Chapter 9. Dispelling Some of the Myths

IN THIS CHAPTER

·        When Can Attacks Occur?

·        What Kinds of Attackers Exist?

·        Operating Systems Used by Crackers

·        Is There a Typical Attack?

·        Who Gets Targeted Most Frequently?

·        What Is the Motivation Behind Attacks?

The explosive growth of the Internet has thrust the topic of computer security directly in the face of everyone, whether they work with computers or not. Everywhere we read about viruses, system break-ins, malicious software, and a myriad of other threats. It really comes as no surprise that there is an equal number of hoaxes, myths, and exaggerations that exist about the risks you might face every time your computer is turned on and connected to the Internet. Although you should definitely be concerned about what the risks are, it is just as important to realize when someone is trying to con you, or exaggerate the truth.

If you ever saw the movie The Net, you were drawn into a world where a group of crackers had erased the identity of an innocent person to protect themselves. By using the Internet, they nearly were able to destroy the victim's life without much other than a mouse click or a keystroke. What you and many others might not realize is that this scenario is extremely implausible in today's networked world. Hollywood has turned the black art of cracking into a glamorous place where anyone can control nearly every aspect of the human experience from a desktop computer. Nothing could be further from the truth.

In this chapter, I will help you understand when and where you might be vulnerable, who is actually perpetrating the attacks, why they are doing it, and what the risks are that you actually might face. In doing so maybe I can help you understand better how you are affected by Internet or network security.

When Can Attacks Occur?

I've heard it said many times, "The only secure computer is the one that is left turned off and unplugged." This is actually not far from the truth. The moment a computer system comes online and connects to any network, it becomes a potential target. This doesn't mean that the minute you connect to the Internet, you are immediately being scanned, probed, or attacked. There are several important factors that come into play. I'll cover some of these first.

How Do I Become a Hacker's Target?

The minute you link up to the Internet, you are unwittingly opening yourself up for an attack. In order to become a target, you first have to be discovered or selected by the cracker as his victim. In some cases, you might be attacked at random when someone runs software that randomly selects addresses and launches an attack. Random selection is less common than discovery or targeting. In the case of discovery, the methods used to find out who and where you are, and how vulnerable you might be, are often the same. An attacker runs a port scanner, such as nmap, feeding it a large block of IP addresses to check. The program will then report back to the end user what computers it has found in that range of addresses, what ports are open, and, in the case of nmap, what operating system the remote system is running. Using this informa tion, the attacker now has several potential targets to choose from. With the information he received on the remote operating system and open ports, he can now narrow the scope of the attack to target vulnerabilities already known within the remote system or service. This type of probe is often carried out before any actual cracking attempt is made.

The following shows the output from nmap when scanning one of my own workstations. It also shows you just how easy it is to get a lot of information about a single machine:

[root@server user]# nmap -vO 10.0.0.15

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )

No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan.

Use -sP if you really don't want to portscan (and just want to

 see what hosts are up).

Host  (10.0.0.15) appears to be up ... good.

Initiating TCP connect() scan against  (10.0.0.15)

Adding TCP port 554 (state open).

Adding TCP port 5900 (state open).

Adding TCP port 1433 (state open).

Adding TCP port 445 (state open).

Adding TCP port 1025 (state open).

Adding TCP port 427 (state open).

Adding TCP port 139 (state open).

Adding TCP port 135 (state open).

Adding TCP port 25 (state open).

Adding TCP port 5800 (state open).

The TCP connect scan took 1 second to scan 1523 ports.

For OSScan assuming that port 25 is open and port 1 is closed and neither are

firewalled

Interesting ports on  (10.0.0.15):

(The 1513 ports scanned but not shown below are in state: closed)

Port       State       Service

25/tcp     open        smtp

135/tcp    open        loc-srv

139/tcp    open        netbios-ssn

427/tcp    open        svrloc

445/tcp    open        microsoft-ds

554/tcp    open        rtsp

1025/tcp   open        listen

1433/tcp   open        ms-sql-s

5800/tcp   open        vnc

5900/tcp   open        vnc

TCP Sequence Prediction: Class=random positive increments

                         Difficulty=9491 (Worthy challenge)

Sequence numbers: B896EAF2 B897E041 B8988355 B89936FB B89A1722 B89B1A0A

Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 43 seconds

[root@server user]#

You can see that this machine is running Windows 2000, a Microsoft SQL database server, an e-mail server, and many other services. With this information, it becomes easy for the would-be cracker to do a little research online about vulnerabilities and exploits for your specific system or software. Often, this information also includes code or examples of methods used to exploit the weakness, making the job of the cracker that much easier. Even if the person probing your system is an unskilled cracker, he can improve his attack by employing some of the software programs freely available on the Internet. These programs will test any remote system for hundreds of known vulnerabilities automatically.

An attacker can also be someone who has preselected you as his victim. The reasons for this are varied, but they include notoriety, contempt, theft of information, or financial gain. In this scenario, the attacker doesn't need to waste any time searching large network IP blocks to find a victim; he's already got one in mind. Depending on his motivation, he will most likely do a considerable amount of research before actually engaging in any malicious activity. The type of victim you are will determine the amount of caution or stealth employed by the cracker to avoid detection. For example, if the computers you work on belong to the Central Intelligence Agency, a great deal of time and ingenuity will be used by any attacker crazy enough to attempt to penetrate the systems to begin with.

