Return to index: [Subject] [Thread] [Date] [Author]


[Subject Prev][Subject Next][Thread Prev][Thread Next]

Funny that you should have brought this up at this time as the following 
article on security was just received.

Hope this explains some of what you are experiencing.

A. Roger Turk, P.E.(Structural)
Tucson, Arizona

SECURITY WATCH                   

Thursday, June 29, 2000

Network protection commentary by:  McClure & Scambray  

Advertising Sponsor - - - - - - - - - - - - - - - - - - 
New Enterprise Security Website Launched!
Symantec, a world leader in internet security technology,
provides a broad range of content security solutions,
including anti-virus, Internet content and e-mail
filtering, and mobile code detection technologies.
For up-to-the-minute information regarding enterprise
security issues you are facing, visit our website at:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - 


Posted at June 23, 2000 01:01 PM  Pacific

EVER SINCE JACK installed his personal firewall on his
cable modem, he's seen hundreds of port scans hitting
the box. At first he took them seriously, worrying
about what these cybermiscreants were up to. As Jack
quickly learned, finding out the answers to these
questions requires enormous investigative work and can
lead to absolutely nothing.

Trying to track down the knocks on your cyberdoor can
quickly turn into a passion. But each ping, trace
route, port scan, Whois, and American Registry of
Internet Numbers (ARIN) search often reveals only what
little can be done to stop these preludes to an
attack. The final desperate act will inevitably be the
abuse(--nospam--at) inbox black hole that is ISP
abuse reporting. Now imagine that every single
computer banging away at your door is the end of a
long string of computers being used to channel an
attack. Tracking down this last hop reveals only the
tail of an enormous, multiheaded dragon.

The days of direct computer attacks are long gone.
Today, only hacker wanna-bes use their own computers
to direct the attack at the target system. More than a
decade ago, the serious malicious hackers broke into
vulnerable systems not to collect credit card numbers
or turn off the power grid to a city neighborhood.
Instead, they gained access to these systems simply to
use them for further attacks on the Internet. Just as
the distributed DoS (denial of service) attacks in
February required a number of compromised "zombie"
machines to generate the necessary traffic to disable
e-commerce sites, these zombie machines can also be
used as jumping-off points for malicious attacks.

To build this elaborate diving platform, attackers will
scan for vulnerable systems on the Internet. DSL and
@Home customers such as those with AT&T and Pacific
Bell are easy targets. To find these juicy targets,
attackers will look up subnets on ARIN and Network
Solutions, looking for netblocks that house
high-speed, poorly secured home systems. Another
popular target is educational institutions. Using
automated attack scripts, attackers can literally
break into these systems overnight and "own" more than
a hundred systems within hours.

Attacking Windows NT home users begins with port
scanning on TCP ports 135 and/or 139. Once the ports
are open, the attackers will launch the typical
Windows NT-based assaults, including simple password
guessing, input validation attacks, and buffer
overflow attacks. NT systems tend to be juicier
targets than are Windows 9x systems simply because
NT's remote control capabilities are far superior.
Using programs such as netcat, NTRK remote, and
RemotelyAnywhere, attackers can control an NT system
with ease -- and then upload and
kick off the same attacks from that system.

Attacking and controlling Unix systems such as Red Hat
and Mandrake Linux can be even simpler using numerous
remote buffer overflow attacks. Vulnerabilities such
as those in several Unix daemons can be trivially
exploited with publicly available source code. Once
owned, the attackers will set up backdoors and remote
control capabilities, kicking off the same Linux
attack scripts to further invade systems.

And let's not forget about open proxy relays, often
unwittingly left dangling by customers of those very
same consumer-oriented services. With the growing
focus on application-layer vulnerabilities, most
attacks nowadays take the form of a maliciously
malformed URL; it's point-and-shoot simply to bounce
these off of a proxy if it isn't properly configured.
We recently visited a site that had been compromised
by just such a bullet, a single URL anonymously
relayed by a misconfigured SOHO (small office/home
office) proxy device out in the void. Does anyone
remember the infamous Wingate and squid proxy-scanning
tools that circulated the Net about a year ago? Try
turning WinScan (one of the most popular Wingate
scanners) loose on your favorite network and see what
pops up. How many of those do you think were run by
unwitting end-users who thought they were improving
the security of the Internet? Or just browse to and take your pick.

All an attacker needs to begin a reign of terror is
that first vulnerable system. Each subsequent attack
will actually be coming from a compromised system and
not the original attacker. And that is what makes
security-incident response an enormously difficult and
often fruitless task. Tracking down an attempted hack
may turn up your grandmother's computer rather than
the real culprit. Can you see yourself knocking on the
door of an @Home user asking to look at the computer?
The fact is, unless the crime causes more than $5,000
in damage, the FBI won't get involved, and without the
FBI, knocking on the door during Sunday brunch will
have little motivational impact for cooperation.

The solution to the problem of island-hopping is not
trivial, requiring nothing less than absolute security
on all systems attached to the Internet -- not a small
task. So what is the stopgap measure? Tell us what you
think about a resolution
at security_watch(--nospam--at)

Stuart McClure is president and CTO and Joel Scambray
is Managing Principal at security consultant
Foundstone ( ).<<