This is the first in a regular series of security articles and whitepapers from AtomicTangerine, lead investor in SecurityPortal. AtomicTangerine is an independent Venture Consulting firm founded at SRI International, formerly known as Stanford Research Institute.
In the last few months we have seen an increase in the number of reported computer and network attacks. Most of these have been high-profile attacks, such as the "I Love You" email virus and February’s series of distributed denial-of-service (DDoS) attacks against major Web sites. Many companies and universities unwittingly took part in the DDoS attacks: attackers were able to plant "zombie" programs on computers at these institutions, which served essentially as robotic artillery units during the attack. Partly as a result of this recent hacker activity, network security has become a major focus for the corporate IT world.
What has so far gone largely unnoticed is that security is no longer something that must be considered on the corporate level. There has been a huge rise in the number of digital subscriber line (DSL) and cable Internet connections to private homes. These "always on," high-speed connections to the information superhighway now give home users the same abilities–but also the same responsibilities and liabilities–as any major corporation on the Internet. Home users must now effectively become their own Information Security department.
If you don’t take an active part in securing your home network, then you’re at risk. Don’t dismiss the likelihood of a stranger accessing your computers. If you have a high-speed connection to the Internet, then you’re probably scanned for common vulnerabilities much more frequently than you would expect. If you’re still on an old clunky analog connection, don’t think you’re not at risk either. You may not be targeted as frequently, but if an attacker has reason to believe you have something of value, she will take the time to target you.
To help give you a quick idea of how susceptible you may be, we came up with some alarming test results on one of our own ATT @Home cable connections. A poorly configured Windows box running file and print sharing without a password was accessed in less than 24 hours. The risk is far more prevalent than you would probably expect; on average, 5-10 scans come across daily looking for easily exploitable services. The most common scan that we found was on port 1080–attackers looking for an improperly configured proxy that can be used to steal a victim’s network identity. Even @Home does its own share of scanning; it scans this particular subnet on port 119 (news) about once an hour from "authorized-scan.security.home.net."
Many attacks are launched by users with very little computer knowledge at all, commonly known as "script kiddies." We’ve found a number of Web sites, chat rooms and online radio stations that are dedicated to sharing knowledge about exploiting common security vulnerabilities. Anyone can be up and running in minutes, scanning for open shares on computers using tools found with a simple Internet search. Entire hard drives may be erased simply to give thrill or excitement to a script kiddie who thinks such an act brings him closer to hacker stardom.
The urgent need to protect your home system may seem daunting, perhaps even scary. It certainly can be both. Consider this: The average e-commerce business easily spends more in a year on information security than the average home owner is expected to pay for his/her home over 30 years!
So what are Joe and Jane Smith, everyday eBay shoppers, supposed to do about securing their home computer?
The good news is that securing your home computer equipment is really much easier – and much cheaper – than you might think. Depending on your needs, you might even find that adding decent security is free. We will be mentioning a few products in the rest of this article. We must point out that these are not meant as endorsements; they are simply examples of the types of products we actually use.
Let’s look at the Smith family’s situation. They have one PC at home with a high-speed (DSL or cable) connection, and they don’t turn it off. They are average, everyday Web surfers running some form of Microsoft Windows. They only need a firewall of some sort to be safe enough. There are many firewall programs available from vendors — many by direct Web download — and many are free or cost less than $50. Some come with frequent updates, much like anti-virus software. The Smiths don’t need a long education in firewall management, either; they simply filter all incoming traffic. Pretty simple, pretty effective, and pretty cheap.
OK, let’s make this a little more difficult. Let’s say that the Smiths’ neighbor, Mr. Jones, has four PCs all networked together. To make it interesting, they are not all Windows machines; let’s run some flavor of Linux/UNIX as well. Heck, let’s run more than one flavor! We’ve got Red Hat and FreeBSD, Windows NT, and Windows 95. Yikes! Now what does our Mr. Jones do?
Fear not — there are more than a few ways to approach this, with only basic differences among them. And again, they can come reasonably cheap. First, Mr. Jones has to decide which of these machines will handle the role of gateway/firewall. The cheap way is to let one of the Linux machines face the outside world, because there are so many good, FREE security programs available for Linux. In fact, one of them — IPCHAINS — is even built into the kernel on many current versions of Linux. Red Hat 6.2 includes it, for example.
If IPCHAINS is not included in your version of Linux, it is freely downloadable on the Web (check your Linux vendor’s Web site). This is basic IP filtering, perhaps not as complete or robust as a good firewall, but darn close. Using IPCHAINS does come with a penalty, though. Although it is cheap, it isn’t easy. Rules for the filters must be thought out and entered manually. Still, if you want to block all incoming traffic, it isn’t brain surgery.
If you go the Linux route, in addition to running IPCHAINS you could also install a firewall. Some firewalls are available free for personal (but not commercial) use (www.firewall4linux.com), and others are available commercially. You’ll need to look at the features, price, availability, ease of installation, and so forth, before you decide which is right for you.
If Windows is to be the gateway, the idea is the same, but the average price may go up on the software. On the other hand, finding what you need and setting it up will probably be easier.
Once the firewall is in place, you’ll still want to have your anti-virus software handy. This shouldn’t add any cost–you already had it, right? The main point about anti-virus software is that you have to keep it up-to-date. Old anti-virus files aren’t very good for new and previously unknown viruses. You might want to think about updating the anti-virus every two weeks or so. Also, for the truly paranoid, additional software can be added that will detect changes to critical files, check for any security holes, send warnings, or take action in case someone should manage to sneak past the front lines. Once again, this isn’t necessarily an expensive proposition. Several books on computer security include CDs with samples of such programs. One such book is "Halting the Hacker: A Practical Guide to Computer Security," but there are many other books that also include security software on CD.
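The paragraph above mentions software that "will detect changes to critical files." The script below is an added example of that idea, written for this article and not taken from any product it names: baseline() records a SHA-256 digest for every file under a directory, and check_integrity() compares the directory against a saved baseline and reports what was changed, added or removed. The directory and file names in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example: a minimal change detector for critical files.
# baseline <dir>              -> "digest  path" lines, sorted so runs are comparable
# check_integrity <dir> <file> -> one line per difference against the saved baseline
# Limitation: paths containing whitespace are not handled (sha256sum output is
# split on spaces). Keep the baseline file off the monitored host where possible.

baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done
}

check_integrity() {
    current=$(baseline "$1")
    printf '%s\n' "$current" | awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # first input: the saved baseline
        {
            if (!($2 in old))       print "ADDED " $2
            else if (old[$2] != $1) print "CHANGED " $2
            delete old[$2]
        }
        END { for (p in old) print "REMOVED " p }    # whatever is left has vanished
    ' "$2" -
}

# Typical use (assumed paths):
#   baseline /etc > /mnt/floppy/etc.baseline        # once, when the box is known-good
#   check_integrity /etc /mnt/floppy/etc.baseline   # from cron, mail yourself the output
```

Run the baseline once on a freshly installed and patched system; a clean check prints nothing, so any output at all is worth reading. Because the digest list lives outside the monitored tree, an intruder who edits a file cannot quietly fix the record too.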
Of course, our Mr. Jones may choose to be more exotic in his solution. He might add a filtering router as the gateway and install firewalls on all of his PCs. He might buy a hardware firewall as the gateway and still install firewalls on all his PCs. He could also set up vastly complex trust relationships across his equipment, and so on. For most of us though, just the basics will do nicely.
Secret Decoder Rings
A great method for another added level of security is the use of encryption. Several tools are available to assist in encrypting; one of the most common is NAI’s PGP Desktop (www.nai.com). The PGP desktop software provides a quick and easy way to apply strong encryption to email, files, network connections and more. PGP is also freely downloadable from MIT (web.mit.edu/network/pgp.html), for personal use only. As always, please pay attention to the conditions spelled out in the licensing.
For the Truly Serious
Let’s look at an example of a paranoid solution to home networking security. Although the details get technical, they provide an example of the possibilities.
In this example, all inbound and outbound Internet traffic is filtered through a Red Hat v6.2 box. The only open local service is SSH (Secure Shell, an encrypted replacement for Telnet). Internal services are reached via Red Hat’s built-in port forwarding feature. IPCHAINS is used for Network Address Translation (a.k.a. masquerading) as well as for the IP filtering policy. As another line of defense, the /etc/hosts.deny and /etc/hosts.allow files (TCP wrappers) make sure computers that aren’t preauthorized cannot access any services. Internal hosts are then guarded with Norton Internet Security 2000 and have specific filters for communicating with other internal workstations.
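The script below is an added example, not the authors’ own configuration. It shows what the earlier IPCHAINS advice ("block all incoming traffic") looks like as actual rules, and extends it to the gateway just described: default DENY on the input chain with SSH as the only exposed service, masquerading for the LAN, Red Hat’s ipmasqadm port forwarding for one internal server, and the TCP-wrappers hosts.deny/hosts.allow pair. The interface names, the 192.168.1.0/24 LAN, the 203.0.113.5 public address, the 192.168.1.10 web server and the 198.51.100.20 preauthorized remote host are all assumed values.

```shell
#!/bin/sh
# Added example: ipchains (Linux 2.2 / Red Hat 6.2 era) rules for a home gateway.
# eth0 faces the Internet, eth1 faces the LAN; all addresses are constructed.
# With DRY_RUN=1 (the default) the commands are printed instead of executed;
# "sh gateway.sh apply" loads them for real on the gateway.

EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"
LAN="${LAN:-192.168.1.0/24}"
WEB_HOST="${WEB_HOST:-192.168.1.10}"
EXT_ADDR="${EXT_ADDR:-203.0.113.5}"                 # the gateway's public address
TRUSTED="${TRUSTED:-192.168.1. 198.51.100.20}"      # hosts allowed to reach sshd
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# "Filter all incoming traffic": default DENY, then punch only the holes we need.
input_rules() {
    run ipchains -F
    run ipchains -P input DENY
    run ipchains -P forward DENY
    run ipchains -P output ACCEPT
    run ipchains -A input -i lo -j ACCEPT
    run ipchains -A input -i "$INT_IF" -s "$LAN" -j ACCEPT
    # Anti-spoofing: LAN addresses never legitimately arrive on the outside interface
    run ipchains -A input -i "$EXT_IF" -s "$LAN" -j DENY -l
    # SSH is the only service exposed to the Internet
    run ipchains -A input -i "$EXT_IF" -p tcp --destination-port 22 -j ACCEPT
    # TCP segments without SYN belong to connections the inside opened
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT
    # Replies from DNS servers; everything else from outside is dropped and logged
    run ipchains -A input -i "$EXT_IF" -p udp --source-port 53 -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -j DENY -l
}

# Masquerading (NAT) for the LAN. On the forward chain -i names the outgoing interface.
masq_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipchains -A forward -i "$EXT_IF" -s "$LAN" -j MASQ
}

# Kernel port forwarding (ipmasqadm portfw) to expose one internal web server.
portfw_rules() {
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_ADDR" 80 -R "$WEB_HOST" 80
    # the forwarded port must also pass the input chain before the kernel redirects it
    run ipchains -I input -i "$EXT_IF" -p tcp -d "$EXT_ADDR" 80 -j ACCEPT
}

# TCP wrappers: deny every wrapped service by default, allow sshd from trusted hosts only
# (sshd must be built with libwrap, as Red Hat's package is).
tcp_wrappers_config() {
    printf '%s\n' "# /etc/hosts.deny" "ALL: ALL" "" "# /etc/hosts.allow" "sshd: $TRUSTED"
}

if [ "${1:-}" = "apply" ]; then DRY_RUN=0; fi
input_rules
masq_rules
portfw_rules
tcp_wrappers_config
```

Read the printed rules before using apply: the order matters, because ipchains takes the first matching rule, so the anti-spoofing DENY sits ahead of the ACCEPTs and the logging DENY comes last. The `-l` flag on the two DENY rules is what later lets you see scans in the kernel log.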
On the Red Hat side, Psionic’s Portsentry v1.0 (www.psionic.com) is used to detect port scans. This product integrates well with IPCHAINS and can be used to run scripts and activate DENY rules based on inbound attacks. Portsentry can be used with IPCHAINS to respond to attacks, for example, rerouting the attacker’s traffic back to the attacker. This isn’t recommended; in our case it is used simply to run a trace route, ping and a few other common tools against the attacker. The results are captured to a file stored on another server so that a good snapshot exists of what the attacker looked like at the time of the attempt.
After the data has been gathered, a complete IPCHAINS DENY rule is set on the attacker’s address and stays resident for about a week or two. If the attacker is paying attention, he will see that he was lightly probed and will (we hope) stay away. If the attacker is a repeat offender, he gets added to the permanent DENY rule set. This can require ongoing administration and detailed log review; however, it’s a step worth taking if you’re at risk.
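To make the two paragraphs above concrete, here is an added example (our own, not the authors’ setup or Psionic’s code): a portsentry.conf fragment that hands a scanning address to IPCHAINS and to a record script, and a small ban-list manager that takes the snapshot, expires DENY rules after a configurable number of days, and keeps repeat offenders on a permanent list. The file paths, the record-attacker script name, the port lists, the 14-day window, the three-hit threshold and the 198.51.100.x addresses are all assumptions; DRY_RUN=1 prints the ipchains calls instead of running them.

```shell
#!/bin/sh
# Added example: Portsentry 1.0 hooks plus an expiring ipchains ban list.
DRY_RUN="${DRY_RUN:-1}"
BANLIST="${BANLIST:-/var/lib/portsentry/banlist}"     # "addr epoch" per expiring ban
HISTORY="${HISTORY:-/var/lib/portsentry/history}"     # every hit ever recorded
PERMANENT="${PERMANENT:-/var/lib/portsentry/permanent}"
SNAPDIR="${SNAPDIR:-/var/log/attackers}"              # per-attacker snapshots
BAN_DAYS="${BAN_DAYS:-14}"                            # "a week or two"
REPEAT_LIMIT="${REPEAT_LIMIT:-3}"                     # third hit => permanent

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# portsentry.conf fragment. Portsentry substitutes $TARGET$ with the scanning
# address. List only ports nothing legitimate listens on: Portsentry binds them.
portsentry_conf() {
    cat <<'EOF'
TCP_PORTS="1,11,15,79,111,143,540,635,1080,1524,2000,5742,6667,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,640,641,700,31335,32770"
BLOCK_TCP="1"
BLOCK_UDP="1"
SCAN_TRIGGER="0"
KILL_ROUTE="/sbin/ipchains -I input -s $TARGET$ -j DENY -l"
KILL_HOSTS_DENY="ALL: $TARGET$"
KILL_RUN_CMD="/usr/local/sbin/record-attacker $TARGET$"
EOF
}

# record-attacker <addr> [epoch]: snapshot the host (traceroute/ping to a file,
# as the article does), then register the ban so it can expire later. An address
# seen REPEAT_LIMIT times goes on the permanent list instead and is never expired;
# the DENY rule itself has already been inserted by KILL_ROUTE.
record_attacker() {
    addr="$1"
    now="${2:-$(date +%s)}"
    if [ "$DRY_RUN" != "1" ]; then
        mkdir -p "$SNAPDIR"
        { date; traceroute -n "$addr"; ping -c 3 "$addr"; } > "$SNAPDIR/$addr.$now" 2>&1
    fi
    printf '%s %s\n' "$addr" "$now" >> "$HISTORY"
    hits=$(awk -v a="$addr" '$1 == a' "$HISTORY" | wc -l | tr -d ' ')
    if [ "$hits" -ge "$REPEAT_LIMIT" ]; then
        printf '%s %s\n' "$addr" "$now" >> "$PERMANENT"
        echo "permanent $addr"
    else
        printf '%s %s\n' "$addr" "$now" >> "$BANLIST"
    fi
}

# expire_bans [epoch]: run from cron; delete DENY rules older than BAN_DAYS.
expire_bans() {
    now="${1:-$(date +%s)}"
    cutoff=$((now - BAN_DAYS * 86400))
    [ -f "$BANLIST" ] || return 0
    tmp="$BANLIST.tmp"
    : > "$tmp"
    while read -r addr stamp; do
        if [ "$stamp" -lt "$cutoff" ]; then
            run ipchains -D input -s "$addr" -j DENY -l
        else
            printf '%s %s\n' "$addr" "$stamp" >> "$tmp"
        fi
    done < "$BANLIST"
    mv "$tmp" "$BANLIST"
}

# reload_permanent: re-insert the permanent DENY rules after a reboot.
reload_permanent() {
    [ -f "$PERMANENT" ] || return 0
    while read -r addr stamp; do
        run ipchains -I input -s "$addr" -j DENY -l
    done < "$PERMANENT"
}
```

Because the KILL_ROUTE rule is inserted once per scan, expire_bans deletes exactly one matching rule per recorded ban, so an address scanned twice inside the window loses both rules on schedule. Keeping the snapshot directory and the history on another machine, as the article suggests, means the record survives even if the gateway itself is compromised.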
Outside of the tools enabled on the Red Hat box, a few things on an internal NT server are running as well. SurfControl SuperScout (www.jsb.com) is a product that uses sniffer technology to scan and intercept traffic that is not permitted. This product is used primarily to monitor and enforce corporate Internet use, but it also makes a great addition to an assortment of enterprise-level security tools. In addition, SnifferPro (www.nai.com) is used as an internal traffic analyzer and capture utility. SnifferPro gives a real-time, easy-to-read host list of recent connections. It logs the total amount of traffic transmitted during the stay, and has a nice matrix of active connections, all without even capturing any packets. Generally, capturing is only enabled when the user is troubleshooting or viewing network problems.
Great! Now we’re secure! We’re happily logging stealth scans hitting our network, noting attempts to log in, and so forth. Now what? Are we done?
Sidebar tips (truncated in the original page):
- An important element to remember when
- Use a secure screen saver even at
- Encrypt the sensitive files on your
- Don’t forget to protect access
Perhaps. Perhaps not.
This may very well be the end, if you’re happy to leave it at that. It would certainly be a valid response to say "No harm, no foul." Many, however, will be tempted to give a would-be attacker a taste of his own medicine. A word to the wise: Along with the responsibilities of securing your equipment, you must realize the liabilities as well. You are responsible for anything that happens on your equipment. Even if an attack is launched from your computer without your knowledge, you could be held accountable. And in today’s insecure Internet, there is no way you can be absolutely sure that the apparent origin of an attack is actually the origin of the attack: someone could be spoofing the IP address and forging packets. Were you to become a cyber-vigilante, you could become part of the problem instead of part of the solution.
Two possible circumstances come to mind. First, you haven’t done anything to secure your network, and you become a zombie in someone else’s attack. Sure, your ISP can take some of the blame, maybe, because it should be able to secure its infrastructure, of which you are only a part. However, don’t expect to be able to hide behind your ISP. Just as any business may possibly face negligence suits, you may as well. If you haven’t done your part, you could be in for a rough ride. Not only is it socially responsible to protect your home computer from being co-opted by the bad guys, but it could keep you out of some nasty legal battles.
Second, you are secure, and you detect some things that are more than just scans. What is your response? Good security starts with a clear policy. A security policy needn’t be overly complicated. You may simply say, "I’m not letting any traffic in." Beyond that, you would need to decide, ahead of time, what your reaction would be to certain situations. It would be a good starting point to contact your ISP when considering your personal security policy (which you should have). Find out what its policies are. If you detect something, what is your ISP likely to act on? Should you report it? Who would you report it to?
You may be inclined to throw back at the attacker what the attacker is throwing at you. Before doing so, keep in mind that your ISP may see you doing this. Also, since you are on the ISP’s network in the first place, you are potentially much easier to track than someone breaking in from the outside. From your ISP’s point of view, allowing your attack out poses a serious liability to the ISP, which may prompt the provider to take action against you. Again, before reacting to an attack, simply log the attempt and contact your ISP. We strongly urge you not to try attacking the attackers using questionable tactics.
The bottom line is that you shouldn’t expect someone to take care of your security for you. Just as you diligently lock your car door whenever you leave it, you should lock up your computer system to keep the bad guys out.
Copyright © Carl Hallberg & Michael Pavlu. All rights reserved.