Steve’s Views Rotating Header Image

April, 2006:

Viruses, Worms, Firewalls and Security

There are some things to be aware of when it comes to firewalls. Here’s a technical description brought down to layman language. I’m taking certain technical liberties (or inaccuracies) to keep it simple.

The best of firewalls cannot block what is looking like legitimate communication. All it does is block access to most, and let some through.

Network communication is done with compact data called a packet. If you imagine a truck with its paperwork showing where to pick it up and where to deliver it. This is called header information. Then in the back is the payload. The data that is being transmitted.

Usually it takes many trucks / packets to deliver all the data as the typical payload only carries about 1500 bytes. (One byte being one character, or letter, number or symbol.) A typical web page should not contain more than about 100,000 bytes (100K). The reason is the time it takes to download across the Internet. Too much takes too long. Of course that number is going up as more and more people are able to download larger amounts due to increasing transmission speeds.

OK, so we have the header information telling the driver where to deliver the 1500 or so bytes of payload. It does contain various other little tidbits but we don’t have to worry about it.

If you visit a website, you are now sending out a truck with the request to get a webpage from your computer to a remote server online. When the page shows up on your monitor that means the remote server delivered information through the firewall to your computer.

The modern firewall keeps track of outgoing requests, noting the time, origin and destination. Then if a reply returns it checks to see if it’s from a requested destination within the timeframe. This is called stateful inspection.

On network communication there is a standard method of starting up a connection. A packet is sent out saying I’m an origination. I wish to start a communication.

It’s received and another packet is returned back to the originating computer saying I got your request. Next the originator would send a new communication saying here is what I want from you. Which in turn is acknowledged. This is referred to as handshaking. If both shake then both knows all is well and a connection can be go on.

All the time there is a stream of packets flowing from each side with requests and acknowledgments, ensuring they are in good communication with each other.

Older firewalls simply looked to see if a packet arrived that said it was a response to an established connection. Not having any notes of requests that went out the firewall would not know any better and let it in. These days probably all firewalls do statefull inspection.

Real crackers (criminal hackers) are people who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

A hacker (knowledgeable computer person) is a person who knows things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

Wait a minute! That’s the same definition!

The difference is really how it is used. Being a hacker is a good thing because you can find faults and fix them. A cracker has criminal intent. The definitions tend to float around but the criminal intent is a pretty good definition.

So what a cracker might do is hack into a website and plant some instructions that when executed installs some software on your computer.

When you then visit the website you happily download the page and his instructions into your computer. Where your browser faithfully executes the instructions.

The result is limited to the capabilities of your browser and what your computer will let the browser do.

Under windoze you can quite easily get it to give away total control of the computer. That has a lot to do with the fact that the user is usually running as the Administrator. Whom has full unfettered access to the computer.

Never mind all the various security design flaws that microsoft has made in its quest for functionality.

When you run as a user with limited access the viral instructions have limited capabilities too. This is a good thing. 🙂

So always run as a normal user! Only run as root when needed, and never browse the Internet as root.

Now, there are actually more than one type of firewall.

The most common one is called a packet filter. It filters packets according to IP address and port, source and destination. A good one can also filter according to the type of packet.

It looks at where it came from, where it’s going and executes the filter rule that covers that request.

Another type is called proxy firewall. It receives a requests and then generates its own requests to the remote server. When it comes back it receives it and generates its own reply.

This method stops bad requests hidden within a good request. The firewall acts like a proxy for you. You have given it rights to do things for you. Not unlike an efficient secretary.

Then we have application firewalls. It looks at what the application is trying to do and decides according to what it has learned to be normal acceptable behavior. When a computer tries to do things differently, which a cracker almost always does, it’s noted and the packets are stopped.

Due to the relative effectiveness of modern packet filters that is the most prevalent one. Ideally you have all three. Forming several layers that all have to be circumvented to gain access.

Application firewalls are usually pretty expensive. They need to know a lot and work very fast.

The network industry has seen a lot of developments where devices gain new capabilities, like a router having a firewall and a switch built-in.

(A switch is a communication hub. It lets different computers get together and access each other. It used to be called hub. The problem with hubs were that when a packet arrived at the hub it was regenerated to all ports on the hub. Generating a lot of extra noise as it was usually only one computer that needed to receive it.

A switch knows who is connected, and can route packets to the correct port and not simply broadcast it to all, all the time. A great improvement.

A typical attack by a cracker is often to first establish what type of device is it reaching. What brand and model would be nice to know. With that information he can then see what known vulnerabilities there are. Then try to exploit them.

Exploits always entails doing things wrong. (Unless it’s a really really dumb flaw.) The cracker will do the unexpected in hopes to break the “concentration” of the device, find a flaw in the software, causing some unusual response.

The most common one is called bugger overflow if you type poorly. For all others its called buffer overflow.

A buffer is a place which temporarily holds information, before it moves along. A data entry field is a good example. It may ask for the name of someone. By entering maybe 1000 characters the program may get overwhelmed and simply continue writing all of it into memory. These 1000 bytes would not be random characters, but actual instructions.

All data to be processed must be in memory (RAM) where the processor can get to it. Now if you can get viral instructions into memory it can be executed.

