CIS 442- Chapter 6 Network Security

Internet Vulnerabilities A network vulnerability is an inherent weakness in the design, implementation, or use of a hardware component or a software routine. A vulnerability invites attacks and makes the network susceptible to threats. A threat is anything that can disrupt the operation of the network. A threat can even be accidental or an act of nature, but threats are mostly intentional. A threat can damage the network, slow it down, or make it unavailable. Any type of rogue software represents a threat. An attack is a specific approach employed to exploit a known vulnerability. A passive attack is designed to monitor and record network activity in an attempt to collect information to be used later in an active attack. Examples of passive attacks are packet sniffing and traffic analysis. Passive attacks are difficult to detect. An active attack tries to damage a network or its operation. Such attacks are easier to detect, but are also more damaging.

Port Scanning When two programs on different computers exchange data, all the data packets sent between the programs have (among other specifications) the same port number. Accessing a network opens a port and is similar to opening a door. This makes ports especially important for network security. When data packets arrive at a computer from different sources, each stream of packets uses a port number. A port is identified by a 16-bit integer and there can be up to 216 − 1 = 65,535 ports. There are three classes of ports, well known (0 through 1023), registered (1024 through 49,151), and dynamic/private (49,152 through 65,535). The well-known ports are assigned by [IANA port 04] and are normally used by operating system processes. Some examples are FTP (port 21), TELNET (port 23), SMTP (port 25), and HTTP (port 80). Registered ports are typically used by user applications (as opposed to operating system processes) when they have to contact a server, but such ports can also identify named services that have been registered by a third party. Dynamic/private ports are used by user applications, but their use is rare. Such ports do not have any meaning outside of any particular TCP connection.

A port scanner is a program that listens to data arriving at and departing from certain ports on a computer. Port scanning has legitimate uses in managing networks, but is also used heavily by hackers to gather information that identifies open doors to the computer. Information collected by port scanners is used to identify operating system utilities installed in the computer, and exploit known vulnerabilities in those utilities in order to break into the computer. Port scanners are implemented by sophisticated hackers who make them available on the Internet.

In many cases, it is easy to detect the activity of a port scanner simply by checking the log files that are continuously updated by the operating system. Once a port scanner is detected, its transmissions can be traced back to their origin and sometimes stopped. However, the mere activity of port scanning is not illegal. Newer port scanners exploit a vulnerability associated with SYN packets and half-open connections. Those are much harder to detect, because half-open connections are logged by the operating system.

Examples of Port Scanners Vanilla: The scanner attempts to connect to all I/O ports. Strobe: A specialized scan looking only for certain services to exploit. Fragmented packets: The scanner sends fragments of packets. Such fragments can sometimes get through certain packet filters in a firewall. UDP: The scanner looks for open UDP ports. Sweep: The scanner connects to the same port on several (even many) computers. FTP bounce: The scanner goes through an FTP server (to appear legitimate). Stealth scan: The scanner partly disables the log service of the operating system, so it (the operating system) can no longer record the scanner’s activities. Nmap (Network Mapper) is a free open source utility for network exploration and security auditing. Among other checks, it looks for port scanners.

Spoofs The term spoof means to pretend to be someone else, to falsify one’s identity, or to cover tracks. It is no wonder that various spoofing methods are used by hackers to gain access or to obtain information. A computer may be protected from attack by restricting the IP addresses that may send it data. A router may have a list of IP numbers and it allows only data from these numbers to enter the computer. A hacker who has this list may spoof the router by sending data that appears to have come from a legitimate IP address. Someone who doesn’t have the list may discover an allowed IP number by sending the computer data packets with consecutive IP numbers until a packet gains entry to the computer.

Defending against spoofing Filtering. If the computer is part of a local area network, the network has a range of IP addresses. When data is sent outside a local network (uploading), the filter software at the router should block any source IP outside the range of the local network. This prevents someone in the local network from sending spoofed data outside the local network. When data is received (download), the filter should block any packets with source IPs that are within the range of the local network. Encryption and Authentication. There are Internet protocols that specify the details of data encryption and how to authenticate messages. While imperfect, such protocols may help to eliminate simple IP spoofing attacks.

Sequence number spoofing. The TCP protocol specifies the use of sequence numbers within data packets. Each data byte has a sequence number, and the receiver must acknowledge the sequence number of the last contiguous byte it has received. Sequence number spoofing is the case where a hacker can compute or guess the next set of sequence numbers in a data transmission. The hacker can, in such a case, send false packets of data and they will be received with full trust by the client program in the receiving computer. Good defense against this kind of attack is to encrypt the data. If the hacker doesn’t know the encryption key, any false data inserted will not decrypt properly and will therefore be useless to the owner (who can request a retransmission) as well as to the hacker (who can try to corrupt the next transmission).

