At Your Expense

At Your Expense What a little entertainment has meant to the cost of doing business

In the 70's, Bobby stole cars for fun. He was pretty good at it, too; he almost never got caught, and his friends all had a good laugh at how much they were able to get away with.

In the 80's, his younger brother Joey didn't steal cars; but had a bit of success collecting bicycle parts. When he saved up enough money, he bought a computer.

By playing around and discussing what he'd tried with other curious thrill-seekers, he quickly learned to get all kinds of systems to do things they weren't designed to do - like let him make unlimited long-distance phone calls. It was 'quite a rush'; and no one really ever got hurt.

After a while, companies started to figure out that people were misusing their systems, and started engineering ways to control access to their valuable data and technology.

No longer able to connect directly into phone and data systems, people like Joey developed a new technique called 'Social Engineering'… …a fancy way of saying that if you can convince a user -- any user that does have access to a system -- that you are supposed to be there, they will simply let you have access. "Hello, I'm doing a line test; can you forward me to extension 90? Thanks!"

With every employee a potential doorway for hackers, companies began to remove privileges from staff members who might accidentally share their 'keys'… and eventually locked entire staffs down 'just in case'.

OK, now the servers are secure from the outside world. The users can't accidentally let the bad guys in by being too polite to strangers. The email server analyzes messages for known viruses, and each file server is scanned every night for infections. These days, the best way to get to a company's data is to attack from the computers already inside the building.

But to get someone's PC to do your dirty work, you're going to need its 'IP Address'; the number that identifies it on the network. How are you going to get a user to tell you that? You can't just call them up and ask; right? There must be an easier way…

If a hacker gets your user name from a public directory, he could have your IP address within seconds of the first time you log on with Yahoo! , MSN, or AIM instant messaging clients.

PROBLEM: Public Chat Networks Are Not Secure

'Instant messages' are sent in clear, unencrypted text -- and could be monitored by third parties with the right equipment.

Attachments sent during chat sessions are not scanned for viruses before reaching the user (unlike email).

A user can be inundated with unwanted chat requests at a rate of dozens per minute, effectively killing productivity.

Public IM Safety Precautions When it is appropriate to use public instant messaging systems (MSN, Yahoo, AIM), there are steps you can take to reduce risk.

Configure IM client software to accept chat requests only from users included in your 'buddy list'. 'Chat Hackers' usually need to make a connection to identify a target.

Block file transfers completely or allow such transfers only from users specified on your buddy list. If this is not feasible, set it to prompt you before all file transfers.