When Can Attacks Occur?

I've heard it said many times, "The only secure computer is the one that is left turned off and unplugged." This is actually not far from the truth. The moment a computer system comes online and connects to any network, it becomes a potential target. This doesn't mean that the minute you connect to the Internet, you are immediately being scanned, probed, or attacked. There are several important factors that come into play. I'll cover some of these first.

How Do I Become a Hacker's Target?

The minute you link up to the Internet, you are unwittingly opening yourself up for an attack. In order to become a target, you first have to be discovered or selected by the cracker as his victim. In some cases, you might be attacked at random when someone runs software that randomly selects addresses and launches an attack. Random selection is less common than discovery or targeting.

In the case of discovery, the methods used to find out who and where you are, and how vulnerable you might be, are often the same. An attacker runs a port scanner, such as nmap, feeding it a large block of IP addresses to check. The program then reports back to the user what computers it has found in that range of addresses, what ports are open, and, in the case of nmap, what operating system the remote system is running. Using this information, the attacker now has several potential targets to choose from. With the information he received on the remote operating system and open ports, he can now narrow the scope of the attack to target vulnerabilities already known within the remote system or service. This type of probe is often carried out before any actual cracking attempt is made.

The following shows the output from nmap when scanning one of my own workstations. It also shows you just how easy it is to get a lot of information about a single machine:

    [root@server user]# nmap -vO 10.0.0.15
    Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
    No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).
    Host (10.0.0.15) appears to be up ... good.
    Initiating TCP connect() scan against (10.0.0.15)
    Adding TCP port 554 (state open).
    Adding TCP port 5900 (state open).
    Adding TCP port 1433 (state open).
    Adding TCP port 445 (state open).
    Adding TCP port 1025 (state open).
    Adding TCP port 427 (state open).
    Adding TCP port 139 (state open).
    Adding TCP port 135 (state open).
    Adding TCP port 25 (state open).
    Adding TCP port 5800 (state open).
    The TCP connect scan took 1 second to scan 1523 ports.
    For OSScan assuming that port 25 is open and port 1 is closed and neither are firewalled
    Interesting ports on (10.0.0.15):
    (The 1513 ports scanned but not shown below are in state: closed)
    Port       State       Service
    25/tcp     open        smtp
    135/tcp    open        loc-srv
    139/tcp    open        netbios-ssn
    427/tcp    open        svrloc
    445/tcp    open        microsoft-ds
    554/tcp    open        rtsp
    1025/tcp   open        listen
    1433/tcp   open        ms-sql-s
    5800/tcp   open        vnc
    5900/tcp   open        vnc

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=9491 (Worthy challenge)
    Sequence numbers: B896EAF2 B897E041 B8988355 B89936FB B89A1722 B89B1A0A
    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds
    [root@server user]#

You can see that this machine is running Windows 2000, a Microsoft SQL database server, an e-mail server, and many other services. With this information, it becomes easy for the would-be cracker to do a little research online about vulnerabilities and exploits for your specific system or software. Often, this information also includes code or examples of methods used to exploit the weakness, making the job of the cracker that much easier.
Even if the person probing your system is an unskilled cracker, he can improve his attack by employing some of the software programs freely available on the Internet. These programs will test any remote system for hundreds of known vulnerabilities automatically.

An attacker can also be someone who has preselected you as his victim. The reasons for this are varied, but they include notoriety, contempt, theft of information, or financial gain. In this scenario, the attacker doesn't need to waste any time searching large network IP blocks to find a victim; he's already got one in mind. Depending on his motivation, he will most likely do a considerable amount of research before actually engaging in any malicious activity. The type of victim you are will determine the amount of caution or stealth employed by the cracker to avoid detection. For example, if the computers you work on belong to the Central Intelligence Agency, a great deal of time and ingenuity will be used by any attacker crazy enough to attempt to penetrate the systems to begin with.

