need to do almost anything. Length of password, hash, digital certificate key, and so on will not protect you.

PtH attacks are a valid concern, but if they went away completely (Windows Server 2012R2 has plenty of PtH defenses built in), it would not stop attackers in the slightest ... because they already own the box. They can just do keylogging, Trojan the machine, or modify the operating system. We should be more concerned about how attackers get that elevated access in the first place, not focused on what they do with it once they have that access. ... Because sky is the limit and there is no defense.

| 1 2 3 4 Page 2
Cybersecurity market research: Top 15 statistics for 2017