Session hijacking This type of attack occurs when a hacker gains privileged access to a network device, such as a router, that serves as a gateway between the server and client. The hacker can, in such a case, use IP spoofing to take over the entire session of data transmission and send any information, rogue programs, and corrupt data to the client’s computer. An alternative is to use “blind” hijacking, where the hacker guesses the responses of the computers at B and C. The hacker can, in such a case, send a command and cannot see the response, but can guess the response to many commands. A typical command is to set a password allowing access to B and C from somewhere else on the network.

DNS A domain name server (DNS) is a computer used specifically for networking. It has a dictionary with IP addresses and the corresponding URLs. When a computer wants to send data, it has to prepare packets with the IP address of the receiving computer. The human user normally knows the URL (a meaningful string), so the sending application has to connect to the DNS first, send it the URL, and receive the corresponding IP address. Only then can the application send data with the proper IP and TCP headers. This is why, when we want to browse a certain URL, the browser often displays the message “looking for... ” for a few seconds.

One threat related to DNS is man in the middle (MIM). A hacker may register a domain name, such as aple.com, that is similar to an existing popular URL. When a user mistypes aple instead of apple, the browser receives from the DNS computer the IP address of the hacker’s site, and connects to that site. Now the hacker is in control. His site can display information similar to that displayed by the real site, while also sending its own malicious software. The hacker can even retrieve from apple.com the web pages the user wants, then forward them, perhaps modified, to the user

A common MIM attack involves denial-of- service (DoS) against a network node by flooding it with messages and so preventing it from responding to legitimate users and visitors. This attack can be directed either against a server computer to force it to crash, or against the network connection to cause heavy packet loss.

DNS Poisoning Another threat related to DNS is DNS poisoning. In the past, the most common DNS software was the Berkeley Internet name daemon (BIND). Early versions of this software had weaknesses that made it easy for a hacker to modify the IP addresses associated with any URLs. Once a hacker changes the IP associated with, say apple.com. Anyone trying to connect to that URL will be connected to the hacker’s site, with potentially disastrous results. A well-known example of DNS poisoning is the defacing, in 2001, of the Web site of RSA Security. The anonymous hijacker rerouted visitors from RSAsecurity.com to a fake site that looked like the RSA site but was different in significant ways. Anyone who noticed the differences in the Web site, assumed that RSA Security, an important developer of encryption techniques and products, had been compromised. In fact, only the DNS was attacked and corrupted.

Spam Spam is unwanted, unsolicited sent in bulk to many unwilling recipients. Most of it is commercial advertising for doubtful products, get-rich- quick schemes, or quasi-legal or health services. Spam is named after the 12-oz cans of spicy ham made by the Hormel company since By itself, spam is nuisance, not a security concern, but it can be exploited for a DoS attack. A central computer dedicated to sending and receiving for a large organization can be attacked by sending its many users massive quantities of identical messages. This consumes valuable network bandwidth, it overloads the CPU, eats up disk space on the server, and can cause it to crash (by overflowing some data structure) or freeze (by keeping the CPU permanently occupied with receiving, logging, sending, and forwarding the spam messages).

It may come as a surprise to many that most spam messages are sent from computers (mostly private personal computers on high-speed cable or DSL networks) that have been infected by special strains of viruses. Such a virus hijacks the infected computer and turns it into a spam proxie (a special case of zombie). A major spammer may at any time own such a botnet and control thousands of spam proxies that serve him obediently and send millions of spam messages anonymously. The sobig virus (technically a worm, see year 2003 in Appendix C) was the first specimen of malicious software designed to create spam proxies, but similar viruses (mostly variants of the original sobig) are implemented and released all the time and manage to infect tens of thousands of computers worldwide every week. The virus installs special software known as spamware that takes over the computer (essentially hijacking it) and handles the distribution of spam.

URLs such as Specialham.com and Spamforum.biz (both now defunct), which are hosted mostly in Russia and China (but also in Florida), may not look very useful or interesting to a casual visitor or even to security-conscious persons such as readers of this book, but are familiar and very useful to spammers. These sites also carry advertisements for bullet-proof hosting (ISPs, most of them Chinese, that allow spam) and allow spammers to exchange news and information. The news is mostly about steps taken by ISPs and law makers and enforcers in various countries to make the lives of spammers more difficult. Much information is offered on ISPs and networks that close their eyes to spam in return for the high revenues obtained from spammers.