Who you are, or for whom you work, also plays an important part in why or how often you might be targeted. A home or small office user is unlikely to be specifically targeted unless there is something worth the time and effort to be gained from doing so. If you happen to be the system administrator for Microsoft, things are very different indeed. Companies such as Microsoft typically log thousands of unsuccessful attack attempts every day. There are some fairly obvious reasons for this. The first one is simply name recognition. Just about anyone to ever operate a computer knows of Microsoft. Launching a successful attack against Microsoft would bring a cracker or group of crackers some considerable bragging rights. Microsoft is also one of the wealthiest computer software companies on the planet. The monetary and intellectual worth of source code and design documentation, financial data, and business information housed on the systems at Microsoft are, no doubt, very high indeed. Some of the more shady competitors of Microsoft would likely pay a good deal of money to get their hands on information like that.

In October 2000, Microsoft fell victim to hackers via the Internet. Apparently, an employee opened an e-mail inside Microsoft that had an attached Trojan, which was then used by the attacker to gain entry into MS's corporate network. Although Microsoft denies any damage was done, it is rumored that source code and other proprietary information was leaked and made public. You can read all about it at http://www.abcnews.go.com/sections/tech/DailyNews/microsoft_hacked001027.html

It should also be mentioned that it is possible to make yourself a target just by participating in the use of a popular network service, such as IRC (Internet Relay Chat). IRC is often the home base and the battlefield for many cracking groups, large and small. IRC network operators often must go to great lengths to keep abuse on their systems to a minimum. In retaliation, the attackers target the IRC service providers and innocent users of the service. As of late, the IRC network Undernet, one of the largest free IRC services worldwide, has been the victim of continual assaults. These have escalated to the point that the service operators are ready to pull the plug permanently.

More information about the January 2001 Undernet IRC attacks can be found at http://www.newsfactor.com/perl/story/6655.html

Dial-Up Versus Persistent Connections

How you make your connection to the Internet plays a significant role in how easy it is to find and target you, and there are trade-offs for each method. The most popular connection methods include dial-up connections, modems or ISDN, or persistent ("always-on") connections, such as a cable modem or any type of DSL (Digital Subscriber Line).

When you use a modem to connect to an Internet Service Provider (ISP), you typically dial into a modem bank at the ISP and its systems pick an IP address for you from a pool of addresses assigned to it. This address is required to make a TCP/IP connection, and is unique for every host connecting to the Internet. The immediate benefit of this is that, every time you dial up and connect to the Internet, you have a different IP address, and this makes specifically targeting you a lot more difficult. On the downside, a dial-up connection is slow, unreliable, and, in most cases, extremely vulnerable to denial of service attacks, as you will see later in this chapter.

Dial-up connections are quickly becoming less common. With cable modems, DSL, and other high-speed Internet access technologies, anyone from almost anywhere can enjoy a very fast and considerably stable Internet connection. In most cases, these connections are considered "always-on," which indicates that every time your computer is turned on, it is connected to the Internet. This is great for end-user convenience. I certainly enjoy being able to sit down and get to work immediately online. This also puts you at considerable risk for an attacker out on the Internet to target you and attempt to break into your machine or take it offline. Many always-on connections assign you a static IP address. This is really nice for people who need to be able to connect to their computer remotely, but it also makes it really easy for your machine to be found on the Internet. It also helps make it easy to find you again later on, if the attacker decides he isn't through with you. Even if you don't have a static IP address, an always-on connection usually does not change its address often enough to be hard to find.

Tip

I used a cable modem for some time from @Home AT&T that was supposed to automatically change addresses every few hours. The entire time I had this connection, the address never changed, contrary to what I had been told when I purchased the service.

Which Computer Operating Systems Are Vulnerable?

Everyone that uses a computer for anything will eventually find an operating system that they are most comfortable with, and that they most enjoy using. The average computer user rarely uses system security as a basis from which to make this choice. These users are typically drawn to a particular interface, or by the available applications for the operating system. Even when security is an issue, many people are led to believe that their OS of choice is somehow more secure than another. The truth is simply that every operating system is vulnerable in one way or another. Computer users will stubbornly defend their OS over another, and most often bash the other systems available, especially where it concerns system security. It doesn't matter whether you run Windows, or Linux, or any other operating system. You are potentially vulnerable.

There are operating systems that are designed to be secure. For example, OpenBSD is an operating system built from the ground up to be the most secure operating system available. When I checked the OpenBSD Web site, the operating system had gone more than three years without a remote exploit in a standard release. Even with this record, it has had several locally exploitable vulnerabilities.

Windows users are often the target of verbal abuse and ridicule by security professionals, script kiddies, and crackers alike. Many Windows users have been driven into some sort of security paranoia, believing that people can connect to their computers, get inside, and wreak all kinds of havoc. In most cases, this is simply not true.

Consumer editions of Windows, such as Windows 95/98 and Windows Millennium Edition ship without any network services for a typical installation. This means there is nothing running on the machine that will accept outside network connections. Even Windows NT 4 Workstation or Server, and Windows 2000 Professional install with minimal or no default net work services running.