Basically programmers must ensure they put limits on data entry fields to avoid this.

There are of course lots of ways to do the unexpected. Which is why most people will think they are safe when they simply don’t realize the possibilities available to a cracker.

Attempting to break through a firewall by doing the normal thing will seldom work. Unless it’s misconfigured. Having found a flaw he gains unexpected access, which is then used to get further in.

Sometimes a cracker might take 20 steps, sequentially through various cracks found along the way. Following a path that nobody else would ever have though of even trying. By being really knowledgable about computers he manages what is considered impossible by almost everyone. He is by all means very skilled.

The typical mindset of a cracker is also not that of a normal citizen. To him, or very occasionally her, information (or data) is his if he can reach it. It’s your failure to close all the doors, and letting him in. Once reached it’s his, like a rescued ship at sea belongs to the salvager.

A lot of crackers don’t break anything once in. They may even tell you about how they got in, trying to be helpful to society. I know several network managers who never reported the guy as he helped him secure his network.

Below crackers or black hats as they are often known, we have wanna be crackers. They don’t have the know how and are simply running small programs which are written to take advantage of known flaws. These small programs are often called scripts. Basically a series of manual instructions. These wanna bee’s are called script kiddies. (Usually a cracker is a young boored kid, trying to have some fun.)

Enters organized crime stage left.

A few years ago organized crime in Russia realized the potential they have in the Internet. Being in a country in upheaval it was easy to find kids to do the dirty work for a few Rubles.

Soon organized crime worldwide had crackers on their payroll.

A computer Virus is a program that will take advantage of an ignorant user. A virus by definition needs to be executed by a user to work. Thus email attachments became the most popular method of spreading viruses. People are too curious and too willing to be ignorant about things that affect them.

A worm however, is a virus which does not require a user to execute it. It will spread automatically to computers which have some particular flaw in them.

Thanks to the money of organized crime viruses and in particular worms have gotten very sophisticated. Often running some smoke screen as to its actual intent. They also spread across the world at an increasing speed and efficiency.

This has created a digital universe which is very dangerous. It has raised the stakes at both sides, but is still very successful mostly due to ignorance.
Most software developers respond pretty fast to flaws in their code. Poorly or not maintained at all, computers is the breeding ground for viral code to work.

Keeping security patches up to date and having multiple layers of security in place is vital. Simply installing a firewall does not cut it.

You need to know about your vulnerabilities.

This is a problem all in itself as most people have no idea at all as how to approach the problem. Fortunately there are very good open source solutions which can detect past successful attacks, locate flawed configurations and programs.

One very good program is called Nessus. It detects about 10,000 known vulnerabilities across platforms. Others are SNORT which sees attacks in progress, and Tripwire which notices when programs are modified, added or deleted.

Tripwire should be installed after a fresh install and before any network connection is established to ensure you have a “virgin” system.

SNORT can be installed at any time after Tripwire, and Nessus is run after each change in hard or software.

Of the three Tripwire is the most important, then Nessus and finally SNORT.

If you depend on your computer educate yourself a little bit all the time. In time you will quickly cease to be a clueless victim and start being aware of your digital surroundings.

Ensure Linux firewall is running on each Linux box. Use Zonealarm under windows.

Pay attention to changes, like a slower computer, network, Internet connection. Investigate the reason for the change.

There are logs which tells you what has transpired. [Note that a good cracker will erase his trail form the log files. But a too clean log can also be a sign.] If you think you might be “owned” disconnect your network and investigate.

Have a plan of what to do in writing so that the steps are easy to execute.

If you can’t do it find someone who can.

This has to be part of any business plan as a known expense. And on that note, some bad numbers. To keep up with all the threats is a 40 hour / week job.

If you own a business you might not be able to afford a full time security consultant. It may not even be needed if you only have a couple of computers and don’t offer any services like hosting a web server. And have limited Internet activities. But someone needs to keep an eye on it.

What you don’t know will probably bite you sooner or later.

Security is a tradeoff. You spend as much time and resources as is practical. The more security the less functioning things tend to get. Install a good infrastructure and find a good workable balance.

Then have a standard written routine of what to do if violated. Steps that has to be taken, like shutting down the network. Rebuild server, restore backups, check for covert physical devices connected to your internal network. In some states you have to notify clients if you store sensitive information.

You may have backup hard disks ready to take over. This way someone can audit the violated servers/computers once you have recovered all. It will leave the evidence intact on the original disk(s). Having identified the method of access you can now correct it. (There are very good forensics tools under Open Source which are used by security and law officials.)

Unfortunately it’s a pretty big subject. You can subscribe to news from many good sources.

Bruce Schneier is one such expert. He has a newsletter at:
http://www.schneier.com and http://www.counterpane.com

He will educate you about views and practical activities based on real life examples.

https://secure1.securityspace.com/secnews/subscribe.html tracks security issues.

CERT is a good government list to subscribe too:
http://www.us-cert.gov/cas/signup.html

There are high traffic security lists such as Full Disclosure and Bugtraq. A list of tools and readings can be found on:
http://seclists.org/

Be safe,