Corrections Telecommunication and Technology
F. Warren Benton, Ph.D.
John Jay College of Criminal Justice, CUNY
Reprints from a series published in Corrections Managers' Report.

Access the entire collection at the CTT Web Site.

Computer Network Security: Do you know who is hacking your computer?

by F. Warren Benton, Ph.D.
Copyright Corrections Managers' Report, October/November 1999

During the last five years, computer networks have progressed the last mile into many correctional agencies. Once network servers become available, use builds rapidly. As you begin to perform mission-critical and confidential functions on the network, security and reliability become very important issues. In this column, I will review some of the basic vulnerabilities of networked computers, and suggest resources and strategies to protect you computer and computer network. There are several basic approaches to hacking a computer, and this review is organized around three basic strategies: password attacks, network access and web server attacks, and email attacks. Psionic provides a good technical description of a wide range of attack strategies.

Password Attacks: A common mode of attack involves finding out a user's legitimate user name and password, and then accessing the system using that identity. This type of attack is hard to detect because the user appears legitimate to the system. It is also hard to prevent because password security depends to a great extent to the user. Two good guides to password security are on the Internet at Western Australian Internet Association and at California Polytechnic State University. The basic advise of both essays is:

  • Don't tell anyone your password.
  • Don't write your password down anywhere.
  • When you decide on a password, make sure it can't be guessed.
  • If you think there's even a chance someone else might know your password, change it.
The pages provide excellent advice to users about password security, including a listing of obviously bad passwords such as
  • Password same as the user name
  • Obvious passwords such as "word" or "password"
  • Common names, and
  • Short passwords.
The Cal Poly web page also explains some of the techniques used by hackers to determine passwords. A program called "Crack," for example, has an elaborate process to guess a password by trial and error, using combinations of words from all languages, place names, people names, names of characters in books, jargon, slang, and acronyms. These are tried backwards, in two-word combinations, in combinations with numbers substituted for letters, etc.

Network Access and Web Server Attacks: If your computer is part of a local area network which is connected to the Internet, then your computer is exposed to a range of potential access risks. The primary purpose of the network is to permit users to access resources and send information over the Internet, but the connection can be a two-way street. Hackers can use the network to achieve unauthorized access, over the Internet, to your computers and other network resources.

There are a wide range of ways to achieve unauthorized access. One set of approaches uses your computer network and its connection to the Internet. Some features of networking software can be accessible from outside of your network, allowing outsiders to roam your disk drives or other attached devices. Another set of approaches uses your browser to get access to your computer or your network. Your browser maintains or has access to information about you and your computer which can be used to hack your computer or network. A hacker could also get your browser to launch an "applet" – a program that runs in conjunction with your browser, to hack or roam your computer or network, or to send back information that is not normally accessible from the outside.

The basic solution to these security risks is to maintain a "firewall" which is a combination of equipment and software that limits outside access to networked computers and resources. If you are a Microsoft Windows user, Microsoft Corporation maintains a computer security site with a wide range of user-oriented and technical information, at Microsoft Security. To test the adequacy of protection for your computer and network, there are several commercial web sites that offer free non-destructive tests of your computer. The sites launch an application from the Internet that probes your computer, applying a range of techniques to probe weaknesses in your network security. These sites have a business interest -- they are attempting to sell firewall software to correct the problems that they identify. However, you are under no obligation to buy, and the information that you get can be revealing. The sites are:

Email Attacks: Hackers use email as another major route into the guts of your computer or network. Typically, a file is sent as an attachment to an email message. If the attachment is opened, or sometimes if the message is viewed, a computer virus is launched. A good resource to monitor is CIAC: The Computer Incident Advisory Capability. This service is sponsored by the U.S. Department of Energy and the Lawrence Livermore National Laboratory. If offers general advice and advisory bulletins about computer security vulnerabilities. An interesting section of their site is an advisory about false virus advisories. These are messages that announce fake viruses and computer security viruses. The goal of the message is to disrupt users by convincing them to take unnecessary and sometimes destructive precautionary measures, such as erasing important files for their operating systems, disconnecting computers from the Internet, etc.

Computer security is not an activity for amateurs. While many computer systems and networks, especially in smaller correctional facilities and programs, rely on staff members with special interest and expertise, the field of computer security as technically complex and demanding, and it requires expertise to keep up with emerging technologies. The most important advice for a correctional manager is to rely on technically qualified professionals to provide and maintain network security, and to support them with the resources necessary to do their job.