A reminder of security basics can provide ammunition for you to take to management. If you haven't tried it, you'd be amazed how much more attention management pays to published articles than they do to their own in-house experts.
True story—I once proved the power of the press by taking my own review of a product to a company president. He’d ignored my advice for months, but immediately gave the magazine page his attention, never noticing the name of the author. He then took the article to several staff members, pointing out the "new" ideas contained in the piece. Someone later told him that I was the author. Fortunately for that employee, the boss had a sense of humor.
One thing I see repeatedly in many companies is an unwillingness to spend much, if anything, on security. An organization typically has to experience a loss or, at a minimum, see graphic proof of how vulnerable it really is, before the company is willing to invest in security.
The fact is, you may be unknowingly revealing your own security information. For example, did you ever think about what information you disclose when you visit Web sites, or what people can learn about your system just by knowing your Web address?
For this reason, you should ensure that you are making the appropriate investments to protect your network. Still need more convincing?
A real world example
If you’re curious about how much information the public can easily obtain relating to your systems, check out www.privacy.net/anonymizer. Test it with a quick visit, and you’ll probably be surprised to discover just how much other people can learn about your systems when your company’s employees visit other Internet sites.
Each time you visit a Web site, your system announces some of the programs you have installed on your PC. Here's just a small part of the report returned on one of my computers:
The following plug-ins are installed on your system:
Comet Cursor - Comet Cursor Plugin v.188.8.131.52 - NP32COMET.DLL
RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) - RealPlayer(tm) LiveConnect-Enabled Plug-In -
Yahoo! Audio Conferencing Plugin - Yahoo! Audio Conferencing Plugin - npyacs.dll
VSCP Module - VSCP COM/Plugin DLL - npvscp.dll
Shockwave for Director - Macromedia Shockwave for Director Netscape plug-in, version 6.0 - NP32DSW.DLL
Netscape Media Player - Netscape Media Player, Audio Streaming Plugin, v.1.1.1516 - nplau32.dll
Shockwave Flash 2.0 - Shockwave Flash 2.0 r11 - NPSWF32.dll
Quicken 99 for Windows - IPA Plugin stub - NPIPA32S.DLL
LiveAudio - Sound Player for Netscape Navigator, v.1.1.1515 - npaudio.dll
QuickTime Plug-In - QuickTime Plug-In for Win32 v.1.1.0 - NPQTW32.DLL
NPAVI32 Dynamic Link Library - NPAVI32, avi plugin DLL - npavi32.dll
Netscape Default Plug-in - Default Plug-in - npnul32.dll
If that doesn't worry you, just how would you like everyone to know what software your Web server is running?
Turning the tables on privacy.net, I learned that they are most likely running NT 4. How did I obtain this information? Did I spend a day hacking their system? Nope, I simply entered their address at another security-oriented Web site and it returned a report on the software their server is running.
Is your systems information available on the Web?
It’s important to try and keep such information confidential. I even wrote a column about it, and many TechRepublic members agreed with me. But I’ll bet you didn't know there's a Web site that purports distributing this information to anyone who asks.
It doesn't work for every site, and it isn't 100 percent accurate, but it's accurate enough to be scary. To learn more, just go to http://www.netcraft.com/whats/ and enter the URL you are interested in. Since the site records the results and adds it to an ongoing Web Server Survey, you might want to think twice before entering your own address.
Pick some sites you are familiar with, however, and I’ll bet you'll come up with some interesting results. Although hackers want this data, it can also be a useful management information systems (MIS) tool. For example, if your competitor has a smoothly running site, wouldn't it be interesting to know what software they are using?
Interestingly enough, Microsoft's e-mail site, www.hotmail.com, is reportedly running Apache/1.3.6 (UNIX) mod_ssl/2.2.8 SSLeay/0.9.0b.
The report for www.microsoft.com indicates that it is running Windows 2000, as are Dell and NASDAQ.
The search can easily make mistakes, but the errors are usually informative. Since the site examines an HTTP reply returned from the server, it could report on a firewall or a load-balancing device. The site might even provide different results from different searches if the company you are researching uses a number of servers.
The analyzer can also be fooled if the site's Transmission Control Protocol (TCP) stack has been modified. Does this give you any ideas?
I have tested the site against known and unknown systems. I’ve alarmed some system administrators with the results I’ve received. The administrators uniformly refused to give out any server information or even confirm my results. However, if the data from Netcraft wasn’t correct or at least pretty close, I wonder why they got so upset?
John McCormick is a consultant and writer (five books, 14,000 plus articles and columns) who has worked with computers for more than 35 years.
Have a comment?
If you'd like to share your opinion, please post a comment at the bottom of this page or send the editor an e-mail.