It’s late one evening last July, and a green activity light is blinking on the front of the DSL modem next to my desk. I’m asleep in the next room, but my computer is busy working, tirelessly handling page requests from hundreds of Code Red zombies.

Each one is hoping to find the same thing: a particular file with a particular vulnerability that just might be on my system. If the zombie discovers the file, it will exploit a well-published security hole to copy some files to my computer, install a remote control “back door,” then instruct my system to begin scanning the Internet for other vulnerable systems to compromise in the same fashion.

My hapless computer will then have joined the ranks of thousands of other Windows NT and 2000 computers worldwide, “zombies” that would be used later in a failed Distributed Denial of Service (DDoS) attack on the White House Web site.

The frighteningly swift propagation of Internet “worms” like Code Red, Code Red II and Nimda was made possible primarily due to two factors — the high number of broadband-connected NT systems and the failure of their owners to properly secure them.

In the final part of this series on broadband, I’ll outline some of the risks associated with broadband Internet and also discuss some of the steps you can take to protect your systems from unwanted intrusion or attack.

Exposure

The first and easiest way to assess your level of exposure is to look at your connection to the Internet. Is your computer behind a router or firewall, or is it directly connected to the Net via DSL or cable?

If the latter is the case, the IP address being used by your machine is a “public” (Internet-routable) address that was assigned to your computer by your service provider when your system connected to their network.

This address is probably dynamically assigned, meaning it might change each time you connect. But the key issue here is that, with a public IP address, your computer is sitting (ducklike, perhaps) right out there and therefore fully exposed to all of the other systems on the Internet.

Exposure in and of itself is not necessarily a problem. Indeed, all computers connected to the Internet with open, public IP addresses are equally exposed. However, these systems as a rule are “hardened,” or protected from attack using a variety of tools including software, network devices, packet filters, and more.

It is equally important for broadband users to know what the risks are, and how to protect against them.

The risks

Computers are designed to communicate with each other in a variety of ways. In a Client-Server arrangement, one computer asks another for some information, like when a Web browser asks a Web server for a particular HTML page. In peer-to-peer networking, you share files or other resources in both directions, perhaps printing to a remote computer or sharing a folder on your own hard drive.

As long as your computer has a network card or modem, it is equipped to communicate with other systems. If participating in a private office LAN or home network, this is certainly a good thing. However, the same unprotected system exposed to the Internet faces a number of threats based on common security holes.

Foremost among these are unprotected shared folders or drives, known as “shares.”

All Windows operating systems after v3.1 provide for some form of local file sharing. In today’s systems, sharing files or local printers with remote users is as simple as right-clicking your mouse. However, without properly restrictive access policies in place these shares can easily be accessed by other users over the Internet.

Strong passwords are just as important. For example, on Windows NT Server administrative shares are created at the root level on all hard drives. They are normally hidden from view, but an experienced user can try to access them easily using a pre-defined account such as the Administrator account.

Without strong passwords in place, an intruder can gain access to the entire system drive simply by trying password combinations until finding the correct one.

Hacking tools available today make this a trivial process, particularly if the password for the account is easily guessed, or a word you might find in the dictionary.

Passwords on Internet-connected systems should always contain a combination of letters, numbers and symbols. Also avoid words that are found in the dictionary and simple number combinations. Lastly, the longer the password, the more difficult it is to crack using “brute force” password cracking tools.
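The rules above can be turned into a simple checker. The following is an added example, not code from the article or from any vendor it mentions: it flags the weaknesses the article describes (short length, missing character classes, dictionary words) and estimates the brute-force search space, which grows with both alphabet size and length. The eight-character minimum, the guess rate and the tiny word list are constructed assumptions.

```python
import math
import string

# Constructed stand-in for a word list; a real check would load a full
# dictionary file (e.g. /usr/share/dict/words) instead of this small set.
DICTIONARY = {"password", "secret", "letmein", "welcome", "admin", "dragon"}

# Alphabet sizes for the brute-force estimate (32 covers ASCII punctuation).
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

def char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def keyspace_bits(pw):
    """Bits of search space an exhaustive brute-force attack must cover,
    based only on the classes actually used and the length."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet)

def brute_force_seconds(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the search space at a given guess rate
    (the default rate is an assumed figure, not a measured one)."""
    return 2 ** keyspace_bits(pw) / guesses_per_second

def weaknesses(pw):
    """List the ways a password violates the rules given in the article."""
    problems = []
    if len(pw) < 8:  # assumed minimum; the article only says longer is better
        problems.append("shorter than 8 characters")
    missing = {"lower", "upper", "digit", "symbol"} - char_classes(pw)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    # Strip trailing digits/punctuation so "password1!" still matches "password".
    core = pw.lower().rstrip(string.digits + string.punctuation)
    if pw.lower() in DICTIONARY or core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems
```

A 16-character lowercase-only password still has a larger search space than an 8-character mixed one, which is the article's point about length.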

One easy way Windows users can prevent access to file shares from the Internet is by removing NetBIOS from all Internet-connected interfaces. NetBIOS runs on top of protocols like TCP/IP and facilitates Windows networking and the use of host names among Windows systems.

Unwanted intrusion can also come from other sources.

Prior to the outbreak of Code Red and similar worms, Windows 2000 shipped with the Internet Information Server (IIS), Microsoft’s standard Web server software, installed and running by default. This saved some headaches for less technically-adept users hoping to maintain a Web server, but also contributed significantly to the spread of malicious worms by populating the Internet with readily-exploitable Web servers.

Many owners of these systems didn’t even know a security patch was required and available, much less how to download and install one.

The best way to stay informed about the security of your systems is to frequently visit your vendor’s Web site and, where available, to subscribe to security bulletins and newsletters.

Microsoft has also made available a number of tools, including the Baseline Security Analyzer, which scans Windows NT, 2000 and XP systems for common security misconfigurations.

Compromising positions

If an intruder gains access to your system via an exposed file share or security hole, there are a variety of things they can do.
Copying or deleting data are some of the actions you might expect of unwanted intruders, but today’s hacker (or, more commonly, “cracker”) probably has bigger plans for your computer.

It is more common today for compromised systems to be surreptitiously used as agents, or zombies, in DDoS attacks. In such cases, a central system exerts control over an army of systems just like yours, using a “back door” installed during the initial attack. This agent runs quietly in the background, completely out of view, and waits for commands from headquarters.

With enough such systems, it is possible to launch a concerted attack against a Web site (or other server) and flood it with bogus requests, effectively denying access to the site by legitimate users. Worst of all, one or more of your own computers may be participating in the attack without you even knowing it.

Countermeasures

There are a number of things you can do to minimize your risk of unwanted intrusion or attack. A good starting point is to put a router between your system(s) and the Internet.
Most routers today use a feature called Network Address Translation (NAT) to hide the address of computers behind the router. As all traffic is mediated by the router, requests from all internal systems appear to be coming from the external interface of the router. This form of “IP masquerading” is a way to put your computer on the Internet without exposing it to the Internet at large.
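To make the masquerading point concrete, here is a small model of a port-based NAT router, added here as an illustration and not code from any product the article mentions. Outbound packets get the router's public address and a fresh port; an inbound packet is forwarded only when it matches a mapping created by earlier outbound traffic, so an unsolicited probe (such as a worm scanning for Web servers) is dropped. All addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Packet:
    """Just the four header fields NAT cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    """Minimal port-based NAT (IP masquerading) model. Internal hosts share
    one public address; inbound traffic is forwarded only when it answers a
    mapping that an earlier outbound packet created."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        self.outbound = {}  # (int ip, int port, remote ip, remote port) -> public port
        self.inbound = {}   # (public port, remote ip, remote port) -> (int ip, int port)
        self.dropped = []   # unsolicited inbound packets, kept for inspection

    def send_out(self, pkt):
        """Translate an outbound packet: its source becomes the router's
        public address and an allocated port; the mapping is remembered."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def receive(self, pkt):
        """Forward an inbound packet to the internal host that opened the
        conversation, or drop it if no such mapping exists."""
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            self.dropped.append(pkt)
            return None
        return Packet(pkt.src_ip, pkt.src_port, target[0], target[1])

if __name__ == "__main__":
    r = NatRouter("203.0.113.5")  # constructed public address
    r.send_out(Packet("192.168.1.10", 51000, "198.51.100.20", 80))
    scan = Packet("198.51.100.99", 4321, "203.0.113.5", 80)  # unsolicited probe
    print("scan forwarded to:", r.receive(scan))  # None: dropped at the router
```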

You should also consider the use of a firewall product for all Internet-connected systems.

Personal firewall products from vendors like Symantec, McAfee, and Internet Security Systems provide features such as intrusion detection, packet filtering, and access control. Windows XP even ships with a built-in firewall.

Although no product can guarantee prevention of all attacks, a firewall can be a key component of a comprehensive security framework.

It also goes without saying that virus protection software is critical for protecting yourself from e-mail-borne and other viruses.

Also remember that the effectiveness of your antivirus solution wholly depends on the currency of your virus definition data, which should always be kept up to date.

Similarly, it is very important that you keep your operating system and Internet applications like e-mail and Web browsers up to date with the latest fixes and security patches.

New vulnerabilities are being discovered all the time, and when they are announced, you’ll end up in a race with crackers and other miscreants to see who responds to the news first: you, with a downloaded security patch, or them, with a brand new Trojan horse.

Finally, it’s a good idea to either turn your computer off or disconnect it from the network when not in use. Doing either will ensure that no one has access to it from the Internet.

Security tools on the Net

Network Security (CERT)
www.cert.org/tech_tips/home_networks.html

Coping with Home Network Security Threats (Network Magazine)
www.networkmagazine.com/article/NMG20020106S0003

Navas Cable Modem/DSL Tuning Guide
cable-dsl.home.att.net/#security

Microsoft’s Security Site
www.microsoft.com/security/

Microsoft’s Baseline Security Analyzer
www.microsoft.com/technet/security/tools/Tools/mbsahome.asp

Symantec Worldwide Home Page
www.symantec.com/

McAfee.com
www.mcafee.com

Internet Security Systems
www.iss.net/

The Japan Times: April 25, 2002