Before the Windows users break out the champagne, let me bring you back down to earth. As soon as you set up any type of network connection under Windows, you are throwing the doors wide open. Windows will install several unneeded components along with a network adapter or a dial-up configuration. Services such as file and print sharing, and, in some cases, Internet connection sharing, are activated without the end user being made aware of it. Some may argue whether these services are needed, but for a standalone Internet connection, they just aren't needed.

Windows users also suffer from other glaring security problems that don't even exist on other systems. Viruses, malicious scripts, Trojans, and back doors, plus a weak TCP/IP stack implementation, make Windows extremely vulnerable to a wide variety of attacks. Also, Windows often installs File and Print Sharing over TCP/IP and NetBIOS along with its other networking components, even when you are only a dial-up user. In a normal network environment, this allows Windows users to share files and printers with other people on the same network. Many people might never use or need this feature, and they don't disable it. This can be an open door for anyone on the Internet to access the system and do his dirty work.

Some people may not consider UNIX variants such as Linux, FreeBSD, NetBSD, OpenBSD—operating systems more commonly found in servers—as desktop operating systems, but they are gaining acceptance rapidly in this area. Out of the box, UNIX systems come with all sorts of services installed, such as Telnet, FTP, and httpd (Web server service), including easily exploitable legacy daemons. It is up to you as an end user to assess security after the installation and make necessary changes. A properly secured open source operating system can provide an extremely reliable and secure alternative to expensive commercial operating systems, when properly set up and configured.

Macintosh and the Mac OS are not as popular as they were back in the mid-1980s, but they are still widely used, and Mac users are just as stubborn when defending the Mac OS. The Mac OS has grown up into a very robust and powerful operating system. Of course, it, too, has its vulnerabilities. Macs can fall victim to viruses just as easily as any Windows system. Depending on your version of the Mac OS, you can also be targeted because of weaknesses in Apple's Web Sharing and File Sharing. Unless absolutely needed, these features should be permanently disabled.

My Firewall Will Stop the Pesky Crackers!

The biggest craze in protection from attack has got to be the firewall. A firewall is a device that sits between your computer(s) and another network, such as the Internet, that can be configured to block access to services and data inside the firewall. A properly configured firewall is a great tool for defending your assets from remote attack. It is not, however, the end-all solu tion. A firewall also allows traffic to come through, and because of this, the hole is not completely plugged. Many firewalls also allow you the option of setting up service proxies, which gives the user the ability to allow a dangerous service through, but only through a protected proxy.

Recently, I did a security audit for clients who were using a high-end commercial grade firewall. They had left a Telnet proxy service running, and, through it, I was able to penetrate and map their entire network, using the firewall as my point of access. This service allows people to use a simple network Telnet client to pass directly though the firewall without authentication. The people using the system had not correctly configured the firewall, and by doing so, made it easy for anyone outside to get in. Most people don't realize that proper security requires more than just a fancy firewall. With the increase of e-mail–based viruses, Trojans, and malicious scripts, firewalls are becoming less effective. The firewall would correctly permit the e-mail traffic to come in, but, by the time anything dangerous is detected, it could be too late. For more information, see Chapter 10, "Firewalls."

What Kinds of Attackers Exist?

There are as many definitions out there for network attackers as there are for attacks. Most commonly, you will hear people refer to these individuals as hackers, crackers, script kiddies, black and white hats, and many other names. I will touch on the most common types here.

Script Kiddies—Your Biggest Threat?

The most common and prolific type of attacker today is the script kiddie. These people get their name from the simple fact that they are most often young, unskilled crackers who find and use scripts and utilities other skilled attackers have written and released free to anyone on the Internet. Mom and Dad got the kiddies an AOL account, and the first keyword they went looking for on a search engine was "hacking." With all the glorification of hacking in the media and on the Internet, and the relative safety of perpetrating this type of crime, young people are easily lured to this dark underworld. There are thousands of Web sites with material and information for the young, enterprising cracker to get started with.

Often, many of the attacks proliferated by script kiddies are unsuccessful, or maybe just mildly annoying to the victim. However, because of their relentless persistence, they will and often do eventually find systems that they can break into, damage, and attack more computers from. There is no love in the security community for this type of cracker. Script kiddies are more likely to attack systems and maliciously damage data than any other type of cracker. Even professional crackers speak about this group with ill will.

Black Hats—"The Dark Side"

Black hats are generally considered "The Dark Side" of the hacking community. These people are generally highly skilled with computers, programming, and network security and administration. They are the crackers who rarely get caught, who take their time and target specific systems for specific reasons. Often, these are the people who discover the vulnerabilities you and I read about, and they often will code the exploit that allows the system to be attacked or penetrated (which eventually the script kiddies get hold of and use against other unsuspecting victims).

Black hat crackers do not often talk about or boast about their skills or activities. They are generally secretive in nature. I have heard some people refer to them as the Ninja of the Internet. Black hat groups often hold cracking conferences, such as DEFCON, where they get together to share and learn from each other. A lot of security professionals love to attend these conferences also, as does the FBI. Not surprisingly, the crackers don't use their real names at these events.

