Thursday, November 12, 2009

Coping with Home Network Security Threats


While there are thousands of exploitable vulnerabilities in network-connected home systems, there's a short list of basic types of attacks, which can help make securing those systems a manageable project. These attacks can result in a short list of bad results: loss of data; loss of confidentiality; impersonation or a similar abuse of the system that can be traced back to and blamed on you; and Denial of Service (DoS). Loss of data can include loss of data integrity as well as formatted disk drives and deleted files. Loss of confidentiality can include the exposure of embarrassing or compromising information as well as intercepted secrets. Impersonation can take the form of your system being employed as a "zombie" in attacks on other users, as well as online purchases with your credit card. DoS may simply tie up your computer, but it may also include overloading your access link to the Internet.


The root cause of these threats is that someone else gains the capability to execute software on your system. The most likely way for an attacker to accomplish this is via a virus or a worm. Viruses duplicate themselves in the file system by attaching to executable files, so simply shutting down the computer can't eliminate them. On traditional unprotected desktop OSs, including the consumer versions of Windows up to and including Windows ME and MacOS versions through OS 9, viruses that are successfully propagated onto a computer can format drives, erase files, send e-mail, and attack other systems. Viruses can also: install back doors that allow the ready return of control by the attacker; capture passwords and credit card numbers; and basically accomplish any of the bad outcomes described earlier in this article.


Worms differ from viruses in that they spread across networks without piggybacking on an executable host file. The most common vehicles are e-mail attachments and openly shared files. You can stop a pure worm by shutting down any computers it's running on, though some recent worms, such as Code Red and Nimda, include viral components that permit destructive code to start up again after a shutdown. A worm running on your system can perform any of the deleterious actions that a virus can.


A third category of dangerous software is the Trojan Horse, which disguises itself either as something useful—a network login window—or as something interesting—an online game or other form of entertainment. But the software actually captures your password for a later retrieval, or installs other software that allows the attacker to re-contact your computer and take full remote control. Some viruses and worms install Trojan Horses on the computers they infect.




Countermeasures For Evil Executables


Up-to-date anti-virus software will protect against viruses, worms, and Trojan Horses that the anti-virus software providers have identified and neutered. If the anti-virus developers provide solutions before new malware becomes widespread, the risk of infection is minimal. However, viruses or worms that spread quickly may arrive before you get the updated anti-virus version that protects against the latest threat. In that case, your security settings and ultimately the common sense of your users will be the final protective barriers.


At one time, Microsoft Outlook Express' default settings allowed executable e-mail attachments to run automatically when the message was opened. The destructive ILOVEYOU, or VBS.LoveLetter, virus demonstrated the foolishness of those defaults. Early versions of Microsoft Word had automatic macro execution enabled by default, and that loophole was closed only after early macro viruses became widespread.


Browser settings can also help reduce the risk of infection. Internet Explorer has a granular set of options for coping with different executable files, based on the sites that provide them and whether the files have been signed and certified by credible authorities. Windows XP, Windows 2000, MacOS X, and Linux offer administrative options that can prevent the installation and execution of unknown or forbidden software. It's probably impossible to configure earlier versions of MacOS and non-NT Windows in such a way that a well-informed user could be kept from installing arbitrary executable code and defeating any protective measures.


If the OS can't be locked down and the other protective mechanisms fail, the users' common sense is the last barrier. Users and their roommates and family members need to understand the risks of installing software from unknown sources, downloading files, double-clicking on e-mail attachments, deactivating protective software, and changing the system configuration to an insecure state. An enterprise that needs to secure work-at-home and mobile users should quickly migrate its users to OSs with options for tight protective measures. This is because the entire population, including grandmothers, teenage boys, and people who simply aren't interested in computer security, will never learn enough about the subject to protect themselves adequately.






Outside Intrusion



Viruses and worms are created by their lovable authors and launched into the world. They're designed to spread on their own, without further activity on the author's part. Good practices by end users will almost always prevent damage. Intrusion over the Internet is a rather different, scarier threat. In these attacks, the attacker is targeting your system rather than simply launching a destructive bit of software into cyberspace. It's the difference between someone who's rattling your doorknobs or using bolt cutters on your padlocks and someone who arbitrarily sets out land mines, or perhaps whoopee cushions, with no specific target in mind.


Intruders may look for vulnerabilities at random IP destinations or they may scan specific blocks of IP addresses looking for likely targets. It's a no-brainer to use whois to find what the addresses of @Home's cable modem users or SBC's DSL users are. Systems on these hacker-popular networks are probably scanned and Pinged several times a day, though these initial probes cause no harm.


The good news is that external intrusions only succeed against targets that run insecure server processes. Hackers can try all their tools against your system, but there's nothing to worry about if you don't have a server process waiting to answer incoming TCP or UDP requests, or if the server process (or the quivering remnant that's left after a successful takeover attack) neither hands over files, passwords, configuration settings, or other data that should be secure, nor allows itself to be perverted into an attack avenue.


The bad news is that there are good reasons for home users to run server processes, and it's not always obvious that a process is a server process. One obvious type of server is peer-to-peer file sharing. A standalone home PC or the PCs on a home network can be configured to share files over the Internet. If you've enabled file sharing for sensitive files without protecting them with a strong password, it won't take any kind of hacker skills to read, copy, or delete your files. Intruders who can write files to your computer can install software and ultimately do what they wish.


Some people writing about Windows security over-cautiously recommend disabling file sharing tout court. There are four separate layers of protection even if file sharing is turned on. First of all, if file sharing isn't bound to TCP/IP, no one on the Internet will see your directories or be able to discern that file sharing is occurring. If you need to share files only on the local network, NetBEUI or IPX/SPX will work fine and remove the temptation of a potentially open file share. Second, you must actively indicate that a drive, directory, or file is to be shared. Items not explicitly marked as shares will not be visible to other clients, though it's possible to enable sharing of an entire volume by selecting it at the root level—most likely an inadvisable practice. Third, setting a Scope ID will make a share invisible to an intruder who doesn't know it. Finally, passwords can (and should) be assigned to shared resources.


File and Printer Sharing for Microsoft Networks turns a Windows 9x system into a file server. Given the installation of updates and the use of strong password choices, even running this server process is reasonably secure. The only other explicit server that comes with consumer Windows OSs is the Personal Web Server. Apparently this program has sufficient code in common with Internet Information Server (IIS), the NT/2000 Web server, that some of the exploits that threaten IIS also require patching on the Personal Web Server.


The most dangerous disguised server is the remote control application. pcANYWHERE, Carbon Copy, Timbuktu, and LapLink are some of the better-known commercial remote control packages. Back Orifice, SubSeven, and NetBus are three of the better known stealth remote control applications. Trojan Horse programs typically install the stealth applications because they give a remote intruder complete control over the system. The commercial products can be protected with passwords, and the power of these systems is so great that there's a high incentive to create strong passwords.


Chat and Instant Messaging (IM) programs can execute server processes on home computers. Internet Relay Chat (IRC), the Internet forerunner of IM, is the source of numerous destructive exploits. It serves as the elementary school for script kiddies, as well as the neighborhood watering hole for more experienced intruders. Napster and its decentralized offspring are essentially file servers with more or less restricted realms of operation. The Gnutella derivatives can be configured to share files almost as profligately as Windows File and Print Sharing. While I don't know of specific exploits affecting home users in these areas, I suspect that watertight security is rarely a high priority for the developers of these not-so-obvious server processes.


While a wireless access point doesn't count as a server in the OSI mindset—it's a layer-2 bridge, after all—a war-driving intruder could pose just as big a threat to corporate data as a hacker who installs SubSeven. Employees installing 802.11 networks can avoid drilling holes in their baseboards, but they may be making their network, and the company data they access, visible to anyone who cares to look for it.






Intrusion Countermeasures


The first line of defense against intruders is a well-patched OS. It's rare that a class of attacks is actually employed before the OS vendors make their patches available. The next preventative step is to understand the implications of configuration choices for any explicit or veiled server processes that run on your computer and configure them as safely as possible, with well-chosen passwords.


The next level of security escalation for broadband households that wish to share Internet access among multiple PCs is to install a Network Address Translation (NAT) router. The router presents a single IP address to the outside world and maps that address and a particular port to a non-routable address inside the router, so the inside machines become invisible to Internet-based attackers. These NAT routers often come with filtering capabilities or even stateful-inspection firewalls that provide an additional level of protection at the price of some complicated installation procedures.
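To make the NAT behaviour described above concrete, here is a small simulation added for this post (not code from the article or from any router vendor). It models a stateful NAT: an inside host's outbound connection creates a mapping from a public port back to the inside address, replies that match that mapping are delivered, and any unsolicited inbound packet with no mapping (and no deliberate port forward) is dropped. All addresses are constructed from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed public address for the router (RFC 5737 documentation range).
PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Minimal stateful NAT: inside hosts are reachable only through a mapping
    created by their own outbound traffic or through an explicit port forward."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public_port -> (inside_ip, inside_port, remote_ip, remote_port)
        self.table: dict[int, tuple[str, int, str, int]] = {}
        # public_port -> (inside_ip, inside_port), opened deliberately by the owner
        self.forwards: dict[int, tuple[str, int]] = {}

    def forward_port(self, public_port: int, inside_ip: str, inside_port: int) -> None:
        """Expose one inside service on purpose (the only other way in)."""
        self.forwards[public_port] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside packet's source to the public address and remember it."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for pub_port, entry in self.table.items():
            if entry == flow:
                break  # reuse the existing mapping for this flow
        else:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = flow
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver a packet arriving from the Internet, or return None to drop it."""
        entry = self.table.get(pkt.dst_port)
        if entry and entry[2:] == (pkt.src_ip, pkt.src_port):
            return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1])
        if pkt.dst_port in self.forwards:
            inside_ip, inside_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)
        return None  # no mapping: the inside host is invisible to this sender
```

A scan aimed at the public address (for example at a file-sharing port) hits the `None` branch unless the owner has forwarded that port, which is exactly why the article treats the NAT router as an escalation over per-host hardening.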


Personal firewalls, which often incorporate some kinds of intrusion detection, are perfect for individual machines connected to the Internet without a NAT router. They can also be installed on each PC in a local network, located outside the router, or run on a dedicated PC between the router and a hub or switch that connects to the client PCs. Some of these software products will detect outbound traffic from stealth remote control processes, providing a valuable backup to preventative efforts. Finally, enterprises whose remote employees have access to the most crucial, sensitive data will probably want to install firewalls at their employees' residences.


Note that certain commonly cited security threats—having a broadband connection and having an always-on Internet connection—are actually not threats at all. If you properly configure and patch the OS and file-sharing applications; guard against viruses, worms, and rogue software they may install; and insulate your home system with a NAT router or a firewall, then the length of time you're connected and the speed of your connection have no impact on your security.






Resources


One of the most sensible and comprehensive sites for safely configuring broadband networks is the Navas Cable Modem/DSL Tuning Guide at http://cable-dsl.home.att.net/#security. This site has especially good advice on File and Printer Sharing for Microsoft Networks, but also discusses Macintosh security, OS/2 security, and the pros and cons of personal and hardware-based firewall products.



Hacking Exposed, Second Edition, by Joel Scambray, Stuart McClure, and George Kurtz, Osborne-McGraw Hill, 2001, ISBN 0-07-212748-1, is the definitive compendium of intruder practices and tools.




This tutorial, number 162, by Steve Steinke, was originally published in the January 2002 issue of Network Magazine.