9. Security Issues

 

 

In normal situations the main focus of security is to protect access to data systems and the information they contain. When dealing with automated systems, security issues could lead to major economic losses through damaged equipment, or even loss of life!

 

Security violations normally come from disgruntled employees, but recently anonymous crackers (incorrectly called hackers in the press) have become a significant threat. Modern operating systems and software are often designed with some security features. Most assume that there is limited physical access to the computer. The most elaborate security system doesn’t work if the hard drive is stolen. The best strategy to keep a system safe is to understand how hackers can break into a computer. What follows are the most common types of attacks.

 

Social engineering involves the use of people and trust to get access to a computer. This often involves understanding the psychology of trust and exploiting it to get passwords and other information. A common ruse to get an employee password is as follows. Call an employee in a company likely to have a high level of software access, such as a secretary of a high level executive. Claim to be from the IT (Information Technology) department, talk for a while and then ask for help solving a problem with the password account. When agreement is obtained, ask the secretary to change the account password, and let you know what the new one is.

 

Crackers will also practice ’surfing’. Shoulder surfing involves peeking over the shoulder of users as they enter passwords. Garbage surfing involves taking a garbage can before it is emptied and searching the contents for useful information, such as credit card numbers. Cubicle surfing involves checking for posted passwords around computers. Some users hate to remember passwords and will post them for all to see (or sometimes tape them to the bottom of the keyboard). The following strategies help protect against these types of problems:

• inform users that their passwords are to be given to NOBODY, especially unseen.

• allow users to select their own passwords; they are more likely to remember them, and not write them down. Assigning cryptic passwords and changing them often ensures that even the most advanced users will write them down somewhere.

• check user passwords for simplicity. Problem passwords include a single word in the dictionary, a user’s first/last name, a first name followed by ’1’, common jargon and popular phrases, curse words, etc.

• watch the activity of simpler users. One easy way to do this is with the command ’last | more’. This will show a list of users, when they logged in, and how they logged in. Look for irregularities, such as a low end user who suddenly starts using telnet and ftp.

• set up access policies for users and equipment. Keep unauthorized people away from secure computers and work areas.
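
The password simplicity check from the list above, as an added example that is not part of the original notes. The word lists, function names and sample accounts are constructed for illustration; trailing digits are stripped so that the "name followed by ’1’" case is caught along with similar variants.

```python
import re

# Constructed sample lists (assumptions). A real check would load a full
# dictionary file and site-specific jargon, phrase and profanity lists.
DICTIONARY = {"password", "dragon", "monkey", "sunshine", "welcome"}
PHRASES = {"letmein", "qwerty", "iloveyou", "trustno1"}


def weak_password_reasons(password, first_name, last_name,
                          dictionary=DICTIONARY, phrases=PHRASES):
    """Return the reasons a password is too simple (empty list if none)."""
    pw = password.lower()
    names = {n.lower() for n in (first_name, last_name) if n}
    stem = re.sub(r"\d+$", "", pw)  # 'alice1' -> 'alice'
    reasons = []
    if pw in names:
        reasons.append("user's own name")
    elif stem in names:
        reasons.append("user's name followed by digits")
    if pw in dictionary:
        reasons.append("single dictionary word")
    elif stem in dictionary:
        reasons.append("dictionary word followed by digits")
    if pw in phrases:
        reasons.append("common jargon or popular phrase")
    return reasons


def audit(candidates):
    """Map each user to the reasons their proposed password was rejected.

    candidates: iterable of (username, first_name, last_name, password),
    checked when the password is set, before it is hashed and stored.
    """
    report = {}
    for user, first, last, password in candidates:
        reasons = weak_password_reasons(password, first, last)
        if reasons:
            report[user] = reasons
    return report


# Constructed sample accounts.
SAMPLE = [
    ("asmith", "Alice", "Smith", "Alice1"),
    ("bjones", "Bob", "Jones", "dragon"),
    ("cwu", "Carol", "Wu", "v9#Lq!tz2r"),
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE).items():
        print(user, "->", ", ".join(reasons))
```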

 

The advent of the Internet has made anonymous crackers more common. Most computers can be accessed from the Internet, even if indirectly. Two major threats include a denial of service (DOS) attack and a break-in. DOS attacks involve flooding a site with irregular network packets, sent from other computers (that were victims of break-ins). The outcome of this attack is that network access slows so much it becomes unusable.

 

Break-ins occur when a security hole is found in the operating system, or when a virus or trojan horse is downloaded by a user. Security holes in an operating system often involve network services, such as ftp and mail servers. When planning to break into a computer most crackers will first identify which services are active on a computer. After this they will try to exploit known vulnerabilities to get access to the computer. After breaking in they will try to install software so that they will have future access to the computer, and hide their presence. Most crackers will return to the computer they have broken into numerous times until discovered.

 

Viruses are designed to spread indiscriminately and infect computers. Once a computer is infected, the virus often lies dormant for a while before executing some mission such as spreading to other programs/files, displaying a message, or erasing a hard drive. Like real viruses, the damaging ones often burn out quickly, while the milder ones spread and become a nuisance. Previously these were only spread through downloaded programs, and they could only be activated by somebody running software. Recently viruses have started to exploit holes in consumer oriented software. In simple terms, the same features that make the software easy to use also make it a security threat. This means that users can get viruses from an email message without reading it.

Trojan horses are programs that actually do something useful (unlike viruses), but they include some ’unwanted extras’. These might give a cracker access to the system running the trojan horse program, or worse. These can be added to trusted software by modifying the source code of a useful software package, and then releasing it for use. Administrators might download and install the software believing it is the regular version, but instead install the security holes.

These security problems can be lessened with the following strategies.

• Networking hardware is available to reduce or eliminate the effects of DOS attacks. This should be considered for any critical Internet site.

• Security holes can be closed by applying the software patches that are made available when vulnerabilities are discovered. These should be downloaded and applied whenever available. Security advisories are available from (www.cert.net?) and (www.bugtraq.org?).

• Firewalls can be used to shield critical or vulnerable computers from outside access.

• To avoid viruses (mostly for Microsoft computers): don’t download and run programs from untrusted sources. Use virus checking software, and keep it updated.

• Don’t use servers for tasks other than serving, especially with convenience software, such as mail readers.

• Avoid trojan horses by only downloading software from a trusted site.

 

When breaking into a computer the goal is to obtain the ’root’ or ’Administrator’ account. If a cracker ever gets a few minutes at the keyboard logged in as ’root’ or ’Administrator’, they can give themselves easy access. System administrators should not leave their account logged in without an automatic screen lock function. The administrator should also track the usage of their account to look for any irregular activities.
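
The account tracking advised here, and the earlier suggestion to review ’last | more’ for irregularities, can be automated as in this added example, which is not part of the original notes. The sample output is constructed, and treating a line name beginning with ’ftp’ as an FTP session is an assumption about how the FTP daemon writes its login records.

```python
# Constructed sample of `last` output (newest entry first, as `last` prints it).
SAMPLE = """\
root     pts/2        203.0.113.9      Wed Mar  5 02:25 - 02:40  (00:15)
bob      ftpd2211     203.0.113.9      Wed Mar  5 02:14 - 02:20  (00:06)
root     tty1                          Tue Mar  4 10:00 - 10:05  (00:05)
alice    pts/1        10.0.0.5         Tue Mar  4 09:03 - 17:00  (07:57)
bob      tty1                          Tue Mar  4 08:31 - 16:02  (07:31)
alice    pts/0        10.0.0.5         Mon Mar  3 09:01 - 17:02  (08:01)
bob      tty1                          Mon Mar  3 08:30 - 16:00  (07:30)
reboot   system boot  5.15.0           Mon Mar  3 08:00   still running

wtmp begins Mon Mar  3 08:00:00 2025
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def parse_last(text):
    """Return (user, kind, host, when) tuples, oldest login first."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] in ("reboot", "shutdown", "wtmp"):
            continue  # blank lines, boot records and the trailer
        user, tty = f[0], f[1]
        # With no remote host, the third field is already the weekday.
        host, rest = ("", f[2:]) if f[2] in WEEKDAYS else (f[2], f[3:])
        if tty.startswith("ftp"):      # assumption: ftpd names its line ftp*
            kind = "ftp"
        elif host:                     # telnet, rlogin, ssh: `last` cannot
            kind = "remote"            # tell these apart, only the host
        else:
            kind = "console"
        records.append((user, kind, host, " ".join(rest[:4])))
    records.reverse()
    return records


def irregular_logins(records):
    """Flag logins from an origin the user has not used before."""
    seen, alerts = {}, []
    for user, kind, host, when in records:
        history = seen.setdefault(user, set())
        if history and (kind, host) not in history:
            alerts.append((user, kind, host, when))
        history.add((kind, host))
    return alerts


if __name__ == "__main__":
    for alert in irregular_logins(parse_last(SAMPLE)):
        print("irregular login:", *alert)
```

A user’s first recorded login sets the baseline and is never flagged, so the log must cover a period of known-good activity before the results mean anything.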

 

 

 

9.1 Computers and Hardware

 

- most models assume no physical access to hardware, or controlled access.

- prototype intruders
  - disgruntled employees (over half)
    - inside organization
    - know systems
    - have access to systems
    - problems: leave back doors
    - problems: malicious damage
  - joyriders
    - outsiders
    - some technical knowledge
    - using general knowledge and holes
    - driven by the thrill, fun or peer recognition
    - sometimes damage
    - some break into computers to hide their tracks while breaking into other computers
  - professional
    - driven by industrial espionage
    - knowledgeable
    - normally don’t cause damage but are after information

- security holes
  - users
    - give away passwords
    - simple passwords
    - written passwords
  - software flaws
    - all software has flaws
    - some flaws can be used to control the system

 

- How to break into a system (provided for checking your own system)

1. Pick your target / objective.

2. Research the target with publicly available resources. Try to get at least the basic network layout.

  - use www.arin.net to locate information on the sys-admin
  - use DNS lookup to find other machines on the net
  - check websites, and other public information sources for details. Search engines can be useful here.
  - use a program such as ’nmap’ to identify the operating system, versions, open services, etc.
  - try to determine if any others have access to the machine
  - try to determine the physical location of the machine, and possible routes for physical access.
  - look for ’backdoors’ such as modems
  - determine if there are any firewalls

3. (option a) Social engineering - try to convince users or others to give you passwords or access.

3. (option b) Security holes - use known security holes in the operating system to try and break in.

3. (option c) Brute force - try guessing passwords or use auto password generators.

4. Once you have access (as non-root/administrator) use other security holes to boost your privileges to root/administrator.

5. As root/administrator explore the system to see what is available.

6. Install a ’root kit’ to allow a backdoor so that you can get back in later, and cover your tracks. These can also silently watch keystrokes and send passwords, etc. back later.

7. Logout.