By Chad Walker
Security threats may change a bit to keep up with changes in technology, but one old maxim still holds true: Computer security is only as good as the weakest link. Ninety-nine times out of 100, the weakest link is a person, not a piece of software.
That weak link may be the administrator who didn’t take the trouble to apply patches for known vulnerabilities, or the employee who didn’t pay attention to warnings about suspicious e-mails. It could also be the employee who was intimidated into disclosing proprietary information by a caller pretending to be an angry superior. Defective software is a serious problem, as hackers use known vulnerabilities to break into networks. But it is often the case that they can’t use their technical skills to exploit those vulnerabilities until they use their social engineering skills on people sitting at their keyboards.
Social engineering is an increasing threat
Social engineering — nontechnical ways of gaining access to otherwise inaccessible information — has become a bigger threat in recent years. One growing form of social engineering is the use of e-mail to get into networks.
Sending e-mail messages with Trojan horse attachments is a technical way to get into networks, but it is the collection of e-mail addresses that involves social engineering. Hackers who want to target particular companies or people who have access to specific kinds of information can often identify those people at conferences and seminars. They will look for a booth set up by those companies or people and then look for the sign-up sheets left out for visitors who want to join a mailing list. Those visitors are often also signing up to be on a list of hacker targets.
The hackers can then send e-mails with embedded code designed to gather information from their targets’ networks. The message may have a line in it that says something like “Click here for more information,” which will actually establish a link to a data collection site set up by the hacker. A bigger issue is Microsoft Word attachments that execute Trojan horses when opened. The attachment may include a virus or a worm, but it could also execute a keystroke logger or some other program for opening up a back door into a target’s network.
Opening holes in networks
Even well-protected systems are vulnerable. A system can be as locked down as it can possibly be, but if one employee opens an e-mail attachment that executes a Trojan horse, that employee has opened a hole in the network.
The information that flows out of that hole back to the hacker won’t get much attention because it looks like it’s coming from the account of an authorized user of the network. Any attempt to attack the network directly will be repelled by the firewall. But messages going outside the network from inside usually aren’t looked at.
Let’s say the Trojan horse is built to automatically log a day’s worth of keystrokes and has an internal mail server send each day’s data out to a Hotmail account. The firewall will pay no attention because hundreds of authorized users may use Hotmail accounts every day. International hackers as well as spammers make extensive use of Hotmail, Gmail, Yahoo! Mail, and other free e-mail services. Those services have reduced spam by placing limits on how many e-mail messages can be sent by an account at any one time. But limits don’t hamper the more sophisticated hackers, who are doing targeted e-mails. The free e-mail services do not place limits on how many e-mails can come into an account, and the sophisticated hacker is likely to have 50 to 60 accounts, so that no single account is receiving an attention-getting amount of incoming mail.
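The daily keystroke dump to rotating free webmail accounts is exactly the kind of outbound traffic the firewall ignores but a mail-log review can catch. The following is an added example, not part of the original article: a small heuristic that scans constructed outbound mail-server log lines (the log format, the free-mail watchlist and the sample data are all assumptions) and flags internal senders whose mail to free webmail accounts shows a daily, same-hour cadence with attachments spread across many distinct accounts.

```python
"""Heuristic detector for daily attachment beaconing to free webmail accounts."""
from collections import defaultdict
from datetime import datetime

# Assumption: watchlist of free webmail domains named in the article.
FREE_MAIL = {"hotmail.com", "gmail.com", "yahoo.com"}

# Constructed sample of outbound mail-server log lines (not real data).
SAMPLE_LOG = """\
2007-03-05T23:58:12 from=jsmith@corp.example to=a41@hotmail.com size=48213 attach=1
2007-03-06T23:57:40 from=jsmith@corp.example to=b17@hotmail.com size=51302 attach=1
2007-03-07T23:58:55 from=jsmith@corp.example to=c09@gmail.com size=47990 attach=1
2007-03-08T23:58:03 from=jsmith@corp.example to=d88@yahoo.com size=50120 attach=1
2007-03-05T09:12:00 from=mlee@corp.example to=friend@gmail.com size=2200 attach=0
2007-03-07T14:03:10 from=mlee@corp.example to=friend@gmail.com size=1800 attach=0
2007-03-06T10:00:00 from=rdoe@corp.example to=vendor@partner.example size=9000 attach=1
"""

def parse_line(line):
    """Turn one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["attach"] = rec["attach"] == "1"
    return rec

def find_beaconing_senders(log_text, min_days=3, hour_window=1, min_recipients=3):
    """Return senders whose mail to free webmail accounts looks like a daily beacon:
    attachments on at least `min_days` distinct days, always within a band of
    `hour_window` hours, to at least `min_recipients` distinct accounts.
    (Hour-of-day comparison does not wrap across midnight; a real deployment
    would use circular hour distance.)"""
    by_sender = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["to"].rsplit("@", 1)[1] in FREE_MAIL and rec["attach"]:
            by_sender[rec["from"]].append(rec)
    flagged = {}
    for sender, recs in by_sender.items():
        days = {r["time"].date() for r in recs}
        hours = [r["time"].hour for r in recs]
        recipients = {r["to"] for r in recs}
        regular = max(hours) - min(hours) <= hour_window
        if len(days) >= min_days and regular and len(recipients) >= min_recipients:
            flagged[sender] = {"days": len(days), "accounts": len(recipients)}
    return flagged

if __name__ == "__main__":
    print(find_beaconing_senders(SAMPLE_LOG))
```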
Pretexting and dumpster diving
These techniques are illegal, and so are used mostly by international hackers who target the US Department of Defense and its contractors. I personally have never seen an established company use them against competitors. An employee may use such methods, but it’s not likely that any company would authorize them, because it would want to avoid prosecution and the bad publicity that would come with it.
Established companies doing industrial espionage are more likely to use traditional forms of social engineering. For example, they may try to get information about a contract by getting in touch with employees in a rival company under the guise of a job interview: “We’re looking for people in your field to come work for our company, and you’ve been highly recommended. We’d like to know what kind of work you have been doing. Would you like to come in for an interview?” They may go to bars frequented by employees of a competitor and listen in on conversations, or start conversations. These are common techniques that have been used for years.
As an American company proved late last year, it’s not necessary to use such aggressive methods to get in legal trouble. Pretexting — pretending to be someone else to get personal information — is one kind of social engineering, and it can be illegal. Last year, a company made the news because of the methods it used to track down a leak of proprietary information. Private detectives were able to get enough information about the people they were investigating to convince telephone companies that they were those people and give them access to private telephone records. These methods may have created a worse problem than the one they were trying to solve.
To be honest, that happens all the time. It just so happens that this was a large company doing this, and it became public. But people commit identity theft every day, usually to get financial information. Once you have a name, birth date, and Social Security number, you can pretty much get any information you want. Dumpster diving — looking through trash — is still one of the biggest sources of such personal information, even in the Internet age. People still don’t understand that when they throw something away, it’s still possible for someone else to get it. People who do this don’t just go through dumpsters and trash cans anymore. They also go to recycling centers. There’s a lot of money at stake, so identity thieves are willing to dig through other people’s trash.
Common problems and easy fixes
The most common security problem, though, is still that companies don’t do a very good job of patching their systems. They usually patch their operating systems fairly regularly, but they don’t do as well at patching applications, such as MS Office applications, Apple QuickTime, and AOL Instant Messenger.
What makes that problem worse is that, more and more, employees are adding applications themselves. There can’t be any patch management at all for applications that aren’t sanctioned by the company. That means employees who add unauthorized applications, and then don’t keep them up to date, are exposing the company. International hackers are taking advantage of that by exploiting vulnerabilities in MS Office. This is a national as well as a company security problem. Again, it comes back to the weakest link, which is usually the person at the keyboard, not the technology itself.
Passwords are another common vulnerability. When we do an intrusion investigation, we want to do what hackers do: find out which accounts are the easiest to break into. Probably 85 percent of passwords, maybe more, are simple words like “dog,” “cat,” or “yellow.” Accounts protected by passwords like these aren’t really protected at all because they can be cracked so easily. Using a dictionary attack — a search for passwords that are in the dictionary — we have been able to crack as many as 10,000 accounts in half an hour.
Accounts protected by more complicated passwords — ones using lowercase and uppercase letters, numbers, and symbols — can be cracked, too, but that requires something called a brute force attack. That kind of attack searches for every possible combination of characters and tries to match each possible combination to an actual password. Brute force attacks take a lot longer than dictionary attacks, but they will uncover the passwords of the people who are likely to be of greatest interest to hackers.
Security cannot be an add-on
Hackers are getting more sophisticated and there are more of them. They are breaking into networks for their own financial gain, or as part of industrial or government espionage. Much of the information that used to be gained by human intelligence — people recruiting agents, talking to other people — can now be done with less risk by hacking into a system.
Security cannot be an add-on. Every system is vulnerable. Security should be the envelope that encompasses everything. Security is expensive, and many organizations put off buying security technology because of the expense. But good security isn’t nearly as expensive as investigating and cleaning up after an incident.
Chad Walker is the manager of CSC’s North American computer forensic laboratory.