The Send-Safe program has a feature that speeds up the sending of spam and makes it harder to identify its source. Spamhaus maintains a register of known spam operations (ROKSO) database with names, addresses, and much information on the top 200 spammers.

Why Spam is bad ? It is easy to send. All that a spammer needs is spam software and a fast Internet connection. Many spam messages ask the user to click on a link to be removed from the mailing list. Spammers tend to use computing resources illegally or even to steal them outright. Spam is trash. We have all seen messages advertising worthless merchandise and deceptive or fraudulent services

Avoiding Spam As a simple precaution, try to uncheck all the prechecked boxes before you ask for more information or subscribe to a free service or newsletter. A Web site that collects names and addresses has to have a privacy policy where it states whether it shares this information with other parties. If a site does not display such a policy, or if it has no policy at all, avoid it. Naturally, the worst sites promise privacy and break this promise all the time.

It is also a good idea (practiced by this author) to leave immediately when you see the words “free gift.” These words are a sure sign of something wrong, because a gift, by its very nature, is free. A similar scam to avoid is contests. Contests are very often used as bait to lure unsuspecting users to submit their names, physical addresses, telephone numbers, and addresses.

Protecting s An important technique of collecting addresses is harvesting them (some prefer the term scavenging) from the Whois data base. The spammer can simply try all the IP numbers in order, and examine each result automatically, by special software (that he can constantly tune up and improve), looking for strings that may be addresses. Spammers use spambots, software that crawls the Web, examining Web pages looking for addresses, and harvesting them for future abuse or for sale. An obvious (but alas, not ideal) protection is to obfuscate all addresses in a Web page. Instead of writing an address in your Web site in a form such as it is better to have something like leopold bloom at ulysses dot

Anti Spam tools There are commercial services that provide relief from spam for their members by blocking it. A typical spam-relief service maintains a list of approved senders and asks each of its members to provide their own list of approved senders. The service “sits” between the member and the member’s mail server, and the member uses the same software to send and receive messages. However, the software connects to the service which, in turn, connects to the member’s server. Messages whose senders are in the service’s list of approved senders (or in the individual member’s list) are let through to the member. For any other messages, the service sends the sender a short challenge message, like the one of Figure 7.5, asking the sender to click (just once) on a certain link. If the sender clicks on the link, he is added to the service’s list of approved senders. The idea is that a spammer would not be able or willing to respond to many challenges.

A simple technique to reduce spam is to open several alternate address. When one gets flooded with spam, tell your correspondents to use another one. There are several large companies, such as Yahoo and Hotmail, that provide free addresses, but they are frequently targets of massive spam and various attacks. A common sense idea is to avoid giving out your address as much as possible. If you have a Web site with your address, try to write it in the form john at abc dot com or a similar format. If you set up a message board or a discussion group, try to display just part of any address.

Zombies Certain types of malware are used to capture control of a computer and command it remotely. Such a captured machine is known as a zombie and a set of zombies is termed a botnet. A botnet is an ideal means of hiding the identity of a perpetrator and security experts see more and bigger botnets all the time. It is known that DoS attacks are often carried out after the attacker has gained control of many computers and turned them into zombies. A targeted Web site is flooded with a vast number of meaningless messages sent by computers whose innocent users know nothing about the attack. The attack keeps legitimate users from using the site, causing inconvenience to users and monetary losses to the site’s owners. Such an attack is referred to as distributed denial of service (DDoS). Zombies are also used by spammers to hide their identities. A spammer who controls a zombie computer, sends this slave a (normally stolen) list of addresses and instructs it to send a message (or several messages) hawking useless merchandise, fraudulent schemes, or unwanted services to all the addresses. Zombies are less destructive than viruses or other types of rogue software because they rarely damage data.

More Spam Advice If you have your program set to preview messages (i.e., to show you the contents of the message in a window below the list of ), the spammer may be able to verify that the has been received. If you click on a link to unsubscribe from a mailing list, you have confirmed to the spammer that your address is active. The spammer can then sell your address to others. Spammers can include a “web bug” in an . This is a link that connects to the spammer’sWeb site as soon as the is read or previewed. If you want to avoid letting spammers know that their mail got through, follow the advice given here.

Avoiding Spams Use anti-spam software, update and run it regularly. This software can significantly reduce unwanted , especially if it is programmed to receive feedback from the user/reader and employ it to learn (from the subject line or sender’s address) which messages are spam. Never buy anything advertised by unsolicited because this only encourages future spam. If the sender’s name sounds unfamiliar, delete the without any hesitation. Most spam is just a nuisance, but often it includes viruses and other nasty software.

