What you need
to know depends on the degree of security you feel that you want or need.
In this set of pages you will find information on Internet anonymity, and how
to protect your communications and files from third parties, as well as tips
on other important security aspects that may arise through use of the Internet.
This series of pages is intended to help increase your awareness of security and privacy issues. We would also like to debunk some of the myths of computer use and the abilities of government and corporate security agencies to access your information.
Computer security can come at the expense of usability to one degree or another. It is up to you to determine what level of security necessary is for your legal comfort and the potential repercussions for you and others should that security be breached.
Good computer security is no substitute for good sense. Some things were never meant to be written down regardless of how likely it is that they could be recovered. If it must be written down, computers can offer a higher level of security than keeping "hard copies" around for the feds to find during a raid. Computers can also offer a much more secure way to communicate than the phone system.
There are two words to
describe the intruder: hacker and cracker. A hacker is a generic term for a
person who likes getting into things. The benign hacker is the person who likes
to get into his/her own computer and understand how it works. The malicious
hacker is the person who likes getting into other people's systems. The benign
hackers wish that the media would stop bad-mouthing all hackers and use the
term 'cracker' instead. Unfortunately, this is not likely to happen. In any
event, the word used in this FAQ is 'intruder', to generically denote anybody
trying to get into your systems.
Intruders can be classified into two categories.
Outsiders
Intruders from outside
your network, and who may attack you external presence (deface web servers,
forward spam through e-mail servers, etc.). They may also attempt to go around
the firewall to attack machines on the internal network. Outside intruders may
come from the Internet, dial-up lines, physical break-ins, or from partner (vendor,
customer, reseller, etc.) network that is linked to your corporate network.
Insiders
Intruders that legitimately use your internal network. These include users who
misuse priviledges (such as the Social Security employee who marked someone
as being dead because they didn't like that person) or who impersonate higher
privileged users (such as using someone else's terminal). A frequently quoted
statistic is that 80% of security breaches are committed by insiders.
There are several types of intruders Joy riders hack because they can. Vandals
are intent on causing destruction or marking up your web-pages. Profiteers are
intent on profiting from their enterprise, such as rigging the system to give
them money or by stealing corporate data and selling it.
The primary ways a intruder can get into a system
Physical Intrusion If a intruders have physical access to a machine (i.e. they can use the keyboard or take apart the system), they will be able to get in. Techniques range from special privileges the console has, to the ability to physically take apart the system and remove the disk drive (and read/write it on another machine). Even BIOS protection is easy to bypass: virtually all BIOSes have backdoor passwords.
System Intrusion This type of hacking assumes the intruder already has a low-privilege user account on the system. If the system doesn't have the latest security patches, there is a good chance the intruder will be able to use a known exploit in order to gain additional administrative privileges.
Remote Intrusion This type of hacking involves a intruder who attempts to penetrate a system remotely across the network. The intruder begins with no special privileges. There are several forms of this hacking. For example, a intruder has a much more difficult time if there exists a firewall on between him/her and the victim machine.
Note that Network Intrusion Detection Systems are primarily concerned with Remote Intrusion.
Software always has bugs. System Administrators and Programmers can never track down and eliminate all possible holes. Intruders have only to find one hole to break in.
Software bugs are exploited
in the server daemons, the client applications, the operating system, and the
network stack. Software bugs can be classified in the following manner:
Buffer overflows: Almost all the security holes you read about in the press
are due to this problem. A typical example is a programmer who sets aside 256
characters to hold a login username. Surely, the programmer thinks, nobody will
ever have a name longer than that. But a hacker thinks, what happens if I enter
in a false username longer than that? Where do the additional characters go?
If they hackers do the job just right, they can send 300 characters, including
code that will be executed by the server, and voila, they've broken in. Hackers
find these bugs in several ways. First of all, the source code for a lot of
services is available on the net. Hackers routinely look through this code searching
for programs that have buffer overflow problems. Secondly, hackers may look
at the programs themselves to see if such a problem exists, though reading assembly
output is really difficult. Thirdly, hackers will examine every place the program
has input and try to overflow it with random data. If the program crashes, there
is a good chance that carefully constructed input will allow the hacker to break
in. Note that this problem is common in programs written in C/C++, but rare
in programs written in Java.
Unexpected combinations: Programs are usually constructed using many layers of code, including the underlying operating system as the bottom most layer. Intruders can often send input that is meaningless to one layer, but meaningful to another layer. The most common language for processing user input on the web is PERL. Programs written in PERL will usually send this input to other programs for further evaluation. A common hacking technique would be to enter something like "| mail < /etc/passwd". This gets executed because PERL asks the operating system to launch an additional program with that input. However, the operating system intercepts the pipe '|' character and launches the 'mail' program as well, which causes the password file to be emailed to the intruder.