White Hats—The Good Guys

On the other end of the spectrum are the white hat hackers. These are often security professionals who work very hard to help test and make available security patches, information, and software to the user community to help users become more secure. Often, companies call on white hats to help test and implement security, or to help improve it. Many white hats got their start in the security community as a black hat cracker. For whatever reason, they decided to put their skills to use to help others with system security. A lot of these people have started and continue to run professional security companies.

Operating Systems Used by Crackers

As I mentioned earlier, everyone that uses computers will most likely develop a preference for a particular operating system. In my opinion, you should use what works best for you. There are arguments good and bad for any system you might be interested in using. Here, I will explain why crackers choose to use a particular operating system. In Part VI, "Platforms and Security," you will learn more about specific platform vulnerabilities.

Windows Operating Systems

Windows is arguably the most popular operating system available these days. It is easy to use, and is installed on the majority of systems shipped in the world. Windows has been translated to multiple languages and is run by users all over the world. It certainly doesn't appeal to most users as a cracker OS, but it does get used in this arena. In most cases, script kiddie crackers used the Windows operating system. There are many cracking utilities and such written for the Windows environment. These prepackaged apps generally are not powerful enough to penetrate most systems. Most of these utilities are for mail bombing, denial of service, port scanning, and IRC (Internet Relay Chat) user attacks. Windows is of limited use to intelligent attackers, and, therefore, I only reference it briefly.

Linux/NetBSD/FreeBSD

The open source software movement has given the Internet community and computer users everywhere a plethora of robust and reliable operating systems. The most common ones you will hear of or use are Linux, FreeBSD, or NetBSD, which are popular with both the cracking underground and security professionals alike.

Open source operating systems are very popular simply because they are open source. This means that the end user has full access to the source code of the entire operating system. This allows the user to learn and understand how the system works, how to make it secure, and how to exploit its weaknesses on other computers. Another benefit of it being open source is the speed of patch releases. In most cases, the moment a security issue is released relating to an open source operating system, it will typically be fixed and patched within an hour or less of the initial announcement. This allows the end user to maintain every aspect of system security, including the ability to patch the operating system when necessary. Most crackers using open source operating systems, such as Linux, learned security exploitation techniques while securing and maintaining their own systems.

Another benefit of an open source OS is that the cracker has full access to the network protocol stacks and can manipulate packets easily and efficiently when required. This allows the user to craft very specific exploits that rely on very specific weaknesses in other systems. Most open source operating systems come with a free compiler such as gcc, which allows users to write their own code, compile it, and distribute it all over the Internet. gcc is one of the most powerful C/C++ compilers out there, and it is completely free and has been ported to several platforms.

Many of the best utilities exist and are available free for open source operating systems. Tools for scanning, packet capture and analysis, security auditing, and other related programs have been written directly for these operating systems and are not available in most cases for Windows- or Macintosh-based operating systems.

Another attraction in using open source operating systems is attitude and the perception of others. People who have never become familiar with a POSIX-compliant operating system, such as Linux or FreeBSD, are often intimidated by their complexity. Computer users taking the initiative to learn a powerful operating system such as Linux are usually looked on with respect by those afraid to venture into this territory.

OpenBSD

OpenBSD is billed as the most secure operating system freely available to anyone outside of government agencies. OpenBSD is a BSD–based (Berkeley Software Design), free, and secure version of the UNIX operating system. As I mentioned earlier, this OS has had a long history of excellent security, and, because of this, it makes an ideal operating system for a cracker. Any cracker worth his salt in the cracking community also needs to maintain his own high system security. What better operating system to use than the one with best record of security? Also, OpenBSD is completely open source, giving the same benefits I listed for Linux, NetBSD, and FreeBSD. The same utilities for those operating systems compile and run just fine in OpenBSD. OpenBSD will also run Linux, FreeBSD, and NetBSD software, if the need arises. If you want to be as secure as possible, out-of-the-box OpenBSD wins hands down.

Is There a Typical Attack?

When it comes to being a victim of a network attack, I don't think any one incident can be described as typical. No matter the scale of the attack, being a cracker's victim is a very infuriating experience. It can feel as much of a violation as having your home broken into and robbed. There are several common attacks that anyone can experience at any time. Attacks that an average user is most likely to face in everyday computer use include denial of service, viruses, and malicious scripts or Trojans, or Web site defacement. We'll explore each of these in the following sections. (You'll also learn more about these types of attacks in Part V, "Virtual Weapons of Mass Destruction." ) We'll also briefly look at insider attacks.

Denial of Service

Denial of service attacks (DoS) are the latest big news it seems in network security. A denial of service attack is the intentional overload of a network service or connection with excessive or disruptive data that causes the connection or service to fail. In the late 1990s and early 2000s, many well-known, Web-based companies and services fell victim to this type of attack. The attackers used what is now termed distributed denial of service (DDoS) attacks, wherein multiple coordinated machines are used in tandem to launch a denial of service attack against one host or network.

Depending on the speed of your Internet connection, you might be more susceptible than others. Because a denial of service attack relies on overloading the remote network connection, the slower the connection the victim has, the more likely it is that they can be taken offline. For example, a 56Kbs modem is an easy target for denial of service. When enough data is slammed against such a weak connection, normal network traffic cannot flow properly, often causing serious connection lag and finally disconnection.