Never respond to spam messages or click on any links in them. Replying to spam—even to unsubscribe from it—confirms to the spammer that your address is a valid one, thereby encouraging more spam. Opt out of any further information or free or attractive offers. When you fill out forms on the Web, uncheck any checkboxes that offer further information or offers. Don’t use the preview mode in your viewer. Spammers can verify that a message has been previewed, even if it hasn’t been opened, because the preview effectively opens the .) Knowing that you have read their messages encourages the spammers. Try to decide whether an message is spam based only on the subject line and sender’s name and address. Use the bcc field if you many people at once. The bcc (blind carbon copy) field hides the list of recipients from any individual recipient. If you include the addresses in the To field, spammers may harvest them and add them to mailing lists.

Restrict the use of your address on the Internet. Don’t publish it on Web sites, newsgroup lists or other online public forums. Spammers have software that crawls the internet to find addresses in such places, harvest them, and add them to mailing lists. Give your main address only to those you trust (and even then be ready for your address to be discovered and abused by spammers). Always have several secondary addresses ready. (Those are easy to open at sites such as Yahoo, Gmail, and addresses.com) When you fill out Web registration forms or surveys on sites with which you don’t want further contact, use a secondary address

Denial of Service Many Internet attacks try to obtain private data or to damage data. In contrast, a denial-of-service attack aims to shut down an entire network, a single server, or a particular Web site. The attack tries to prevent legitimate users of a service from using that service. This can be done by one of the following methods: Flood a network with traffic. This makes it hard or impossible for legitimate users to send or receive data. Disrupt connections between two computers. This prevents remote access to the machines. Attempt to prevent a particular user from accessing a service. Disrupt or prevent network access to a particular computer or network. A hacker may open an account at an ftp site, then store data and retrieve it repeatedly, thereby consuming disk space and monopolizing network services at the site.

DOS types There are three types of denial-of-service, (1) consumption of scarce or nonrenewable resources, (2) destruction or alteration of network information, and (3) physical destruction or alteration of network components. The first type, consumption of scarce resources, relies on the fact that computers and networks need resources such as electrical power, CPU time, memory space, disk space, and network connections. The easiest resource for a hacker to consume is network connectivity. It is possible to tie up the network connections of a computer, such that it waits for some data that never arrives, so it remains hung up. All that the hacker has to do is start opening a connection to a network server but never complete this process. The victim server has reserved a port and a data structure for the connection, but the port remains half open. The hacker (or a group of coordinated attackers) can very quickly tie up all the available ports of a server. In the meantime, other users, legitimate or not, who try to establish connections are denied access. Such an attack is called a SYN flood. Even someone with only a slow computer and slow modem can stop a large server very quickly. Here is a detailed description of this threat.

Ping and ICMP Those are commands that were originally developed for testing connectivity in networks. The original ping program was written as part of UNIX by Mike Muuss and generated so much interest that the ping concept became part of the Internet protocol. If your operating system is experiencing frequent crashes with no apparent cause, it could be the result of this type of attack. The obvious defense against the ping of death is to patch the low-level routine that sends data packets to never send large packets, and patch the routine that receives packets to ignore packets that are too large. In practice, this should be done by the makers of the operating system and issued as a security patch. The second type of DoS threat involves destruction or alteration of network information. An attacker may be able to change the IP number of a victim’s personal computer, change the registration of the operating system, or change prerecorded telephone numbers used by the modem to call outside servers. The third type of DoS threat involves physical destruction or alteration of network components. This can be done by an intruder physically appearing in a computer center and disabling, breaking, or disconnecting cables and other hardware devices. A hacker may also climb a utility pole and disconnect telephone lines or television cables, thereby disrupting service to users in the neighborhood.

Firewalls A firewall is a combination of software and hardware that decides what kinds of requests and what specific data packets can pass to and from a computer or a local network. A firewall for a personal computer is normally fully implemented by software, whereas a small network of computers often found in a home (typically consisting of 2–3 computers and a printer) may use a hardware firewall that’s built into the network’s router. The main task of a firewall is to block certain requests for data transfer, and the firewall makes these decisions based on rules. A firewall starts with some built-in (default) rules, and its user/owner can add, delete, and modify rules. We can say that a firewall enforces an access policy through the rules, and a rule tells the firewall what properties of a data packet to examine and how to decide whether to let the packet through or not.

Firewalls tasks A typical firewall performs the following tasks: (1) limit incoming data, so that data coming from certain senders (or that has certain properties) will be blocked, (2) limit outgoing data, so a program will not be able to send data outside (to call home) without the owner’s knowledge, (3) generate and save a log of all its activities, especially on data packets it has blocked, and (4) do all this fast and be transparent to the user.

