What are the hacks I need to worry about today?

Jim Reavis
Network World on Security, 11/17/99

While I often like to use my platform in these newsletters to speculate about the future of information security, that does not change the fact that we must keep our systems safe from today's cyberattacks. What are the different major categories of hacks you need to be actively fighting today?

While there are literally thousands of different types of attacks, they fit into a few major categories:

Buffer overflow
Buffer overflow attacks are the most common method of compromising hosts on the Internet. Server software contains application logic errors that hackers can exploit by sending strings longer than the input buffer, or illegal HTML code in the case of Web servers.

Hackers can sometimes exploit this problem to gain root authority and/or execute their own programs on the server. Likely target hosts for buffer overflow attacks are often found by port scanning and network probing. These tools can find vulnerable services and fingerprint the operating system to narrow down the attack. Most of the successful attacks occur by exploiting a vulnerability that has been fixed by the vendor, but not patched by the administrator. According to the CERT Coordination Center's most recent report of high-impact security incidents, the top incident pertaining to Windows NT was the Open Database Connectivity vulnerability in Microsoft's Web server, which has been a known issue for over 18 months, and for which Microsoft has issued two separate advisories. The same report listed the most common Unix root compromise situations as being caused by the rpc.cmsd, tooltalk, statd and automountd daemons, all documented issues for at least several months.
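The logic error the article describes, shown as an added example that is not code from the article: a hypothetical request handler copies an attacker-controlled field into a fixed-size stack buffer. The field size NAME_MAX and the handler names are assumptions of this example. The unsafe version uses strcpy, which never consults the destination size; the hardened version bounds the scan, rejects oversized input instead of truncating it, and logs the rejection, since oversized fields in request logs are a useful indicator of probing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical request field size for this example (not from the article). */
#define NAME_MAX 32

/* UNSAFE: strcpy copies until it finds a NUL byte and never looks at the
 * destination size. A field longer than NAME_MAX - 1 bytes overruns 'name'
 * on the stack; this is the application logic error the article describes. */
void greet_unsafe(const char *request)
{
    char name[NAME_MAX];
    strcpy(name, request);            /* no bounds check at all */
    printf("hello %s\n", name);
}

/* HARDENED: check the length before copying and refuse oversized input.
 * Returns true if the field was accepted, false if it was rejected. */
bool greet_safe(const char *request)
{
    char name[NAME_MAX];
    /* memchr bounds the scan: we never read beyond NAME_MAX bytes of input. */
    const char *end = memchr(request, '\0', NAME_MAX);
    if (end == NULL) {
        /* No terminator within the buffer size: the field cannot fit.
         * Reject rather than truncate silently, and log it. */
        fprintf(stderr, "rejected: field exceeds %d bytes\n", NAME_MAX - 1);
        return false;
    }
    memcpy(name, request, (size_t)(end - request) + 1);   /* bounded copy incl. NUL */
    printf("hello %s\n", name);
    return true;
}

int main(void)
{
    /* Constructed inputs: a normal field and a 200-byte field of 'A's. */
    char oversized[201];
    memset(oversized, 'A', 200);
    oversized[200] = '\0';

    greet_unsafe("alice");   /* fine on well-formed input, which is why the bug hides */
    greet_safe("alice");     /* accepted */
    greet_safe(oversized);   /* rejected and logged; greet_unsafe(oversized) would corrupt the stack */
    return 0;
}
```

The same pattern applies to any fixed-size buffer fed from the network: decide the maximum size first, refuse input that exceeds it, and copy with a length you have already checked.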

Viruses, worms & Trojan Horse programs
While buffer overflows may cause the most host compromises on the Internet, viruses, Trojan Horses and the like certainly cause the most maintenance for IT organizations. According to the most recent weekly report by antivirus vendor Trend Micro, among the most prevalent "in the wild" viruses are:

  • Happy99.exe, which uses a fireworks display as its cover and replicates by attaching itself to outgoing mail.
  • PrettyPark attempts to replicate itself through IRC channels, sending personal security information it can find along the way.
  • Melissa - yes, this virus is still recording a large number of infections.
  • Several Windows "JOKE" programs, with behavior ranging from turning the screen upside down to personally insulting you.

Like buffer overflow attacks, the most common viruses are those that have been known for quite some time, and are being passed around despite the availability of numerous remedies.

IP Address Spoofing
A fairly sophisticated hacking technique in which an attacker forges an internal or trusted external source IP address in order to bypass any security controls based on IP address alone. Most firewalls can detect and prevent IP Address Spoofing.
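The check a firewall applies to catch spoofed sources, as an added example (not from the article or any particular firewall product): a packet arriving on the outside interface must not claim an internal or loopback source address, and a packet leaving from the inside must carry an internal source. The interface names and the internal prefix 10.0.0.0/8 are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout: the internal network 10.0.0.0/8 sits behind the
 * "inside" interface; everything else arrives on "outside". */
typedef struct { uint32_t net; uint32_t mask; } prefix_t;

static const prefix_t INTERNAL = { 0x0A000000u, 0xFF000000u };  /* 10.0.0.0/8  */
static const prefix_t LOOPBACK = { 0x7F000000u, 0xFF000000u };  /* 127.0.0.0/8 */

static bool in_prefix(uint32_t addr, prefix_t p)
{
    return (addr & p.mask) == p.net;
}

/* Parse a dotted-quad IPv4 address into host byte order; false if malformed. */
bool parse_ipv4(const char *text, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, text, &a) != 1)
        return false;
    *out = ntohl(a.s_addr);
    return true;
}

enum verdict { ACCEPT = 0, DROP_SPOOFED = 1, DROP_MALFORMED = 2 };

/* Anti-spoofing decision for a packet with source 'src_text' seen on 'iface'.
 * Ingress rule: a packet from outside must not claim an internal or loopback source.
 * Egress rule: a packet from inside must carry an internal source. */
enum verdict check_source(const char *iface, const char *src_text)
{
    uint32_t src;
    if (!parse_ipv4(src_text, &src))
        return DROP_MALFORMED;
    bool internal = in_prefix(src, INTERNAL);
    if (strcmp(iface, "outside") == 0)
        return (internal || in_prefix(src, LOOPBACK)) ? DROP_SPOOFED : ACCEPT;
    if (strcmp(iface, "inside") == 0)
        return internal ? ACCEPT : DROP_SPOOFED;
    return DROP_MALFORMED;   /* unknown interface: fail closed */
}

int main(void)
{
    /* Constructed packet log: interface the packet was seen on, and its source. */
    const char *log[][2] = {
        { "outside", "198.51.100.7" },   /* ordinary external traffic */
        { "outside", "10.1.2.3" },       /* claims to be internal: spoofed */
        { "outside", "127.0.0.1" },      /* loopback from the wire: spoofed */
        { "inside",  "10.1.2.3" },       /* ordinary internal traffic */
        { "inside",  "198.51.100.7" },   /* internal host spoofing an outside address */
    };
    static const char *names[] = { "ACCEPT", "DROP (spoofed source)", "DROP (malformed)" };
    for (size_t i = 0; i < sizeof log / sizeof log[0]; i++)
        printf("%-8s %-14s -> %s\n", log[i][0], log[i][1],
               names[check_source(log[i][0], log[i][1])]);
    return 0;
}
```

The egress rule matters as much as the ingress rule: it stops your own hosts from being used as the source of spoofed traffic aimed at someone else, and it makes an internal compromise visible in the firewall's drop log.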

Weak passwords
Password cracking programs are capable of trying several thousand password combinations in a minute, and can exploit poorly chosen passwords. You should force frequent password changes and set demanding password standards (two or more words or phrases, separated by nonalphanumeric characters). Don't forget about passwords for routers, switches and other infrastructure equipment. If necessary, you may need to get your own password cracking tools, such as L0phtcrack, to audit your own passwords.
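The composition rule the article gives, implemented as an added example (not code from the article): a password passes if it contains two or more "words" (runs of alphanumeric characters) separated by at least one non-alphanumeric character. The minimum length of 12 is an assumption of this example; the article names no figure. The function returns a reason string so the same check can drive both a rejection message at change time and an audit report.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimum total length is an assumption of this example; the article gives no number. */
#define MIN_LENGTH 12

/* Count the "words": maximal runs of alphanumeric characters. Two runs are
 * separate words only if at least one non-alphanumeric character sits
 * between them, which is the separator rule the article gives. */
size_t count_words(const char *pw)
{
    size_t words = 0;
    bool in_word = false;
    for (const unsigned char *p = (const unsigned char *)pw; *p != '\0'; p++) {
        if (isalnum(*p)) {
            if (!in_word) {
                words++;
                in_word = true;
            }
        } else {
            in_word = false;
        }
    }
    return words;
}

/* Returns NULL if the password meets the policy, otherwise a short reason
 * suitable for an audit report or a rejection message. */
const char *password_policy_violation(const char *pw)
{
    if (strlen(pw) < MIN_LENGTH)
        return "shorter than minimum length";
    if (count_words(pw) < 2)
        return "fewer than two words separated by a non-alphanumeric character";
    return NULL;
}

bool password_meets_policy(const char *pw)
{
    return password_policy_violation(pw) == NULL;
}

int main(void)
{
    /* Constructed candidates: a passphrase, a single word with symbols
     * appended (common and weak), and a short two-word password. */
    const char *candidates[] = { "correct-horse-battery", "Summer2024!!", "rain@bow" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        const char *why = password_policy_violation(candidates[i]);
        printf("%-22s %s\n", candidates[i], why ? why : "ok");
    }
    return 0;
}
```

Note what the check does and does not catch: "Summer2024!!" is long enough but is one word with symbols appended, so it fails; a phrase built from common words passes the composition rule but is still guessable by a cracking tool with a wordlist, which is why the article's advice to audit with your own cracking tool remains the real test.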

Denial of Service Attacks
A Denial of Service attack is usually caused by a hacker sending either malformed packets or large numbers of IP packets that confuse the target system. The target system will either shut down or spend all of its computing resources on the bad packets, rendering it unusable.

Session Hijacking
By guessing TCP/IP sequence numbers, a hacker finds an existing connection between two computers already in progress and hijacks one side of it. The legitimate user or host gets disconnected, and the hacker inherits whatever access the session had. The cause of this problem is poor sequence number randomization in the operating system's TCP/IP stack.

Network Snooping
A hacker may use a protocol analyzer or other tool to read network traffic and obtain sensitive data. This can be used to mount other attacks, such as session hijacking, or to capture cleartext usernames and passwords from legacy applications such as telnet.

Guest Accounts
Many Windows-based systems have guest accounts that allow "world" access. This account should be disabled.

Although we may sometimes feel helpless to stop the many types of attacks, vigilance can bring us a long way towards systems sanity. Reducing the time it takes to implement vendor patches to days or even weeks from the vendor's initial release will reduce your exposure immensely. Although large bundles of patches, such as service packs, can be unwieldy and even risky to implement, targeted hotfix patches affecting a single service or daemon are usually much safer. While we always preach the virtues of proactive planning, staying tuned in and implementing quick reactive countermeasures is a necessary part of catching today's security issues.

Jim Reavis, the founder of SecurityPortal.com, is an analyst with over 10 years' experience consulting with Fortune 500 organizations on networking and security-related technology projects. SecurityPortal.com is a Web site dedicated to providing IT professionals with comprehensive information about network security issues. Jim can be reached at jreavis@securityportal.com.
Copyright, 1994-2006 Network World, Inc. All rights reserved.