One of the biggest problems with this type of attack is the difficulty in tracking and stopping the people perpetrating these attacks. In the case of a DDoS attack, it becomes infinitely harder to determine who is attacking you as the number of machines in the attack multiply. Also, there currently aren't many solutions to warding off this type of attack. Most companies with Internet access only host one route of access to the Internet. When enough data is thrown against this connection for an extended period of time, eventually the connection or the system hosting the connection will fail.

Usually, this type of attack does not direct damage to the affected systems. However, if this is successful against a company that relies on customers visiting their site from the Internet, then there is the obvious possibility of financial loss because of downtime, customer and staff frustration, and recovery costs.

Viruses, Trojans, and Malicious Scripts or Web Content

Almost everyone knows about computer viruses. They have been in existence nearly as long as computers and operating systems. A virus is a small piece of software that is designed to replicate and spread itself from one system to the next. Most known viruses are not malicious in nature. They are generally more annoying than malicious. There are some very dangerous computer viruses in existence, but you are not as likely to come across many of these. In fact, the name virus is now being used to categorize malicious scripts also.

These scripts, often coded in Microsoft Visual Basic, propagate from machine to machine via e-mail, or they are sometimes embedded in a Web site. When the unsuspecting visitor loads the page, the script loads and installs somewhere on the host machine without the user knowing. From there, it will usually replicate, drop its payload, and then try to e-mail everyone in your e-mail address book. Many of these viruses will automatically send everyone listed there a copy of the virus without your control or knowledge. The person receiving this will think it came legitimately from someone they know and trust, open the attachment, and start the process all over again.

In the Internet age, e-mail is the primary distribution method for malicious viruses and scripts. Outlook and Outlook Express (Microsoft e-mail clients) are probably the systems most vulnerable to this type of virus or script transmission mechanism. The best practice is to use a safe email client, and be suspicious of any e-mail attachment.

Back Orifice is a Trojan (for more on Trojan programs see Chapter 18) that has created quite a bit of controversy around the Net. Written and maintained by the Cult of the Dead Cow cracking group, Back Orifice demonstrated the weaknesses of Microsoft operating systems security. When it is installed on a machine, it hides itself and its process so that the host user has no idea it is running there. When it is running, the attacker just needs to run the client program and connect to the affected machine to have complete control and access to everything on the machine. You can easily see the problems that this would present. Back Orifice is often designed to seem like an innocuous piece of friendly software that a computer user could download from the Internet or receive as an email attachment. Thinking it is safe to run, the user executes the program, and it installs Back Orifice (or some other Trojan) quietly in the background while the user is distracted by some sort of cute or interesting front end.

Note

Most known viruses and Trojans only affect Windows or Macintosh operating systems. This is due mostly to the nature of these systems. Security is often an afterthought in most consumer operating systems. Consumer operating systems like Windows do not employ filesystem- and kernel-level process security, so a virus or a Trojan can easily run freely through the system, doing anything it wants.

Web Defacement or "Tagging"

Web defacement is the electronic equivalent of spray-painted graffiti. Although this type of attack isn't usually damaging, it can be frustrating and embarrassing. If you run a high traffic Web site, and a cracker comes along and "tags" it with erroneous, belittling, or socially unacceptable content, people visiting your site will see the tag, too. If you are running a business at the site, your customers might question the integrity of your systems and go somewhere else. Obviously this could constitute a considerable loss to the business that is targeted by this attack.

Web defacement is growing in popularity, especially by small groups or cliques of crackers. It is very similar to gang behavior in most modern cities, except instead of guns and spray paint, crackers use security exploits and Web tagging to harass victims. Many times, the tag left is a greeting to fellow crackers, friends, and often a note to the system administrator telling him to tighten security. I have even looked at defacements where the attacker leaves his email address, inviting the admin to contact him to discuss the weakness in his systems.

If you are interested in seeing examples of Web site defacement, attrition.org keeps an online listing of several, including the actual content of the defaced Web site, and the operating system of the affected Web server. You can view this list at http://www.attrition.org/mirror/attrition/.

Attacks from the Inside

Most people, especially home Internet users, will never experience or need to worry about internal attack. However, it occurs more commonly than any successful remote exploit that exists. This is often simply because the person responsible already has access, either physical or from across your network, to the targets she has chosen to attack.

Also, it takes a lot less work to perpetrate an internal attack. The attacker already knows plenty about the systems and software in place, making it that much easier to thwart security and cause problems. This method is obviously most common in an office or corporate environment. For whatever reasons, most administrators in this type of environment fail to realize the dangers or take action or precaution against this all too common scenario.

Who Gets Targeted Most Frequently?

As mentioned before, there is nothing typical when it comes to having network security compromised and being attacked. With the large number of systems on the Internet, there is no end of potential targets or victims available. There are, however, computers or systems more likely to be attacked than others, and the methods and motivation vary greatly. We'll take a look at motivation later in this chapter. Let's examine the most commonly attacked Internet targets. Hopefully, as we go along, it will become clearer to you why these targets are singled out.

Home and Small Business Internet Users

Home and small business users are just as vulnerable as any large scale dot.com. The biggest difference is that they are more likely to suffer from denial of service or virus type attacks.

