This is a "generic" document, its only pourpose is to provide a simple
introduction to the concept of "network" or "computer" security. What
it is and how it works since is good to know something about it.
You're not going to be Security Experts or Certified Crackers by reading
this alone, but it's better than nothing.
Note: I am NOT a security expert myself.
A computer is a machine that is used for a wide range of
activities, we use it to surf the web, balance our checkbooks, store
our pictures, music, keep in touch with friends and family and so
on.
Even if you don't have secret informations (unless you work for
CIA or another governamental organization) I guess you wouldn't
like if someone start rummaging through your mail, books,
bank statements and other similar stuff.
The same goes if somebody is using your machine for his own
personal amusement. More or less like somebody taking your car
for joyriding.
If an unknown person get into your house without invitation and
start snooping around in your books, your drawers and in the
refrigirator, my guess is that you're going to grab him and
throw him out, even if he isn't doing any damage (yet).
Often when a personal computer is cracked (not hacked) into is not
done to get the informations that are inside the machine itself, mostly
is just to have access to another "innocent" machine to be used as
a vector to attack somebody else.
This has two goals: 1) get more machines and 2) complicate the life of
who is trying to stop the cracker.
More or less the same as when a thief steal a car for a robbery:
he is not interested in you, the car is just a mean.
The only 100% safe machine is one that is switched off, unconnected
to any network and locked inside a cupboard.
It is also a 100% useless machine of course. Unfortunately, the
more "safe" is a system, the less usefull it is.
In the following of this document I'll consder a "tipical" system,
connected to a local network (house or company-wide) with some
shared resources (files, e-mail) and connected to the internet.
Let's begin with some theory before going into the practicality.
More often than not we heard technical terms but we have no real
idea of what they mean, it's a good starting point to shed some
light about those terms.
Bandwidth
Is a generical term that usually gives a rough estimate of the speed
at which data are transferred. Most modem (dial-up) connections are
about 56Kbps (Kilo bits per second), faster connections (in the
order of megabits per second) are usually referred as
broadband.
Must be noted that in most cases the "true" speed of the connection
is way lower than advertised and is not constant. Most "home" connections
are in fact shared between multiple users and the maximum speed
available varies wildly during the day.
Broadband
This is a generic term (again) to indicate a connection with an
high bandwidth. Usually broadband connections uses digital
connections through cables.
Cable connections
A cable connection usually is used by an entire office (or more than
a single house network) to connect to the internet using a dedicated
cable. The cable is rented from a networking (or telephone)
company. Cable connections are usually stipulated per-year and with
a bandwidth of abot 5Mbps or higher.
DSL
DSL connections are usually done through the normal phone lines if
these are "modern" enough (optic fiber or new copper), in these
type of connections the data are transmitted digitally, without the
need for a Modem to "translate" the informations from digital to
analog and back. DSL connections for home use are usually known
as ADSL, where the "A" means Asymmetric, this because the bandwidth
available for download operation is usually larger than
the one for upload, this because usually a "personal" use
is more as consumption of data than production. DSL connection
for offices or company are sometimes known as XDSL, or Symmetric
DSL where both the bandwidth up/download are the same.
Dial-Up connections (modem)
This type was the most common type 'till few years ago. It is now
used only where DSL or broadband connections are not available, but
is quickly disappearing by the extensions of other services (Wi-Fi
or Wi-max for example).
Basic difference between a dial-up and a broadband connection is that
the broadband connection is always enabled. The computer is
always connected to the internet, while a dial-up connection is
enabled and disabled on-demand.
What's an IP address?
If your computer is connected to the internet it is also identified
by a number, that number is unique in the whole world and
identify your computer without mistake.
That id number is known as IP address.
There are various way to get such IP address to connect, if you connect
using a dial-up connection, or a broadband connection bought by a
provider, the provider is also responsible to give you a valid IP
address. The Ip could change over time, but as long as you have it
it is unique.
If you connect throught a cable connection, you'll have to buy
one or more IPs from the company providing the connection.
