Earlier, computer hackers were a respected lot: they were the
gurus of the latest technologies and knew how to use them to maximum
effect. They were a level above power users and could make technology obey
their every wish and command.
A movie called "Wargames" changed all that. The
movie showed a young hacker breaking into a high-security defense facility using
a computer and almost setting off World War III. Overnight, "hacker" came to mean
a dark and evil computer genius who could wreak havoc through irresponsibility or
malice. Although not entirely accurate, we'll continue with this interpretation of
the term in this article.
Clear and present danger
Hacking has become a big threat to all network and Website
administrators, as hackers try to gain access to corporate networks as well as
commercial Websites. Nowadays, they try to bring down a site just to show how
weak the security is. There are many ways of doing this and there are many
examples of hacked sites too. I’ll introduce you to some of these methods and
also how to protect yourself from them. Some of the tools and programs I mention
in this article are freely available on the Web and some only at underground
sites.
Without reiterating what has been said, published, or
broadcast a million times already, it suffices to say that TCP/IP is the
standard network protocol almost everywhere, and there are many ways to
exploit a TCP/IP-based network.
Port-scanning tools are one of the easiest ways of finding
out whether a computer can be attacked, because they list the services a machine
exposes to the network. Did you know that the default installations of most
popular OSs leave enough holes in the system to make Swiss cheese look positively
solid? Both Windows 2000 and Linux open a lot of insecure ports by running
services like Web, FTP or telnet servers by default. So, every time you
connect to the Net, you're a possible target for hackers.
"But my system doesn’t have anything of value" is
not an excuse to leave it unprotected. Hackers can use your open machine as one
node in a Distributed Denial of Service (DDoS) attack against some other site.
This is exactly what happened in the recent attack on Yahoo and other Websites.
Use a personal desktop firewall like ZoneAlarm or any of the ones reviewed in
the PC Quest November 2000 issue.
There are a lot of tools available that’ll tell you how
vulnerable your system or network is. My favorite is a tool on Linux called nmap.
This tool can do a variety of diagnostic tests and provide a lot of information
about the vulnerabilities found and how they can be corrected. It can even guess
the OS running and its version with a very high degree of accuracy. In fact,
this ability alone can let hackers use the known bugs in that OS to get in. Nmap
is a weapon in the hands of both the hacker and the administrator. Check for the
latest news and updates at nmap’s site (www.insecure.org/nmap)
regularly. For people who don’t like console programs, there are a lot of GUIs
available for nmap too.
The November issue of PC Quest carried a lot of information
about using a proxy server and a firewall to isolate your network from
the Internet. But many people don't realize that systems like a corporate Web
or DNS server can also be kept behind the firewall. All it requires is some
smart configuration on the firewall, so that the services continue to run while
the firewall shields them from direct attack. Both Linux and Windows based
firewall setups allow you to forward incoming requests for a specific port to a
system on the internal network.
How they were hacked
You may remember the hacking of the Pentagon by a teenage
Israeli boy. Closer to home, recall the leakage of sensitive nuclear test data
from the BARC soon after Pokhran-II.
Recent hack attacks include those on the ever-popular geek site Slashdot.org
and, of course, Microsoft. Although the two sites were running different OSs
(Linux and Windows respectively), they were vulnerable not because of any fault
in the software, but due to poor security management, improper user
instructions, and maybe even overconfidence to some extent.
In the Slashdot case, the culprit was a "test"
machine left with default security access rights. Not only that, the machine was
connected to the Internet and to the main Slashdot servers and database. The
last straw was that this system was still using the username and password
installed by default, and anyone can look those up, since the site runs on a
GPLed product whose source is public. Just imagine how easy life must have been
for the hacker. However, in this case, the hacker was a benevolent one and even
went to the extent of explaining and repairing the security defects after, of
course, letting the world know. But one nagging question remains: was it only a
repair, or did he add or modify something else too? Slashdot's site
administrators have a large job on their hands.
In the Microsoft hack, the hackers gained access by first
running a Trojan in the company’s internal network. The Trojan was sent as an
executable attachment to someone inside the company. When the program was run,
it wrote itself onto Notepad, and sent the login name and password of that
person to an unknown e-mail address, apparently somewhere in Russia. Soon
afterwards, the hackers gained entry into the internal network using this
login-password combination and were able to grant themselves higher privileges
as well as possibly steal or modify very valuable source code–that of Windows
itself. The ridiculousness of the event has, however, been downplayed by both
Microsoft and the media.
The attack was very simple in nature. All that was
required to thwart it was good, regularly updated virus-scanning software,
either on the company's e-mail gateway or on every individual's desktop. Most
modern anti-virus software can detect Trojans pretty well. Also needed were
company directives laying down stringent rules regarding e-mail attachments and
the like, especially after the Melissa and ILOVEYOU virus scares.
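As an added illustration of the gateway-side attachment rule described above (this is example code, not the article's own or Microsoft's), the following filter refuses attachments that look executable by extension or by content. It uses only the Python standard library's email package; the message it inspects is constructed inline, and the extension list is an assumed policy.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types a mail gateway should refuse regardless of who sent them
# (assumed policy for this example).
EXECUTABLE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js")

def is_executable(filename, data):
    """True if an attachment looks executable by name or by content. The 'MZ'
    magic check catches Windows binaries renamed to a harmless extension."""
    name = (filename or "").lower()
    # endswith() on the whole name also catches 'report.txt.exe' and 'photo.jpg.vbs'.
    if name.endswith(EXECUTABLE_EXTENSIONS):
        return True
    return data[:2] == b"MZ"

def blocked_attachments(raw_message):
    """Parse a raw RFC 822 message and return the names of the attachments
    that gateway policy would strip or quarantine before delivery."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_executable(part.get_filename(), data):
            blocked.append(part.get_filename() or "<unnamed>")
    return blocked

def build_sample_message():
    """Constructed test message (not a real sample): a PDF-like file, a binary
    disguised as a document, and a script with a doubled extension."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "employee@example.net"
    msg["Subject"] = "Please review"
    msg.set_content("Attached as discussed.")
    msg.add_attachment(b"%PDF-1.4 constructed stub", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed stub, not a real binary",
                       maintype="application", subtype="octet-stream",
                       filename="notes.doc")
    msg.add_attachment(b'MsgBox "constructed stub"', maintype="text",
                       subtype="plain", filename="love-letter.txt.vbs")
    return msg.as_bytes()
```

Calling `blocked_attachments(build_sample_message())` returns the two disguised attachments and lets the PDF through; a real gateway would then quarantine the message or strip those parts before delivery.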
Security begins at work
If you’ve managed to protect your network or Website from
being hacked so far, maybe it’s because a hacker hasn’t noticed you. So how
do you keep it safe in future as well?
All you need to follow are the rules for good security and
management that I mentioned earlier. Magazines continuously carry articles on
how to secure your network, your Website, and your database. Read these and read
them again. And then implement all the solutions that are possible on your
particular platform. Depending on how important you consider your data to be, be
prepared to shell out some money to make your systems ultra-secure.
Of course, just doing this is not enough. You need to
constantly stay in touch with the latest developments on the security front. Pay
regular visits or subscribe to BugTraq (www.securityfocus.com) for your
chosen platforms: OS, Web or database. If an update or service pack is
released, roll it out on your systems. Before this, however, do a test run to
ensure that the patch won't cause any problems.
Make sure your anti-virus software protects you against the
latest viruses, Trojans, and other malicious code. Update it regularly, and
enforce scanning of all e-mails. If possible, obtain digital certificates (public
and private key pairs) for all employees from a trusted certifying authority.
Make sure all inter-company e-mails use strong encryption. Try to get your
important clients into the same loop too, by sending them your digital
certificate and encrypting your mails to them. Ask them to do the same.
On a firewall, close all incoming ports that are not
specifically required in your company. Outgoing ports should also be monitored
very closely for any irregular activity. Log all accesses with details like
time, IP address or host name, and the request headers.
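The port-scanning reconnaissance described earlier is exactly the "irregular activity" that the firewall logs called for here can reveal. As an added example (not the article's own code), the following Python script reads iptables-style firewall log lines and flags any source that probes several distinct ports within a short window; the log lines, the field layout and the thresholds are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style firewall log lines (not taken from the article):
# one source probing several ports within seconds, mixed with ordinary traffic.
SAMPLE_LOG = """\
Nov 12 10:15:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41234 DPT=21
Nov 12 10:15:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41235 DPT=22
Nov 12 10:15:02 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=80
Nov 12 10:15:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41236 DPT=23
Nov 12 10:15:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41237 DPT=25
Nov 12 10:15:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP SPT=41238 DPT=110
Nov 12 10:20:00 fw kernel: DROP IN=eth0 SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP SPT=33000 DPT=139
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>\w+) .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

def parse_line(line, year=2000):
    """Return (timestamp, source IP, destination port, verdict), or None for
    lines that are not firewall records. Syslog omits the year, so it is passed in."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], int(m["dpt"]), m["verdict"]

def find_port_scans(log_text, min_ports=4, window_seconds=60):
    """Flag any source that touches at least `min_ports` distinct destination
    ports within `window_seconds`. Returns {source IP: sorted ports seen}."""
    events = defaultdict(list)            # source IP -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dpt, _verdict = parsed
            events[src].append((ts, dpt))
    suspects = {}
    for src, hits in events.items():
        hits.sort()                       # the sliding window needs time order
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {dpt for _, dpt in hits[start:end + 1]}
            if len(ports) >= min_ports:
                suspects[src] = sorted(ports)
    return suspects
```

`find_port_scans(SAMPLE_LOG)` flags only 203.0.113.5, which touched five ports in two seconds; the single-port hits from the other sources stay below the threshold.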
Finally, if all this sounds a bit far-fetched and overkill
for your company, all I can do is quote the title of a very famous book by a
very famous person, someone who knew what he was talking about: "Only the
Paranoid Survive", written by Andrew Grove, Intel's CEO.
Vinod Unny
is a technology consultant with iSquare Technologies