The number of home and small business users with always-on connections has increased exponentially in recent years, adding to the probability of attack. Also, for this group of users, Internet or system security is routinely not an issue. Most small businesses do not employ a system administrator, nor can they afford to hire a security professional to address these issues. Home users generally fall into the casual computer users category, with little or no experience in computer security issues. Most home users feel relatively safe running an outdated virus scanner, or installing a personal firewall, which seems to be all the rage lately.

Larger Businesses and Corporations

In recent history, several prominent companies have had their system security attacked in one way or another. Companies such as Yahoo!, eBay, Nike, and Microsoft have been victimized by intrusions, denial of service, Web defacement, and theft of customer and credit card information. If companies like these are vulnerable, why do so many of us believe we are somehow immune? Several well-known network security companies have also been attacked, with varying degrees of success. Almost every day, you can read about another dot.com falling prey to crackers. It makes it hard for me to go online and feel safe about anything anymore.

Government and Military Institutions

Believe it or not, the computer systems of government and military institutions—no matter what nationality—are some of the most popular cracker targets anywhere. These are high profile systems, and, because of that, any attacker going after them faces considerable risk in doing so. In the United States, it is a federal crime to tamper with or attempt to access information systems of the U.S. government or military. Also, these are some of the best-protected systems on the planet. The U.S. Department of Defense logs thousands of attacks on its systems daily. Interestingly, some such attacks actually are successful and undetected, and, in some cases, classified material has been stolen, or government Web sites have been defaced. Many attacks against government computers often originate from another country, making it more difficult to find and prosecute anyone involved.

Financial Institutions

When it comes to picking a target, selecting a financial institution makes more sense to me than most any other objective. I can understand someone wanting to profit from their cracking work a lot more than I can make any sense of someone wanting to cause a remote user to disconnect.

It should be noted right off that banks and other financial institutions often employ some of the best network security in the world. Financial institutions rely heavily on computer equipment and networks to manage finance, and transfer money electronically from one institution to the next. Security can never be an afterthought. When someone's money is at stake, and the institution's reputation, banks spare no expense making sure that everything is as safe and cracker-proof as possible. This doesn't mean that they have not fallen victim; they certainly have on several occasions. Financial institutions realized the need for expert security long before computers and networks came along. It is no surprise then that they work so hard to protect the financial assets of their customers.

Note

The majority of cracks against banks and other financial institutions are inside jobs. Because of the amount of security in place, these too are rarely successful, and the crook ends up vacationing in a federal prison.

What Is the Motivation Behind Attacks?

By now, you might be asking yourself why people do these things to begin with. What is the motivation? As with any form of crime, the attacker is meeting his own needs, for whatever reason, and the motivation varies. There are no doubt thrills associated with breaking into and gaining complete access to others'computer systems. Those who get caught often state that this rush alone is motivation enough. For now, we will take a look at the following motivations:

·        Notoriety

·        Maliciousness or destruction

·        Making a political statement

·        Financial gain and theft

·        Knowledge

Notoriety, or the "Elite" Factor

Probably more common than any other motivating factor for cyber attacks is simply becoming notorious in the cracking community. This is most common with script kiddies and unskilled crackers who want to be the next Kevin Mitnick. Unfortunately, it seems that, even with all the publicity of the consequences, crackers still can't seem to stop cracking into vulnerable systems. For whatever reason, they seek fame from perpetrating some of the most ridiculous and pointless computer crimes known today. In most cases, you can find these people hanging out in obscure channels on IRC bragging to other script kiddies about how elite they are ("3l33t" in script kiddy parlance). Most of these individuals are young teenage boys with a computer, an Internet connection, and far too much free time on their hands.

On a positive note, many of them are skilled computer users, and they eventually grow out of being pranksters to becoming excellent security professionals in the white hat community. As you probably already guessed, those drawn to "The Dark Side" end up very differently indeed. Notoriety or hacker "brand-name" recognition only take you so far. Recently, a well-known 16-year-old Canadian cracker calling himself "mafiaboy" pleaded guilty on several counts of computer crime, and as such will likely be serving prison time soon.

Kevin Mitnick is a well-known cracker who, in the early 1990s, was charged with 25 counts of federal computer and wire fraud violations. He spent nearly five years in federal prison, and has amassed quite a following around the world. For more information, check out http://www.kevinmitnick.com.

Maliciousness and Destruction

Most people would assume that the majority of cracking attempts are destructive in nature, but this is rarely accurate. Depending on the degree of the damage, it might be merely annoying or a complete loss. We'll take a look at a couple of common examples.

Destructive Pranks or Lack of Cause

Some people are just outright malicious. Some crackers are this way, too. They enjoy damaging or destroying things that do not belong to them. They could be best related to someone who randomly throws rocks through windows or sets buildings on fire. Often, the reasons don't make sense, or there is no obvious cause-and-effect relationship. The attacker was merely venting his anger, rage, or frustration on someone completely innocent. When similar attackers gain access to a computer, they will plant destructive viruses, delete important system files or personal documents, or just completely wipe the system's hard drive clean, rendering it useless. If the owner didn't routinely back up his data, the loss can be severe.