This is The Question, unfortunately, The Answer
is not that easy.
To "hack" into your computer (or anybody else) the cracker has to find
a "door". There are a numbers of ways to do so:
- Using a Bug in any of the softwares that your computer runs.
- Using a virus or a worm installed on your machine.
- Just knock...
Software Bugs
Technically speaking, a "bug" is nothing more than an error in a piece
of software. Software bugs are nothing special, basically every software
has bugs, if you didn't knew that, whenever Word crashes and
tells you that "this software has done something bad", is because of
a bug in word, and not because of some strange event like the
technical support is trying to make you believe.
There can be many different errors in softwares, some makes your
software crash (and sometimes the whole computer with it), some are
simply silently ignored. Somes allow somebody to do things that
the developers didn't intended to do. This last type of bugs can be,
sometimes, used to "take over control" of the system.
Most software are "listening" on the network or making and breaking
connections all the time. Instant Messaging softwares are the kind of
things that always listen.
Viruses, Troyans, Worms and more junk
A Virus is a software that "attach" itself to an existing software and
is run when the user run the original software. A Troyan is a sort of
virus that pretend to be something else, a Worms is a more sophisticated
type of Virus that can "crawl" is way through many computers.
These 3 things have only one thing in common: they brings problems.
Nowadays, "real" viruses are rare things, most of the time what we
get are simply junk softwares, received by e-mails (spam) or downloaded
without knowledge from compromised web server or from web-sites that
are set up on pourpose to distribute viruses (set up on compromised
machines).
Once installed and running a virus/worm can turn a PC into yet another
source for more spam and to spread more viruses, or other things.
Usually these kinds of things require the user's intervention to became
actives, by running an program, clicking on a link or visiting a
web site, but since most users tends to click on everything that
doesn't move is no wonder if they work.
Just knock.
In many cases, to "connect" to a machine the only thing that is
needed is to "knock". Most machines are left with not security, no
password to access them, all the services available with default
configuration. This because the user has no clue about
which services are running, what they do and how to configure
them. Unfortunately, a lot of "system administrator" are nothing
more than user with a powerful machine and no knowledge.
The fact that he got in is already enough, then it depends what kind
of system and how did he got into it.
On a Windows system in most cases any software runs with high privileges,
he can do anything without restrictions. This seems to be changing now
with Vista and new breed of systems, unfortunately in most cases when
a software (legitimate or not) needs to do something more he will simply
show a request to the user that in most cases simply click on "ok"
without noticing what the software is doing. This is insecurity
by overloding the user with continous requests.
On a Unix (MacOS) or Linux system, unless the user is running as "root"
(and there are users that does that), any software run by the user
has low privileges and can't do much damage. However, a software could
try to raise his own privileges to root status. This is not
impossible, but it require an extra-step.
Anyhow, whenever a cracker gain access to a machine what he does
first is to install a rootkit, a collection of tools and
software to allow him to re-enter the system later. Like a thief
making a copy of your house's key to get in again later. Those
rootkits can be a real hassle to find and remove.
Another common cracker activity is to install a "bot", a sort of
software that receive instructions from the internet and allow
the cracker to "remote control" the machine to use it to (again)
send spam or other things.
Let's not ignore then the "normal" activity of searching for
bank accounts numbers, credit cards details and the like...
How to keep undesired people out of your house? Well, first of
all, you close doors and windows. Lock your door, don't let it
open and get an insurance if everything fails.
That means, knows which software are running on your system, knows
what they do, disable and/or remove all the softwares you are not
using or don't want. Keep the system in check.
Run an antivirus to be sure that no critters are amok on
your machine. Install a software to check that all the ports are
closed and only the ones that you use are actually in use.
How do you do this? It depends. On Windows there are many softwares
that can be used, some are expensive and useless, some are
expensive and usefull, some are cheap and useless and some are
cheap and usefull. Almost none are for free and usefull.
On Unix/Linux all the softwares you need are built-into the
system, you only have to use them, read the documentation.
