Remote Control
Figure 9-21: Opening a new TCP/IP connection from a Windows PC
Figure 9-22: Opening a new TCP/IP connection from a Macintosh
Note: If a Macintosh has multiple monitors, then Timbuktu Pro shows only the start-up monitor, that is, the one containing the menu bar.
Figure 9-23: Opening a new AppleTalk connection
Figure 9-24: A Macintosh screen in a Timbuktu Pro window on a Windows PC
Figure 9-25: A Windows 95 screen in a Timbuktu Pro window on a Macintosh
Messaging
Timbuktu Pro provides two ways to exchange real-time messages. The first is through a relatively standard chat room interface, such as that in Figure 9-27. A user can add himself or herself to a chat session, or a user can add a remote computer to a chat session (assuming that the remote user has the access rights to do so).
Figure 9-26: Using Timbuktu Pro to exchange files
Figure 9-27: Timbuktu Pro chat
If networked computers are equipped with microphones and speakers, Timbuktu Pro provides an intercom service that allows users to speak with each other (see Figure 9-28). This can be an alternative to a long-distance phone call when the remote user has dialed in to the network from some other location, perhaps using a dedicated line. (If the remote user is paying long-distance charges to connect to the network, of course there would be no savings.)
Figure 9-28: Establishing a Timbuktu Pro intercom session
This chapter is an overview of both security threats and security fixes. It can't provide everything you need to know, but it will alert you to things you should watch and resources you should have at your fingertips.
Security Threats to Home and Small Offices
Is anyone really out there to get you, with your small network? Yes, they are. Well, not necessarily you in particular, but certainly the resources that your network can provide to help them with their larger attacks. You may also have content on your network that someone would want to steal. And just as important, there may be legal requirements for privacy that you must enforce.

From where does the danger come? Over the Internet and from your internal network. You have to be aware of dangers from both sources.
Malware
Malware is short for "malicious software," any software that could do something nasty to your network. There are several types of malware, each of which propagates differently and has a different goal:

Virus: A virus is a self-propagating piece of software that runs as an executable program on a target machine. It is not, however, a stand-alone piece of software. It must piggyback on something else, such as a piece of e-mail or other application program, and is "installed" on a victim machine when the user accesses the host software. A virus's effect can be relatively benign, such as displaying a dialog box, or it can be seriously destructive, deleting files from a hard disk, causing a computer to reboot repeatedly, and so on. Some viruses are known to be polymorphic, meaning that they can change themselves as they propagate so that each copy looks a bit different from all others.

Worm: A worm is a self-propagating piece of stand-alone software that has effects similar to a virus. It can cause a denial of service attack or can damage items stored on a computer.

Trojan horse: A Trojan horse is a piece of software that appears to be one thing, but is, in fact, another. Some Trojan horses are installed by crackers for their use as back doors into a system they have cracked. Others might record a user's keystrokes to a file that can be retrieved later by a system cracker.

Spyware: Spyware originally was intended as a tool for shareware authors to include advertising in their software as a way to raise revenue. The spyware (originally called adware) was to be installed with the shareware, show pop-up advertising, and, most important, send information about the computer on which it was running back to the advertiser. The idea was that the advertiser would collect only demographic information for use in targeted advertising campaigns. However, today spyware collects private information without the knowledge or consent of the person whose information is being collected and uses the victim's own Internet bandwidth to transmit the information.

Malware is easily disseminated. Not only can it be delivered through e-mail, but it travels quite nicely on removable media, such as floppy disks, CDs, DVDs, and USB flash drives.
Overwhelm a server: The attack can flood a single server with so much traffic that legitimate users can't access the server.

Bring down a server: The attack can cause a server to crash.

You can't prevent an attacker from launching a DoS attack, but you can detect one in progress and take steps to mitigate its impact. In addition, you can prevent hosts on your network from being unwitting parties to a distributed DoS, a DoS attack in which the source is multiple computers.

The earliest DoS attacks were launched from a single source computer. They are attractive types of attacks to system crackers because they don't require any account access. The attacker launches packets from his or her machine that compromise the victim by taking advantage of the victim's normal response to communication requests.

A distributed DoS attack uses multiple source computers to disrupt its victims. This does not mean that the attack is coming from multiple attackers, however. The most typical architecture, in fact, is a single attacker or small group of attackers who trigger the attack by activating malware previously installed on computers throughout the world (zombies).

In most cases, DoS attacks don't damage what is stored on a network's hosts, but they can cause major losses of business revenue because they prevent an organization from functioning normally. It is therefore important to monitor your network for DoS activity.
Authentication Vulnerabilities
For most networks, users are authenticated (identified as being who they say they are) by supplying a user name and password. Once an authorized pair is recognized by the computer, the human has access to all system resources available to that user name. But passwords aren't necessarily an adequate means of authenticating users. Poor passwords make it easy for a hacker to gain access to user accounts, which the hacker can then further manipulate to upgrade to a system administrator account.
General wisdom says that users should create strong passwords (more on strong passwords shortly) and that passwords should be changed every 60 days or so. New passwords should not use any portion of the preceding password. For example, users shouldn't take a word and simply add a different number at the end each time they recreate their password, nor should they be able to reuse passwords that have been used in the recent past. In addition, users should use different passwords for each account.
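The rotation and no-reuse rules above can be enforced at password-change time. The following Python checker is an added illustration, not from the book: it rejects a new password that is the old one with a different number appended, that shares a run of characters with the old one, or that matches one of the account's recent passwords (kept only as salted hashes), and it reports when the 60-day interval has elapsed. The history depth of five and the four-character shared-run threshold are assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import date

MAX_AGE_DAYS = 60      # rotation interval given in the text
HISTORY_DEPTH = 5      # assumption: how many old passwords an account remembers
MIN_SHARED_RUN = 4     # assumption: a shared run this long counts as reusing a portion


def _digest(password, salt):
    """Salted PBKDF2 so the history never holds old passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def _shares_run(a, b, n):
    """True if the strings share any run of n or more characters, ignoring case."""
    a, b = a.lower(), b.lower()
    return any(a[i:i + n] in b for i in range(len(a) - n + 1))


class PasswordHistory:
    """Per-account record of the last HISTORY_DEPTH passwords and when each was set."""

    def __init__(self):
        self.entries = []          # (salt, digest, date_set), newest last

    def record(self, password, when):
        """Store an accepted password; `when` is an ISO date string, e.g. "2005-03-04"."""
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt), date.fromisoformat(when)))
        del self.entries[:-HISTORY_DEPTH]

    def rotation_due(self, today):
        """True once the current password is older than MAX_AGE_DAYS."""
        return bool(self.entries) and (date.fromisoformat(today) - self.entries[-1][2]).days > MAX_AGE_DAYS

    def violations(self, old_password, new_password):
        """Policy problems with a proposed change; an empty list means it is accepted."""
        stem = lambda p: re.sub(r"\d+$", "", p).lower()   # the word without its number
        found = []
        if new_password == old_password:
            found.append("identical to the current password")
        elif stem(new_password) == stem(old_password):
            found.append("same word with a different number appended")
        elif _shares_run(old_password, new_password, MIN_SHARED_RUN):
            found.append("reuses a portion of the preceding password")
        for salt, digest, _ in self.entries:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                found.append("used within the last %d changes" % HISTORY_DEPTH)
                break
        return found
```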
Certainly you want strong passwords, but should passwords be changed so frequently? The theory behind changing passwords frequently is that a moving target is much harder to decipher. At the same time, however, a password that is changed frequently is much harder to remember, and when users can't remember their passwords, they write them down. You might find a password on a sticky note stuck to a monitor or on a little slip of paper in the middle drawer of a desk. The problem, of course, is exacerbated when users are dealing with passwords for multiple accounts.

Current wisdom states that the best user authentication includes three things: something you know (the user name and password), something you have (a physical token), and who you are (biometrics, such as a fingerprint or retina scan). Although biometrics are moving slowly into the mainstream, physical tokens are becoming much more prevalent. In fact, U.S. banks are now required by law to provide a form of authentication beyond user names and passwords for large business customers to access online banking. (Once the banks have worked out procedures for large businesses, expect to see the same thing propagate down to the consumer level.)
Employees and Other Local People
A good portion of the attacks to which a network is subject today don't necessarily involve compromising your security with sophisticated electronic attacks. Some involve manipulation by employees and other local people.
What can your employees do? They're the ones who have legitimate access to the network. If they can be manipulated into revealing information about their accounts, then a hacker can log into your network. This type of attack is known as social engineering. (It is also the technique behind many attempts to gather information for identity theft.)
To understand social engineering, think "Mission Impossible" (the TV series) on a small scale. The person trying to obtain system access typically engages in a simple role play that tricks someone out of supposedly confidential information. Here's how such an escapade might play out when a CEO's secretary answers the telephone.
SECRETARY: Big Corporation. How may I help you?
CRACKER: Good morning. This is John Doe from Standard Software. We're the people who supply your accounting software. Your IT department has purchased a software upgrade that needs to be installed on your computer. I can do it over the Internet, without even coming into your office and disrupting your work.
SECRETARY: Say, that sounds terrific. Is there anything I need to do?
CRACKER: All I need is your user name and password. Then I'll upload the new files.
SECRETARY: Sure, no problem. My user name is Jane Notsmart; my password is Jane.
CRACKER: Thanks, Jane. The files will be on their way in just a couple of minutes.
The cracker then does exactly what he said he would do: He uploads files to Jane's machine. But the files certainly aren't an upgrade to the accounting software. Instead, they give the cracker root access to the secretary's computer. The cracker can come back later, log in to her machine, and cruise through the entire corporate network.
Could it really be that easy? Are users really that gullible? Oh, yes, indeed. We humans tend to be very trusting and need to be taught to be suspicious. And it's just not the technologically unsophisticated who fall for such social engineering scams. Our tendency to trust anyone who says he or she is in a position of authority provides an opening for clever crackers to trick just about anyone.
Note: If you don't believe that humans trust most things said to them by someone who seems to be in a position of authority, visit the historical Web site http://www.age-of-the-sage.org/, which documents a classic psychological experiment conducted by Stanley Milgram in 1974 that revealed a very disturbing aspect of human behavior.
An even more insidious form of social engineering is electronic. Social engineering can be done via e-mail as well as in person or over the telephone. The intent is to trick the person into revealing information such as account names and passwords, bank account numbers, or credit card numbers. This
FROM THE DESK OF, MR PETER NWA
EC BANK OF AFFRICA PLC
SEND YOUR REPLY TO THIS EMAIL IF YOU ARE INTERESTED nwa-peter@caramail.cm
ATTN: MY FRIEND,

I am the manager of bill and exchange at the foreign remittance department of the EC BANK OF AFRICA LAGOS, NIGERIA. I am writing following the impressive information about you. I have the assurance that you are capable and reliable enough to champion an impending transaction. In my department, we discovered an abandoned sum of US$28.5m (twenty eight million and five hundred thousand US dollars), in an account that belonged to one of our former customers who died along with his entire family in a plane crash, in November, 1997. Since we received the information about his death, we have expected his next of kin to come forward and claim his money, as enshrined in our banking laws and regulations. So far nobody has come forward, and we cannot release the funds unless someone applies as the next of kin as stipulated in our guidelines. Unfortunately, we have discovered that all his supposed next of kin or relations died alongside with him in the plane crash, and effectively leaving nobody behind for the claim. It is consequent upon this discovery that other officials and I in my department decided to make this business proposal to you and release the money to you as the next of kin or relation of the deceased person, for safety and subsequent disbursement, since nobody is coming forward for it, and the mnoey is not reverted into the bank's treasury as unclaimed. The bank's regulation stipulates that if after five years, such money remains unclaimed; the money will be reverted to the bank's treasury as unclaimed fund. The request for a foreigner as the next of kin in this transaction is predicated upon the fact that the said customer was a foreign national, and no citizen of this country can claim to be the next of kin of a foreigner. We agree that 30% of the total sum we be given to you for your assistance in facilitating this transaction. My colleagues and I are going to retain 60% of the total sum, and 10% will be set aside for the expenses that we may incur in facilitating the remittance. To enable us effect this remittance, you must first apply as the next of kin of the deceased. Your application will include your bank coordinates, that is, your bank name, bank address and telex, your bank account. You will include your private telephone no and fax no., for easy and effective communication during this process. My colleagues and I will visit your country for disbursement according to the agreed ratio, when this transaction is concluded. Upon the receipt of your response, I will send to you by fax, the text of the application. I must not fail to bring to your notice the fact that this transaction is hitch free, and that you should not entertain fear as you are adequately protected from any form of embarrassment. Do respond to this letter today through my email address(nwa-peter@caramail.com) to enable us proceed with the transaction.

Yours sincerely, MR PETER NWA EC BANK OF AFRICA
Figure 10-1: A typical money-stealing e-mail
The other typical phishing expedition involves fooling the e-mail recipient into thinking he or she has received a legitimate e-mail from a trusted source, such as eBay, PayPal, or the recipient's ISP. The e-mail (for example, Figure 10-2) directs the recipient to a Web site (see Figure 10-3) where, in this case, the user is asked to enter everything but his or her driver's license number! When you click the Continue button at the bottom of the Web page, you receive an error message (see Figure 10-4). You can bet, however, that all the text entered on the preceding page was stored somewhere where the thief could retrieve it.
Dear eBay membber, Slnce the number of fradulent eBay account take-over has increased wlth lOOK in the last 4 weeks, eBay Inc has declded to verlfy all eBay account owners and thelr personal information in order the clalfy all accounts satus.

Thls ls the only tlme you w111 recelve a message from eBay securlty theam, and you are to complete all requlred flelds shown in the page displayed from the 11nk below.

Cllck the following 11nk and complete a11 requlred flelds in order for a better account verification.

http://update-seculre-ebay.com

Account confirmation ls due. If you refuse to coperator you dont leave us any cholce but to shut-down your eBay account, thank you for your cooperation
Figure 10-2: A user ID/password stealing e-mail

Note: The Web page in Figure 10-3 (pages 212-214) has been broken into three parts so that it could be reproduced in this book in a size that you could read. However, when viewed on the Web, it was a single page.
As with "live" social engineering attempts, the best defense against phishing is good user education. It can be difficult for users who aren't technologically savvy to look at the routing information of an e-mail or the URL of a Web page and determine whether the addresses are legitimate. Therefore, it is often more effective to stick with behavioral rules, such as "Never give your user ID and password to anyone" and "Never follow links in e-mails."
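As an added illustration (not from the book), the following Python routine does for a mail filter or a training tool what the text asks users to do by eye: it pulls the links out of a message body and reports any whose domain is not one of a trusted set, naming look-alike hosts that merely embed the brand name (such as the update-seculre-ebay.com link in Figure 10-2). The sample message is constructed from that figure with two extra links added, and the small second-level suffix set is a stand-in for a real public suffix list.

```python
import re
from urllib.parse import urlsplit

# Links are pulled from the plain-text body; trailing punctuation is dropped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Assumption: a tiny second-level suffix set stands in for the public suffix list.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}

# Constructed sample modelled on the Figure 10-2 phishing e-mail, plus two
# extra links (one genuine, one subdomain look-alike) to exercise the checker.
SAMPLE_BODY = """Dear eBay member,
Click the following link and complete all required fields:
http://update-seculre-ebay.com
Our genuine sign-in page is https://signin.ebay.com/
Mirror: http://www.ebay.com.example.net/verify"""


def registrable_domain(host):
    """Return the owner-controlled part of a hostname (e.g. ebay.com, ebay.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def suspicious_links(body, trusted_domains):
    """Return (url, reason) for every link that does not belong to a trusted domain.

    A host that merely *contains* a trusted brand name (update-seculre-ebay.com,
    www.ebay.com.example.net) is reported as impersonation; a bare IP address
    and any other unknown domain are reported as such.
    """
    brands = {d.split(".")[0] for d in trusted_domains}
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")
        host = (urlsplit(url).hostname or "").lower()
        if registrable_domain(host) in trusted_domains:
            continue                       # the only links a user may safely trust
        if IPV4_RE.fullmatch(host):
            reason = "bare IP address instead of a domain name"
        elif any(brand in host for brand in brands):
            reason = "host impersonates " + next(b for b in sorted(brands) if b in host)
        else:
            reason = "unknown domain " + registrable_domain(host)
        findings.append((url, reason))
    return findings


if __name__ == "__main__":
    for url, reason in suspicious_links(SAMPLE_BODY, {"ebay.com"}):
        print(f"{reason}: {url}")
```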
Is phishing a big problem? According to the Anti-Phishing Working Group (APWG at http://www.antiphishing.org), it's a very big problem and it's getting worse. Consider the following: APWG found that 5 in 100 people respond to phishing e-mails, while only 1 person in 100 responds to spam e-mail. Add that to its data for 2004, which shows a steady increase in the number of phishing sites from 192 in January to 407 in December. The result is a serious challenge to end-user confidence in the e-mails they receive. Some observers believe that users will become so afraid of e-mails from commercial sites that e-commerce will be seriously crippled. Although such a prediction may well be too extreme, it does highlight the seriousness of phishing attempts that prey on human fears, such as having an account canceled.

Figure 10-3: A phishing Web page (continues)

Figure 10-3: A phishing Web page (continues)
It's not unusual for an attack to combine multiple techniques. For example, Web spoofing relies on social engineering to draw victims to the spoofed site. In the case of distributed DoS attacks, client malware needs to be installed on an intermediate system before the DoS attack can be launched. This often means that the attacker must gain root or administrative access to the machine to install the client, change system configuration files (if necessary), hide the modifications, and erase traces of his or her activity.