Computer Security Class - Notes 1
Overview of Computer Security - Week 1
Class notes from class on Tuesday, 21 October, 2003 at Byte Back.
When most people consider computer security they often think of teenage hackers breaking into computers to steal credit cards. Often identity theft, an increasingly common crime in our interconnected world, is connected to computer security. Many people will think of the latest virus their computer contracted, or sometimes of the time their computer began to behave strangely and they wondered if someone else was watching what they were doing. With the proliferation of home computers, computer security has become a larger and growing field. Computer security covers many different areas of computers and their proper function, but also other areas surrounding those who use computers and computer systems.
To be an effective computer security specialist one has to understand not only what to look out for, but also how systems should function in an optimal environment. Without understanding how a system should work, it is difficult to anticipate ways in which a system could be abused, or to circumvent or prevent potential breaches of system and/or computer security. Computer security is a dynamic field. As new systems come online and as older systems become better understood, new revelations are constantly being published. Keeping up with trends in computer security is almost a full-time job in and of itself. It is helpful, if you are interested in computer security, to begin monitoring several of the respected web sites and mailing lists about computer security. Bugtraq is an excellent email-based mailing list that often breaks the first news about new and emerging threats to computer security. Several of the websites amongst the recommended reading are worth checking at least weekly, if not daily, for breaking news in computer security.
General Types of Security
There are three general areas of computer security that we will discuss to give you a basic understanding of the field of computer security. Each could be the focus of its own in-depth examination and, in fact, each constitutes its own unique specialty in the computer security field. These are: physical security, application security, and network security.
Physical security is often the most overlooked form of computer security. Physical security involves examining the means of direct access to data and computer systems. Once you are aware of the dangers of lacking physical security you will begin to notice how many systems that are wonderfully protected from internet security breaches can be compromised through weaknesses in physical security.
Access to machines in an organization is the largest concern for physical security. If someone can walk into an organization and sit down at a terminal and begin accessing information, it won't matter if you've got a fancy firewall protecting your data. Machines left on and unlocked in plain view where anyone can access them constitute a major problem for a system's security. Whenever a machine is left unattended it should be locked. Screen savers should be enabled with passwords, and at the very least users should log out of terminals when they aren't being used. It is far too easy for legitimate users to get at valuable organizational data. If someone could get access to a building, either by sweet talking their way through the door ("hey, my name is Bob and I've got a meeting in 5 minutes and I forgot my prox card, could you let me in?") or by getting a job in building maintenance and walking off with a hot swappable hard drive when they're cleaning the network operations center, then there is a problem with physical security.
One of the most common breaches of physical security is users who write down their passwords. Often this infraction is compounded by a user leaving a password somewhere near their computer, or in an unsecured location. It isn't uncommon for users to write passwords on yellow sticky notes and put them on their monitors. This makes it all too easy for an unauthorized intruder to sit down at a terminal and gain access.
Passwords should never be written down. Often users have to remember many passwords and it becomes difficult to keep them all in memory. If you must record your passwords, look for some sort of secure storage device. A USB drive with encryption and password protection is a good option, or if you can secure a PDA and keep your passwords there that might be another option. Many products exist on the market to aid users in remembering their passwords. Look for a solution that keeps your passwords safe from prying eyes, but also helps users remember them. Computer security is a difficult balancing act. Any system can be made extremely secure, but you must be careful to balance security with usability. Users will be more likely to try and circumvent security, or ignore it, if security gets in the way of their productivity.
Physical security isn't limited to just available computers, however. If an organization has an unused Ethernet jack in the open and anyone can plug a laptop into that jack and get a DHCP address and log into an otherwise protected network, there could be major ramifications. The next time you're in a hospital or office building look around and take notice of unused Ethernet jacks. You can find this situation all the time, and it could constitute an easy avenue for a malicious intruder to gain access into your network.
Physical access to any computers at a location should be limited. There are all sorts of advanced devices to prevent unauthorized users from getting access to a machine. Swipe cards, building guards, thumb scanners, and so on, all help increase the physical security of your systems. Be sure to educate users and ask them to challenge questionable activity or unfamiliar people around your networks.
Physical security isn't just limited to your facilities, but also what leaves your facilities. Make sure that any laptops or PDAs that are removed from the location are secured. A laptop that someone takes home could be a great route into your network. If someone writes down critical information on their PDA and then leaves it in a cab, they could provide an easy route into your otherwise secure systems.
Trash is also a major concern. "Dumpster diving," or the process of sifting through someone else's trash in search of personal information, passwords, names and addresses, payroll information, etc., is an all too easy way to find a route into a system. Trash with any sensitive or personal information should be shredded, and not just strip shredded: you need a confetti shredder that will turn documents into hundreds of tiny, unrecognizable pieces. With identity theft becoming an increasing problem, this practice is best followed at work AND at home. Make sure to shred all your old credit card statements, bills, etc. before you throw them away. If someone found your Verizon DSL bill they might be able to call and trick you into giving them your username and password:
"Hello, this is Bill with Verizon, I'm doing some line checking and wondered if I could get your help. Um, hmmm, yes, now, can I confirm that I'm talking to [read off of stolen bill from trash] Joe Smith. Yes, and can you confirm for me that you live at [reads address from stolen bill], blah blah blah. Yes, now you're customer number [reads customer number off the bill]. Ok, well as I said I'm checking your subnet, you may have noticed your connection has been slow recently, well, I'm looking for some problems. If you could give me your username and password that you use to activate your connection, I'm going to try and trace the problem to your location. Thanks a bunch"
With just a little piece of trash, a malicious attacker could greatly enhance a social engineering attack.
Social engineering is the process of tricking people into giving the attacker information about a system. Often calling one department in an organization and pretending to be someone in a different department is enough to get all sorts of critical information about a system. Social engineering is a con game. It is one of the most difficult parts of computer cracking, and most crackers aren't very good at it because it takes a lot of quick thinking, charisma, and charm. However, social engineering can be one of the easiest ways to get usernames and passwords to a system. Be aware that someone might try and trick you into giving them your username or password or giving away other information about your organization that could be used to social engineer someone else in the organization.
The second type of computer security is called application security. This type of security mainly concerns software and system engineers. Application security is very specific to the type of application you are working with and what technologies you are working with.
Application security involves building secure applications and software. Developers have to learn to look at applications with a critical eye and evaluate how well their product will withstand misuse. You want to make sure a user couldn't misuse the system, use a multi-user system as someone else, alter data they aren't supposed to be able to, etc.
Application security is an extremely critical aspect of computer security, but it is also very specialized. Different problems will face different types of developers. Online application developers will want to make sure things like session variables are protected. Database application developers will want to make sure that users are limited in their roles, and so on. Application security is tied into network security whenever an application functions on a network, or can be abused in a manner so as to function on a network. Code reviews are important, as well as product testing, to determine application security.
Application security is a huge field that could comprise its own study, so for now the small bit of information I have given should suffice. The last part of computer security, and my main focus, is going to be network security. Network security involves computer and system security whenever a computer is tied to a network and/or other computers.
Network security is the most widely recognized field of computer security. Until the growth of the internet, network security wasn't even a large field. When computers were all interconnected with modems, network security wasn't as big of an issue. Part of the problem with network security is the constantly growing number of computers and networks joining the internet. The growth of wireless networks is also contributing to a growth in network security issues. Malicious computer hackers used to have to search for a long time before they found a potential target. Now, with every mom and pop leaving their computer on and constantly online on a DSL line, the number of potential computer security incidents is growing at an alarming rate.
It is useful when discussing network security to break down the types of computers and appliances that one finds in a network. There are three basic types of machines we will look at: workstations, servers, and other appliances (to include gateways, routers, firewalls, printers, etc.).
Basic Types of Networked Machines
A workstation is a computer generally used by a person with physical access. It is the type of computer with a monitor, keyboard and mouse attached to it. A workstation could be your Apple laptop, or a high end Sun Sparc computer. The broadest definition covers any computer used by an individual for personal or business security. The main distinction is that a workstation is used to access network resources, but does not typically provide any service of its own. The vast majority of workstations are Microsoft Windows machines, and the very fact that they are so common makes them the most insecure. Because there are so many Windows machines online, Microsoft operating systems have been of particular interest to system hackers. Some of the most destructive worms and viruses have targeted Windows machines, simply because there are so many of them, while Apple machines have remained relatively problem free because they have such a small market share.
Servers are computers that provide network services to client machines. Mail servers, database servers, file servers, and so on are all types of servers. Servers are generally connected to a faster class of network connection due to the high volume of traffic they receive. They are also more likely to be constantly on and available. Due to these two factors, servers are the most common target of hackers. Not only do servers offer good bandwidth and constant availability, they are often equipped with tools to allow for easier remote access and control. Not only do servers offer viable routes to interact with, but they also often offer tools like shells and terminal controls that allow a remote user to gain complete control. By installing a file transfer protocol (FTP) server on your desktop machine, you are effectively turning it into a server. Thus, some workstations can be considered servers as well. Increasingly, with the power of laptops, many mobile machines could be considered servers as well. Thus the strict definition of 'server' is breaking down as more powerful machines become smaller and networked.
The final class of machine we will look at covers pretty much everything else. Gateways and routers are by far the most common of this class of networked machine that you will find online. Often these machines don't have much capability for remote control or the ability to offer their own server services, so they are mainly the focus of malicious system hackers insofar as they can prove to be valuable routes into other workstations and servers. Thus, breaking a firewall server may not allow a malicious user to upload or download files to that machine, or allow a remote user to gain control of the firewall, but tampering with a firewall may give a remote attacker access to other resources that the firewall is guarding.
Before delving any further we should take some time to discuss some terminology that we will be using in later chapters of this series. In order to understand computer security it is important to understand the jargon of computer security. The following is a list of some terms that we will encounter:
Black Hat / White Hat:
A black hat hacker is a malicious computer cracker. This is the type of person involved in illegal computer activity. Conversely a "white hat" is a computer security specialist. These are the good guys in the struggle to keep computers safe. There are also "gray hat" hackers that fall somewhere in between.
A buffer overflow is a type of attack that exploits weaknesses in code that allow a user to over-write allocated memory. In many low level computer programming languages, variables must be declared and specific memory must be allocated for those variables. Without effective checking it is sometimes possible to assign more information to a variable than it can hold, causing the allocated space (the buffer) to be overrun, writing information to memory that is used for other programs or operations. With specifically crafted buffer overflows it is possible to cause an operating system or service to execute arbitrary commands (like opening a back door into a system).
Brute force is the most basic way to break into a system. Brute force attacks are simply password guessing attacks. While it is monotonous to sit and guess usernames and passwords by hand, programs will happily try all sorts of combinations for you. Brute force, given enough time, can break into any password protected system. The problem is that this sort of activity is usually easily noticed and quickly countered.
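Password guessing is easy to notice because it leaves a run of failed logins from one source. The following is an added example, not part of the original class notes, showing one way a defender could flag that pattern; the simplified sshd-style log format, the sample lines, and the threshold and window values are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified log format: "<ISO time> sshd: <result> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample input (documentation-range IP addresses, not real hosts).
SAMPLE_LOG = """\
2003-10-21T09:00:00 sshd: Failed password for root from 192.0.2.10
2003-10-21T09:00:02 sshd: Failed password for admin from 192.0.2.10
2003-10-21T09:00:04 sshd: Failed password for guest from 192.0.2.10
2003-10-21T09:00:05 sshd: Failed password for alice from 198.51.100.7
2003-10-21T09:00:06 sshd: Failed password for test from 192.0.2.10
2003-10-21T09:00:08 sshd: Failed password for oracle from 192.0.2.10
2003-10-21T09:00:20 sshd: Accepted password for alice from 198.51.100.7
2003-10-21T09:00:30 sshd: Accepted password for guest from 192.0.2.10
2003-10-21T09:05:00 sshd: Failed password for bob from 203.0.113.5
2003-10-21T09:30:00 sshd: Failed password for bob from 203.0.113.5
"""


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts for sources with >= threshold failures inside window."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    users = defaultdict(set)      # source -> usernames it has tried
    flagged = set()               # sources already reported as guessing
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines in any other format
        ts = datetime.fromisoformat(m["ts"])
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            users[src].add(user)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "guessing", "source": src, "time": ts,
                               "users_tried": sorted(users[src])})
        elif src in flagged:
            # A success from a source that was just guessing needs immediate
            # attention: one of the guesses may have worked.
            alerts.append({"type": "login_after_guessing", "source": src,
                           "time": ts, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single mistyped password (198.51.100.7) or two failures half an hour apart (203.0.113.5) stay below the threshold, which is what keeps this kind of check from burying an administrator in false alarms.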
DoS & DDoS
DoS stands for denial of service, a type of attack. The idea is to send so much network traffic from one machine to another that the target machine slows down, locks up, crashes, or behaves in an unexpected manner. Often this is difficult with one attacking machine, so several attackers usually coordinate their activities to perform a distributed denial of service (DDoS).
A firewall is a device (hardware or software based) that inspects incoming and outgoing traffic from a machine or system and filters that traffic (incoming and/or outgoing) based on "rules" set up by the firewall administrator. Firewalls are a great first line of defense for network security.
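How a rule list turns into a filtering decision is easier to see in code. This added example is not from the original notes and does not model any particular firewall product: it assumes ordered, first-match rules with a default deny, IPv4 only, and uses hypothetical rule sets built around the MS-SQL port (1433) mentioned in the port scanning entry. It also shows a common administrator mistake, a rule that can never fire because an earlier rule covers it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    direction: str         # "in" or "out"
    remote: str            # CIDR block the remote address must fall in
    port: Optional[int]    # destination port; None matches any port

    def matches(self, direction, remote_ip, port):
        return (self.direction == direction
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.remote)
                and self.port in (None, port))


def decide(rules, direction, remote_ip, port):
    """First matching rule wins; traffic matching no rule is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(direction, remote_ip, port):
            return rule.action, index
    return "deny", None


def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            covers = (earlier.direction == later.direction
                      and earlier.port in (None, later.port)
                      and ipaddress.ip_network(later.remote).subnet_of(
                          ipaddress.ip_network(earlier.remote)))
            if covers:
                hidden.append(i)
                break
    return hidden


# Hypothetical rule set: only the application subnet may reach the database port.
GOOD_RULES = [
    Rule("allow", "in", "10.0.5.0/24", 1433),
    Rule("deny", "in", "0.0.0.0/0", 1433),
    Rule("allow", "in", "0.0.0.0/0", 80),
    Rule("allow", "out", "0.0.0.0/0", None),
]
# Same rules with the first two swapped: the broad deny now hides the allow.
MISORDERED_RULES = [GOOD_RULES[1], GOOD_RULES[0]] + GOOD_RULES[2:]

if __name__ == "__main__":
    print(decide(GOOD_RULES, "in", "10.0.5.20", 1433))
    print(decide(MISORDERED_RULES, "in", "10.0.5.20", 1433))
    print(shadowed(MISORDERED_RULES))
```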
IP Spoofing is the practice of masking your IP address. Doing so is quite difficult by hand, but with programs designed for this purpose it is as simple as the click of a button. IP spoofing is handy when you want to hide the origin of a denial of service attack (and cause return connections to head to other computers, thus freeing your own resources) or to access a machine whose access is limited by IP address.
Elite speak or 'leet (l337) speak, is hacker jargon. It involves the process of substituting numbers and symbols for letters, such as using 4's for A's, 3's for E's and 5's for S's. Thus, "leet hacker" becomes "l337 |-|4C|<3R". If you explore computer security for any significant period of time you will encounter elite speak so you should be familiar with it.
Port scanning is the process of discovering what ports, and thus what services, are available on a remote computer. Port scanning is often the first step in an attack. For instance, if you know how to break into a Microsoft SQL Server, you'll want to look for targets by finding machines with port 1433 open (the MS-SQL port).
Script kiddie is a derogatory term used to refer to wannabes, novices and unskilled black hat hackers. The term is used to refer to someone that downloads and runs pre-built programs (or scripts) without understanding what they are doing.
Sniffing is the process of listening in on an Ethernet or TCP/IP connection. By default Ethernet cards don't listen to any traffic present on a wire not bound specifically for their machine. However, with some modification, Ethernet cards can be made to listen to all traffic, not just that which is destined for their machine, and thus snag usernames and passwords from someone else's connection.
A trojan is a modified program that will perform in a manner different from its original purpose. For instance, a trojaned login program might record user names and passwords in addition to logging users into a system. Installing Trojans is often the first thing an attacker will do once he or she gains access to a system.
Computer viruses are programs which 'infect' or append themselves to parts of a computer. A virus may or may not cause harm to a target machine. The earliest viruses were passed via floppy disk and usually attached themselves to the boot sector of infected computers. Some viruses perform 'logic bomb' type functions whereby they execute malicious code when a certain precondition (such as a date passing) is met. The most effective guard against viruses is user education. Viruses are executable programs and are mainly passed via e-mail and Microsoft Word macro scripts. It is important to NEVER open an attachment to an e-mail from an unknown sender, or any suspicious attachment. Virus checkers will only find viruses AFTER they are on your computer and may not prevent a virus from infecting a host.
The term virus is often used synonymously with worm, but they are two separate things. A worm is a program which replicates itself and passes its code off to new computers. Many worms contain viruses but not all viruses contain worms. The Morris worm is one of the earliest well-known worms, and it passed itself through e-mail. The Love Bug is a more recent worm-enabled virus. Worms are also executable programs but may propagate by using vulnerabilities in operating systems or programs and do not always need operator interaction to execute or propagate. The main threat caused by worms is system overload caused by worm replication. If a worm tries to replicate too much, or too often, it could cause service outages or server crashes. Many worms are completely harmless other than their threat of service denial.
A zombie is a machine under the control of a remote cracker. Zombies are typically used to launch malicious programs and services (like helping to perform a DDoS) to hide the identity of the true attacker.