A firewall rule specifies a set of conditions and what action to take when a condition occurs. A complex rule can check several conditions, while a simple rule is limited to just one condition. Rules can also be hierarchical. In such a case, each rule is simple and checks one condition, but a rule can have several child rules, each checking one condition. This way, each rule is simple, but the overall performance can be complex.

Examples of actions are “delete,” to delete a data packet, “pass,” to let it through (into or out of the computer), “drop,” to drop the connection (in case of a DoS attack that tries to hang up the connection), and “log,” to log the data packet and then apply the next rule to it. (For incoming data packets, the “drop” action sends a TCP RESET command to the sender, while for an outgoing packet the same action sends a small TCP FIN packet.) The two main components of a firewall are the gate and the choke (there can be several such pairs in a large firewall). The gate transfers or blocks the data and the choke is the filter that decides which data to block. Those familiar with firewalls like to compare the gate to a security checkpoint and the choke to a security guard.

Firewall extra tasks A modern firewall may also include rules for checking the data of a data packet, not just the fields of its header. This useful feature is referred to as content filtering. Another advanced task is to limit the amount of data (the bandwidth) allocated to certain users or to certain applications. This way, a firewall can help in bandwidth management. Bandwidth accounting is another important task performed by modern firewalls. The owner/operator of a local network needs to know how the network is used over time. Another important picture that a good firewall can paint is the pattern of connection logging.

Router attacks A router is an important component of a computer network, even a small network used in a home. Even if there is only one computer, a router is still useful. Perhaps the simplest attack on a router is to change the DNS server it uses. Every time the computer user wants to connect to the Internet, the URL typed by the user has to be translated to an IP address. There are many DNS servers that maintain lists of pairs (URL, IP), and they supply the needed IP addresses. Sending the router to a malicious DNS server can be the key to a whole slew of other attacks.

A more complex threat is posed if someone can modify the programs that run the router. Those programs are firmware and router makers issue firmware updates from time to time. Imagine someone slipping malware into a new firmware update issued by the router manufacturer and made available in its website, waiting to be downloaded by router owners. Once a router is updated, the malware in it can send its controller copies of any data sent and received by the computer. It can even send executable code to all the devices attached to the router, all without the router owner’s knowledge. Even more dangerous exploits are possible, but they may require some “help” from the user. Both hackers and security researchers have proved that a router can be attacked and compromised if the user can be enticed to click on a bad link or if the user neglects to change the router’s password from the default (usually admin).

Router usage advices Reset the router (even a brand new one) to its factory state. Update the router with the latest firmware available in the manufacturer’s website. Change the default password to a new, secure one. The router may have features to support devices that you don’t have. Turn those features off. Turn off all features that allow the device to be administered from anything other than the device(s) plugged directly into the router.

The URL-shortening threat The Internet is big. There are many sites and even more files. Each file on the Internet (as also on a computer) must have a unique name, which is why many URLs are long. Special URL-shortening services exist to alleviate this problem. Examples are tinyurl.com, bit.ly, and is.gd. These services are useful but they also pose a security threat. Someone sends you a short URL that should take you to an interesting site whose URL is long. Instead, the short URL takes you to an infected website.

PDF JBIG2 flaw. In 1993, Adobe introduced the portable document format (PDF), a file format for documents. The format is independent of the application software, hardware, and operating system used to create or view the document. A PDF file includes a complete description of the document including text, fonts, illustrations (images in vector graphics format), and bitmaps. Each type of data in the file is compressed with an algorithm designed specifically for that type. Together with the format specification, Adobe also released appropriate software that it collectively named “Acrobat.” Adobe Acrobat is a family of computer programs designed to view, create, manipulate, and manage PDF files. Most of the programs in this family are commercial, but Adobe Reader (for viewing and printing of PDF files) is free and can be downloaded from Adobe’s web site. The Acrobat family and especially the Reader are widely used to present and exchange platform independent documents.

Flash weakness Adobe Flash is a popular multimedia application for adding animation and interactivity to Web pages. Originally designed and implemented in 1996 by Jonathan Gay who called it SmartSketch, the program was acquired by Macromedia in the same year and its name changed to Flash. Since 2007, it has been developed and distributed by Adobe Systems. Flash is commonly used to create animation, advertisements, and other videos that are included in Web pages. In July 2009, a weakness (that became known as zero-day vulnerability) was discovered in Flash player versions 9 and 10 by an anonymous hacker.