Who you are, or for whom you work, also plays an important part in why or how often you might be targeted. A home or small office user is unlikely to be specifically targeted unless there is something worth the time and effort to be gained from doing so. If you happen to be the system administrator for Microsoft, things are very different indeed. Companies such as Microsoft typically log thousands of unsuccessful attack attempts every day. There are some fairly obvious reasons for this. The first one is simply name recognition. Just about anyone who has ever operated a computer knows of Microsoft. Launching a successful attack against Microsoft would bring a cracker or group of crackers some considerable bragging rights. Microsoft is also one of the wealthiest computer software companies on the planet.
The monetary and intellectual worth of source code and design documentation, financial data, and business information housed on the systems at Microsoft are, no doubt, very high indeed. Some of the more shady competitors of Microsoft would likely pay a good deal of money to get their hands on information like that. In October 2000, Microsoft fell victim to hackers via the Internet. Apparently, an employee opened an e-mail inside Microsoft that had an attached Trojan, which was then used by the attacker to gain entry into MS's corporate network. Although Microsoft denies any damage was done, it is rumored that source code and other proprietary information was leaked and made public. You can read all about it at http://www.abcnews.go.com/sections/tech/DailyNews/microsoft_hacked001027.html

It should also be mentioned that it is possible to make yourself a target just by participating in the use of a popular network service, such as IRC (Internet Relay Chat). IRC is often the home base and the battlefield for many cracking groups, large and small. IRC network operators often must go to great lengths to keep abuse on their systems to a minimum. In retaliation, the attackers target the IRC service providers and innocent users of the service. As of late, the IRC network Undernet, one of the largest free IRC services worldwide, has been the victim of continual assaults. These have escalated to the point that the service operators are ready to pull the plug permanently. More information about the January 2001 Undernet IRC attacks can be found at http://www.newsfactor.com/perl/story/6655.html

Dial-Up Versus Persistent Connections

How you make your connection to the Internet plays a significant role in how easy it is to find and target you, and there are trade-offs for each method. The most popular connection methods include dial-up connections (modems or ISDN) and persistent ("always-on") connections, such as a cable modem or any type of DSL (Digital Subscriber Line).
When you use a modem to connect to an Internet Service Provider (ISP), you typically dial into a modem bank at the ISP, and its systems pick an IP address for you from a pool of addresses assigned to it. This address is required to make a TCP/IP connection, and is unique for every host connecting to the Internet. The immediate benefit of this is that, every time you dial up and connect to the Internet, you have a different IP address, and this makes specifically targeting you a lot more difficult. On the downside, a dial-up connection is slow, unreliable, and, in most cases, extremely vulnerable to denial of service attacks, as you will see later in this chapter.

Dial-up connections are quickly becoming less common. With cable modems, DSL, and other high-speed Internet access technologies, anyone from almost anywhere can enjoy a very fast and considerably stable Internet connection. In most cases, these connections are considered "always-on," which means that every time your computer is turned on, it is connected to the Internet. This is great for end-user convenience. I certainly enjoy being able to sit down and get to work immediately online. This also puts you at considerable risk of an attacker out on the Internet targeting you and attempting to break into your machine or take it offline. Many always-on connections assign you a static IP address. This is really nice for people who need to be able to connect to their computer remotely, but it also makes it really easy for your machine to be found on the Internet. It also helps make it easy to find you again later on, if the attacker decides he isn't through with you. Even if you don't have a static IP address, an always-on connection usually does not change its address often enough to be hard to find.

Tip: I used a cable modem for some time from @Home AT&T that was supposed to automatically change addresses every few hours. The entire time I had this connection, the address never changed, contrary to what I had been told when I purchased the service.

Which Computer Operating Systems Are Vulnerable?

Everyone who uses a computer for anything will eventually find an operating system that they are most comfortable with, and that they most enjoy using. The average computer user rarely uses system security as a basis from which to make this choice. These users are typically drawn to a particular interface, or by the available applications for the operating system. Even when security is an issue, many people are led to believe that their OS of choice is somehow more secure than another. The truth is simply that every operating system is vulnerable in one way or another. Computer users will stubbornly defend their OS over another, and most often bash the other systems available, especially where it concerns system security. It doesn't matter whether you run Windows, or Linux, or any other operating system. You are potentially vulnerable.

