Wednesday, 13 June 2012

[wanabidii] survival guide for managers and Chief executives in the face of IT revolution learn from equity

This is part 1 of a 3-part series.

The expression "burying your head in the sand like an ostrich" aptly describes the usual behaviour and attitude
of local corporate business owners toward the security of their computerized systems.

In a way it is understandable. Why think about something when you cannot do anything to improve matters?

For the first time in the history of business, managers and chief executives are managing information that they
cannot truly guarantee is under their proper control. In fact it is in the hands of the sometimes geeky, sometimes
excitable, young computer enthusiasts in the IT department!

The information is no longer in the cabinet where it used to be, with the key held only by the manager or CEO.
That era is gone. Only by sweet-talking your "IT guys" do things get moving along as they are supposed to.

Some corporations, notably Equity and Safaricom, have successfully tapped into the pool of young, dynamic,
IT-savvy talent and, like surfers riding a wave, have been raking in money and profits and talking in billions
within no time. It is a big contrast with timid managers and CEOs, some of whom, I am sorry to say, cannot type
a simple formula in Excel to calculate a week's expenses.

I have been in IT for a very long time; 20 years plus! A good number of those as a hobbyist. The reason I state that is not
to show off but so that you will listen to what I say below.

a) The level of data security in the databases of an average local company is deplorable. I am not sure what causes this.
If your data is held in an Access database, you can get a free tool on the web that tells you the database password.
I tested the tool. It is free of cost. It reveals the MS Access password in 20 seconds, and the password for an MS Excel sheet
takes 15 seconds. Some password indeed!

As a CEO or manager, if your data security is critical, be careful about calling your Excel files confidential if you are
relying only on the user password needed to open the file.


b) Do you know that box in Windows XP where you write a username and password to get to your user profile?

The greater percentage of computer users have faith in this security feature, a faith that can only be equated with a belief in Santa.

Test this:

If your computer normally presents a username like user, john or mary, for which you enter a password to proceed,
rub out the default name that you regularly use.
In its place write "Administrator" and, for the password, write nothing. Just click OK.

For many readers it will be a shock that you can get into your Windows XP without a password, and, believe it or not, with
greater administrative capabilities than your previous username that had a password.

Lesson for the CEO/manager: if you have confidential information on your laptop running XP, just make sure the user passwords,
including the one for the built-in Administrator account, are set up properly.

c) By now you know about all kinds of website hack stories, mainly about stealing identities and credit card numbers. What you may not
know is that these are the more laborious web-based attacks, carried out for a desired benefit to the attacker. Malicious attacks that
just want to delete and lose the information held on your website are a hundred times easier to achieve.

A command like "delete all tables" does just that, indiscriminately.

But it requires some trial and error to learn that the customers' information is held in the table called... can you
guess?... customers!

Practically every programmer in the world keeps the information on people who access their system, their
usernames and passwords, in a table called... can you guess... users!

So attacks on vulnerable websites are not that complex. The hacker is a computer programmer who knows what fellow
programmers think and what names they give to the tables where they store information.

Website attacks mainly use what is called SQL injection. This basically means adding, i.e. injecting, something extra
at the moment someone is entering their username and password, e.g. to get to their emails.
For example, I may use any name I want for the username and any word for the password, e.g. peter.

Only I must add some characters at the end of my password, so that it reads, e.g., peter ' or '1'='1

It may shock you how many websites around the world, and even regular computerized systems that ask for passwords,
will let someone access their information by adding those few characters at the end of any password entered
with any username.

When password authentication is done by SQL, as the great majority of computer and web systems do it, the added
characters turn the check into a condition that is always true, since "1 equals 1", so the computer lets you in
without ever having matched your username and password.

Technical information on what SQL injection is can be found here: http://en.wikipedia.org/wiki/SQL_injection
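As an added example (not code from the original post), here is the login check described above written two ways in Python: once by pasting the username and password into the SQL text, which is exactly what the added characters exploit, and once with a parameterised query that treats them as plain data. The users table and the two sample accounts are constructed for the demonstration.

```python
"""Added example: vulnerable vs. parameterised login check against a
constructed in-memory SQLite 'users' table (sample data, not real accounts)."""
import sqlite3

# Constructed sample rows. A real system should store password hashes,
# not plaintext; plaintext is used here only to keep the demonstration short.
SAMPLE_USERS = [("mary", "s3cret-mary"), ("john", "j0hn-pass")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The input is concatenated into the SQL text, so quote characters in the
    # input become part of the query's logic: ... AND password = 'peter ' or '1'='1'
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders: the driver passes the input as data, never as SQL text,
    # so the whole string  peter ' or '1'='1  is compared literally.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo() -> dict:
    """Run both checks with a real credential and with the injected password."""
    conn = make_db()
    injected = "peter ' or '1'='1"
    return {
        "vuln_real": login_vulnerable(conn, "mary", "s3cret-mary"),
        "vuln_inj": login_vulnerable(conn, "anything", injected),
        "safe_real": login_safe(conn, "mary", "s3cret-mary"),
        "safe_inj": login_safe(conn, "anything", injected),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The concatenated version lets "anything" in with the injected password because the WHERE clause is now true for every row; the parameterised version rejects it, which is the fix an audit of "vulnerable data inputs" should be looking for.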


Lesson for managers and CEOs: if your web system holds crucial data, have it gone over with a fine-tooth comb for vulnerable data inputs.
Specifically it should be protected against "SQL injection", which is almost always the gateway hackers use in all the
stories you hear of mega data theft from the most secure corporates of the world, including Microsoft and,
believe it or not, the data security gurus at Kaspersky Labs. Talk of taking the war to your doorstep.
 

Do you need a comprehensive professional audit of your computerized system? Are you getting the most you possibly can from
your computerized system? Just contact us for a free quote.


Peter Kamakia
Mitambo ICT Company
POBox 25360-00100
Nairobi
Tel:254-720219320

regards

Kamakia