Las Vegas Sun

March 28, 2024

Computer experts warn about holes in software

One of the most self-destructive things companies can do, in terms of leaving their databases vulnerable to hackers, is failing to educate their employees about software security holes, a computer security expert said at a Las Vegas conference.

Tim Newsham, security researcher for Boston-based software firm @Stake, said one vulnerable network is called the Wired Equivalent Privacy -- a system based on wireless cards that allow laptop users to share files.

Using this system, laptop users need a password to access the encrypted information available on another computer.

Newsham said some companies don't offer these wireless cards to employees because the current cards have weak encryption.

"When companies don't offer the cards to employees and don't say why, employees (purchase them) and install them anyway without knowing the security risks," Newsham said.

"It's not difficult for a hacker sitting in a parking lot of a business with a laptop to intercept the information (as the files are being passed through the air)," Newsham said during an interview at last week's Black Hat Briefings conference.

The fifth annual Black Hat Briefings conference attracted about 1,300 computer security experts and hackers.

Some local software security experts say most software vulnerabilities lie in the installation of firewalls (software designed to block intruders from accessing computer databases).

"A lot of people install (wireless technology) with little or no security, and that's like leaving your door unlocked," said Eric Reed, a service delivery manager and software security expert for the Las Vegas office of Sprint E/Solutions.

Reed said software hacking is a popular trend and firewall software is going to be the next big growth industry.

"It's not your friendly Internet anymore," Reed said, noting many computer programmers enjoy the challenge of breaking software codes that allow them to access private and personal information.

But trying to secure the Internet from hackers is short-sighted, because anyone who wants to find a way to access your information will ultimately succeed, said Richard Thiemes, an accomplished author of computer applications.

"It's a question of perspective. We can focus on the small changes, but you need to look at the big picture," Thiemes said. "The whole world is a battle space to be managed and controlled through perception management.

"You ultimately can't protect the information ... whether it's information online or offline."

Another growing problem of cyber misperception is called "spoofing," which is when software intruders create a false identity or a "shadow copy" of the web so that unsuspecting users may forfeit credit card numbers or other private information when visiting a site that appears to be a trusted business.

"Most systems are vulnerable to this unless you install intrusion detection systems," said Thomas Olofsson, a computer expert for London-based security firm Defcom.

Some software security experts say there are some simple steps to prevent being spoofed.

Andrew Appel, professor of computer sciences at Princeton University, recommends that before clicking on a link, web surfers place their cursor on the link, which will highlight the web address they are about to visit.

If that's not the web address of the company they want to visit, they'll know it's a mirror of that site most likely created by an imposter, he said.

Olofsson said financial institutions and credit card companies are the types of companies that spoofers would claim they represent.

Other fraudulent schemes involve thieves posing as real businesses and requesting information from consumers.

Ken Lee, a vice president of administration and the security officer of Henderson-based Silver State Bank, said his company does not electronically request personal information.

"We advise our customers if they get an e-mail (that claims it's from Silver State Bank) asking for private information, they should call the bank and ask to talk to an account manager," Lee said.
