Bog'liq Cyber crime and cyber terrorism investigators handbook by Babak
22 CHAPTER 3 New and emerging threats of cyber crime and terrorism
ease of use was their advantage point. One could walk up to the system, reboot the
system and run ones’ programs without any computer security measure other than
the physical access to the room. Multi-user use was added in a simplistic way as seen
from a computer security aspect. For example, the original UNIX/etc/passwd file was
world-readable. It showed the usernames, and their related one-way encrypted pass-
words and the random salt value. The one-way encryption process was supposed to
provide strong system access security as the process was irreversible. The claim was
right; however as the encryption process was public, hackers simply used brute force
processing of all character permutations through the fast password algorithm and
compared the outcome with the encrypted passwords in the password file. Out of the
box thinking resulted in a simple way to reveal usernames and passwords. Moreover,
Moore’s law caused an increase in processing speed each year and thus decreased
the password strength and time needed to break username-password combinations.
Other operating systems at that time allowed the user to interrupt a program
which had access to the password file and created a memory dump containing all
passwords in plain text.
Moreover, similar to earlier mainframes, the operating systems in minis and
midis were not secured against hackers as bad coding practices were used, e.g., buf-
fer overflows and lack of input validation. Providing new functionality in the operat-
ing system had priority over security.
Apple launched its Apple II in 1977. IBM followed with the Personal Computer
(PC) in 1981. The initial disk operating systems did not provide any security other
than a read-only bit to protect against the accidental overwriting of a file. It was per-
sonal computers after all.
Networking of PCs onwards from 1983, e.g., with Novell and LAN Manager, re-
quired more security to be added in hindsight to the PC. The increase in malware such
as viruses and worms required additional security measures to be added to the PC
platform—which was not intended to be secure at all—and its subsequent Windows
operating systems. Major failures in computer security were found in simple access
to the memory of system and other applications, disk scavenging, clear text pass-
words on the network, and too simple implementations of security measures that
dealt with legacy protocols. An example was the legacy support for LAN Manager
in Windows/NT where one easily could determine the length of a users’ password.
In a similar manner, the protection of the Windows/NT password file and file system
was based on internal system protection, it failed when hackers out of the box used
of a Unix-based bootable floppy disk and application to access the system device.
It took until after the millennium before manufacturers like Microsoft started
to take the security of their server operating systems serious. At the same time,
design failures occurred in the encryption processes of wireless networking tech-
nology. The push to the world-wide market and of the new functionality was more
important than proper cyber security. In a fast sequence, the wireless encryption
protocol WEP was shown to be insecure causing the need for their replacement
which was broken soon thereafter. Why did the system designers and program-
mers not learn from the lessons identified with earlier security failures? Why did
they only look for functionality?