Do not open mail attachments without passing them to an
antivirus, especially if you don't know what they are. In this
sense Linux/Unix users have an advantage since most of the junk
coming from the internet is Windows-oriented and can do nothing
on non-Windows systems.
Install and configure a firewall, that is a software (or
an hardware device) that restrict or block what kind of connections
can be established from and to the internet. This allow to keep
under control what kind of connections are established and stop
dead worms and viruses in their track.
Passwords restrict the access to some resources on the machine,
only if you know them you can access the resource. Passwords
are very important.
Users hates passwords, they consider them like headaches or a
waste of time. Unfortunately a password is all there is between
us and a succesfull cracking attempt. Not having or using a
password is like to leave the front door of the house wide open.
But also to use an obvious password ain't a good idea.
I've seen way too many users (and administrators) using always
the same password "password" in many systems. Not to speak about
"admin" used as password or the same name of the company for
company-machines.
These kind of passwords are useless, every crackers knows them and
he will try them as first resort when trying to access your
system. If you use such fake passwords you're only kidding
yourself.
In general a password should be difficult enough not to be guessed
but easy enough for you to be remembered without writing it down.
It shouldn't be a dictionary word and contains a combination of
letters and numbers and it should be a minimum of 8 chars long.
Why this dictionary thing (you ask)? Because is way too easy to
write a software that try all the words in a dictionary against
a system until it runs out of words or succeed in gaining access.
That's what computers are good at: automatic processing.
Some systems likes to assign randomly generated passwords, that
are composed by many signs. I'm not really happy with such systems,
they are "safer" than a stupid password, but they are also impossible
to remember for the user that will be forced to write them down
somewhere, defeating the pourpose of a password. Like locking the
door and leave the key under the doormat.
The best password are (imho) combosed by more than one single word
so they compose a small sentence that is easy to remember.
It is much better if you use a foreign language. Weird
capitalization of the words and replacing some letters with
numbers will make the password basically impossible to guess
but still easy to remember.
Be sure that your protections are in place and activated. It
sounds stupid, but in many cases when some system was penetrated
it was through an old bug, because the firewall was simply switched
off or because the password hasn't been changed from the default
one or there was no password.
Keep your system up to date. Apply security patches, check which
versions of the software you run and which versions are available
and what kind of bugs have been discovered in those versions.
Periodically change your passwords. Yes, it is a pain in the
ass, but is one of the best things you can do to make your system
difficult to hack.
Keep you system under control. Is not nice to see that somebody
got into it, but is even worse if you notice it after two
months and is still in it now!
Insurance = Backup! Make a backup every now and then of your
data and keep it in a safe place (not on the same system).
If, despite everything, somebody got into your system, there are
only 3 things you can do:
- make an image of your system for a post-mortem analysis.
- format everything and reinstall from scratch!
- change all the passwords, if you have more users,
communicate the new password to each one individually, don't use
e-mails: is compromised.
Ok, it's bad to say, long and boring to do, but it is the only way
to be safe.
How you take an image of the system? There are various way, with
Unix/Linux systems you can use DD, with windows you'll have to
buy some kind of tools.
Is matter of inspect the image taken after the event and try to figure
out what did go wrong. Where is the "hole" that allowed them in.
Is not easy, sometimes is impossible, but is the only way to learn
how to avoid it in future.
If you're interested in this argument I strongly suggest you to get
a Linux system and play with it for a while. It is for free and has
everything you need. After that, you can read some documents:
O'Reilly
(www.oreilly.com)
has a lot of books about IT security, firewalls and the like.
The Linux documentation project
(http://www.tldp.org)
has documents on building firewalls and general security.
If you don't want too many technicalities but you like a good book I
suggest The cookoo's egg by Cliff Stoll, despite the fact that
was written almost 20 years ago, all the techniques are still perfectly
valid.
A little outdated, but still actual is also
A complete H@cker's handbook, by Dr-K.
And if you write code (for work or for hobby), I strongly suggest you
to read
Exploiting Software,
so you'll know what NOT to do in your code.
|
