University challenge attracts hackers

The recent Princeton/Yale hacking case demonstrates that even the most unlikely websites are in danger of attack.

The news that Princeton had hacked Yale must have come as a shock to the Ivy League colleges of the US, including most of the staff and students at the two eminent colleges.

In case you didn't know, Princeton is where the computer was invented, and it doesn't matter whose version of the story you adhere to.

Both John von Neumann, the US 'father of the computer', and Alan Turing, the UK 'father of the computer', did their inventive work at Princeton.

One would therefore expect that Princeton might know a thing or two about computers, but sadly not, at least as far as undetected hacking is concerned.

Apparently, at the height of the college admissions season in April of this year, the director of admissions at Princeton, Stephen LeMenager, repeatedly hacked into a Yale website set up to let applicants know whether they had made the grade and got into the college.

As might be expected, Yale officials filed a complaint to the FBI and Princeton placed LeMenager on administrative leave, pending an investigation.

Our immediate concern here has to be for the clear collapse of standards at Princeton.

Anyone who knows anything about gaining surreptitious access to a website is aware that there are identity-cloaking sites on the web, such as IDzap.com and Anonymizer.com, that can be used in order to remain undetected.

There are also many cyber cafes across the world that offer a good level of anonymity. How is it possible that LeMenager, working for such a prestigious pillar of computer education, did not know this?

If we examine what he did - access a Yale website using details of students who had also applied to Princeton - then we must also get deeply concerned about the web designers at Yale.

In order to validate the identity of students accessing the Yale site, they requested the input of name and date of birth: personal data that is not particularly difficult to acquire.

It was so ridiculously easy to achieve untraceable unauthorised entry at the Yale site that one can legitimately accuse both universities of staging a stupidity contest.

This, by the way, is a contest that Princeton just wins by virtue of LeMenager's excuse that he "accessed the Yale site because he was curious about its security". As regards lame excuses, this one takes the biscuit.

In many organisations, and among many individuals, there seems to be a naive assumption that there are no bad guys who are going to take advantage of lax computer security.

Of course, the opposite is true. There is a bewildering number of bad guys out there and some of them are very talented. They have different interests in getting into your computer.

Some may simply like to prove that they can. Some would like to steal valuable data. Some would like to play a few pranks and commit a bit of vandalism, or even a lot. Some may have a specific e-heist in mind. Some may be e-terrorists.

Some may indeed be competitors (as Princeton is to Yale), who are seeking some competitive gain. Some may wish to do nothing more than steal the use of your resources.

When a new computer is connected to the big wide network, there will probably be an attempt to hack it within 20 minutes; further attempts may occur every 20 minutes or so.

This is a recently observed figure that applies if your machine is not a natural target. For a popular target, such as the CIA website, the frequency of hacking attempts is much higher.

Members of the hacking community run scanning software across wide ranges of IP addresses, hitting large numbers of machines in a search for known security vulnerabilities.

They may leave such scanners running for days before coming back to look at the results. It's like baiting a series of traps and then coming back some time later to see what you have caught.

If they get into your site, you may never know, because the first act of the hacker is to cover his tracks.

Some hackers have assembled whole grids of machines which they have compromised in this way and which they can use unnoticed when they please. These, by the way, are not necessarily highly talented hackers.

You can learn how to do this kind of thing simply by surfing the web and gathering bits of technical advice from boastful apprentice hackers. The professionals don't broadcast their knowledge.

The threat is getting more sophisticated all the time and most IT organisations are unprepared for it. The threat is a lot more dangerous than the comic interactions of Princeton and Yale might suggest.

When a really damaging security compromise occurs, it rarely makes the news because nobody wants to admit that they were caught. But, in truth, it happens all the time.