IT@TT - Online

Hacking Away

Last year, nearly 52 Indian websites were attacked by hackers, mostly believed to be from across the border in Pakistan. Critical sites including those belonging to the Indian Army, BARC, VSNL and SEBI were part of this little-envied, forced fraternity. Indian cyber enthusiasts, in response, were keen on signing up for the "Indian Cyber Army" if there was any such association. There is of course no such association, at least not yet. Meanwhile, our systems and networks are not safe from hackers.

Hacking today has taken on serious implications. It's morphed from simply using up system resources, 'Net time and saving porn on hard drives to Denial of Service (DoS) attacks, mail bombs and penetration of secure information areas.

Hacking, some veterans say was never a wholly disreputable activity. Preferring the term "cracking" to hacking, these individuals legitimately find security loopholes in software programs. They call themselves "Ethical hackers" or "White hackers" as opposed to "Malicious hackers." Distinguishing between the two, however will depend on what the hacker does after he breaks into the system.

If its any consolation to individuals who perceive themselves as powerless in the face of hacker attacks, corporates are not any better off. According to a CII-PricewaterhouseCoopers survey on IT security in Indian companies, only 57 percent have any informal or no security policy in place. This is in spite of 60 percent of the companies having faced security breaches of some variety over the last year. These violations ranged from unauthorised entry, fraudulent use of telecommunications, virus infections and theft of corporate data to denial of service attacks.

Hackers often fall between the 14-29 years age group, are male and have ample time to spare. You will find amongst them the script kiddies, the technicians and the professionals.

The Script Kiddies
Way below in the hacker's pecking order, script kiddies research hacker sites and work on tools and scripts developed by seasoned hackers. They then scout for systems on the Internet to try their newly acquired skills on. Script kiddies normally hack Web sites and substitute the home pages with messages such as these, "Site hacked by XYZ." Besides being aggravating, there's not much script kiddies can do to actually bring your system down.

The Technicians
Beware. Experienced and skilled, they have excellent programming skills and a thorough understanding of computer networks. They might just be indulging themselves to a little learning. They could also be using your system as a gateway to launch attacks on other systems. They are dangerous mostly because they are unpredictable.

The Industrial spies
Industrial espionage of a different kind is hacking which targets companies for critical financial or research information. These individuals too are skilled and spend time researching tools and methods before attacking. At times, they're even hired by companies to obtain competitor information. Typically banks, e-commerce sites, MNCs and intellectual property-based companies are targets.

Preventing hacker attacks
India's Information Technology Act, 2000 (ITA-2000) has a provision on hacking. And takes cognizance of a significant government initiative against hacking activity. It defines hacking as an act which is likely to cause wrongful loss or damage to the public or any person, destroys or deletes information in a computer resource or diminishes its value or utility or affects it injuriously by any means. Legally, the act is punishable with up to three years or with a fine which may extend up to Rs 2 lakhs, or with both. With this Act, if you can trace the hacker you can nail their hides to a convenient wall.

Software operating on systems that are connected to the Internet is a popular entry point for hackers, especially via their back end components. Make note of all the software you use and bookmark the sites of the software vendors to get their updates and patches. You can also sign up for services that will send you newsletters on updates.

Some sites specialise in computer and network security. They often post system vulnerabilities well before a vendor brings out a fix. L0pht.com and 403-security.org are two sites which can give you the latest on security information.

Try and use unique passwords. These typically should be a combination of alphanumeric, special characters, lowercase and uppercase letters (or use Password Agent, reviewed in it@tt, 9 January 2001 -Ed). Change passwords as often as possible. Do not send credit card information to sites that do not use some form of encryption technology. Install firewall software, to shield entry of unauthorised users via the Internet. Archive your data on removable media at frequent intervals. Also check your computer user logs regularly. This way you can be aware of any unusual activity or usage.

Many people have advocated an Association to help Indian Web site owners secure their sites from such attacks. There is as yet no government protection for the (proposed) Indian Cyber Society. What countries like the US and Switzerland have that India lacks is a "Computer Emergency Response Team" (CERT). Such a CERT, initiated and funded by the government, with more than adequate support from the industry, will certainly help throw many hackers and virus propagators so far off-course so they never return.

Radhika Peddi
[email protected]

Top

Other Articles