A Commentary 

March, 2003

Editor's note: This is in response by Blake Laufer to our "PT the Auditor" comments in the October 2002 issue. See PT's column this month for his response.

There are several issues presented in the article that concern me. The hypothetical PC operating remotely at 3rd and Main the article referenced is suffering from simply a combination of incompetence and indifference to computer security.
Let's clear up a few issues . . .
Remote programs
Remote control programs, like Timbuktu and pcAnywhere, are designed for a remote machine to take control of a PC. Neglected in the previous article is the fact that in order for a machine to take control, there has to be an open Internet connection and that an observer on the workstation sees every mouse movement and keystroke performed by the guest. Since most remote workstations -- including the one the initial article referenced -- are not continuously connected to the network, and considering that even a semi-observant clerk would report any computer that has suddenly taken on an apparent life of its own, the risk here is quite minimal.
Passwords
Passwords are a very strong methodology of protecting information -- still better than most of today's PC-based biometric security measures (fingerprint and retina scanners) but at far less cost. The fact is that it's the dumb human that makes a password easy to break!
Consider this: Is your password written on a sticky note attached to your monitor for all to see? How many times have you been told to change your passwords frequently, and not to use the name of your spouse, child or pet? The trouble is that most people use common, guessable, dictionary-entry words. If you want a secure password, then just do as the experts recommend.
Networks
If you're using the Internet to exchange data with the PC, then you have to consider the ramifications of using a public network for your own private purposes.
Here's what I'm talking about.
You're booking a hotel room on your credit card. Would you prefer to give out your card number and expiration date to the hotel clerk in a private phone call to the reservations line, or would you rather shout your card number and expiration date loudly into your cell phone on a crowded city bus? Obviously the bus is a public environment and less secure for exchanging personal information.
The point I'm trying to make is that the Internet is a public domain and you never know who is listening; to use the Internet for private networking purposes means that you should take at least the most basic of precautions.
The weakest link!
According to Steve Mitnick, perhaps the most notorious hacker in America (he spent five years in prison for his crimes and was prohibited from using a computer for several years afterward): "When I would try to get into these systems, the first line of attack would be what I call a social engineering attack, which really means trying to manipulate somebody over the phone through deception. I was so successful in that line of attack that I rarely had to go towards a technical attack. The human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain."
An insecure world
Here are a few relatively inexpensive suggestions to improve the data security on a remote PC.
* If you don't need the Internet, then disable the connection. Connect to headquarters through a dial-up connection that is answered by a modem in the main office, which then performs an auto-callback to the workstation. Symantec's pcAnywhere provides this functionality, along with other products.
* If you must use the Internet, get Zone Lab's ZoneAlarm or a similar personal firewall package and lock down the computer from unauthorized external access.
* If feasible, set the modem to dial out only or disable the auto-answer for incoming calls.
* Install virus protection and keep it up to date.
* Install the latest patches for your operating system as well as your software.
* Perform frequent backups, and store the backups in an off-site location.
If the PC hardware can handle it, upgrade from Windows 95 to at least Windows 98, or preferably right up to Windows 2000 or Windows ME. These are more secure environments, provide better support for multiple users, and avoid potentially recurring license fees from Microsoft's more recent XP product line.
Train your users on basic computer usage and simple security measures, like never giving out their passwords or allowing other people to use the computer under their login name. If possible, restrict their Internet access to discourage "surfing," checking e-mail and downloading files.
As for those Excel spreadsheets that were mentioned in the previous article: cells containing formulas can easily be marked as "protected" to eliminate tampering.
These recommendations are not expensive, and can be installed and maintained by just about anyone with basic computer knowledge. For an even more secure system, install a Virtual Private Network (VPN) solution.
Audit
PT the Auditor forgot to mention that auditing is a great defense in the case of the remote PC. Check the phone logs to see if the modem is active after hours. Record the activity and failed login attempts on the machine. Enforce periodic password changes. And don't forget to audit those Excel reports against receipts from time to time.

Blake Laufer is a dedicated follower of new technology and Vice President of Research and Technology at T2 Systems, Inc. He can be reached at
blaufer@t2systems.com