The internet will only be secure if vendors rewrite systems from start to finish, says cyber terrorist tracker Sven Radavics.
And as more devices become web-enabled, the world faces ever greater threats from hacking. Even the fax and photocopier isn’t safe, says Radavics, who says he has successfully penetrated a large copier.
The Sydney-based security specialist has tracked down cyber terrorists in Australia and a child pornography ring in Asia. In New Zealand, he has helped build Telecom’s managed security services platform and worked with Asia Online on its security systems.
His present job, to which he has just been appointed, is Asia-Pacific senior manager (sales engineering) of firewall security company Watchguard Technologies. Kiwi customers are serviced from Australia, with staff making several visits a month here, but Radavics expects a New Zealand presence soon.
The 10-year security specialist says New Zealand firms face the same risks as in any other country. “The biggest issue that people need to understand is that the internet was built for sharing information. Security is only an afterthought, a band-aid,” Radavics says.
“I don’t think we’ll have a fundamentally secure internet until the products [routers and switches] are designed from the beginning with security in mind. This means that vendors will need to rewrite routing operations from scratch, and that’s not going happen in a hurry,” he says.
Radavics says he is sceptical about the new internet protocol, IPV6, and believes IT business is just in the beginning phases of hacking and security.
“Today, we’re where the virus part of the industry was four to five years ago. There’s going to be a lot of excitement before all this is over,” he says.
Radavics blames this on holes in existing systems and the mistaken belief of many that they are safe. Contrary to what they might think, even small firms are at risk. Firms face dangers from disgruntled employees, or former employees who find hacking tools on the web and easily use them to bring down the network.
Cyber vandals, including children, can easily scan sites, find vulnerabilities and upload grafitti on to a corporate website. Newbie hackers can also find hacking guides, which are increasingly available in shops and online, he says.
Radavics says firms also wrongly believe a firewall makes them or their website safe. A site he once visited had a correctly configured -- but not activated -- firewall.
During installation, a firewall often "breaks" something, creating new security vulnerabilities, he claims. When this happens, the firewall is often "yanked" for later attention, which never happens.
Radavics says he is unaware of any totally safe website, despite firewalls. “Some of the world’s biggest corporations, most secure governments and military bodies [have been] caught with their pants down,” he says.
And even obscure devices create dangers, with people becoming increasingly excited about the wired home, with IP in appliance, and in cars. “Anything that can be networked can be hacked and exploited. What good is a firewall in the following example: a company goes out and buys the greatest fax machine that allows anyone from a PC on the corporate network to send faxes without leaving their chair. When you break it all down, the fax machine is just a scanner, a printer, a modem and an IP device. In theory a hacker could connect to the fax machine, exploit a vulnerability in the IP attack and be into the network,” he says.
Radavics says he’s never hacked a fax, but did something similar with a huge photocopier.
“The photocopier allowed modem connections for troubleshooting and maintenance. It had an IP stack so that people could print to it from anywhere. The IP stack supported ftp which allowed me to ‘dial in’, start an ‘outbound’ ftp session which the firewall allowed out [outbound connections are often allowed through firewalls as they are not seen as a security threat] and started downloading trojans. From the copier I ftp’d these files to some internal ftp servers. It was the beginning of a successful hack,” he says.