Arun Marballi

In last month's column, I addressed the worrisome situation of insecure SCADA (Supervisory Control and Data Acquisition) devices that manage numerous infrastructural processes such as water supply, power distribution, nuclear power plants, etc., and how the vendors of these devices tend to ignore the threat of someone exploiting software defects to access the core of these processes and take over their control.

In the same vein, we recently heard about the Large Hadron Collider's computer systems being hacked into and the Web site being defaced. Coming on top of rumblings about this massive scientific experiment leading to the potential destruction of the planet, one couldn't help but feel a foreboding sense of disquiet. And then a couple of weeks ago, I came across a report from Heise Security from United Kingdom, which noted that vendors of medical implants such as insulin pumps and sensors for bodily functions are increasingly using wireless software updates for effecting changes thereby avoiding surgery by not requiring incisions.

A common thread runs through each of these three situations and that thread is the exposure of a sensitive device or process to potential unauthorized public access in the interest of increasing convenience for a few users.

The problem is not in increasing the convenience but in doing so without due diligence to prevent unauthorized access. Now, some Chinese researchers have come up with a design for the medical implants that will use the patients' heartbeats as a key for encrypting external messages sent to the implants thus reducing the risk of hacking - a step in the right direction indeed! Perhaps, the makers of SCADA devices and the institutions that control the computers for the Hadron Collider and other similar machines will take heed and isolate these machines from direct access via the Internet to avoid the risk of these devices being hacked into as well.

Speaking of Internet-based hacking, I am sure that all of you have heard of the hacker who got into Sarah Palin's Yahoo e-mail account and exposed her private as well as official e-mail. Although hacking into someone's Yahoo e-mail account is a crime and cannot be condoned, I would like to state that all e-mail messages when sent out from your machine follow a route that includes stops at numerous Internet based servers making copies along the way. Anyone with access to these servers that knows their way around can discover and read these e-mails - hence, the notion of privacy on Internet e-mail is just an illusion.

Although all e-mail messages follow similar routes as they navigate from outbox to inbox, e-mails that have been encrypted, although visible on the servers, are not legible. Now free Internet based e-mail systems such as Yahoo and Hotmail do not offer encryption; hence, it is a mistake to use them for e-mails containing sensitive information. Additionally, as e-mail messages traverse the network between servers, their content can be read easily with network devices called sniffers. So, folks, keep this in mind the next time you click the send button to dispatch your e-mail message.

When it comes to hacking into someone's account, one of the first vectors of attack is to use the password reset links. Most of these links ask simple questions such as mother's maiden name, name of your pet or the city you were born in. Some of this information is easily obtained by doing a Google search on that person; more so in the case of a person with a public presence. Institutional Web sites such as online banking Web sites, typically will send your password or password hint to your e-mail account on record.

The e-mail account password reset, however, will typically ask answers for the security questions or provide you with a password hint right there on the screen. In either case, it is possible for someone with knowledge about the person to guess their way into the e-mail account. The password reset links therefore have been found to provide the weakest link that enable hacking.

There are of course ways to eliminate this risk by using "strong" passwords - passwords created by seemingly random combinations of Alphabets, Numbers and special characters (!, (@, #, $, etc.) and you can actually check the strength of your password at the following Web site: Microsoft Password Checker

Arun Marballi has worked in the Information Technology arena for more than 20 years with extensive experience in software development, process design and network/workstation management. For comments, questions, tips or suggestions, e-mail [email protected].

Home