Unhandled input: Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn't match the specification.
Race conditions: Most systems today are "multitasking/multithreaded". This means that they can execute more than one program at a time. There is a danger if two programs need to access the same data at the same time. Imagine two programs, A and B, who need to modify the same file. In order to modify a file, each program must first read the file into memory, change the contents in memory, then copy the memory back out into the file. The race condition occurs when program A reads the file into memory, then makes the change. However, before A gets to write the file, program B steps in and does the full read/modify/write on the file. Now program A writes its copy back out to the file. Since program A started with a copy before B made its changes, all of B's changes will be lost. Since you need to get the sequence of events in just the right order, race conditions are very rare. Intruders usually have to tries thousands of time before they get it right, and hack into the system.
System configuration bugs
can be classified in the following manner:
Default configurations: Most systems are shipped to customers with default,
easy-to-use configurations. Unfortunately, "easy-to-use" means "easy-to-break-in".
Almost any UNIX or WinNT machine shipped to you can be hacked in easily.
Lazy administrators: A surprising number of machines are configured with an empty root/administrator password. This is because the administrator is too lazy to configure one right now and wants to get the machine up and running quickly with minimal fuss. Unfortunately, they never get around to fixing the password later, allowing intruders easy access. One of the first things a intruder will do on a network is to scan all machines for empty passwords.
Hole creation: Virtually all programs can be configured to run in a non-secure mode. Sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn't absolutely positively need to run on a machine in order to avoid accidental holes. Note that security auditing packages can usually find these holes and notify the administrator.
Trust relationships: Intruders often "island hop" through the network exploiting trust relationships. A network of machines trusting each other is only as secure as its weakest link.
This is a special category
all to itself.
Really weak passwords: Most people use the names of themselves, their children,
spouse/SO, pet, or car model as their password. Then there are the users who
choose "password" or simply nothing. This gives a list of less than
30 possibilities that a intruder can type in for themselves.
Dictionary attacks: Failing the above attack, the intruder can next try a "dictionary attack". In this attack, the intruder will use a program that will try every possible word in the dictionary. Dictionary attacks can be done either by repeatedly logging into systems, or by collecting encrypted passwords and attempting to find a match by similarly encrypting all the passwords in the dictionary. Intruders usually have a copy of the English dictionary as well as foreign language dictionaries for this purpose. They all use additional dictionary-like databases, such as names (see above) and lists of common passwords.
Brute force attacks: Similar to a Dictionary attack, a intruder may try all possible combinations of characters. A short 4-letter password consisting of lower-case letters can be cracked in just a few minutes (roughly, half a million possible combinations). A long 7-character password consisting of upper and lower case, as well as numbers and punctuation (10 trillion combinations) can take months to crack assuming you can try a million combinations a second (in practice, a thousand combinations per second is more likely for a single machine).
Intruders get passwords
in the following ways:
Clear-text sniffing: A number of protocols (Telnet, FTP, HTTP Basic) use clear-text
passwords, meaning that they are not encrypted as the go over the wire between
the client and the server. A intruder with a protocol analyzer can watch the
wire looking for such passwords. No further effort is needed; the intruder can
start immediately using those passwords to log in.
Encrypted sniffing: Most protocols, however, use some sort of encryption on the passwords. In these cases, the intruder will need to carry out a Dictionary or Brute Force attack on the password in order to attempt decryption. Note that you still don't know about the intruder's presence, as he/she has been completely passive and has not transmitted anything on the wire. Password cracking does not require anything to be sent on the wire as intruder's own machine is being used to authenticate your password.
Replay attack: In some cases, intruders do not need to decrypt the password. They can use the encrypted form instead in order to login to systems. This usually requires reprogramming their client software in order to make use of the encrypted password.
Password file stealing: The entire user database is usually stored in a single file on the disk. In UNIX, this file is /etc/passwd (or some mirror of that file), and under WinNT, this is the SAM file. Either way, once a intruder gets hold of this file, he/she can run cracking programs (described above) in order to find some weak passwords within the file.
Observation: One of the traditional problems in password security is that passwords must be long and difficult to guess (in order to make Dictionary and Brute Force cracks unreasonably difficult). However, such passwords are often difficult to remember, so users write them down somewhere. Intruders can often search a persons work site in order to find passwords written on little pieces of paper (usually under the keyboard). Intruders can also train themselves to watch typed in passwords behind a user's back.
Social Engineering: A common (successful) technique is to simply call the user and say "Hi, this is Bob from MIS. We're trying to track down some problems on the network and they appear to be coming from your machine. What password are you using?" Many users will give up their password in this situation. (Most corporations have a policy where they tell users to never give out their password, even to their own MIS departments, but this technique is still successful. One easy way around this is for MIS to call the new employee 6-months have being hired and ask for their password, then criticize them for giving it to them in a manner they will not forget :-)
Browser attacksWeb
It seems that all of Microsoft's and Netscape's web browsers have security holes
(though, of course, the latest ones never have any that we know about -- yet).
