Computer Vulnerabilities

1. Overview
2. Threats to Computer Systems
3. How Hackers Work
4. Using the Internet Securely
5. How We Make It Easy for the Hackers
6. “Cookies”
7. Weak Passwords
8. E-Mail Pitfalls
9. “Social Engineering”
10. Viruses & Other “Infections”
11. P2P
12. Insecure Modems
13. Security of Hard Drives
14. Security of Laptops
Overview

Computers concentrate tremendous amounts of data in one location where it is
vulnerable to unauthorized disclosure, modification, or destruction. The greater the
concentration, the greater the consequences of any security breach.

The dramatic increase in interconnections between computer networks, and the
popularity of the Internet, have made it easier for countries, groups, or individuals
with malicious intentions to intrude into inadequately protected systems. They can
use that access to steal or make unauthorized changes in sensitive information,
commit fraud, or disrupt operations.

Threats to Computer Systems describes the changing face of computer crime. The
ego-oriented and attention-seeking adolescents who steal information as trophies to
demonstrate their prowess are still common. However, the field is becoming
dominated by professionals who steal information for sale and disgruntled employees
who damage systems or steal information for revenge or profit.

The common saying that "security is everyone's responsibility" is especially true of
computer security. It is essential that you understand the vulnerabilities of this new
medium that is changing the world, because YOU -- unknowingly -- can endanger
your entire computer network. Your network is only as secure as its weakest link.
The people who use the computers can be just as damaging as weaknesses in the
software or hardware.
Threats to Computer Systems

The nature of computer crime has changed over the years as the technology has
changed and the opportunities for crime have changed. Although thrill-seeking
adolescent hackers are still common, the field is increasingly dominated by
professionals who steal information for sale and disgruntled employees who damage
systems or steal information for revenge or profit.

When Willie Sutton was asked why he robbed banks, he replied, "because that's
where the money is." People attack computers because that's where the information
is, and in our hyper-competitive, hi-tech business and international environment,
information increasingly has great value. Some alienated individuals also gain a
sense of power, control, and self-importance through successful penetration of
computer systems to steal or destroy information or disrupt an organization's
activities.

A common view of computer security is that the threat comes from a vast group of
malicious hackers "out there." The focus of many computer security efforts is on
keeping the outsiders out -- through physical and technical measures such as gates,
guards, locks, firewalls, passwords, etc.

Yet, while the threat from outsiders is indeed as great as generally believed, the
malicious insider with approved access to the system is an even greater threat! This
discussion treats the insider threat and the outsider threat separately.
Insider Threat to Computer Security

Survey after survey has shown that most damage is done by insiders -- people with authorized access to a
computer network. Many insiders have the access and knowledge to compromise or shut down entire
systems and networks.

The Computer Security Institute and FBI cooperate to conduct an annual CSI/FBI Computer Crime and
Security Survey of U.S. corporations, government agencies, financial institutions, and universities. [1] Of the
information security professionals who responded to this survey, 80% cited disgruntled and dishonest
employees as the most likely source of attack on their computer system.

Fifty-five percent of respondents reported unauthorized access by insiders, as compared with 30% reporting
system penetration by outsiders. Many companies reported multiple instances of unauthorized access or
system penetration.

As discussed in Reporting Improper, Unreliable, and Suspicious Behavior, you are expected to report
potentially significant, factual information that comes to your attention and that raises potential concerns about
computer security. Reportable behaviors include the following:
– Unauthorized entry into any compartmented computer system.
– Unauthorized searching/browsing through classified computer libraries.
– Unauthorized modification, destruction, manipulation, or denial of access to information residing on a computer system.
– Storing or processing classified information on any system not explicitly approved for classified processing.
– Attempting to circumvent or defeat security or auditing systems, without prior authorization from the system administrator,
other than as part of a legitimate system testing or security research.
– Any other willful violation of rules for the secure operation of your computer network.
Outsider Threat to Computer Security

The Internet has become a boon to intelligence collectors world wide. Your computer
network is at risk from many types of outsiders.
– Freelance information brokers.
– Foreign or domestic competitors.
– Military services from adversary nations who are developing the capability to use the
Internet as a military weapon.
– Terrorist organizations for which organized hacking offers the potential for low cost, low
risk, but high gain actions.
– Crime syndicates and drug cartels.
– Hobbyist hackers who penetrate your system for sport or to do malicious damage.
– Common thieves who specialize in stealing and reselling laptop computers.

Break-ins occur at an alarming rate because the Internet provides an especially
comfortable and interesting place for hackers. The Internet was not designed with
security in mind. It is a large, intricate network with many software flaws. It is easy to
remain anonymous on the net. Because everything is interconnected, everything is
vulnerable, and an expert intruder can cover his or her tracks by weaving a trail
through a dozen systems in several different countries. Many hacker tools that
required in-depth knowledge a few years ago have been automated and have
become easier to use.
How Hackers Work

When linked to the Internet, you are linked to computers throughout the world – and,
more important, they are linked to you. It’s not apparent to the computer user, but
any link to a site on the Internet is a potential two-way street!

Expert hackers create and pass on to others sophisticated software tools to exploit
both human and technical weaknesses in the security of computer systems: password
crackers, war dialers, vulnerability scanners, sniffers, IP spoofers, and others. Because
many of these tools are available on the Internet, relative newcomers can download
and use them, raising the level of sophistication of hackers of all types.

The hacker’s first goal is to get access to your network in order to read your files.
Ineffective passwords, insecure modems, and what the hackers call “Social
Engineering” often provide the first opening to a system.

Once inside the system, the hacker’s second goal is to get what is called "root" access. That
usually requires finding a technical weakness. Root access means the hacker has unrestricted
access to the inner workings of the system. With root access the hacker can:
– Copy, change or delete any files.
– Authorize new users.
– Change the system to conceal the hacker’s presence.
– Install a "back door" to allow regular future access without going through log-in procedures.
– Add a "sniffer" to capture the User IDs and passwords of everyone who accesses the system.
– Use the captured User IDs and passwords to attack the networks of other organizations to which the
captured User IDs and passwords provide approved access.

The initial foothold into the system is the toughest part. Often, the hacker will be working via the
Internet, which is open to everyone, and will be trying to penetrate a network that is protected
by a "firewall." A firewall is a series of programs and devices intended to protect a network from
outside intruders. A strong firewall will identify and authenticate users trying to access the
network from outside, thus limiting access to authorized persons. Sometimes the hacker is an
insider, an employee already behind the firewall who has authorized access to one part of the
system and then hacks his or her way into other protected files within the system.

The hacker’s success in breaching the firewall often comes from some form of human failure,
especially weaknesses caused inadvertently by lack of computer security education,
carelessness, or gullibility of computer users. Technical weaknesses in the system obviously
play a role, but even those may be traceable to some form of human error, such as employee
susceptibility to “Social Engineering” or a systems administrator’s failure to update the firewall
software promptly each time the hackers expose a weakness and the manufacturer makes a
patch available to plug the hole.
How We Make It Easy for the Hackers

Too many computer users assume their system administrator and the software developers do
everything necessary to keep their network safe. They don’t think they need to worry about
security. THEY ARE WRONG. A network, and every computer on it, is only as secure as its
weakest link. You need to make certain that your network's weakest link is not YOU.

A review of how hackers work shows that uninformed or careless actions by well-intentioned
computer users can undermine the security of your entire network.

Here are some of the mistakes that computer users make too often, and which the hackers and
other computer criminals exploit. Each of these is discussed in a separate topic.
– Using a weak or ineffective password. You need to understand how to select a strong password and why
PASSWORDS ARE IMPORTANT.
– Using an unauthorized or insecure modem. A password and a modem phone number is often all it takes
for a hacker to penetrate your company's firewall. Hackers use a tool called a "war-dialer" to identify
modems.
– Responding to people who ask apparently innocent questions about you or your computer. Hackers
often use a plausible pretext to elicit key information from well-meaning but naive employees – a
technique that hackers call “Social Engineering”.
– Exposing your system to viruses.

The goal is that you understand your role in protecting the security of the network as a whole.
Protecting the network is not just the job of the technical people. Security is everyone's
responsibility.
Using the Internet Securely

You can do many interesting and useful things on the Internet, both in the office and at home, and you can do
them securely -- if you understand and avoid certain risks. The two main security risks are drawing attention
to yourself as a potential target for intelligence exploitation and unintentional compromise of sensitive
information.

The greatest risk is probably downloading files, as discussed in Viruses and Other "Infections". The wealth of
free software available for downloading from the Internet is exciting but does pose risks. Many organizations
explicitly prohibit downloading and running software from the Internet. If you want to download a program,
check with your system administrator.

When logging in to an Internet site that requires a password and user ID, do not use the same password that
you use to log on to your office network. The password for your office network requires the utmost protection,
while the password used to log in to an external web site is vulnerable to interception unless it is encrypted.
Compromise of the one should not compromise the other.

The rapid growth of Internet commerce is driving the development of additional security measures. Protection
mechanisms such as Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) are growing
rapidly. SSL sits "between" your web browser and the web server you are communicating with. It can
exchange verification of both parties to the communication. It then encrypts sensitive information such as
credit card data when making a purchase or personal information filled in on a form to register with a site. SET
uses digital signatures to ensure that Internet credit card users and merchants are who they say they are.
With SET, your credit card number is never stored on the merchant's computer.

Most browsers have a padlock or key symbol in the lower left corner of the screen to show the security status
of the connection. When the padlock is open or the key is broken, no special security precautions are in
effect. When the padlock is closed or the key is unbroken, information is being encrypted. The number of
teeth in the key signifies the level of encryption. One tooth signifies a 40-bit key; two teeth means a 128 bit
key.
Chat Rooms, News Groups, Bulletin Boards

Chatting on the Internet or posting messages to news groups or bulletin boards might seem like
a private pastime, but it is in fact a very public activity. Messages sent to "Usenet" discussion
groups are broadcast to anyone, anywhere in the world, who wants to receive them. These
messages are archived so that they are readily searchable by the public. The Deja.com archive
contains messages going back to March 1995.

Foreign intelligence collectors and investigators collecting competitive intelligence regularly troll
bulletin board, chat room and newsgroup postings to identify individuals or information of
potential interest. If someone on the Internet finds that, because of the information you offer,
you could be a good "source," he or she will have no problem finding out more about you.

A knowledgeable information collector can identify a great deal of information about you with
little more than your e-mail address and a newsgroup or chat room posting. One can probably
obtain from online sources your address, phone number, vehicle license plate number, social
security number, date of birth, name of employer, eye color, weight, credit report, real estate
ownership records, and the names, addresses, and phone numbers of nine to fourteen of your
neighbors who may then be called for additional information about you.

Once you are identified as a potential target, a knowledgeable information collector may search
for and read your newsgroup, bulletin board, and chat room postings.
– Do not post any information on the Internet that calls attention to yourself as a person with access to
proprietary or classified information. This could cause you to become a target.
– Do not try to impress others with how much you know. Specifically:
  • Do not express any opinion in a way that implies you have insider information, and therefore that
your opinion merits greater credence than the opinions of others.
  • Do not imply or state outright that you have access to proprietary or classified information. A
statement such as "I can't say any more, because I have a clearance" is an example of security
consciousness gone awry. It targets you as a holder of classified information.
  • Do not provide information about your work, your employer, or job location.
– The greatest risk on the Internet is when you "chat" in real time with other users, using
typed input that is relayed back and forth. There are several reasons why this can be
dangerous:
  • Live chat does not allow you time to think carefully before you respond. Once the message is sent,
it's gone forever.
  • What starts out as a casual information exchange can quickly lead to much more.
  • Your message on the Internet may be read by tens of thousands of people worldwide.
  • When chatting on line or exchanging e-mail, remember that the people you are communicating with
are not always who they seem to be. You don't even know what country they are in. Although there
are country codes for Internet addresses, they are not always used. For example, America Online is
international, and you don't know the home country of a person with an aol.com e-mail address.
  • Some messages are sent anonymously. Unfortunately, it is not always possible to know which are
and which are not. Reputable "remailers" who forward mail anonymously make it clear that their
messages are anonymous. Less responsible remailers, however, substitute phony names and
addresses, but do not so indicate. Because messages can be forwarded from anywhere to
anywhere, you cannot assume anything about message origins. Be wary of responding to
messages from anyone whom you do not know personally.
“Cookies”

Cookie is the deceptively sweet name for a small file that may be placed on your computer’s hard drive, often
without your knowledge, when you visit a web site. The cookie is a unique identifier that enables the site to
which you are linked to recognize that you have been there before. It enables the site to which you are linked
to keep track of you as you go to different pages on that site, or to other sites, and to retrieve from its
database any record of your previous visit or visits to the site.

Cookies are a reminder that surfing the web is not an anonymous activity. Your movements in cyberspace can
be and often are tracked.

Privacy Issues
– Cookies are controversial because they raise privacy issues. They are put on your computer without your explicit approval
and are used to track where you go on the Internet. Most sites track your movements only within their site, but online
advertising agencies with multiple clients track your movements among all their clients’ sites. When you register to use
many sites and services you are required to provide demographic information about yourself, often including your name,
or an e-mail address that can lead to identification of your name.
– There is concern that dossiers of personal information on individuals and their behavior in cyberspace could be compiled,
sold to advertisers or insurance companies, and used in ways that violate one’s right to privacy. Privacy advocates argue
that online marketers should be kept out of the "cookie jar," and they urge Internet surfers to "toss their cookies" to protect
themselves from the "Cookie Monster."
– There is no question that cookies, and the information they enable others to collect, could be misused. The open
questions are: How often is this information actually being misused? And how much of a threat does this represent? Most
advertisers comply with the Direct Marketing Association’s Marketing Online Privacy Principles. At least one major
advertising agency specializing in Internet advertising has voluntarily opened its practices and systems for third-party
auditing.
Options for Dealing with Cookies

Because cookies are controversial, both Netscape and Microsoft browsers offer users options for dealing with
cookies. Depending upon which browser you are using and how current it is, the controls for dealing with
cookies will usually be found on the Edit or View menu, under Options or Preferences. You may then have to
click on a tab called Advanced, Security, or Protocols. There are four possible options, although not all
options are offered by all browsers.
– Accept All: This is usually the default setting and means that all cookies are accepted.
– Accept only cookies that get sent back to the originating server: This means you accept only temporary cookies that are
deleted as soon as you exit a site. They help the site keep track of your activities only while you are connected to it. For
example, such temporary cookies are needed if you want to be able to put multiple purchases into a "shopping basket" as
discussed above.
– Disable Cookies: Your computer will not accept any cookies under any circumstances. You will need to turn cookies back
on if you want to use any online services that require them.
– Warn me before accepting a cookie: Whenever a site to which you are connected tries to put a cookie on your hard drive,
you are warned and given the option of accepting or rejecting it. The down side of this is that responding to all the
warnings at a busy shopping site can become very tedious.
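The four options above, written out as a policy that a browser would apply to each Set-Cookie header it receives. This is an added example, not code from the original slides or from any browser; it assumes the browser knows the host of the page being viewed and the host that sent the response, treats a cookie as "temporary" when it carries neither an Expires nor a Max-Age attribute, and treats it as "sent back to the originating server" when its Domain attribute (or, if absent, the responding host) matches the page host. The sample headers are constructed.

```python
# Policy names, matching the four browser options described on the slide.
ACCEPT_ALL = "accept all"
ORIGINATING_ONLY = "accept only cookies sent back to the originating server"
DISABLE = "disable cookies"
WARN = "warn me before accepting a cookie"


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # attribute names are case-insensitive
    return name.strip(), value.strip(), attrs


def cookie_facts(header, page_host, response_host):
    """The two properties the slide's options hinge on: is it temporary, is it first-party?"""
    name, _, attrs = parse_set_cookie(header)
    # Assumption: no Domain attribute means the cookie belongs to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    page = page_host.lower()
    return {
        "name": name,
        "domain": domain,
        "temporary": "expires" not in attrs and "max-age" not in attrs,
        "first_party": page == domain or page.endswith("." + domain),
    }


def decide(policy, facts, ask_user=None):
    """Return 'accept' or 'reject' for one cookie under the chosen browser option."""
    if policy == DISABLE:
        return "reject"
    if policy == ACCEPT_ALL:
        return "accept"
    if policy == ORIGINATING_ONLY:
        # The slide describes this option as keeping only temporary, same-site cookies.
        return "accept" if facts["first_party"] and facts["temporary"] else "reject"
    if policy == WARN:
        if ask_user is None:
            raise ValueError("the WARN option needs an ask_user callback")
        return "accept" if ask_user(facts) else "reject"
    raise ValueError(f"unknown policy: {policy!r}")


# Constructed sample: a shopping-basket session cookie from the shop itself and a
# persistent tracking cookie set from an advertising network's domain.
PAGE_HOST = "shop.example.com"
SAMPLE_RESPONSES = [
    ("shop.example.com", "basket=abc123; Path=/"),
    ("ads.example.net", "track=u-77; Domain=.ads.example.net; Max-Age=31536000; Path=/"),
]


def evaluate_all(policy, ask_user=None):
    """Decision for each sample cookie under `policy`, keyed by cookie name."""
    decisions = {}
    for response_host, header in SAMPLE_RESPONSES:
        facts = cookie_facts(header, PAGE_HOST, response_host)
        decisions[facts["name"]] = decide(policy, facts, ask_user)
    return decisions


if __name__ == "__main__":
    for policy in (ACCEPT_ALL, ORIGINATING_ONLY, DISABLE):
        print(f"{policy}: {evaluate_all(policy)}")
    # "Warn" defers to the user; here the user chooses to keep only temporary cookies.
    print(f"{WARN}: {evaluate_all(WARN, ask_user=lambda f: f['temporary'])}")
```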

If you want to look at your cookies, the most common place for them to be located is in a directory
subordinate to the directory where your browser is located. However, they may be in several different
locations, so the most efficient way to find them is to use the Find command and type in cookies. Cookies are
ordinary txt files, so they need to be read with a program such as Wordpad or Notepad.

You may delete all cookies from your computer if you wish, but be sure to close your browser first. Cookies
are held in memory while the browser is open, so deletion while the browser is open will be ineffective.
Remember, however, that deleting all your cookies will cause you to start from scratch with every web site you
normally visit. It may be preferable to delete only those cookies you don’t want or don’t think you need.
Weak Passwords

Your password is the key to your computer -- a key much sought-after by hackers as a means of getting a
foothold into your system. A weak password may give a hacker access not only to your computer, but to the
entire network to which your computer is connected. Treat your password like the key to your home. Would
you leave your home or office unlocked in a high crime area?

Too many passwords are easily guessed, especially if the intruder knows something about the target’s
background. It's not unusual, for example, for office workers to use the word "password" to enter their office
networks. Other commonly used passwords are the computer user's first, last or child's name, Secret, names
of sports teams or sports terms, and repeated characters such as AAAAAA or bbbbbb.

Your computer password is the foundation of your computer security, and it needs to stand up against the
tools that hackers have for cracking it. There are 308 million possible letter combinations for a six letter
password using all upper case or all lower case letters. A readily available password cracker can check all of
them in only 2 minutes 40 seconds. With some combination of both upper and lower case letters, a six letter
password has 19 billion possible combinations. If you increase the password to eight letters and use both
upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the
letters, and there are 218 trillion possible combinations.

Here are some simple guidelines for strong passwords.
– It should contain at least eight characters.
– It should contain a mix of four different types of characters -- upper case letters, lower case letters, numbers, and special
characters such as !@#$%^&*,;" If there is only one letter or special character, it should not be either the first or last
character in the password.
– It should not be a name, a slang word, or any word in the dictionary. It should not include any part of your name or your email address.
– You should be able to type it quickly, so that someone looking over your shoulder cannot readily see what you have typed.
– It should be changed at least every 90 days to keep undetected intruders from continuing to use it.
– Almost all computer operating system software programs on the market today that store passwords in encrypted format
store the last character in the clear. All password cracking programs know this, so that means one less character for them
to crack. This is one of several reasons why numbers and special characters should be toward the middle of your
password, not at the beginning or end.
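The arithmetic from the slide above (308 million, 19 billion, 53 trillion and 218 trillion combinations) and the guidelines just listed, worked through in Python. This is an added example, not code from the original slides; it assumes a cracker rate derived from the slide's own figure of 308 million six-letter combinations in 2 minutes 40 seconds, a constructed stand-in word list in place of a real dictionary, and the user's name and e-mail supplied by the caller. The edge-of-password rule is applied to every digit and special character, which generalizes the slide's two bullets on the subject.

```python
import string

# Cracker rate implied by the slide: 26**6 = 308,915,776 six-letter
# combinations checked in 2 minutes 40 seconds (about 1.93 million guesses/s).
SLIDE_SECONDS = 2 * 60 + 40
GUESSES_PER_SECOND = 26 ** 6 / SLIDE_SECONDS

# The four character classes the slide asks for. Using string.punctuation for
# "special" is my choice; it is a superset of the slide's examples !@#$%^&*,;"
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)
SPECIAL = set(string.punctuation)
LETTERS = UPPER | LOWER

# Constructed stand-in for a real dictionary/slang list (a real check would use
# a full word list); the slide's own bad examples are included.
SAMPLE_WORDLIST = {"password", "secret", "letmein", "welcome", "dragon", "yankees"}


def keyspace(alphabet_size, length):
    """Number of possible passwords of `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Worst-case time for the slide's cracker to try every combination."""
    return keyspace(alphabet_size, length) / rate


def _personal_tokens(name, email):
    """Fragments of the user's name and e-mail address that must not appear in the password."""
    tokens = set(name.lower().split())
    local, _, domain = email.lower().partition("@")
    for sep in ".-_+":
        local = local.replace(sep, " ")
    tokens.update(local.split())
    tokens.update(domain.split("."))
    return {t for t in tokens if len(t) >= 3}   # skip fragments too short to be meaningful


def check_password(pw, name="", email="", wordlist=SAMPLE_WORDLIST):
    """Return the guidelines from the slide that `pw` violates (an empty list means it passes)."""
    problems = []
    chars = set(pw)
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    missing = [label for label, cls in (("upper case", UPPER), ("lower case", LOWER),
                                        ("number", DIGIT), ("special", SPECIAL))
               if not chars & cls]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    # Numbers and specials belong toward the middle: the slide says a lone one must
    # not be first or last, and that the last character is the one crackers see in
    # the clear. Applied here to every password, not only when there is a lone one.
    if pw and (pw[0] not in LETTERS or pw[-1] not in LETTERS):
        problems.append("first and last characters should be letters")
    lowered = pw.lower()
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in wordlist or letters_only in wordlist:
        problems.append("is a dictionary or slang word")
    hits = sorted(t for t in _personal_tokens(name, email) if t in lowered)
    if hits:
        problems.append("contains part of name or e-mail: " + ", ".join(hits))
    if len(chars) == 1:
        problems.append("repeated single character")
    return problems


if __name__ == "__main__":
    # The four cases quoted on the slide, with the time the slide's cracker would need.
    for label, size, length in (("6 letters, one case", 26, 6), ("6 letters, mixed case", 52, 6),
                                ("8 letters, mixed case", 52, 8), ("8 mixed case + digits", 62, 8)):
        secs = seconds_to_exhaust(size, length)
        print(f"{label:24s} {keyspace(size, length):>18,d} combinations, {secs / 86400:14,.1f} days")
    for pw in ("password", "AAAAAA", "Jane2024!", "Tr7$uvQa"):
        print(pw, check_password(pw, name="Jane Doe", email="jdoe@example.com") or "passes")
```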

The password used for logging on to your office computer should be different from the
password you use to log in to a web site on the Internet. The password used to log in to a web
site is far more exposed to potential compromise. Any time you log in over an external network,
your password is vulnerable to being stolen unless it is encrypted. Using a separate and unique
password for your office computer helps protect the security of the office network.

Once you have selected an effective password, protect it. Resist the temptation to write your
password down. If you do, keep it with you until you remember it, then shred it! NEVER leave a
password taped onto a terminal or written on a whiteboard. You wouldn't write your PIN code on
your automated teller machine (ATM) card, would you? You should have different passwords for
different accounts, but not so many passwords that you can't remember them. Do not allow
anyone to observe your password as you enter it during the logon process.

Do not disclose your password to anyone, not even to your systems administrator or
maintenance technician. They have no need to know it. They have their own password with
system privileges that will allow them to work on your account without the need for you to reveal
your password. If a system administrator or maintenance technician asks you for your
password, be suspicious (for reasons discussed under “Social Engineering”.).

Use a password-locked screensaver to make certain no one can perform any activity under
your User ID while you are away from your desk. These can be set up so that they activate after
the computer has been idle for a while. Strange as it may seem, someone coming around to
erase or sabotage your work is not uncommon. Or imagine the trouble you could have if nasty
e-mail messages were sent to your boss or anyone else from your computer, or your account
were used to transfer illegal pornography.
E-Mail Pitfalls

E-mail has several vulnerabilities, each of which is discussed in greater detail below:

Lack of Privacy
– Sending e-mail is like sending a postcard through the mail. Just as the mailman and others
have an opportunity to read a postcard, network eavesdroppers can read your e-mail as it
passes through the Internet from computer to computer. E-mail is transmitted over a public
network where you have no right to expect privacy. It is not like a telephone call, where
privacy rights are protected by law.
– The courts have repeatedly sided with employers who monitor their employees' e-mail or
Internet use. In an American Management Association poll, 47% of major companies
reported that they store and review their employees' e-mail. Organizations do this to protect
themselves against lawsuits, because the organization can be held liable for abusive,
harassing, or otherwise inappropriate messages sent over its computer network. In the
same poll, 25% of companies reported that they have fired employees for misuse of the
Internet or office e-mail. [5]
  • In the past couple years, The New York Times fired 23 employees for exchanging off-color e-mail.
Xerox fired 40 people for inappropriate Internet use. Dow Chemical fired 24 employees and
disciplined another 230 for sending or storing pornographic or violent material by e-mail. [1]
  • Several years ago, Chevron Corp. had to pay $2.2 million to plaintiffs who successfully brought a
suit of sexual harassment, in part because an employee sent an e-mail to coworkers listing the
reasons why beer is better than women. [2]
Inability to Fully Erase
– The seemingly informal and temporary aspect of e-mail encourages people to use it to say things they
would never commit to paper. But e-mail is like a cat with nine lives. It keeps coming back. It is almost
impossible to eliminate all traces of an e-mail message.
– Most e-mail messages remain retrievable on your hard drive and the recipient’s hard drive long after you
think they have been "deleted," as discussed under Security of Hard Drives.
– The recipient may have archived the message or transmitted it to others.
– Computer servers routinely make back-ups of user accounts. One of the top priorities for any computer
system manager is to make sure he or she never loses any important information on the computer
network. They archive backup tapes that record everything.
– In short, e-mail messages sent years ago may live on in taped storage or on a hard drive beyond the
reach of your delete key. You never know when an impulsive or ill-advised e-mail message will come
back to haunt you. Three and four-year-old e-mail messages have played key roles as evidence in
several high profile court cases.

Remote Access
– If you can gain access to your e-mail from afar via the Internet, while traveling, others may be able to do
the same thing without your knowledge. An eavesdropper would only have to know the modem phone
number and then also know, guess, or be able to crack your password. The vulnerability is similar to that
discussed under Voice Mail. See Weak Passwords to learn how easy it is to guess or crack weak
passwords.

Uncertain Origin
– It is easy to forge an e-mail message so that it appears to come from someone else or from some other
location. Incoming e-mail from someone you do not know is always questionable, as the sender may not
be who he or she claims to be. For example, a marketing survey that purports to come from a U.S.
company may actually originate overseas and be part of a foreign intelligence collection operation. See
Obtaining Information under False Pretenses.
Ease of Accidental Compromise

When you exchange e-mail with a colleague, it may seem like a cozy, private conversation.
"Legally and technologically, however, you are as exposed as dummies in a department store
window." [3] Classified information must never be sent via e-mail. Sensitive but unclassified
information should be encrypted prior to sending by e-mail whenever practical. Any
inappropriate language of any type must be avoided.

E-mail is so easy to use that it is also easy to thoughtlessly or accidentally send others
information they shouldn’t have. E-mail is a frequent source of security compromise. Here are
two examples. In the first case, the e-mail writer put classified information into what he
mistakenly thought was a private message to a few colleagues with security clearances. The
second is a situation that often arises in offices that have both classified and unclassified
networks.

A few hours after participating in the successful rescue of an F-16 fighter pilot downed in Bosnia,
an excited U.S. Air Force pilot sat down at his computer and banged out a first-hand account of
the mission. He hooked up to the Internet and sent the account by e-mail to Air Force friends at
other bases, scooping the media coverage of the rescue. Friends passed it on to their friends
until it was seen by thousands of people and posted on an America Online bulletin board
accessible to millions. The account contained classified radio frequencies, pilot code names,
exact times and weapons loads for the mission, etc. The pilot explained that he had intended
the account to be a personal communication to other cleared officers and not for public review.
But he was badly wrong on two counts. First, you don't put classified information in an
unclassified e-mail message under any circumstances. Second, nothing that goes on the
Internet is personal or private. [4]
Transmission of Viruses

Mail programs generally allow files to be included as attachments to mail messages.
The files that come by mail are files like any other. Any way in which a file can find its
way onto a computer is potentially dangerous. If the attached file is only a text
message, the risk is limited. If the attached file is a program, an executable script, or
a data file which contains a macro, extreme caution should be applied before running
it, as this is the means by which many viruses and other types of malicious logic are
spread.
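The triage the paragraph above describes (plain text is low risk; programs, scripts and macro-bearing documents need extreme caution) can be automated. This is an added example, not code from the original material; the extension lists, the verdict labels and the in-memory sample attachments are assumptions chosen for illustration.

```python
"""Triage of e-mail attachments by the risk classes the text describes.

Constructed example; not part of the original training material.  The
extension lists, the in-memory sample attachments and the verdict labels
are assumptions chosen for illustration.
"""
import io
import zipfile
from pathlib import PurePosixPath

# Programs and executable scripts: the class to treat with extreme caution.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".js", ".wsf", ".hta", ".jar", ".ps1"}
# Legacy Office binaries may embed a macro but are not inspected here.
LEGACY_OFFICE_EXTS = {".doc", ".xls", ".ppt", ".dot", ".xlt"}
# OOXML documents are zip containers; a VBA macro is stored as vbaProject.bin.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm",
              ".pptx", ".pptm", ".potm"}
TEXT_EXTS = {".txt"}


def ooxml_has_macro(data: bytes) -> bool:
    """True if an OOXML container carries a VBA project part.

    Raises zipfile.BadZipFile when the bytes are not a zip container at all.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(PurePosixPath(n).name.lower() == "vbaproject.bin"
                   for n in zf.namelist())


def triage_attachment(name: str, data: bytes) -> dict:
    """Classify one attachment as low / medium / high / unknown risk."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    ext = suffixes[-1] if suffixes else ""
    reasons = []
    if ext in EXECUTABLE_EXTS:
        # "holiday.jpg.exe": the harmless-looking inner extension masks the
        # real one, a masquerade used by mailed malware and infected shares.
        if len(suffixes) > 1:
            reasons.append(f"double extension {''.join(suffixes)}")
        reasons.append("program or executable script")
        return {"name": name, "risk": "high", "reasons": reasons}
    if ext in OOXML_EXTS:
        try:
            has_macro = ooxml_has_macro(data)
        except zipfile.BadZipFile:
            reasons.append("named as an Office document but not a zip container")
            return {"name": name, "risk": "high", "reasons": reasons}
        if has_macro:
            reasons.append("Office document contains a VBA macro (vbaProject.bin)")
            return {"name": name, "risk": "high", "reasons": reasons}
        reasons.append("Office document without a macro part")
        return {"name": name, "risk": "medium", "reasons": reasons}
    if ext in LEGACY_OFFICE_EXTS:
        reasons.append("legacy Office file; may embed a macro, open with macros disabled")
        return {"name": name, "risk": "medium", "reasons": reasons}
    if ext in TEXT_EXTS:
        reasons.append("plain text; limited risk")
        return {"name": name, "risk": "low", "reasons": reasons}
    reasons.append("unrecognised type; have it checked before opening")
    return {"name": name, "risk": "unknown", "reasons": reasons}


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed macro blob")
    return buf.getvalue()


# Constructed sample attachments, one per verdict.
SAMPLES = [
    ("minutes.txt", b"Meeting notes"),
    ("report.docx", make_ooxml(with_macro=False)),
    ("invoice.docm", make_ooxml(with_macro=True)),
    ("holiday.jpg.exe", b"MZ\x90\x00"),
    ("budget.xls", b"\xd0\xcf\x11\xe0"),
    ("quarterly.xlsx", b"not a zip container"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        verdict = triage_attachment(name, data)
        print(f"{verdict['risk']:<7} {name}: {'; '.join(verdict['reasons'])}")
```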

One of the more dangerous types of malicious logic spread in this manner is a
"Trojan Horse" that allows a remote user to access and control your computer via the
Internet without your knowledge. One of these Trojan Horses was originally
developed as a means of playing pranks on friends. When installed on another
person's computer, you can control that computer via the Internet. For example, you
can make the CD-ROM tray on that person's computer pop out repeatedly for no
discoverable reason, or reverse the functions of the left and right buttons on the
person's mouse. However, you can also read, change, or copy all the person's files
without his or her knowledge. This Trojan Horse can be snuck onto someone's
computer by burying it in a game program or other executable script sent by e-mail.

Happily, all known versions of this Trojan Horse are caught by any good virus
checker. However, about 200 to 300 new viruses are being created each month, so
your virus checker is rarely capable of detecting all malicious logic.
“Social Engineering”

"Social engineering" is hacker-speak for conning legitimate computer users into
providing useful information that helps the hacker gain unauthorized access to their
computer system.

The attacker using social engineering usually poses as a legitimate person in the
organization and tricks computer users into giving useful information. This is usually
done by telephone, but it may also be done by forged e-mail messages or even an
in-person visit.

Most people think computer break-ins are purely technical, the result of technical
flaws in computer systems that the intruders are able to exploit. The truth is,
however, that social engineering often plays a big part in helping an attacker slip
through the initial security barriers. Lack of security awareness or gullibility of
computer users often provides an easy stepping stone into the protected system in
cases when the attacker has no authorized access to the system at all.

In testimony before Congress after he was released from jail, our country's most
notorious computer hacker, Kevin Mitnick, told the lawmakers that the weakest
element in computer security is the human element. "I was so successful in [social
engineering] that I rarely had to resort to a technical attack," Mitnick explained. He
added that "employee training to recognize sophisticated social engineering attacks
is of paramount importance."1
“Social Engineering” Cont.

As an example of how it is done, here is a quick summary of Case 2, a successful
hacking operation based almost entirely on social engineering:

Posing as someone from the public relations department, the hackers called an
executive's secretary and succeeded in obtaining the executive's employee number.
A second call exploited the knowledge of the executive's employee number in order
to obtain the executive's cost center number, which was then used to receive
overnight courier service delivery of the company’s internal phone directory.

The hackers called the office in charge of new employees and were able to obtain a
list of new employees.

Posing as information systems employees, the hackers told the new employees that
they wanted to give them a computer security awareness briefing over the phone.
During this process, the hackers obtained "basic" information including the types of
computer systems used, the software applications used, the employee number, the
employee's computer ID, and their password.

Using a "war dialer" together with a call to the company's computer help desk, the
hackers obtained the phone numbers of the company modems.

They then called the modems and used the compromised computer IDs and
passwords to gain access to the system.
“Social Engineering” Cont.
Common “Social Engineering” scenarios

The attacker pretends to be a legitimate end-user who is new to the system or is
simply not very good with computers. The attacker may call systems administrators
or other end-users for help. This "user" may have lost his password, or simply can't
get logged into the system and needs to access the system urgently. The attacker
may sound really lost so as to make the systems administrator feel that he is, for
example, helping a damsel in distress. This often makes people go way out of their
way to help.

The attacker pretends to be a VIP in the company, screaming at administrators to get
what he wants. In such cases, the administrator (or it could be an end-user) may feel
threatened by the caller's authority and give in to the demands.

The attacker takes advantage of a system problem that has come to his attention,
such as a recently publicized security vulnerability in new software. The attacker
gains the user's trust by posing as a system administrator or maintenance technician
offering help. Most computer users are under the mistaken impression that it is okay
to reveal their password to computer technicians.

The attacker posing as a system administrator or maintenance technician can
sometimes persuade a computer user to type in computer commands that the user
does not understand. Such commands may damage the system or create a hole in
the security system that allows the attacker to enter the system at a later time.
“Social Engineering” Cont.
Recommendations

Computer security experts recommend the following measures to outsmart a hacker:
– If you cannot personally identify a caller who asks for personal information about you or
anyone else (including badge number or employee number), for information about your
computer system, or for any other sensitive information, do not provide the information.
Insist on verifying the caller’s identity by calling them back at their proper telephone number
as listed in your organization’s telephone directory. This procedure creates minimal
inconvenience to legitimate activity when compared with the scope of potential losses.
– Remember that passwords are sensitive. A password for your personal account should be
known ONLY to you. Systems administrators or maintenance technicians who need to do
something to your account will not require your password. They have their own password
with system privileges that will allow them to work on your account without the need for you
to reveal your password. If a system administrator or maintenance technician asks you for
your password, be suspicious.
– Systems maintenance technicians from outside vendors who come on site should be
accompanied by the local site administrator (who should be known to you). If the site
administrator is not familiar to you, or if the technician comes alone, it is wise to give a call
to your known site administrator to check if the technician should be there. Unfortunately,
many people are reluctant to do this because it makes them look paranoid, and it is
embarrassing to show that they do not trust a visitor.
– If you feel you have thwarted or perhaps been victimized by an attempt at social
engineering, report the incident to your manager and to security personnel immediately.
Viruses & Other "Infections"

A virus is a small, self-contained piece of computer code hidden within another computer program. Like a real
virus, it can reproduce, infect other computers, and then lie dormant for months or years before it strikes. A
virus is only one of several types of "malicious logic" that can harm your computer or your entire network.

Worms, logic bombs, and Trojan Horses are similar "infections" commonly grouped with computer viruses. A
computer worm spreads like a virus but is an independent program rather than hidden inside another
program. A logic bomb is a program normally hidden deep in the main computer and set to activate at some
point in the future, destroying data. A Trojan Horse masquerades as a legitimate software program. It waits
until triggered by some pre-set event or date and then delivers a payload that may include destroying files or
disks.

Some viruses are high-tech pranks not intended to cause damage. For example, a virus may be designed to
conceal itself until a predetermined date, then flash a message on all network computers. Even pranks,
however, are not benign. They steal computer memory, storage, and processing time.

Of greatest concern, of course, are viruses and other devices that are deliberately malicious. They are
intended to cause serious damage such as deleting files, providing access for an outsider to copy your files, or
disrupting the operation of an entire computer network or organization.

From an information security point of view, one of the more dangerous types of malicious logic is a Trojan
Horse that allows a remote user to access and control your computer without your knowledge whenever you
are on the Internet. One of these Trojan Horses was originally developed as a means of playing pranks on
friends. When installed on another person's computer, you can control that computer via the Internet. For
example, you can make the CD-ROM tray on that person's computer pop out repeatedly for no discoverable
reason, or reverse the functions of the left and right buttons on the person's mouse. However, you can also
read, change, or copy all the person's files without his or her knowledge. This Trojan Horse can be snuck onto
someone's computer by burying it in a game program or other executable script sent by e-mail. Happily,
known versions of the program will be caught by a good virus checker.
Viruses & Other "Infections" Cont.

The virus threat is increasing for several reasons:
– Creation of viruses is getting easier. The same technology that makes it easier to create legitimate
software is also making it easier to create viruses, and virus construction kits are now available on the
Internet. About 200 to 300 new viruses are being created each month, while the old ones continue to
spread.1
– The increased use of portable computers, e-mail, remote link-ups to servers, and growing links within
networks and between networks mean that any computer that has a virus is far more likely to
communicate with -- and infect -- other computers and servers than would have been true a few years
ago.
– You can catch a virus by launching an infected application or starting up your computer from a disk that
has infected system files. Once a virus is in memory, it usually infects any application you run, including
network applications (if you have write access to network folders or disks). A properly configured network
is less susceptible to viruses than a stand-alone computer.
– When you interact with another computer, the virus may automatically reproduce itself in the other
computer. Once a virus infects a single networked computer, the average time required to infect another
workstation in the same network is from 10 to 20 minutes -- meaning a virus can paralyze an entire
organization in a few hours.3
– Not all viruses, worms, logic bombs, and Trojan Horses are transmitted through infected software
brought in from outside the organization. Some of the most damaging are implanted by disaffected
insiders. For example:

A computer programmer at a Fort Worth, Texas, insurance firm was convicted of computer sabotage for planting
malicious software code that wiped out 168,000 payroll records two days after he was fired.
Viruses & Other "Infections" Cont.
Countermeasures

Your organization has policies and tools for countering the threat of viruses. In order to avoid security or
system maintenance problems, many organizations require that all software be installed by a system
administrator. Some organizations require that any diskette you bring into the building be tested for viruses
before being used. Others do not. Consult your system administrator to learn the correct procedures in your
organization.

Be sure you know how your virus detection software works. If it indicates your system has a virus problem,
report it immediately to your system administrator and then to the person you believe may have passed the
virus to you. It is important to remain calm. There are many virus hoaxes as well as real viruses, and a virus
scare can cause as much delay and confusion as an actual virus outbreak. Before announcing the virus
widely, make sure you verify its presence using a virus detection tool, if possible, with the assistance of
technically competent personnel.

The following procedures will help lower the risk of infection or amount of damage if the worst does happen.
– Don't be promiscuous. Most risk of infection by viruses can be eliminated if you are cautious about what programs are
installed on your computer. If you are unaware of or unsure of the origin of a program, it is wise not to run it. Do not
execute programs or reboot using old diskettes unless you have reformatted them, especially if the old diskettes have
been used to bring software home from a trade show or another security-vulnerable place.
– Excellent virus-checking and security audit tools are available. Use them and, if possible, set them to run automatically
and regularly. Update your virus checker regularly, as many new viruses are created each month.
– Notice the unusual. Be familiar with the way your system works. If there is an unexplainable change (for instance, files you
believe should exist are gone, or strange new files are appearing and disk space is "vanishing"), you should check for the
presence of viruses.
– Back up your files. If worst comes to worst, you can restore your system to its state before it was infected.
Viruses & Other "Infections" Cont.
Spyware

Is a program monitoring your computer activity while you are online without your permission? Is your name
being stripped from these findings and compiled with the statistics of many other users? Is a summary of your
Net activity being sold to Net advertisers so they may more effectively profile users in order to better target
their advertising?

The answers to these questions and the questions themselves are the subject of a current moral and ethical
debate. Some users find it intrusive or just plain sneaky to discover that they have unwittingly installed a
program/applet/cookie that feeds information about their usage back to a third party. While it cannot be said
that spyware or adware is currently illegal, there has been legislation proposed in the United States about this
ethical dilemma.

If your computer starts to behave strangely or displays any of the symptoms listed below, you may have
spyware or other unwanted software installed on your computer.
– I see pop-up advertisements all the time. Some unwanted software will bombard you with pop-up ads that aren't related to
a particular Web site you're visiting. These ads are often for adult or other Web sites you may find objectionable. If you
see pop-up ads as soon as you turn on your computer or when you're not even browsing the Web, you may have spyware
or other unwanted software on your computer.
– My settings have changed. Some unwanted software has the ability to change your home page or search page settings.
This means that the page that opens first when you start your Internet browser or the page that appears when you select
"search" may be pages that you do not recognize. Even if you know how to adjust these settings, you may find that they
revert back every time you restart your computer.
– My Web browser contains additional components that I didn’t download. Spyware and other unwanted software can add
additional toolbars to your Web browser that you don't want or need. Even if you know how to remove these toolbars, they
may return each time you restart your computer.
– My computer seems sluggish. The resources spyware and other unwanted software use to track your activities and
deliver advertisements can slow down your computer, and errors in the software can make your computer crash. If you
notice a sudden increase in the number of times a certain program crashes, or if your computer is slower than normal at
performing routine tasks, you may have spyware or other unwanted software on your machine.
P2P

Peer-to-Peer (P2P) file-sharing is now an unavoidable part of Internet life. Because of its large user base,
P2P networks can offer any ordinary user literally billions of files that are available for download with a simple
click of a mouse. Anyone connected to one of these networks can share and download virtually any file in
existence, from the latest hot music track and Hollywood blockbuster, to obscure textbooks and rare foreign
texts. Best of all, most P2P networks as well as much of their contents are accessible at no cost!

Yet the downside to P2P file sharing is that it is inherently insecure and lives on the fringes of legality. Badly-coded
clients, viruses and Trojans, and potential lawsuits are just some of the many threats that users must
face when they venture into the untamed wilderness of the P2P world.

Some serious issues facing P2P users include:

1 - Worms, Trojans, Backdoors and Viruses
– The biggest viral threat comes from the sharing, unintended or not, of infected files. Some users do not know that they
have been infected and they put up their file collection for the world to download, thus putting other users at risk. Others
intentionally distribute malware, ranging from the casual script kiddie who wants to feel empowered, to a hacker who shares
a Trojan to allow him full control over another computer. Harmful files often carry filenames of popular files, masquerading
as a benign object to increase their chance of being downloaded, and waiting for an unsuspecting user to trigger their
nefarious charge.
– Recently, some viruses were specifically made for P2P distribution. Their effects include installing backdoors on victims'
machines for easy access by remote attackers, putting up entire drives for sharing, and mass-mailing. These worms make
copies of themselves in the P2P client's shared folder, posing as popular files that will entice others to download and
run them.
– Even more worrisome is the fact that some P2P clients might be harbouring backdoors for questionable purposes. In the
past, a backdoor from Brilliant Digital Entertainment was bundled with KaZaA. This backdoor can be turned on remotely to
create an entirely new network unbeknownst to the user. The company intended to use this backdoor to commandeer and
resell unused computing resources like disk space, bandwidth and CPU time, across the whole network, all without
compensating the users. Another example is EarthStation 5 (ES5 or ESV), in which users discovered a hidden feature that
enabled the remote deletion of their files on their computers. Though the developers of ES5 claimed that this was the
remnant of an abandoned automatic update feature, many in the P2P community are still suspicious of the makers' true
intentions.
P2P Cont.


2 - Fake files
– Because anyone can share anything, it is very hard sometimes to tell whether the files one is downloading are indeed the
authentic files. Media giants offer apparently popular music or films to sniff out copyright violators in an effort to try to
protect their products from being distributed illegally online. Anyone who has recently downloaded popular music tracks
from KaZaA and the like can tell you just how many bogus files are out there. More of an annoyance than a harm, this
practice is mostly perpetrated by large record labels trying to curb the sharing of copyrighted material and to track which
users attempted to copy them. As well, by flooding the network with useless material they hope to decrease the popularity
of P2P.
– On a darker note, this trend might encourage some companies with questionable business practices, in the name of
protecting their products from piracy, to go beyond simply releasing decoys and distribute programs posing as working
versions of their products that secretly sabotage a user's machine.
– Most P2P clients claim to be able to tell whether a file is authentic or not by generating a unique hash for each file and
using this fingerprint to identify files, but some clients like KaZaA only implement this scheme halfway. The hashes these
clients generate are based on only certain parts of the files, so many corrupt downloads would have the same fingerprint
as their real counterparts.
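The partial-hash weakness just described can be shown concretely. This is an added example, not the page's or any client's own code: the "head and tail only" scheme below is a simplified stand-in for hashing only certain parts of a file, not a reproduction of any real client's algorithm, and the 2 MiB download is constructed.

```python
"""Full-file hash versus partial-content hash for checking downloads.

Constructed example; not part of the original text.  The partial scheme
below (hash only the first and last 300 KB) is a simplified stand-in for
the "certain parts of the file" approach the text attributes to some
clients, not a reproduction of any real client's algorithm.
"""
import hashlib
import io

HEAD_TAIL = 300 * 1024   # assumption: size of the head and tail regions hashed


def partial_hash(data: bytes) -> str:
    """The weak scheme: fingerprint only the head and tail of the file."""
    h = hashlib.sha1()
    h.update(data[:HEAD_TAIL])
    h.update(data[-HEAD_TAIL:])
    return h.hexdigest()


def full_hash(data: bytes) -> str:
    """The sound scheme: every byte contributes to the fingerprint."""
    return hashlib.sha256(data).hexdigest()


def full_hash_stream(fileobj, bufsize: int = 1 << 16) -> str:
    """Same as full_hash but streamed, so a large download need not fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(bufsize), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(expected: str, data: bytes, hasher) -> bool:
    """Accept the download only if its fingerprint matches the published one."""
    return hasher(data) == expected


def corrupt_middle(data: bytes, offset: int, payload: bytes) -> bytes:
    """Constructed corruption: overwrite bytes deep inside the file."""
    return data[:offset] + payload + data[offset + len(payload):]


# Constructed 2 MiB "download" and a copy with garbage written at the 1 MiB
# mark, outside the head and tail regions the partial scheme looks at.
ORIGINAL = bytes(range(256)) * (2 * 1024 * 1024 // 256)
TAMPERED = corrupt_middle(ORIGINAL, 1024 * 1024, b"CONSTRUCTED GARBAGE")


def compare_schemes() -> dict:
    """Does each scheme accept the tampered copy as the genuine file?"""
    return {
        "partial_accepts_tampered": verify(partial_hash(ORIGINAL), TAMPERED, partial_hash),
        "full_accepts_tampered": verify(full_hash(ORIGINAL), TAMPERED, full_hash),
        "stream_matches_full": full_hash_stream(io.BytesIO(ORIGINAL)) == full_hash(ORIGINAL),
    }


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(f"{scheme}: {result}")
```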
3 - Spyware/Adware
– Many P2P clients claim to be free of charge - but are they? To subsidize the development cost, some developers
partnered up with advertising companies to include spyware and adware in the P2P program. In exchange for a share of
the marketing revenue, the marketers can have access to a large pool of potential consumers that they can track, analyze,
and target with customized advertising. Besides the annoyance of targeted ads, the ability to track a user's online activity
and send reports back to an online monitor virtually removes the anonymity of the Internet. While some argue that
tracking is harmless since the common user has no covert activity to hide from anyone, it still is a serious violation of
privacy rights.
– One of the more notorious examples is KaZaA. Bundled with the P2P client is Cydoor, a hidden application that tracks a
user's Internet-related activities. Like many other programs with spyware/adware, KaZaA would no longer run if Cydoor is
removed, forcing users to trade away their privacy in exchange for access to the FastTrack network.
P2P Cont.


4 - Buggy or improperly configured software
– Not all P2P clients are made the same. Some are developed by ragtag teams following ad-hoc plans, resulting in barely
functional, extremely buggy clients that are prone to security breaches. Even popular software is not immune; in the past,
various FastTrack network clients like KaZaA had vulnerabilities that enabled someone to remotely crash the client.
Recently, a security leak was found in eMule, an eDonkey client, which permitted a remote attacker to execute arbitrary
code on the victim's machine.
– In the hands of an inexperienced user, even a well-written P2P client could be doomed to disaster. A P2P novice can
accidentally share a whole hard drive, enabling any fellow file sharer to gaze at the user's private, perhaps
highly confidential, documents, whether personal information or business data. A user may also enable features that
could potentially compromise system security. For example, a KaZaA user could set his/her computer as a Supernode, a
feature known to be vulnerable to buffer overflows.
5 - Copyright issues
– With all the media hype surrounding reports of P2P users being sued by big record companies, one cannot ignore the
issue of copyright violations. Once again, due to the decentralized nature of the network and the fact that no one single
entity has de-facto control of what gets shared, there is an enormous amount of copyrighted works that are being illegally
distributed without the consent of their creators or rightful owners. Coupled with the fact that true online anonymity does
not exist yet, users who inadvertently share copyrighted work can expose themselves to expensive litigation.
– In the USA, one of the fiercest battles pitting P2P users against copyright holders is music sharing. The Recording Industry
Association of America and its associates are actively prosecuting American file sharers for copyright infringement
because the trade group alleges that music sharing is the principal cause of flagging sales. Though Canada's RIAA
counterpart, SOCAN, was dealt a series of setbacks by various court rulings that prevent it from using U.S. tactics, some
of these decisions are currently being appealed. It should be noted that as of January 2004 it has been deemed legal for
users to download music in Canada provided it is for their own use and not for redistribution or sale.
– Music is not the only problematic issue when it comes to filesharing. Peer-to-peer networks are teeming with pirated
software and bootlegged movies. Some observers predict that other industry trade groups might follow suit by launching
their own lawsuits against online copyright infringers.
Insecure Modems

A computer presents very little risk if it's by itself. The problem arises when it's hooked up to a modem. A modem is a
communications device that allows your computer to talk with another computer. Modem is short for modulator/demodulator. It
is, basically, a telephone for your computer. It converts the computer's output to a format that can be sent over telephone lines.

If your computer has a modem connected to the Internet, it is like you are living in a high-crime neighborhood. You must take
appropriate precautions. The modem connection can be a significant vulnerability. Any unauthorized modem is a serious
security concern.

Hackers commonly use a tool known as a "war-dialer" to identify the modems at a target organization. A war-dialer is a
computer program that automatically dials phone numbers within a specified range of numbers. Most organizations have a block
of sequential phone numbers. If you have one number for the organization, it is usually correct to assume that most other
numbers are within a limited range of numbers either higher or lower than that number.

By dialing all numbers within the targeted range, the war-dialer identifies which numbers are for computer modems and
determines certain characteristics of those modems. The hacker then uses other tools to attack the modem to gain access to
the computer network. Effective war-dialers can be downloaded from the Internet at no cost.

In one test of corporate security, a computer dialed a block of 1,500 numbers in the space of 16 hours and identified 55
modems.1 As a countermeasure to war-dialers, many organizations have equipment that detects rapid sequential dialing and
shuts it down. On the other hand, some war-dialers are designed to avoid this type of detection.
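The countermeasure mentioned above, detecting a sweep of the organization's number block, can be implemented over call records. This is an added example, not equipment or code from the original material; the record layout, the number block, the thresholds and every phone number are constructed. Counting distinct destinations in a sliding window also covers the evasion the text mentions, a dialer that shuffles its order or slows its pace.

```python
"""Detecting a war-dialer sweep of an organization's phone block in call records.

Constructed example; not part of the original text.  The record layout,
the number block, the thresholds and every number below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BLOCK_PREFIX = "555-01"           # assumption: the organization owns 555-0100..555-0199
WINDOW = timedelta(minutes=10)    # sliding window per calling number
THRESHOLD = 8                     # distinct block numbers dialed inside one window


def parse_cdr(line: str):
    """Parse one constructed call-detail record: '<ISO time> <caller> <called>'."""
    ts, caller, called = line.split()
    return datetime.fromisoformat(ts), caller, called


def dialing_pattern(numbers) -> str:
    """'sequential' when consecutive calls step by exactly one, else 'randomized'."""
    last4 = [int(n[-4:]) for n in numbers]
    steps = [b - a for a, b in zip(last4, last4[1:])]
    if steps and all(s == steps[0] and abs(s) == 1 for s in steps):
        return "sequential"
    return "randomized"


def detect_war_dialing(lines) -> dict:
    """Return {caller: alert} for callers that sweep the block.

    Counting distinct destinations in a sliding window, rather than looking
    only for ascending numbers, also catches a dialer that shuffles its order
    or paces itself to dodge a simple 'rapid sequential dialing' check.
    """
    calls = defaultdict(list)
    for line in lines:
        ts, caller, called = parse_cdr(line)
        if called.startswith(BLOCK_PREFIX):
            calls[caller].append((ts, called))
    alerts = {}
    for caller, events in calls.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            distinct = {called for _, called in window}
            if len(distinct) >= THRESHOLD and caller not in alerts:
                alerts[caller] = {
                    "first_seen": window[0][0],
                    "distinct": len(distinct),
                    "pattern": dialing_pattern([called for _, called in window]),
                }
    return alerts


def constructed_log() -> list:
    """Constructed call records: normal traffic plus two sweeps."""
    base = datetime(2004, 3, 2, 1, 0, 0)
    lines = [f"{base.isoformat()} 555-7700 555-0142",
             f"{(base + timedelta(minutes=4)).isoformat()} 555-7700 555-0142"]
    # Sweep 1: ascending numbers, one call every 30 seconds.
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()} 555-9001 555-01{i:02d}")
    # Sweep 2: shuffled order, one call per minute, caller ID withheld.
    for i, n in enumerate([37, 5, 91, 12, 58, 44, 76, 23, 60, 9]):
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()} withheld 555-01{n:02d}")
    return lines


if __name__ == "__main__":
    for caller, alert in detect_war_dialing(constructed_log()).items():
        print(f"{caller}: {alert['distinct']} block numbers from {alert['first_seen']}, {alert['pattern']}")
```

Keying every caller-ID-withheld call under one "withheld" entry is a simplification that can lump unrelated callers together; real telephony equipment keys on the trunk or line the calls arrive on.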

The problem is that a modem is a means of bypassing the "firewall" that protects your network from outside intruders. A hacker
using a "war-dialer" to identify the modem telephone number and a password cracker to break one weak password can gain
access to the system. Due to the nature of computer networking, once a hacker connects to that one computer, the hacker can
often connect to just about any other computer in the network.2

It is possible to have a secure connection to the Internet, but it must meet certain requirements. The connection must be
configured properly with the latest security equipment, and all employees who are authorized to access their office computers
via the Internet from home or while traveling must use strong passwords. Too often, however, these conditions are not met.
Security of Hard Drives and Laptops

Secrets in the computer require the same protection as secrets on paper. Information can usually be
recovered from a computer hard drive even after the file has been deleted or erased by the computer user. It
has been estimated that about a third of the average hard drive contains information that has been "deleted"
but is still recoverable.1
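Why "deleted" data stays recoverable, and what a wipe utility changes, can be shown with a toy model. This is an added example, not from the original text and not a real file system: a byte array stands in for the disk and a dict for the directory, and the secret string is constructed.

```python
"""Why a deleted file is still recoverable, and what a wipe utility changes.

Constructed toy model; not part of the original text and not a real file
system.  A byte array stands in for the disk and a dict for the directory.
Real file systems differ in detail but share the property shown here:
deleting a file updates metadata and leaves the data blocks in place.
"""
import os

BLOCK_SIZE = 16


class ToyDisk:
    def __init__(self, blocks: int):
        self.media = bytearray(blocks * BLOCK_SIZE)   # the raw platter
        self.free = list(range(blocks))               # free block list
        self.directory = {}                           # name -> block numbers

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: drop the entry, free the blocks, touch no data."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name: str, passes: int = 1) -> None:
        """What a wipe utility does: overwrite every block, then delete."""
        for b in self.directory[name]:
            for _ in range(passes):
                self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
        self.delete(name)

    def raw_contains(self, marker: bytes) -> bool:
        """Scan the raw media, ignoring the directory, as a recovery tool would."""
        return self.media.find(marker) != -1


def demo() -> dict:
    """Is the constructed secret still on the media after each action?"""
    secret = b"SECRET: constructed payroll data"

    deleted = ToyDisk(8)
    deleted.write("payroll.txt", secret)
    deleted.delete("payroll.txt")

    reused = ToyDisk(8)
    reused.write("payroll.txt", secret)
    reused.delete("payroll.txt")
    reused.write("memo.txt", b"unrelated memo")   # new file lands on other free blocks

    wiped = ToyDisk(8)
    wiped.write("payroll.txt", secret)
    wiped.wipe("payroll.txt")

    return {
        "after_delete": deleted.raw_contains(secret),
        "after_delete_and_new_file": reused.raw_contains(secret),
        "after_wipe": wiped.raw_contains(secret),
    }


if __name__ == "__main__":
    for action, found in demo().items():
        print(f"{action}: {'recoverable' if found else 'gone'}")
```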

Computers on which classified information is prepared must be kept in facilities that meet specified physical
security requirements for processing classified information. If necessary to prepare classified information in a
non-secure environment, use a typewriter or a removable hard drive or laptop that is secured in a safe when
not in use.

Laptop computers are a particular concern owing to their vulnerability to theft.
– Laptop computers are a prime target for theft from your office, your home, or at airports, hotels, railroad terminals and on
trains while you are traveling. They are an extremely attractive target for all types of thieves, as they are small, can be
carried away without attracting attention, and are easily sold for a good price. They are also a favorite target for
intelligence collectors, as they concentrate so much valuable information in one accessible place.
– Safeware, the largest insurer of personal computers in the United States, paid claims for the theft of 319,000 laptop
computers during 1999.1 Of course, most laptops are not insured, so this is only a small fraction of the total number of
laptop computers that were stolen during that year.
– When a laptop is stolen, you don't know whether it was taken for the value of the information on the computer or for the
value of the computer itself. This makes it difficult to assess the damage caused by the loss.
– This topic offers guidelines for keeping your laptop from being stolen, discusses technical measures for protecting
information on the laptop if it is stolen or entered surreptitiously, and notes special problems relating to traveling overseas
with your laptop.
Security of Laptops Cont.
Protection of Laptops

The basic rule for protecting your laptop is to treat it like your wallet or purse. Your laptop is a more attractive
target for thieves than your wallet or purse, and if you lose your laptop, the cost to you in money and
inconvenience is probably greater than if you lose your wallet or purse. If your laptop has sensitive
government, commercial, or scientific data on it, the loss may be valued in the millions.

Even in your office, unless it is a controlled secure area, it is advisable to keep your laptop out of sight when
not in use, preferably in a locked drawer or cabinet. The Washington, DC police recently formed a task force
to fight a surge in thefts from downtown offices; laptops were the thieves' preferred target.2

Your laptop is especially vulnerable while you are traveling. Here is a summary of basic precautions during
travel.

Disguise your laptop. The distinctive size and shape of a laptop computer make it an easily spotted target for
thieves. Carry it in a briefcase or other, preferably grungy-looking, case.

Never let a laptop out of your sight in an airport or other public area. If you set it down while checking in at the
airport counter or hotel registration desk, lean it against your leg so that you can feel its presence, or hold it
between your feet.

When going through the airport security check, don't place your laptop on the conveyor belt until you are sure
no one in front of you is being delayed. If you are delayed while passing through the checkpoint, keep your
eye on your laptop. See Theft While Traveling for discussion of techniques used to steal laptops at airports.

When traveling by plane or rail, do not ever place the computer (or other valuables) in checked baggage. If
your aircraft departure is delayed and you are directed or invited to deplane and wait in the terminal, take your
computer and other valuables with you. Don't leave them unattended at your seat or in the overhead.
Security of Laptops Cont.
Protection of Laptops

Never store a computer in an airport or train station locker. If you must leave it in a car, lock it in the trunk out
of sight.

Avoid leaving your computer in a hotel room, but if you must do so, at least lower the risk of theft by keeping it
out of sight. Lock it securely in another piece of luggage. Placing the computer in a hotel vault or room safe
should make it secure from theft, but in some foreign countries it may not be secure from access by local
intelligence or security personnel.

Never keep passwords or access phone numbers on the machine or in the case. Do not program your
computer's function keys with sign-on sequences, passwords, access phone numbers, or phone credit card
numbers. If the machine is stolen or lost, these would be valuable prizes.

Back up all files before traveling.

While in any public place, such as an airplane or hotel lobby, don't have anything up on your laptop screen
that you don't want the public to know about. A survey of 600 American travelers found that over one-third
admitted looking at someone else's laptop while flying. Younger travelers were the worst offenders, with 49
percent of the men and 40 percent of the women under 40 admitting they look at what their seatmate is
working on. Most are checking to see what their fellow passenger is doing, while others are more interested in
who they are working for.3

Be prepared for the airport security check. You may be directed by airport security personnel to open and turn
on your laptop to demonstrate that it is actually a functioning computer. Be sure the battery is charged or have
the power cord handy. If you can't turn your laptop on, you may not be permitted to take it on board the
aircraft. The X-rays used by airport security machines do not affect hard drives. The traditional worry for floppy
diskettes, which have less shielding, is stray magnetic fields from the screening equipment rather than the
X-rays themselves; if possible, hand diskettes to the attendant for manual examination.

It is even more difficult to protect your laptop, and the information on it, when traveling in foreign countries
where your laptop may be targeted as a treasure trove of information.
Technology for Protecting Information on Your Laptop

Because laptop theft is both likely and costly, many products are being developed that protect the
information on your laptop if it is stolen, prevent surreptitious entry into files on your laptop,
make the laptop harder to steal, or make a stolen laptop easier to find. Specific products are not
discussed here, as the technology is changing so rapidly. The following general types of products are now
available.

Encryption software. Storing all data files in encrypted form prevents disclosure of the data even if your
computer is stolen, on three conditions: the key or passphrase is not kept on the machine or in the case (see
the warning about passwords above); the passphrase is strong enough to withstand guessing by someone who has
unlimited time with a copy of your disk; and the machine is powered off when it is taken, since a running machine,
even with the screen locked, still holds the key in memory, and a logged-in, unlocked one exposes the decrypted
files outright.
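Passphrase-based file encryption of the kind such software provides, as an added example that is not code from the report or from any product: AES-256-GCM for the encryption and the integrity check, with the key derived from the passphrase by PBKDF2-HMAC-SHA256, written out by hand so that only Go's standard library is needed. The blob layout (salt, nonce, ciphertext and tag), the 16-byte salt, the 600,000-iteration work factor and the function names are this example's own choices; a memory-hard function such as Argon2id or scrypt would be the better choice in a real product but lies outside the standard library.

```go
// Added example, not code from the report or any product: passphrase-based file
// encryption with AES-256-GCM and a PBKDF2-HMAC-SHA256 derived key, stdlib only.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

const (
	saltLen    = 16
	nonceLen   = 12      // GCM's standard nonce size
	keyLen     = 32      // AES-256
	iterations = 600_000 // PBKDF2 work factor: the only brake on passphrase guessing
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256; hand-written so nothing outside the standard library is needed.
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	idx := make([]byte, 4)
	var out []byte
	for block := 1; len(out) < dkLen; block++ {
		binary.BigEndian.PutUint32(idx, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)              // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...) // T = U_1 xor U_2 xor ... xor U_iter
		for n := 1; n < iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// DeriveKey turns a passphrase and a per-file salt into a 32-byte AES key.
func DeriveKey(passphrase, salt []byte) []byte {
	return pbkdf2SHA256(passphrase, salt, iterations, keyLen)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns salt || nonce || ciphertext+tag; fresh random salt and nonce per call.
func Encrypt(passphrase, plaintext []byte) ([]byte, error) {
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := io.ReadFull(rand.Reader, hdr); err != nil {
		return nil, err
	}
	aead, err := newAEAD(DeriveKey(passphrase, hdr[:saltLen]))
	if err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte(nil), hdr...), hdr[saltLen:], plaintext, nil), nil
}

// Decrypt reverses Encrypt; a wrong passphrase and a tampered blob both fail GCM's tag check the same way.
func Decrypt(passphrase, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("ciphertext too short")
	}
	aead, err := newAEAD(DeriveKey(passphrase, blob[:saltLen]))
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase or tampered file")
	}
	return pt, nil
}

func main() {
	pass := []byte("long passphrase that is not stored on the laptop") // constructed sample
	blob, err := Encrypt(pass, []byte("trip notes: draft bid figures"))
	if err != nil {
		panic(err)
	}
	_, wrong := Decrypt([]byte("guess"), blob)
	pt, _ := Decrypt(pass, blob)
	fmt.Printf("%d-byte blob; wrong passphrase: %v; decrypted: %q\n", len(blob), wrong, pt)
}
```

The iteration count is the only thing that slows a thief who has the encrypted files and tries passphrases offline, which is why the report's warning against weak passwords applies with full force here. Decrypt deliberately reports a wrong passphrase and a modified file with the same error, so someone who alters the file learns nothing from the response.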

Software that hides information on your hard drive, so that it is not found by the average thief who steals your
laptop or, for example, by an intelligence collector who gains surreptitious access to your laptop in your hotel
room. Hiding is no substitute for encryption: a collector who images the disk and examines it with forensic
tools will find the hidden files.

Various types of locks, keys, and biometric identification devices designed to prevent anyone but you from
using the computer, and perhaps to alert you to any unauthorized attempt to use your computer. A logon lock
alone does not protect the data: a thief can remove the hard drive and read it in another machine unless it is
encrypted.

Software utilities that wipe the hard disk clean when deleting sensitive data files. These overwrite the deleted
data so that it cannot be recovered, as opposed to the normal Delete command, which only removes the
"pointer" that lets the computer find the file on your hard drive; the data itself stays on the disk until
another file happens to be written over the same space. Overwriting in place is reliable only on magnetic
disks with simple file systems: on solid-state drives, and on journaling or copy-on-write file systems, the
old copy may survive in blocks the utility never touches, so whole-disk encryption is the more dependable
safeguard. See Security of Hard Drives.
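The overwrite-before-unlink technique those utilities use, as an added example that is not code from the report or from any product, using only Go's standard library. The function names and the pass count are this example's own choices, as is the step of renaming the file to a random name before unlinking it so that the original name does not survive in the directory (the same thing GNU shred's -u option does).

```go
// Added example, not code from the report or any product: the overwrite-then-
// unlink technique the "wipe" utilities above use, standard library only.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Overwrite replaces every byte of the file at path with random data, in place,
// once per pass, forcing each pass out to disk. It returns the number of bytes
// overwritten per pass. Random data (rather than zeros) leaves nothing for a
// recovery tool to distinguish from unused space.
func Overwrite(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	for p := 0; p < passes; p++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return 0, err
		}
		if _, err := io.CopyN(f, rand.Reader, size); err != nil {
			return 0, err
		}
		if err := f.Sync(); err != nil { // reach the disk, not just the OS write cache
			return 0, err
		}
	}
	return size, nil
}

// WipeAndRemove overwrites the contents, truncates the file, renames it to a
// random name so the original name does not survive in the directory, then
// unlinks it. A plain os.Remove would do only the last step, leaving the data
// on disk until another file happened to reuse those blocks. Caveat: only the
// blocks the file currently occupies are touched; SSDs (wear levelling),
// journaling or copy-on-write file systems, snapshots and backups can all keep
// earlier copies that this never reaches.
func WipeAndRemove(path string, passes int) error {
	if _, err := Overwrite(path, passes); err != nil {
		return err
	}
	if err := os.Truncate(path, 0); err != nil {
		return err
	}
	junk := make([]byte, 8)
	if _, err := rand.Read(junk); err != nil {
		return err
	}
	anon := filepath.Join(filepath.Dir(path), hex.EncodeToString(junk))
	if err := os.Rename(path, anon); err != nil {
		return err
	}
	return os.Remove(anon)
}

func main() {
	dir, err := os.MkdirTemp("", "wipe-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "draft-bid.txt")
	if err := os.WriteFile(path, []byte("constructed sample: bid figures"), 0o600); err != nil {
		panic(err)
	}
	n, err := Overwrite(path, 1)
	fmt.Println("overwrote", n, "bytes, err:", err)
	fmt.Println("wiped and removed, err:", WipeAndRemove(path, 3))
}
```

Run it against a file on a plain magnetic disk and a recovery tool will find only random bytes where the file was; run it on a laptop with an SSD and the controller may have mapped the overwrite to fresh flash cells while the old ones keep the original, which is exactly why the caveat above matters and why encrypting the disk from the start is the safer habit.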

Tracers that identify the location of a stolen laptop. When the stolen laptop is connected to the Internet, it
sends a signal to a monitoring station that records the connection in use, such as the telephone number or
the Internet account.

Proximity alarms that go off if the laptop gets too far away from its owner or user.

Ask your system administrator or computer security specialist to evaluate which of the available alternatives
best meet your needs.