Disgruntled Employees

Another type of person you don't want to confront at all is a disgruntled employee. Although most people deal with on-the-job anger and frustration in a constructive and mature manner, there are those people who only know how to lash out when they are set off. If the company they work for relies heavily on computers, the computers likely will be used to vent the angry employee's frustration. I already covered insider attacks briefly in this chapter, but it gets much worse when the attacker also has a personal vendetta against the company for which he works. This can result in considerable loss for the company at stake. These days, most companies using computers also have a security policy in place, which outlines the consequences employees might face if they violate system security in any manner. Employees are routinely required to sign and agree to such policies as a condition of their employment. When anger is present, these policies naturally slip the mind of the angry worker as he systematically goes about destroying the data of his employer. I'll also revisit this charming individual in a moment when I discuss financial motivations for attacks.

Making a Political Statement

Earlier we looked at any government being a potential target for computer attack. In many cases, the reason is simply political. Often these attacks come from outside the country that is being victimized, but they also originate quite frequently from citizens of that country. Recently, many small countries in Europe and in third-world areas have been targeted over the Internet in a rash of political attacks on various governments, leaders, and military forces. During the war in Serbia, several small groups from all over the world launched cracking attacks on Serbian computer networks. Most of these failed, mostly because the communication systems of that country were quickly cut off as a result of the fighting. In January 1999, the Indonesian government was blamed for a highly organized attack against computers in Ireland, which brought down the entire East Timor virtual country domain, an Internet commu nity of some 3000 users. Israel and Palestine have been engaging each other in a long "cyber battle" for several months. China has also fallen victim to computer crackers, mostly because of its stance on human rights issues. The new soldier is a computer with an Internet connection. The new battlefield is cyberspace. Wars are being fought there that are just as serious and politically engaging as any in history.

Financial Gain

Everybody wants more money, right? Why should crackers be any different? The digital thieves of the twenty-first century are quickly becoming the most elusive and daunting criminals in the world. The world's vast computer network is synonymous to the wild west enterprises of nineteenth century North America. With so much electronic wealth flowing from one computer to the next, it was only a matter of time before shady characters started finding ways to dip their greedy fingers into the Internet goldmine.

As stated earlier, companies dealing with finance or money in any way rely heavily on computer systems to remain in the business. Now, their customers expect that they can also access this same data from the comfort of their home via the Internet. Most banks now allow full account control from a Web browser over the Internet.

Thousands of companies have moved their ordering and inventory systems online, so that anyone can purchase these products with nothing more than a computer, an Internet connection, and a credit card number. All of this has come into existence only within the last few years, and, as such, the technology and standards driving e-commerce are far from mature, or secure. It really is a cracker's goldmine out there, if he knows where to look. The following sections look at the most common issues.

Theft or Unauthorized Transfer of Funds

Money zips all over the world electronically 24 hours a day. The digital economy is booming, but it's also fragile and prone to criminals just as any bank would be. It also seems a lot easier and safer to rob a bank with a computer than with a gun. Before the Internet existed, stealing from the electronic money stream did happen, most often by an employee with access to the proper systems. In nearly every case I have ever read about, the thief simply set up some sort of dummy account, and set up a process to transfer a portion of the e-money into the dummy account. After doing this for some period of time, the money would be withdrawn or transferred again to an accessible account. This type of theft has been very successful in many cases. Depending on how it is perpetrated, the victims often don't detect the loss of funds for some time, and usually by then it is too late. The banks have to cover such losses through insurance, the cost of which eventually trickles down to honest consumers. With the Internet, a whole new set of possibilities for theft exists. There have been cases of these illegal transfers taking place across international borders, making it difficult to ever recover the stolen funds or prosecute the crook responsible.

Read more about "How to Hack a Bank" by David H. Freedman at http://www.forbes.com/asap/2000/0403/056.html. Mr. Freedman cites a noteworthy example of a 24-year-old programmer in Russia who nailed Citibank for $10 million electronically. He is now serving time in the United States.

Theft of Intellectual Property and Corporate Espionage

A more common, and often undetected, crime occurs every day at companies around the world. With so much money invested in storing important company data on computers, it's easy to see why eventually stealing it and selling it to the competition has become big business. Employees of the target company generally commit this type of computer crime. In some cases, the competition will employ shady characters to penetrate and steal vital trade secrets and other company data. Using this information, they can beat their competition and possibly make a lot of money in the process. With everyone being networked over the Internet these days, imagine how much easier this is. Because most company data is now stored in digital form, all it takes is a simple file transfer or an email, and that company's hard-earned intellectual property has been smuggled undetected to the outside world.

Software companies are particularly susceptible to this. Many software companies put millions of dollars into designing top-of-the-line software packages for other companies to buy. These packages often cost anywhere from a few hundred to several hundred thousand dollars to purchase. More often than not, however, someone inside leaks the software out to the Internet "warez" (pirated software) community, and, within a few hours, it can spread around the world. Although most of the people that pirate this software do not profit from its use or trade, it often ends up being used at companies where no legitimate license is owned. By this, the company can potentially make money using a product it never paid for, which takes money from the pockets of the software company that initially publishes it.

The Internet piracy community spans the globe. One merely has to enter "warez" in one's favorite search engine and click on some of the results. WARNING: Several of these sites contain nothing more than banner ads to pornography Web sites and other offensive material.