This includes both URL, HTTP, HTML, JavaScript, Frames, Java, and ActiveX attacks.
URL fields can cause a buffer overflow condition, either as it is parsed in
the HTTP header, as it is displayed on the screen, or processed in some form
(such as saved in the cache history). Also, an old bug with Internet Explorer
allowed interaction with a bug whereby the browser would execute .LNK or .URL
commands.
HTTP headers can be used to exploit bugs because some fields are passed to functions that expect only certain information.
HTML can be often exploited, such as the MIME-type overflow in Netscape Communicator's <EMBED> command.
JavaScript is a perennial favorite, and usually tries to exploit the "file upload" function by generating a filename and automatically hidden the "SUBMIT" button. There have been many variations of this bug fixed, then new ways found to circumvent the fixes.
Frames are often used as part of a JavaScript or Java hack (for example, hiding web-pages in 1px by 1px sized screens), but they present special problems. For example, I can include a link to a trustworthy site that uses frames, then replace some of those frames with web pages from my own site, and they will appear to you to be part of that remote site.
Java has a robust security model, but that model has proven to have the occasional bug (though compared to everything else, it has proven to be one of the most secure elements of the whole system). Moreover, its robust security may be its undoing: Normal Java applets have no access to the local system, but sometimes they would be more useful if they did have local access. Thus, the implementation of "trust" models that can more easily be hacked.
ActiveX is even more dangerous than Java as it works purely from a trust model and runs native code. You can even inadvertently catch a virus that was accidentally imbedded in some vendor's code.
Web server attacks
Beyond the execution of CGI programs, web servers have other possible holes.
A large number of self-written web servers (include IIS 1.0 and NetWare 2.x)
have hole whereby a file name can include a series of "../" in the
path name to move elsewhere in the file system, getting any file. Another common
bug is buffer overflow in the request field or in one of the other HTTP fields.
Web server often have bugs related to their interaction with the underlying
operating system. An old hole in Microsoft IIS have been dealing with the fact
that files have two names, a long filename and a short 8.3 hashed equivalent
that could sometimes be accessed bypassing permissions. NTFS (the new file system)
has a feature called "alternate data streams" that is similar to the
Macintosh data and resource forks. You could access the file through its stream
name by appending "::$DATA" in order to see a script rather than run
it.
Servers have long had problems with URLs. For example, the "death by a thousand slashes" problem in older Apache would cause huge CPU loads as it tried to process each directory in a thousand slash URL.
SMTP (SendMail) attacks
SendMail is an extremely
complicated and widely used program, and as a consequence, has been the frequent
source of security holes. In the old days (of the '88 Morris Worm), hackers
would take advantage of a hole in the DEBUG command or the hidden WIZ feature
to break into SMTP. These days, they often try buffer overruns. SMTP also can
be exploited in reconnaissance attacks, such as using the VRFY command to find
user names.
Ping sweeps
This simple scan simply pings a range of IP addresses to find which machines
are alive. Note that more sophisticated scanners will use other protocols (such
as an SNMP sweep) to do the same thing.
TCP scans
Probes for open (listening) TCP ports looking for services the intruder can
exploit. Scans can use normal TCP connections or stealth scans that use half-open
connections (to prevent them from being logged) or FIN scans (never opens a
port, but tests if someone's listening). Scans can be either sequential, randomized,
or configured lists of ports.
UDP scans
These scans are a little bit more difficult because UDP is a connectionless
protocol. The technique is to send a garbage UDP packet to the desired port.
Most machines will respond with an ICMP "destination port unreachable"
message, indicating that no service is listening at that port. However, many
machines throttle ICMP messages, so you can't do this very fast.
OS identification
By sending illegal (or strange) ICMP or TCP packets, an intruder can identify
the operating system. Standards usually state how machines should respond to
legal packets, so machines tend to be uniform in their response to valid input.
However, standards omit (usually intentionally) the response to invalid input.
Thus, each operating system's unique responses to invalid inputs forms a signature
that hackers can use to figure out what the target machine is. This type of
activity occurs at a low level (like stealth TCP scans) that systems do not
log.
Account scans
Tries to log on with accounts
Accounts with no passwords
Accounts with password same as username, or "password".
Default accounts that were shipped with the product (a common problem on SGI,
done to make setup easier)
Accounts installed with software products (common on Microsoft as well as Unix,
caused by products that run under their own special user account).
Anonymous FTP problems (CWD ~root)
Scan for rlogin/rsh/rexec ports, that may supported trusted logins.
Check this Site for more knowledge about the other Side.