Security Information for Your Home Network
Personal Firewalls
Norton Personal
Black Ice Defender
Zone Alarm
LockDown 2000
McAfee

Virus Scanners
McAfee
Norton Antivirus
InoculateIT
Trend

Intrusion Detection
SNORT
Network Flight Recorder

Hacker Pages
RootShell
NewOrder

For Even More Info
Security Portal
SANS
Tech Republic
CISSP


Once you have the network up and running it will not be long before you encounter the "evil" forces that lurk on the Internet. There is a constant array of hackers, viruses, script kiddies and trojans to keep the home networking enthusiast awake at night. There is hope, however, in the many products designed to protect you from the top 10 Internet security threats described below. In the column at the left you will find the products that can be downloaded and/or purchased to provide security for your network.

If you don’t take an active part in securing your home network, then you’re at risk. Don’t dismiss the likelihood of a stranger accessing your computers. If you have a high-speed connection to the Internet, then you’re probably scanned for common vulnerabilities much more frequently than you would expect. If you’re still on an old clunky analog connection, don’t think you’re not at risk either. You may not be targeted as frequently, but if an attacker has reason to believe you have something of value, she will take the time to target you.

To give you a quick idea of how susceptible you may be, consider some alarming test results I have heard of from one AT&T @Home cable connection. A poorly configured Windows box running file and print sharing without a password was accessed in less than 24 hours. The risk is far more prevalent than you would probably expect; on average, 5-10 scans come across daily looking for easily exploitable services. The most common scan is for port 1080, the SOCKS proxy port: attackers are looking for a misconfigured open proxy that lets them relay their traffic through your connection, so that their attacks or spam appear to come from your address. Even @Home does its own share of scanning; it scans this particular subnet on port 119 (NNTP news) about once an hour from "authorized-scan.security.home.net."
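If you run a personal firewall, its log is where those 5-10 daily scans show up. The following script is an added example, not part of the original article: it tallies blocked inbound connection attempts by day and by destination port, separates your ISP's announced scanner (the "authorized-scan" host named above) from everyone else, and lists the hosts hunting for an open proxy on port 1080. The log line format, the addresses (taken from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24) and the sample records are all constructed for the demonstration; adapt the regular expression to whatever your firewall actually writes.

```python
"""Tally inbound connection attempts from a personal-firewall log.

Added example, not from the original article. The log format is an
assumption (one line per blocked packet); the addresses are constructed
from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24.
"""
import re
from collections import Counter, defaultdict

# Assumed log line format:
#   <date> <time> DROP <proto> <src host>:<src port> -> <dst ip>:<dst port>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) DROP "
    r"(?P<proto>TCP|UDP) (?P<src>[^:\s]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports the article singles out, plus a few other classic targets.
WATCHED_PORTS = {
    1080: "SOCKS proxy (open-relay hunting)",
    119: "NNTP (the ISP's authorized scan)",
    139: "NetBIOS session service (Windows file sharing)",
    2049: "NFS",
    161: "SNMP",
}

# The ISP scans from this host, per the article; anything else is untrusted.
KNOWN_SCANNERS = {"authorized-scan.security.home.net"}

# Constructed sample log (not real traffic); one line is deliberately malformed.
SAMPLE_LOG = """\
2000-03-14 01:02:11 DROP TCP 192.0.2.17:3271 -> 203.0.113.5:1080
2000-03-14 01:02:12 DROP TCP 192.0.2.17:3272 -> 203.0.113.5:1080
2000-03-14 01:59:40 DROP TCP authorized-scan.security.home.net:40211 -> 203.0.113.5:119
2000-03-14 02:59:41 DROP TCP authorized-scan.security.home.net:40388 -> 203.0.113.5:119
2000-03-14 11:20:05 DROP TCP 192.0.2.99:1025 -> 203.0.113.5:139
2000-03-14 11:20:05 DROP UDP 192.0.2.99:1026 -> 203.0.113.5:161
this line is not a firewall record
2000-03-15 04:44:01 DROP TCP 192.0.2.203:2048 -> 203.0.113.5:1080
2000-03-15 04:50:13 DROP TCP 192.0.2.203:2049 -> 203.0.113.5:2049
"""


def parse_line(line):
    """Return the fields of one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(log_text):
    """Count distinct scanning hosts per day and the ports they probe.

    A 'scan' is counted once per (day, source host) so that a single host
    walking many ports does not inflate the number.
    """
    scanners_by_day = defaultdict(set)   # day -> set of untrusted source hosts
    per_port = Counter()                 # dst port -> hits from untrusted hosts
    proxy_hunters = set()
    isp_scans = 0
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["src"] in KNOWN_SCANNERS:
            isp_scans += 1
            continue
        scanners_by_day[rec["date"]].add(rec["src"])
        per_port[rec["dport"]] += 1
        if rec["dport"] == 1080:
            proxy_hunters.add(rec["src"])
    return {
        "scans_per_day": {d: len(s) for d, s in sorted(scanners_by_day.items())},
        "per_port": dict(per_port),
        "proxy_hunters": sorted(proxy_hunters),
        "isp_scans": isp_scans,
        "malformed": malformed,
    }


def report(summary):
    """Render the summary as the kind of daily digest you would read each morning."""
    lines = []
    for day, n in summary["scans_per_day"].items():
        lines.append(f"{day}: {n} distinct scanning host(s)")
    for port, hits in sorted(summary["per_port"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  port {port:5d}: {hits} hit(s)  [{WATCHED_PORTS.get(port, 'other')}]")
    if summary["proxy_hunters"]:
        lines.append("hosts probing for an open SOCKS proxy: " + ", ".join(summary["proxy_hunters"]))
    lines.append(f"ISP authorized scans ignored: {summary['isp_scans']}, "
                 f"unparsable lines: {summary['malformed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG)))
```

Counting distinct hosts per day rather than raw packets is deliberate: one scanner sweeping a hundred ports is still one scan, and it is the number of separate strangers knocking that tells you how exposed you are.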

The urgent need to protect your home system may seem daunting, perhaps even scary. It certainly can be both. Consider this: The average e-commerce business easily spends more in a year on information security than the average home owner is expected to pay for his/her home over 30 years! 

The bottom line is that you shouldn’t expect someone to take care of your security for you. Just as you diligently lock your car door whenever you leave it, you should lock up your computer system to keep the bad guys out.

The Top 10 Security Threats to Any Network (Home based as well)

 1. BIND weaknesses: nxt, qinv and in.named allow immediate root compromise.

The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of the Domain Name System (DNS) -- the critical means by which we all locate systems on the Internet by name (e.g., www.sans.org) without having to know specific IP addresses -- and this makes it a favorite target for attack. Sadly, according to a mid-1999 survey, about 50% of all DNS servers connected to the Internet were running vulnerable versions of BIND.
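The quickest way to find out whether a name server is one of that 50% is to ask it: BIND answers a TXT query for the name "version.bind" in the CHAOS class with its version string (unless the administrator has hidden it). The script below is an added example, not code from the article or from BIND; it builds and parses that query by hand so it runs with nothing but the standard library. The reply bytes used in the offline demo are constructed, not captured from a real server, and the version string in them is a placeholder.

```python
"""Ask a name server what version of BIND it claims to run (version.bind CH TXT).

Added example, not from the article. The query is built by hand to stay
dependency-free; make_response() fabricates a reply for offline testing.
"""
import os
import socket
import struct
import sys

QTYPE_TXT = 16
QCLASS_CHAOS = 3


def encode_name(name):
    """Encode a dotted name as DNS labels: 'version.bind' -> b'\\x07version\\x04bind\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_version_query(txid):
    """One-question query: version.bind, type TXT, class CHAOS, no recursion."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_version_response(msg, txid):
    """Return the TXT strings from the first CH TXT answer, or [] if there is none.

    A mismatched transaction id is rejected outright: a reply you did not ask
    for is either a stray packet or an attempt to spoof you.
    """
    if len(msg) < 12:
        raise ValueError("truncated header")
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible spoofed reply)")
    if flags & 0x000F:                 # RCODE != 0; REFUSED is typical when the version is hidden
        return []
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip qtype + qclass
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_TXT and rclass == QCLASS_CHAOS:
            strings, p = [], 0
            while p < len(rdata):       # TXT RDATA is a run of <len><chars> strings
                n = rdata[p]
                strings.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
            return strings
    return []


def query_version(server, timeout=2.0):
    """Send the query over UDP to port 53 and return the advertised version strings."""
    txid = int.from_bytes(os.urandom(2), "big")   # random id, checked on the way back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_version_response(data, txid)


def make_response(txid, text=None, rcode=0):
    """Construct a reply as a server would send it (used for offline testing only)."""
    q = encode_name("version.bind") + struct.pack("!HH", QTYPE_TXT, QCLASS_CHAOS)
    if text is None:
        return struct.pack("!HHHHHH", txid, 0x8400 | rcode, 1, 0, 0, 0) + q
    rdata = bytes([len(text)]) + text.encode("ascii")
    answer = (b"\xc0\x0c"                # pointer back to the question name at offset 12
              + struct.pack("!HHIH", QTYPE_TXT, QCLASS_CHAOS, 0, len(rdata)) + rdata)
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + q + answer


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(query_version(sys.argv[1]))           # e.g. your ISP's resolver
    else:                                           # offline demo with a constructed reply
        print(parse_version_response(make_response(7, "8.2.2-P5"), 7))
```

Run it against your own resolver with the server address as the only argument. An empty list means the server refused or hides its version, which is itself a reasonable hardening choice; a version string is only useful once you compare it against the vendor's list of fixed releases.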

2. Vulnerable CGI programs and application extensions (e.g., ColdFusion) installed on web servers.

Most web servers support Common Gateway Interface (CGI) programs to provide interactivity in web pages, such as data collection and verification. Many web servers come with sample CGI programs installed by default. Unfortunately, many CGI programmers fail to consider ways in which their programs may be misused or subverted to execute malicious commands. Vulnerable CGI programs present a particularly attractive target to intruders because they are relatively easy to locate, and they operate with the privileges and power of the web server software itself. Intruders are known to have exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions, which remain even after the CGI programs themselves are later secured.
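The most common way a CGI program gets "subverted to execute malicious commands" is by pasting a form field into a shell command line. The following is an added example, not code from the article: a hypothetical greeting CGI written both the vulnerable way and the hardened way, with a constructed injection string to show the difference. It uses echo so that it runs anywhere with /bin/sh; substitute finger, mail or whatever the real CGI calls and the lesson is the same.

```python
"""Vulnerable versus hardened command construction in a CGI-style handler.

Added example, not code from the article. The greeting lookup is a
hypothetical CGI that calls a command via the shell; the injection string
and user names are constructed for the demonstration.
"""
import re
import subprocess

# Allow-list for the one field we pass to a program: a Unix-style login name.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

SHELL_METACHARS = set(";|&`$()<>\n'\"\\")


def greet_vulnerable(user):
    """The classic mistake: splice untrusted query input into a shell command.

    Anything the shell treats specially (; | & ` $( ) and so on) becomes part
    of the command line, and it runs with the web server's privileges.
    """
    cmd = "echo Hello " + user            # e.g. user = "bob; echo INJECTED"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def greet_hardened(user):
    """Validate against a strict allow-list, then pass argv without a shell.

    With no shell in the picture there is nothing to interpret metacharacters,
    and the allow-list rejects them anyway, so an attacker's string is at most
    an error message.
    """
    if not USERNAME_RE.match(user):
        raise ValueError("invalid user name")
    out = subprocess.run(["echo", "Hello", user], capture_output=True, text=True)
    return out.stdout


def shell_metachars(s):
    """Report which shell metacharacters an input contains (useful for logging)."""
    return sorted(set(s) & SHELL_METACHARS)


if __name__ == "__main__":
    payload = "bob; echo INJECTED"
    print("vulnerable:", repr(greet_vulnerable(payload)))   # second command runs
    print("suspicious characters:", shell_metachars(payload))
    try:
        greet_hardened(payload)
    except ValueError as e:
        print("hardened:", e)
    print("hardened, clean input:", repr(greet_hardened("bob")))
```

The hardened version does two independent things, and you want both: the allow-list rejects input the program was never meant to see, and passing an argument list instead of a string means that even input the allow-list misses is handed to the program as data, never to a shell as code.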

3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise.

Remote procedure calls (RPC) allow programs on one computer to execute programs on a second computer. They are widely used to access network services such as shared files in NFS. Multiple vulnerabilities caused by flaws in RPC services are being actively exploited. There is compelling evidence that the vast majority of the distributed denial of service attacks launched during 1999 and early 2000 were executed by systems that had been victimized because they had the RPC vulnerabilities. The broadly successful attack on U.S. military systems during the Solar Sunrise incident also exploited an RPC flaw found on hundreds of Department of Defense systems.

4. RDS security hole in the Microsoft Internet Information Server (IIS)

Microsoft’s Internet Information Server (IIS) is the web server software found on most web sites deployed on Microsoft Windows NT and Windows 2000 servers. Programming flaws in IIS’s Remote Data Services (RDS) are being employed by malicious users to run remote commands with administrator privileges. Some participants who developed the "Top Ten" list believe that exploits of other IIS flaws, such as .HTR files, are at least as common as exploits of RDS. Prudence dictates that organizations using IIS install patches or upgrades to correct all known IIS security flaws when they install patches or upgrades to fix the RDS flaw.

5. Sendmail and MIME buffer overflows as well as pipe attacks that allow immediate root compromise.

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux computers. Sendmail’s widespread use on the Internet makes it a prime target of attackers. Several flaws have been found over the years. The very first advisory issued by CERT/CC in 1988 made reference to an exploitable weakness in sendmail. In one of the most common exploits, the attacker sends a crafted mail message to the machine running Sendmail, and Sendmail reads the message as instructions requiring the victim machine to send its password file to the attacker’s machine (or to another victim) where the passwords can be cracked.

6. sadmind and mountd

Sadmind allows remote administration of Solaris systems, acting as the back end for the graphical system administration tools. Mountd controls and arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications can be exploited, allowing attackers to gain control with root access.

7. Global file sharing and inappropriate information sharing via NetBIOS and Windows NT ports 135 through 139 (445 in Windows 2000), or UNIX NFS exports on port 2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548.

This is very important information for home networks. These services allow file sharing over networks. When improperly configured, they can expose critical system files or give full file system access to any hostile party connected to the network. Many computer owners and administrators use these services to make their file systems readable and writeable in an effort to improve the convenience of data access. Administrators of a government computer site used for software development for mission planning made their files world readable so people at a different government facility could get easy access. Within two days, other people had discovered the open file shares and stolen the mission planning software.

When file sharing is enabled on Windows machines they become vulnerable to both information theft and certain types of quick-moving viruses. A recently released virus called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and causes the victim’s computer to dial 911 on its modem. Macintosh computers are also vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate sensitive system information from NT systems. User and Group information (usernames, last logon dates, password policy, RAS information), system information, and certain Registry keys may be accessed via a "null session" connection to the NetBIOS Session Service. This information is typically used to mount a password guessing or brute force password attack against the NT target.

8. User IDs, especially root/administrator with no passwords or weak passwords.

Some systems come with "demo" or "guest" accounts with no passwords or with widely-known default passwords. Service workers often leave maintenance accounts with no passwords, and some database management systems install administration accounts with default passwords. In addition, busy system administrators often select system passwords that are easily guessable ("love," "money," "wizard" are common) or just use a blank password. Default passwords provide effortless access for attackers. Many attackers try default passwords and then try to guess passwords before resorting to more sophisticated methods. Compromised user accounts get the attackers inside the firewall and inside the target machine. Once inside, most attackers can use widely-accessible exploits to gain root or administrator access.

9. IMAP and POP buffer overflow vulnerabilities or incorrect configuration.

IMAP and POP are popular remote access mail protocols, allowing users to access their e-mail accounts from internal and external networks. The "open access" nature of these services makes them especially vulnerable to exploitation because openings are frequently left in firewalls to allow for external e-mail access. Attackers who exploit flaws in IMAP or POP often gain instant root-level control.

10. Default SNMP community strings set to ‘public’ and ‘private.’

The Simple Network Management Protocol (SNMP) is widely used by network administrators to monitor and administer all types of network-connected devices ranging from routers to printers to computers. SNMP uses a "community string", sent in cleartext in every packet, as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public", with a few "clever" network equipment vendors changing the string to "private". Attackers can use this weakness in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it. Intruders use such information to pick targets and plan attacks.
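Because the community string travels in cleartext, anyone who can see the packets can read it, and so can you when auditing your own network. The script below is an added example, not from the article: it decodes just enough of SNMPv1/v2c's BER encoding to pull the version and community string out of a captured packet and flag the defaults, and it includes a small encoder so the demonstration packets can be constructed in-line rather than captured. The addresses and the non-default community string are made up for the example.

```python
"""Pull the community string out of SNMPv1/v2c packets and flag the defaults.

Added example, not from the article. build_get_request() constructs the
sample packets; in practice you would feed community_of() the UDP payloads
of port 161/162 packets from a capture.
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def tlv(tag, body):
    """BER tag-length-value with short or long-form length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def ber_int(v):
    """Non-negative INTEGER; the extra byte keeps the sign bit clear."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid="1.3.6.1.2.1.1.1.0", request_id=1, version=0):
    """A GetRequest for one object (default sysDescr.0); version 0 = v1, 1 = v2c."""
    varbind = tlv(0x30, encode_oid(oid) + b"\x05\x00")          # OID, NULL
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode("latin-1")) + pdu)


def read_tlv(buf, off=0):
    """Decode one TLV at off; return (tag, value bytes, offset after it)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length


def community_of(packet):
    """Return (version name, community) for a v1/v2c message; community is None for v3."""
    tag, body, _ = read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, ver, off = read_tlv(body)
    if tag != 0x02:
        raise ValueError("missing version field")
    version = int.from_bytes(ver, "big")
    name = {0: "v1", 1: "v2c", 3: "v3"}.get(version, f"v{version}")
    tag, comm, _ = read_tlv(body, off)
    if tag != 0x04:                 # SNMPv3 carries a header SEQUENCE here, not a community
        return name, None
    return name, comm.decode("latin-1")


def audit_capture(packets):
    """packets: iterable of (source address, UDP payload). Flag default community strings."""
    findings = []
    for src, payload in packets:
        version, community = community_of(payload)
        findings.append({
            "src": src,
            "version": version,
            "community": community,
            "default": community in DEFAULT_COMMUNITIES,
        })
    return findings


# Constructed capture: two devices still on the defaults, one reconfigured.
SAMPLE_CAPTURE = [
    ("192.0.2.10", build_get_request("public")),
    ("192.0.2.11", build_get_request("private", version=1)),
    ("192.0.2.12", build_get_request("Xk9-monitor-ro")),   # made-up non-default string
]


if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        flag = "DEFAULT" if f["default"] else "ok"
        print(f"{f['src']:12} SNMP{f['version']} community={f['community']!r} {flag}")
```

The fix for what this finds is not a longer community string: anything sent in cleartext is readable by whoever sniffs it. Change the defaults so casual probes fail, restrict which addresses may talk SNMP to each device, and turn the service off on devices you never manage that way.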

Additional Threat: A High Priority Bonus Item for Windows Users and Administrators:
Various Scripting Holes in Internet Explorer and Office2000

Recent virus attacks have illustrated how macro and script code could spread easily through e-mail attachments, and people were admonished to avoid opening potentially dangerous attachments. However, Windows users can also spread malicious viruses without opening attachments. Microsoft Outlook and Outlook Express will execute HTML and script code in an e-mail in their default installations. In addition, several so-called ActiveX components are incorrectly executable from an e-mail containing HTML and script code. Some of the vulnerable controls include Scriptlet.typelib (ships with IE 4.x and 5.x) and the Office UA control (Office 2000). A further consequence of Active Scripting is that an e-mail can be used to install new software on a user's computer.

A relatively benign virus known as the kak worm is already spreading through these mechanisms. A malicious version of kak can be anticipated at any time. We recommend that all users and administrators set Outlook and Outlook Express to read e-mail in the "Restricted Sites Zone" and then further disable all Active Scripting and ActiveX related settings in that zone. This is done in the Options dialog's Security tab, but can be automated using System Policies. Microsoft has made patches available for the individual problems and is readying a patch which will set the security settings in Outlook, but apparently has no plans to fix Outlook Express.

Some Valuable Tips:

An important element to remember when securing your information is the importance of strong passwords. Always try to use a combination of uppercase and lowercase letters as well as numbers and other extended characters -- just be sure that you pick something that is memorable. Pronounceable nonsense syllables work well as a base; e.g., "gola3bonu" or "uwitga9hoolor" (note that these still need a capital letter or punctuation added to satisfy all of the rules above). Always pick a password with at least 8 characters.
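The rules above, together with the blank and default passwords described under threat 8, are easy to turn into a check you can run before accepting a password. The following is an added example, not from the article: it reports every rule a candidate password breaks, catches the common words the article names even when digits or punctuation are tacked on, and audits a small set of accounts for the guest/demo problem. The word list and the sample accounts are constructed; a real check would use a full dictionary.

```python
"""Check candidate passwords against the article's rules and the defaults
attackers try first.

Added example, not from the article. COMMON_PASSWORDS is a small
constructed stand-in for the dictionaries real cracking tools carry.
"""
import string

# Words the article names plus a few vendor defaults; constructed list.
COMMON_PASSWORDS = {"", "love", "money", "wizard", "password",
                    "guest", "demo", "admin", "public", "private"}

STRIPPABLE = string.digits + string.punctuation


def password_problems(password, username=""):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    required = {
        "lowercase letter": any(c.islower() for c in password),
        "uppercase letter": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "punctuation or other non-alphanumeric character": any(not c.isalnum() for c in password),
    }
    for name, present in required.items():
        if not present:
            problems.append("no " + name)
    # "Wizard99!" is still "wizard" to a cracker: strip the decoration and look it up.
    core = password.lower().strip(STRIPPABLE)
    if password.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common or default password (possibly with digits/punctuation added)")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def audit_accounts(accounts):
    """accounts: {user name: password}. Return only the accounts that have problems."""
    return {user: password_problems(pw, user)
            for user, pw in accounts.items()
            if password_problems(pw, user)}


# Constructed sample: a typical fresh system with leftover demo/guest accounts.
SAMPLE_ACCOUNTS = {
    "guest": "",
    "demo": "demo",
    "alice": "Gola3bo-nu",
}


if __name__ == "__main__":
    for candidate in ["", "wizard", "Wizard99!", "gola3bonu", "Gola3bo-nu"]:
        print(f"{candidate!r:14} -> {password_problems(candidate) or 'OK'}")
    for user, probs in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"account {user}: {'; '.join(probs)}")
```

The second check is the one most home-grown policies miss: a password that satisfies every character-class rule can still be a dictionary word with "99!" on the end, and that is exactly the transformation a cracking tool tries first.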

Use a secure screen saver even at home and set it for a reasonable period delay -- say, 15 minutes.  If it gets in your way, extend the delay.

Encrypt the sensitive files on your system.

Don’t forget to protect access to your printer -- you don’t want some prankster printing junk (or worse) on your paper.

Note: The information presented in this article was gathered from various sources, along with some original work. The following sources were used: SecurityPortal and the SANS Institute.

Copyright 2004, HomeNetwork Pro