The Internet is littered with "Warez" groups, Web sites, and pirated software. Read more about piracy and how it might affect the Internet economy at http://www.findarticles.com/m0NEW/2000_April_6/61411395/p1/article.jhtml.

Financial data kept by a company can also be worth the criminal act of stealing it and transferring it. Most notably, stocks information, customer databases, and other financial records can be very valuable to the right people.

Credit Card Theft and "Carding"

Most everyone now uses the Internet as a place to buy and sell goods and services of every description. Most often, the transaction is paid for with a credit card. The company selling the products or services receives this credit card information and stores it somewhere electronically in order to maintain records and fulfill the customer's order. Most Web sites offering credit card transactions do so over SSL (Secure Sockets Layer.) This only encrypts the information being transferred between the customer and the company. After the data is in the hands of the company, they can store it in any number of ways. Most often, this information is not stored securely, and is compromised by crackers or criminal employees.

There have been a lot of credit card database thefts in the news lately. In a few cases, the company that had the credit card numbers stolen was storing them unencrypted on the Web server that they used to take the orders from! All the thief had to do was break in and steal a simple text file with all this customer information. It doesn't matter who you are either. Notably, Bill Gates of Microsoft had his number pilfered on two separate occasions.

You might be wondering what good these credit card numbers are to someone other than the card owner. What many people don't understand is that credit card fraud is simple, it's easy, and it's very hard to catch the crook responsible. With the Internet, it has become a great deal easier to commit credit card fraud than without it. Most businesses that accept credit cards numbers for payment do not require any type of verification that the person using the card number is who they say they are. All the thief need do is set up some sort of drop, go shopping, and then meet the deliveries at his drop and collect the goods.

With the Internet being so open and anonymous, it's not hard to take someone's number and go shopping in relative safety. Credit card companies are struggling to catch their breath with the rampant explosion of Internet fraud cases they endure daily. Most people also have credit cards that allow money withdrawals and transfer of funds, creating even more ways for a criminal to take advantage of them. Some people also pay criminals good money for credit card numbers, making it more lucrative than ever to commit fraud.

Cracking for Knowledge

We've covered a lot of reasons someone might be motivated to break into or crack computer systems. One reason that doesn't come up often is the simple pursuit of knowledge. Many crackers are driven by the challenge of figuring out how a system works, how to break into it, and how to make it more secure. For these individuals, it is not about being destructive, or gaining notoriety—it is the thrill of the game. Breaking into a well-protected computer system is like an intense game of chess. It requires intelligence, a lot of abstract and forward thinking, and patience. Often, this type of cracker uses what he learns to be a better administrator, or a better programmer. The things he can learn will often be shared with others in the community, furthering the collective knowledge base that is so critical to those that work in the field of information security.

There are also crackers who use the knowledge they gain to proliferate more attacks on other systems, for whatever reason. The information they glean from penetrating the barriers of other networks is often shared with like-minded people over the Internet, thus propagating the problem. It is almost like a continual game, one side against the other, trying to remain one step ahead of the bad guys.

Breaking In to Break In

Right off, the phrase "breaking in to break in" might not make any sense to you at all, but it will. Many attackers crack systems for the sole purpose of having a compromised system from which to launch other attacks from. This is beneficial in many ways, especially if the cracker has several systems through which he can chain connections, one machine to the next. Think of it as stringing popcorn on fishing line. If each piece of popcorn represents a compromised system, and the line is the network connection from one machine to the next, it is easy to visualize the benefits. The farther away the attacker is from his own home base, and the more machines he's running through to achieve this, the harder it will be for anyone to ever discover his true identity. Each machine the connection is chained through adds another degree of complexity when security managers try to backtrack to find the culprit. If the machines are in different countries, if the connections cross international borders, traversing political and language barriers, it probably isn't even worth trying to track the cracker down at all. The most skilled attackers use methods such as this to keep their identity a complete secret. This helps keep them protected, and at the very least buys them some time should anyone come looking for them.

Summary

This chapter explained in what ways and to whom you might be vulnerable as it pertains to network security. Obviously there are countless variations and methods that can be used against you, but there are also technical limitations on how far and in what direction a security attack can go. This is the age of digital paranoia, and, because of that, there are many doomsayers in the world. Whether it is for attention, or money, or both, many people that don't know what they are talking about spout ridiculous rumors and myths about using computers and the Internet.

As you have read, there are plenty of ways that you can be a victim of Internet security issues. You can be targeted. You can suffer frustration, data, and financial loss. Your personal privacy can easily be violated. You are also completely capable of defending yourself. The most important thing you can do is educate yourself on the risks and the steps that are necessary to effectively combat the hackers and crackers. It is just as important to know what threats don't concern you or your personal or system security, and also when someone is trying to con you.

As with any other problem in the world, ignoring security issues will not make them go away. Using a computer now carries with it some personal responsibility. You are the only one who can take these matters into your own hands to protect yourself. This doesn't mean you need to mortgage your house to buy a top-of-the-line firewall to protect your cable modem or DSL line. By taking a proactive stance about your computer security and remaining current on the latest issues, you can stay one step ahead of those who might want to do you harm.