Beware of Script Kiddies
Internet security experts call them a host of names: wannabe hackers, Internet vandals, criminals and nuisances. But the term “script-kiddies” may describe them best.
Last March, someone broke into a computer at the National Security Agency in Ft. Meade, Md., and made off with materials from the public affairs office including biographies and some unclassified e-mail correspondence.
Government officials did not appear to consider the breach a security threat. The hackers, however, posted the stolen materials around the Internet with a message boasting about the break-in.
The incident may have embarrassed the NSA, but then, who cares if information in the public affairs office is made public? After all, isn't that the goal?
Sounds like a script kiddie caper.
Maybe, says Chris Shutters, chief engineer with Polivec Inc., Mountain View, Calif., a company that helps businesses to automate information technology (IT) security policies. “That's the kind of thing script kiddies do,” Shutters says. “They want to perform an unauthorized or malicious act against a computer system but often don't have the technical skills to pull it off.”
Script kiddies are a hacker subset. They attack systems when they can, for bragging rights or political reasons. Unlike their counterparts, script kiddies need technical help.
Skilled hackers often succeed in figuring out ways to break into computer systems. When successful, they sometimes produce scripts or software applications that automate their methods of attack and post them on Internet Web sites for anyone to use.
Script kiddies use these scripts but often don't understand everything the scripts will do, says William Orvis, senior security specialist with the Lawrence Livermore National Laboratory in Livermore, Calif. A script kiddie might want to break into a system and look around — in secret — but could end up shutting the system down by accident, thanks to an unnoticed feature in the script.
The NSA break-in in March had script kiddie fingerprints of a different sort. Whoever carried out that attack felt the urge to brag about it in the media despite the innocuous results.
“A good hacker is like a savvy car thief who can get past a ‘Club’ and other security systems,” says Bill Murray, a spokesperson for the FBI's cyber division. “A script kiddy is more like a car thief testing door handles to find the car that has been left unlocked.”
In other words, to counter script kiddies, system administrators must lock the doors to the computer system.
“We advocate firewalls, anti-virus protection, and strong passwords with more than eight characters combining upper and lower case letters, numbers, and symbols,” Murray says.
Orvis also recommends keeping up-to-date on system patches supplied by operating system vendors. “Suppose someone runs a program called Winnuke and types in the address of an un-patched Windows box on your network,” says Orvis. “The computer will go blue screen.”
Operating system vendors regularly issue patches or security updates designed to protect against specific kinds of attack programs such as Winnuke.
In fact, most of the newer operating systems can update patches on their own — Windows 2000, for example, will automatically check the Microsoft Web site for newly-issued security patches, and the computer can be set to download and install those patches as they become available.
“The fact that a company issues a security update means that someone knows how to do bad things to your system, and that's what leads to scripts,” Shutters says.
In addition to these basic script kiddie defenses, Shutters recommends turning off unnecessary Internet servers connected to a network. “If it's turned off, a script kiddie can't break into it.”
Shutters also points out that network software has grown so complex that system administrators may not know about all the portals a hacker might find to crawl through. “One of our clients built a network system, and the installation process added 14 network services that the administrator didn't know were there,” Shutters says.
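One way to find services an administrator did not know were installed is to compare a host's listening TCP sockets against an approved baseline. The sketch below is an added example, not code from the article or from Polivec; the `ss -H -tlnp` output and the `APPROVED_PORTS` baseline are constructed for illustration.

```python
import re

# Constructed sample of `ss -H -tlnp` output (not taken from the article).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=900,fd=6))
LISTEN 0 5 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=700,fd=7))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 32 *:21 *:* users:(("vsftpd",pid=950,fd=3))
"""

# Hypothetical baseline: the only ports this host is supposed to expose.
APPROVED_PORTS = {22, 80}

PROC_RE = re.compile(r'\(\("([^"]+)"')

def is_loopback(addr):
    host = addr.split("%")[0].strip("[]")  # drop interface suffix and IPv6 brackets
    return host.startswith("127.") or host == "::1"

def parse_listeners(ss_output):
    """Return (address, port, process) for every listening TCP socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header, blank line, or non-listening state
        addr, _, port = fields[3].rpartition(":")
        match = PROC_RE.search(line)
        # ss omits the process column for kernel sockets or when run without root
        proc = match.group(1) if match else "unknown"
        listeners.append((addr, int(port), proc))
    return listeners

def unexpected_services(ss_output, approved=APPROVED_PORTS):
    """Network-reachable listeners on ports outside the approved baseline."""
    found = set()
    for addr, port, proc in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # bound to loopback only, not remotely reachable
        if port not in approved:
            found.add((port, proc))  # set merges IPv4/IPv6 duplicates
    return sorted(found)

if __name__ == "__main__":
    for port, proc in unexpected_services(SAMPLE_SS):
        print(f"unapproved listener: tcp/{port} ({proc})")
```

Each flagged port is a candidate for the "turn it off" advice above: either the service is added to the baseline deliberately or it is disabled.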
Finally, Shutters suggests taking a hacker's view of a system and looking for ways to break in. Many script kiddies use software called vulnerability scanners, he says. When a computer's Internet address is typed into the scanner, the program searches for and reports back on weaknesses of a particular server or a series of servers. “Then a script kiddie will launch scripts at those weak spots,” he says. “If a system administrator runs the vulnerability scanner first, it's possible to fix problems before script kiddies find them.”