Security

As that was the Uni that the Post Grad student was attending and was helping him before the courts to stop the suppression of his thesis work.

As far as network security goes it is pretty much the same the world over but it does differ between different networks as different companies have different needs so really there are no hard and fast rules in place about what is required but mainly general outlines. For instance medical and bank records are far better protected than records held by most small business this is really where knowledge of the Law becomes necessary as you need to know exactly under what pieces of Legislation they have to comply with.

Obviously total protection would be great but in the real world this just doesn't happen mainly owing to the costs involved. Then there are different protocols used between wired and wireless networks the list just goes on and on.

But you could try the Australian Broadcasting Commission at www.abc.com.au as they ran a program on "Hacking" in the old days sometime last year I'm told unfortunately I was out working at the time so I didn't get to see it so I really do not know if it was any good but from the trailers it was set from the Hackers side and attempted to explain why they did what they did, apparently they had a t least one of the original Hackers involved in making the show {God I wish I could program a VCR at times.} But I had to study all of this when I was at Uni all those years ago sometime around 74 on wards to 82 so everything is a bit vague now as it isn't something that I use at all.

Actually Guru of DOS would probably be useful on the UK side as he lives there and may know a lot more about that incident than me as I only heard about it from a work briefing and I've never actually seen anymore about the whole mess. But it may have received a lot more coverage in the UK than it did over here I'll see if I can get a message to him and ask him can he help.

Col

Thank you Col I checked the Australian Broadcasting Commission site and they still have some on those reports. I will spend some time this week to check them out.

While she may have developed a tool to scan for weaknesses provided she isn't using it without authority she is doing nothing wrong.

Now it really doesn't matter if she sells it or makes it freely available anywhere the same applies as she isn't breaking any laws and it could prove a useful tool to any Network Admin.

Actually I think that this is a hypothetical question as if some one had developed a tool like this they could just about write their own paycheck as they would almost certainly be overnight millionaire's.

But if is a real program the best parallel would be the gun industry they can make and sell guns without breaking any laws as they are not responsible for what a certain individual may do with their product. The same applies here she isn't responsible for what it is used for and if it is a real product she isn't interested in making any money so she is more of a help to the Network Admin?s than a hindrance. If they knownly leave their systems vulnerable they deserve the consequences remember "Slammer" Microsoft put out a article informing everyone to update their code and when it hit Microsoft was one of the first take down, now some could argue that Microsoft was responsible for "Slammer" being written as they made known the weakness that Slammer exploited.

Get the Idea?

Incidently if this tool actually exists e-mail me and let me know where to find it as I would like a copy to play with and test all the networks that I consult for.

Col

I personally don't know of such a tool, but posted this scenario in relation to the discussion on Metasploit Framework 2.0. But thanks for your opinion. As always it is valuable for my research.

This was Col Luck's reply by e-mail:

From what you're describing it's nothing new and cloning plastic cards is a big business world wide. I honestly think that the figures that have been quoted are very much on the consertitive side and even replacing the current crop of credit cards with the so called "Smart Cards" will only mean that the criminals have to change their methods a bit. Recently we had a group here caught with 100,000 blank cards waiting to be stamped and the magnetic strip encoded it was estimated that they had already made well in excess of 20,000 cards and managed to steal several million dollars and we only have around 20 million people over here. It's a lot bigger in the USA and other large countries about the only place that is currently safe is in the back lots of China as there is no possibility of using plastic there.
Now what the banks and other companies don't tell you is that with every transaction not only is the dollar amount sent to the company but exactly what you have bought where and when. So if you walk into your nearest chain store and buy your weekly food on plastic they get to know exactly what you are buying where and what time you prefer to shop. This information is sold on to competitor of the products that you buy so you can be targeted for promotions of their goods.

Now back to your original question it is a very big problem world wide and will only get worse as I mentioned previously with the standard plastic the average person should be able to gain access to your pin number within 15 attempts if they know what they are doing. Now the proposed "Smart Cards" are only a half way measure as they will only store account details and verify with the banks central computer that this account is in fact active much the same thing happens now with the current crop of plastic so while it is passed off as being far more secure it actually is only a way to increase fees as there is no added security involved but the average person will get a warm fuzzy feeling in their stomach knowing that they are now carrying a microprocessor with them instead just a bit of plastic with a magnetic strip. It is only when the amounts available are keyed into the Smart Card technology that things will start to become secure but then it will be the banks responsibility when money is stolen and not the consumers so I honestly can't see that happening in the short term.

Just to give you an idea of how easy cloning these things are the AU Federal Government at great expense developed a counterfeit proof form of plastic money {instead of the old paper type} and it was claimed that it was impossible to fake as there was a clear plastic window with a watermark in it that was only possible to make in the Government mint. Unfortunately the average color photocopier could do just as good a job which was brought home to me when I saw a 12 year old in at his fathers work photocopying one side of a $100.00 note off. Now granted he was only playing but the copy was almost perfect and other than the obvious fact that it was only copied onto normal photocopy paper and not double sided it looked real enough until you touched it. Now if you wanted to do the job properly you could line up a whole swag of notes and duplex them onto film instead of paper and they would be very hard to tell from the real thing particularly if you only saw one at a time. This actually happened as one of there places that I consult for has several copies of these fake bank notes in house so that they can educate their tellers to pick the differences to the real thing. These of course where supplied by the Federal Government to all of the banks after they had been passed off as the real thing and it was only much latter that they where picked up as being fake.

Now if it is possible to do this with bank notes just how difficult do you think it will be to do to pieces of plastic that can be bought almost anywhere blank for company security purposes and programmed as required?

I do believe that part where you say banks selling information about my purchasing habits. It seems that every time I buy something with a credit card, a few months letter I get catalogs of products related to that purchases.

Most likely not as by now he is out of touch with what is going on the the Hacker community but if it was a recent conviction that really showed some flair I'd personally grab him/her as fast as I could and never allow his/her feet to touch the ground.

I did this many years ago with a 15 year old kid who cracked a Defense Department secure area with a monitored line on of all things a Commode 64 which was even then a play toy but he managed to without attracting any notice break into a place over 16.000 times to download one file. When I heard about this I asked could I look up the records and it was expected that I would just pick up the hand out and read the half page spiel. Well I downloaded the whole court transcripts and all the investigation reports and then made immediate arraignments to see this kid with his play toy in a secure office. I got him to attempt to crack my system and find a specific file which was encrypted download it and open it. Well besides the kid being scared witless it only took him 10 minutes to get in through 5 layers of protection that no one had been able to do previously then find the file download it and read it. I had my immediate boos with me at the time and I spirited both the kid and his family out of America to a "Safe Place" where he learned Languages and now I believe works for a much more clandestine organization that what I recruited him for.

So in answer to your question if I was offered a so called "Hacker" depending on exactly what he/she was accused of doing and how they went about it if they where into breaking in andf extracting a copy of data and leave without any sign of being in I'd grab them as fast as possible because they understand just how the system works unlike others who are taught and only half understand what exactly is going on if even that. It is people like this who have a gift that I would not hesitate for one nanosecond to grab and have work for me as the best way of preventing intrusions is to hire people who specialize in this type of thing and that by the very nature of the business means "Hackers" but you really want one that didn't leave tracks to follow. The particular kid that I grabbed was only found out because he published what he stole in his school newspaper otherwise no one would have been any the wiser.

Col