UNAUTHORIZED ACCESS
Like uncharted wilderness, the Internet lacks borders.This inherent openness is what makes the Internet so valuable and yet so vulnerable. Over its short life, the Internet has grown so quickly that the legal system has not been able to keep pace. The security risks posed by networks and the Internet can be grouped into three categories: unauthorized access, information theft, and denial of service.
Hackers, individuals who gain access to computers and networks illegally, are responsible for most cases of unauthorized access. Hackers tend to exploit sites and programs that have poor security measures in place. However, they also gain access to more challenging sites by using sophisticated programs and strategies. Many hackers claim they hack merely because they like the challenge of trying to defeat security measures. They rarely have a more malicious motive, and they generally do not aim to destroy or damage the sites that they invade. In fact, hackers dislike being identified with those who seek to cause damage. They refer to hackers with malicious or criminal intent as crackers.
User IDs and Passwords
To gain entry over the Internet to a secure computer system, most hackers focus on finding a working user ID and password combination. User IDs are easy to come by and are generally not secure information. Sending an email, for example, displays the sender’s user ID in the return address, making it very public. The only missing element is the password. Hackers know from experience which passwords are common; they have programs that generate thousands of likely passwords and they try them systematically over a period of hours or days.
System Backdoors
Programmers can sometimes inadvertently aid hackers by providing unintentional entrance to networks and information systems. One such unintentional entrance is a system “backdoor,” which is a user ID and password that provides the highest level of authorization. Programmers innocently create a “backdoor” in the early days of system development to allow other programmers and team members to access the system to fix problems. Through negligence or by design, the user ID and password are sometimes left behind in the final version of the system. People who know about them can then enter the system, bypassing the securityperhaps years later, when the backdoor has been forgotten.
Spoofing
A sophisticated way to break into a network via the Internet involves spoofing, which is the process of fooling another computer by pretending to send information from a legitimate source. It works by altering the address that the system automatically puts on every message sent. The address is changed to one that the receiving computer is programmed to accept as a trusted source of information.
Spyware
Spyware is a type of software that allows an intruder to spy upon someone else’s computer. This alarming technology takes advantage of loopholes in the computer’s security systems and allows a stranger to witness and record another person’s every mouse click or keystroke on the monitor as it occurs. The spy can record activities and gain access to passwords and credit card information. Spyware generally requires the user to install it on the machine that is being spied upon, so it is highly unlikely that random strangers on the Internet could simply begin watching your computer. In the workplace, however, someone might be able to install the software without the victim’s knowledge. Disguised as an email greeting, for example, the program can operate like a virus that gets the unwary user to install the spyware unknowingly.
INFORMATION THEFT
Information can be a company’s most valuable possession. Stealing corporate information, a crime included in the category of industrial espionage, is unfortunately both easy to do and difficult to detect. This is due in part to the invisible nature of software and data. If a cracker breaks into a company network and manages to download the company database from the network onto a disk, there is no visible sign to the company that anything is amiss. The original database is still in place, working the same way it always has.
Wireless Device Security
The growing number of wireless devices has created a new opportunity for data theft. Wireless devices such as cameras, Web phones, networked computers, PDAs, and input and output peripherals are inherently less secure than wired devices. Security is quite lax, and in some cases nonexistent, in new wireless technologies for handheld computers and cell phone systems. In a rush to match competition, manufacturers have tended to sacrifice security to move a product to the marketplace faster. Already, viruses are appearing in emails for cell phones and PDAs. With little protection available for these new systems, hackers and spies are enjoying a free hand with the new technology. One of the few available security protocols for wireless networks is Wired Equivalent Privacy (WEP), developed in conjunction with the standard for wireless local area networks. Newer versions of WEP with enhanced security features make it more difficult for hackers to intercept and modify data transmissions sent by radio waves or infrared signals.
Data Browsing
Data browsing is a less damaging form of information theft that involves an invasion of privacy. Workers in many organizations have access to networked databases that contain private information about people. Accessing this information without an official reason is against the law. The IRS had a particularly large problem with data browsing in the late 1990s. Some employees were fired and the rest were given specialized training in appropriate conduct.