There are operating systems that are designed to be secure. For example, OpenBSD is an operating system built from the ground up to be the most secure operating system available. When I checked the OpenBSD Web site, the operating system had gone more than three years without a remote exploit in a standard release. Even with this record, it has had several locally exploitable vulnerabilities.

Windows users are often the target of verbal abuse and ridicule by security professionals, script kiddies, and crackers alike. Many Windows users have been driven into some sort of security paranoia, believing that people can connect to their computers, get inside, and wreak all kinds of havoc. In most cases, this is simply not true. Consumer editions of Windows, such as Windows 95/98 and Windows Millennium Edition, ship without any network services for a typical installation. This means there is nothing running on the machine that will accept outside network connections.
Even Windows NT 4 Workstation or Server, and Windows 2000 Professional, install with minimal or no default network services running. Before the Windows users break out the champagne, let me bring you back down to earth. As soon as you set up any type of network connection under Windows, you are throwing the doors wide open. Windows will install several unneeded components along with a network adapter or a dial-up configuration. Services such as file and print sharing, and, in some cases, Internet connection sharing, are activated without the end user being made aware of it. Some may argue that these services are needed, but for a standalone Internet connection, they just aren't.

Windows users also suffer from other glaring security problems that don't even exist on other systems. Viruses, malicious scripts, Trojans, and back doors, plus a weak TCP/IP stack implementation, make Windows extremely vulnerable to a wide variety of attacks. Also, Windows often installs File and Print Sharing over TCP/IP and NetBIOS along with its other networking components, even when you are only a dial-up user. In a normal network environment, this allows Windows users to share files and printers with other people on the same network. Many people might never use or need this feature, and they don't disable it. This can be an open door for anyone on the Internet to access the system and do his dirty work.

Some people may not consider UNIX variants such as Linux, FreeBSD, NetBSD, and OpenBSD, operating systems more commonly found on servers, to be desktop operating systems, but they are gaining acceptance rapidly in this area. Out of the box, UNIX systems come with all sorts of services installed, such as Telnet, FTP, and httpd (the Web server service), including easily exploitable legacy daemons. It is up to you as an end user to assess security after the installation and make the necessary changes.
A properly secured open source operating system can provide an extremely reliable and secure alternative to expensive commercial operating systems, when properly set up and configured.

Macintosh and the Mac OS are not as popular as they were back in the mid-1980s, but they are still widely used, and Mac users are just as stubborn when defending the Mac OS. The Mac OS has grown up into a very robust and powerful operating system. Of course, it, too, has its vulnerabilities. Macs can fall victim to viruses just as easily as any Windows system. Depending on your version of the Mac OS, you can also be targeted because of weaknesses in Apple's Web Sharing and File Sharing. Unless absolutely needed, these features should be permanently disabled.

My Firewall Will Stop the Pesky Crackers!

The biggest craze in protection from attack has got to be the firewall. A firewall is a device that sits between your computer(s) and another network, such as the Internet, and that can be configured to block access to services and data inside the firewall. A properly configured firewall is a great tool for defending your assets from remote attack. It is not, however, the end-all solution. A firewall also allows traffic to come through, and because of this, the hole is not completely plugged. Many firewalls also give you the option of setting up service proxies, which allow a dangerous service through, but only through a protected proxy.

Recently, I did a security audit for clients who were using a high-end commercial grade firewall. They had left a Telnet proxy service running, and, through it, I was able to penetrate and map their entire network, using the firewall as my point of access. This service allows people to use a simple network Telnet client to pass directly through the firewall without authentication. The people using the system had not correctly configured the firewall, and by doing so, made it easy for anyone outside to get in.

Most people don't realize that proper security requires more than just a fancy firewall. With the increase of e-mail based viruses, Trojans, and malicious scripts, firewalls are becoming less effective. The firewall would correctly permit the e-mail traffic to come in, but, by the time anything dangerous is detected, it could be too late. For more information, see Chapter 10, "Firewalls."