Steve’s Views

Security

Viruses, Worms, Firewalls and Security

There are some things to be aware of when it comes to firewalls. Here’s a technical description brought down to layman’s language. I’m taking certain technical liberties (or inaccuracies) to keep it simple.

The best of firewalls cannot block what looks like legitimate communication. All it does is block access to most, and let some through.

Network communication is done with compact units of data called packets. Imagine a truck with its paperwork showing where to pick up the load and where to deliver it. This is called header information. Then in the back is the payload: the data that is being transmitted.

Usually it takes many trucks / packets to deliver all the data as the typical payload only carries about 1500 bytes. (One byte being one character, or letter, number or symbol.) A typical web page should not contain more than about 100,000 bytes (100K). The reason is the time it takes to download across the Internet. Too much takes too long. Of course that number is going up as more and more people are able to download larger amounts due to increasing transmission speeds.

OK, so we have the header information telling the driver where to deliver the 1500 or so bytes of payload. It does contain various other little tidbits but we don’t have to worry about it.

If you visit a website, you are now sending out a truck with the request to get a webpage from your computer to a remote server online. When the page shows up on your monitor that means the remote server delivered information through the firewall to your computer.

The modern firewall keeps track of outgoing requests, noting the time, origin and destination. Then if a reply returns it checks to see if it’s from a requested destination within the timeframe. This is called stateful inspection.

On network communication there is a standard method of starting up a connection. A packet is sent out saying I’m an origination. I wish to start a communication.

It’s received and another packet is returned to the originating computer saying I got your request. Next the originator sends a new communication saying here is what I want from you, which in turn is acknowledged. This is referred to as handshaking. If both shake then both know all is well and the connection can go on.

All the time there is a stream of packets flowing from each side with requests and acknowledgments, ensuring they are in good communication with each other.

Older firewalls simply looked to see if a packet arrived that said it was a response to an established connection. Not having any notes of the requests that went out, the firewall would not know any better and let it in. These days probably all firewalls do stateful inspection.
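To make the difference concrete, here is an added example (not code from any real firewall) that runs the same constructed packets through an older "does it say it is a reply?" filter and through a firewall that keeps notes. The class names, the 30-second timeframe and the addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags carried in the header, e.g. {"SYN", "ACK"}

def legacy_allows(pkt):
    """Older filter: admit any inbound packet that claims to be a reply (ACK set)."""
    return "ACK" in pkt.flags

class StatefulFirewall:
    def __init__(self, timeout=30.0):
        self.timeout = timeout  # seconds a noted request stays valid (assumed value)
        self.requests = {}      # (origin, port, destination, port) -> time noted

    def outbound(self, pkt, now):
        """Note the time, origin and destination of an outgoing packet."""
        self.requests[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = now

    def inbound_allows(self, pkt, now):
        """Admit a reply only if it matches a noted request within the timeframe."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)  # a reply reverses direction
        noted = self.requests.get(key)
        if noted is None:
            return False                 # nobody inside asked for this
        if now - noted > self.timeout:
            del self.requests[key]       # request expired, forget it
            return False
        self.requests[key] = now         # ongoing traffic keeps the entry fresh
        return True

def demo():
    """Constructed traffic: one request, its reply, an unsolicited 'reply', a late reply."""
    fw = StatefulFirewall(timeout=30.0)
    pc, web, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    fw.outbound(Packet(pc, 50000, web, 80, frozenset({"SYN"})), now=0.0)
    reply = Packet(web, 80, pc, 50000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet(stranger, 80, pc, 50000, frozenset({"ACK"}))
    return {
        "legacy_reply": legacy_allows(reply),
        "legacy_unsolicited": legacy_allows(unsolicited),  # let in: it only says "reply"
        "stateful_reply": fw.inbound_allows(reply, now=0.2),
        "stateful_unsolicited": fw.inbound_allows(unsolicited, now=0.3),
        "stateful_late": fw.inbound_allows(reply, now=100.0),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DROP'}")
```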

Real crackers (criminal hackers) are people who know things like exactly how network communications should work and try to find flaws in implementations so that they can gain additional access or information out of a device.

A hacker (knowledgeable computer person) is a person who knows things like exactly how network communications should work and tries to find flaws in implementations so that they can gain additional access or information out of a device.

Wait a minute! That’s the same definition!

The difference is really how it is used. Being a hacker is a good thing because you can find faults and fix them. A cracker has criminal intent. The definitions tend to float around but the criminal intent is a pretty good definition.

So what a cracker might do is hack into a website and plant some instructions that when executed installs some software on your computer.

When you then visit the website you happily download the page and his instructions into your computer. Where your browser faithfully executes the instructions.

The result is limited to the capabilities of your browser and what your computer will let the browser do.

Under windoze you can quite easily get it to give away total control of the computer. That has a lot to do with the fact that the user is usually running as the Administrator, who has full unfettered access to the computer.

Never mind all the various security design flaws that microsoft has made in its quest for functionality.

When you run as a user with limited access the viral instructions have limited capabilities too. This is a good thing. 🙂

So always run as a normal user! Only run as root when needed, and never browse the Internet as root.

Now, there is actually more than one type of firewall.

The most common one is called a packet filter. It filters packets according to IP address and port, source and destination. A good one can also filter according to the type of packet.

It looks at where it came from, where it’s going and executes the filter rule that covers that request.

Another type is called a proxy firewall. It receives a request and then generates its own request to the remote server. When the answer comes back it receives it and generates its own reply.

This method stops bad requests hidden within a good request. The firewall acts like a proxy for you. You have given it rights to do things for you. Not unlike an efficient secretary.

Then we have application firewalls. These look at what the application is trying to do and decide according to what they have learned to be normal acceptable behavior. When a computer tries to do things differently, which a cracker almost always does, it’s noted and the packets are stopped.

Due to the relative effectiveness of modern packet filters that is the most prevalent one. Ideally you have all three. Forming several layers that all have to be circumvented to gain access.

Application firewalls are usually pretty expensive. They need to know a lot and work very fast.

The network industry has seen a lot of developments where devices gain new capabilities, like a router having a firewall and a switch built-in.

(A switch is a communication hub. It lets different computers get together and access each other. It used to be called a hub. The problem with hubs was that when a packet arrived at the hub it was regenerated to all ports on the hub, generating a lot of extra noise, as it was usually only one computer that needed to receive it.

A switch knows who is connected, and can route packets to the correct port and not simply broadcast them to all, all the time. A great improvement.)

A typical attack by a cracker is often to first establish what type of device he is reaching. What brand and model would be nice to know. With that information he can then see what known vulnerabilities there are. Then try to exploit them.

Exploits always entail doing things wrong. (Unless it’s a really really dumb flaw.) The cracker will do the unexpected in hopes of breaking the “concentration” of the device and finding a flaw in the software, causing some unusual response.

The most common one is called bugger overflow if you type poorly. For all others it’s called buffer overflow.

A buffer is a place which temporarily holds information, before it moves along. A data entry field is a good example. It may ask for the name of someone. By entering maybe 1000 characters the program may get overwhelmed and simply continue writing all of it into memory. These 1000 bytes would not be random characters, but actual instructions.

All data to be processed must be in memory (RAM) where the processor can get to it. Now if you can get viral instructions into memory they can be executed.

Basically programmers must ensure they put limits on data entry fields to avoid this.
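The following added example (a toy model, not code from any real program) shows why that limit matters. Memory is simulated as a row of bytes in which a 16-byte name field sits right in front of 8 bytes the program relies on; the sizes and names are assumptions chosen for the illustration.

```python
NAME_SIZE = 16  # size of the name field (assumed for this model)

def new_memory():
    """Toy RAM: a 16-byte name buffer followed directly by data the program trusts."""
    return bytearray(NAME_SIZE) + bytearray(b"NEXTSTEP")

def trusted_data(mem):
    """The 8 bytes that sit right after the name buffer."""
    return bytes(mem[NAME_SIZE:])

def store_unchecked(mem, typed):
    """Flawed entry field: keeps writing every byte it is given, field size ignored."""
    for i, byte in enumerate(typed):
        if i >= len(mem):        # the toy RAM ends here; real RAM keeps going
            break
        mem[i] = byte

def store_checked(mem, typed):
    """Fixed entry field: refuse input that does not fit, then copy it."""
    if len(typed) > NAME_SIZE:
        raise ValueError(f"name is {len(typed)} bytes, limit is {NAME_SIZE}")
    mem[:NAME_SIZE] = typed.ljust(NAME_SIZE, b"\x00")

def demo():
    typed = b"A" * 1000                     # constructed oversized input
    flawed, fixed = new_memory(), new_memory()
    store_unchecked(flawed, typed)          # spills past the field
    try:
        store_checked(fixed, typed)
        rejected = False
    except ValueError:
        rejected = True                     # oversized input is turned away
    store_checked(fixed, b"Steve")          # input that fits is accepted
    return trusted_data(flawed), trusted_data(fixed), rejected, bytes(fixed[:5])

if __name__ == "__main__":
    after_flawed, after_fixed, rejected, name = demo()
    print("after unchecked write:", after_flawed)
    print("after checked write:  ", after_fixed, "rejected:", rejected, "name:", name)
```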

There are of course lots of ways to do the unexpected. Which is why most people will think they are safe when they simply don’t realize the possibilities available to a cracker.

Attempting to break through a firewall by doing the normal thing will seldom work. Unless it’s misconfigured. Having found a flaw he gains unexpected access, which is then used to get further in.

Sometimes a cracker might take 20 steps, sequentially through various cracks found along the way, following a path that nobody else would ever have thought of even trying. By being really knowledgeable about computers he manages what is considered impossible by almost everyone. He is by all means very skilled.

The typical mindset of a cracker is also not that of a normal citizen. To him, or very occasionally her, information (or data) is his if he can reach it. It’s your failure to close all the doors, and letting him in. Once reached it’s his, like a rescued ship at sea belongs to the salvager.

A lot of crackers don’t break anything once in. They may even tell you about how they got in, trying to be helpful to society. I know several network managers who never reported the guy as he helped them secure their network.

Below crackers, or black hats as they are often known, we have wannabe crackers. They don’t have the know-how and are simply running small programs which are written to take advantage of known flaws. These small programs are often called scripts. Basically a series of manual instructions. These wannabes are called script kiddies. (Usually a cracker is a young bored kid, trying to have some fun.)

Enter organized crime, stage left.

A few years ago organized crime in Russia realized the potential they have in the Internet. Being in a country in upheaval it was easy to find kids to do the dirty work for a few Rubles.

Soon organized crime worldwide had crackers on their payroll.

A computer Virus is a program that will take advantage of an ignorant user. A virus by definition needs to be executed by a user to work. Thus email attachments became the most popular method of spreading viruses. People are too curious and too willing to be ignorant about things that affect them.

A worm however, is a virus which does not require a user to execute it. It will spread automatically to computers which have some particular flaw in them.

Thanks to the money of organized crime, viruses and in particular worms have gotten very sophisticated, often running some smoke screen as to their actual intent. They also spread across the world at an increasing speed and efficiency.

This has created a digital universe which is very dangerous. It has raised the stakes on both sides, but is still very successful mostly due to ignorance.

Most software developers respond pretty fast to flaws in their code. Computers that are poorly maintained, or not maintained at all, are the breeding ground for viral code to work.

Keeping security patches up to date and having multiple layers of security in place is vital. Simply installing a firewall does not cut it.

You need to know about your vulnerabilities.

This is a problem all in itself as most people have no idea at all as to how to approach the problem. Fortunately there are very good open source solutions which can detect past successful attacks and locate flawed configurations and programs.

One very good program is called Nessus. It detects about 10,000 known vulnerabilities across platforms. Others are SNORT which sees attacks in progress, and Tripwire which notices when programs are modified, added or deleted.

Tripwire should be installed after a fresh install and before any network connection is established to ensure you have a “virgin” system.

SNORT can be installed at any time after Tripwire, and Nessus is run after each change in hardware or software.

Of the three Tripwire is the most important, then Nessus and finally SNORT.

If you depend on your computer, educate yourself a little bit all the time. In time you will quickly cease to be a clueless victim and start being aware of your digital surroundings.

Ensure the Linux firewall is running on each Linux box. Use ZoneAlarm under Windows.

Pay attention to changes, like a slower computer, network, Internet connection. Investigate the reason for the change.

There are logs which tell you what has transpired. [Note that a good cracker will erase his trail from the log files. But a too clean log can also be a sign.] If you think you might be “owned” disconnect your network and investigate.

Have a plan of what to do in writing so that the steps are easy to execute.

If you can’t do it find someone who can.

This has to be part of any business plan as a known expense. And on that note, some bad numbers. To keep up with all the threats is a 40 hour / week job.

If you own a business you might not be able to afford a full time security consultant. It may not even be needed if you only have a couple of computers and don’t offer any services like hosting a web server. And have limited Internet activities. But someone needs to keep an eye on it.

What you don’t know will probably bite you sooner or later.

Security is a tradeoff. You spend as much time and resources as is practical. The more security the less functioning things tend to get. Install a good infrastructure and find a good workable balance.

Then have a standard written routine of what to do if violated. Steps that have to be taken, like shutting down the network. Rebuild server, restore backups, check for covert physical devices connected to your internal network. In some states you have to notify clients if you store sensitive information.

You may have backup hard disks ready to take over. This way someone can audit the violated servers/computers once you have recovered all. It will leave the evidence intact on the original disk(s). Having identified the method of access you can now correct it. (There are very good forensics tools under Open Source which are used by security and law officials.)

Unfortunately it’s a pretty big subject. You can subscribe to news from many good sources.

Bruce Schneier is one such expert. He has a newsletter at:
http://www.schneier.com and http://www.counterpane.com

He will educate you about views and practical activities based on real life examples.

https://secure1.securityspace.com/secnews/subscribe.html tracks security issues.

CERT is a good government list to subscribe to:
http://www.us-cert.gov/cas/signup.html

There are high traffic security lists such as Full Disclosure and Bugtraq. A list of tools and readings can be found on:
http://seclists.org/

Be safe,

Color In Email Dangerous!

“What’s so wrong with using colors and different fonts in email?”

This is a question I’m frequently being asked. People say that they feel their messages are more interesting, more effective and in short better, thanks to nicely formatted emails.

Obviously they are right, it’s true!

Unfortunately it’s not the whole picture. (Bear with me, this is easily explained, but takes a few words.)

The design of the Internet did not take into account criminal abuses and activities. Both large and small crime organizations have discovered the criminal potential of the Internet. People in general are naive and like to think the best of people. Which certainly applies to at least 80-98%. It’s that last minor percent that creates the problems for the rest of us.

We have viruses, which are small programs written to take advantage of 1) naive users and 2) commonly existing conditions that allow the program to spread and infect others too. Once a computer is infected, the virus causes destruction. A virus by definition requires a user to activate it.

Then we have worms. They are like viruses but they don’t require any user to activate them. They utilize design flaws that can be used automatically, to do their destructive deeds. (In the rest of the document I don’t differentiate between viruses and worms, but I want you to know the difference.)

Depending on how well a computer has been made and configured, the damage may be big or small. A virus typically spreads VERY fast across the Internet, wreaking destruction and chaos.

So what does this have to do with colored emails you may ask?

Let me set the scene. When you format the email you are using something which adds instructions that can be understood by the email recipient. These instructions are formatted using the same code as is being used to create the web pages on the Internet.

It uses text that contains links, which when clicked on takes you to another location. This is known as HyperText. The pages are formatted using something called a Markup Language as it allows you to create a layout for a formatted page. Together it’s called HTML. (Hyper Text Markup Language.)

When you start changing colors etc, your email program is using HTML instructions to do so.

When you have your email program configured to display html emails, you cannot see the instructions that make up the email. These instructions can, and do in the case of viruses, cause destruction. It’s that destructive code that damages your computer, and then spreads to your friends.

Viruses are like chain-mail. They are also primarily infecting through email.

An effective way of not getting infected is to not process the HTML code in emails. You can turn it off by changing the settings in your email program (Insert instructions for Outlook & O.Express.). It often also applies to pictures. Flaws in the design of the instructions that display pictures allow them to contain destructive instructions. Any attached file can obviously also contain viruses.
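What “not processing the HTML” means for a mail reader can be shown in a few lines. This added example (not taken from any mail program) uses Python’s standard `email` and `html.parser` modules: it shows the plain-text part when the sender included one, and otherwise reduces the HTML to its visible words without running scripts or fetching pictures. The two sample messages are constructed for the illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Collect visible text; note, but never run or fetch, active and remote content."""
    def __init__(self):
        super().__init__()
        self.words, self.blocked, self._skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skipping += 1          # contents are instructions, not text
            self.blocked.append(tag)
        elif tag in ("img", "iframe", "object", "embed"):
            self.blocked.append(tag)     # would load a picture or other content

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping and data.strip():
            self.words.append(data.strip())

def readable_text(raw):
    """Return (text to display, elements skipped while stripping an HTML-only mail)."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:                # plain-text version exists: HTML is ignored
        return plain.get_content().strip(), []
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        return "", []
    parser = TextOnly()
    parser.feed(html_part.get_content())
    parser.close()
    return " ".join(parser.words), parser.blocked

def sample_messages():
    """Two constructed messages: plain+HTML alternatives, and HTML only."""
    html = ('<html><body><p style="color:red">Hello <b>friend</b></p>'
            '<script>doSomething()</script>'
            '<img src="http://tracker.example/pixel.gif"></body></html>')
    both = EmailMessage()
    both["Subject"] = "Lunch"
    both.set_content("Meeting at noon.")
    both.add_alternative(html, subtype="html")
    only_html = EmailMessage()
    only_html["Subject"] = "Hi"
    only_html.set_content(html, subtype="html")
    return both.as_string(), only_html.as_string()

if __name__ == "__main__":
    for raw in sample_messages():
        print(readable_text(raw))
```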

This paints a sore and dangerous picture. What is one to do?

Frankly, unless you want to be part of the problem you have one recourse. Educate all your friends and relatives about these notes and stop using html in emails.

Using anti-virus software does not fully solve the problem as it is always one step behind the virus writers. The ability to identify a virus as a virus depends on the virus being found first. With a few small exceptions, this requires the virus to be detected before they can even start protecting users against it.

So you see the anti-virus effort is no guarantee at all. It is however a vital start.

Various security tools used to block unwanted communication do not detect viruses either, as they are hidden inside what looks like legitimate HTML emails. Or they are hidden inside HTML pages on the Internet.

As it is, all web pages are also potential carriers of destructive instructions. (Instructions are also called code regardless of being destructive or not. Programmers usually refer to instructions as code.)

What I’m saying here is that simply visiting the wrong web site could infect you. If that occurs then make sure you contact their ISP and notify them. (Link to how to identify someone’s ISP.)

[This is how you identify the ISP behind a web site. Go to www.internic.net/whois.html and enter the domain name (for example infectedsite.com). At the bottom of the result it says DNS servers. Make a note of the dotted number (for example 123.234.123.123) next to DNS1. Then go to http://arin.net and enter the number in the top window (where it says Search Whois). In the result, OrgName: will be the heading for the ISP. They will usually have an email address for abuse, like abuse@isp.com. Send them an email with as many specifics as you have of what happened.]

There are websites so infected that they will destroy windows completely and turn it into a door stop. Your only recourse is to completely erase your computer and reinstall windows. (There are other options besides windows but that is beyond this document.)

To be on the Internet and try to remain ignorant is at a minimum dangerous. There were at some point various areas like in Los Angeles, Detroit and New Orleans, where you don’t let women and children walk at night or even during the day. Unfortunately the Internet can be the same for your computer, and any information it may contain.

What you CAN do is to cut down on your vulnerability profile. To cut down on things that are most prone to cause damage. First step is to not write HTML emails, or display them. Educate friends and family and help create a grassroots activity.

Make sure you have up to date anti-virus software, which checks for updates daily, not weekly or monthly. Keep your computer up to date with security patches.

Finally, if you install a program called Tripwire you can detect any changes done to files. Tripwire is a program which takes notes of all files and recognizes any changes made to them, and notifies you.

Preferably Tripwire should be installed as soon as the system is built, so as to not allow any existing condition to remain hidden.
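The idea behind Tripwire, described here and in the firewall article above, fits in a short added example. This is not Tripwire’s own code or file format, only a simplified illustration of “take notes of all files, then compare”; the folder contents are constructed, and the function names are made up for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Record a SHA-256 fingerprint for every file under root."""
    notes = {}
    for folder, _subdirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            notes[rel] = digest.hexdigest()
    return notes

def compare(baseline, current):
    """Report files added, deleted or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed system tree: baseline on a fresh install, then three changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/login", b"original login program")
        _write(root, "bin/ls", b"original ls program")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        baseline = snapshot(root)              # taken before going online
        _write(root, "bin/login", b"replaced login program")   # modified
        _write(root, "bin/helper", b"unexpected new program")  # added
        os.remove(os.path.join(root, "etc", "hosts"))          # deleted
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

The comparison is only as trustworthy as the baseline, so keep the baseline somewhere an intruder cannot rewrite it, such as read-only or offline media.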

All these steps are additional work. But for most of us it’s better than being infected. Plus you become part of the solution, not the problem, as your computer is less likely to spread viruses. More than once have I seen computers becoming reinfected by computers that were infected by that computer in the first place. Or as they say, “What goes around comes around”.

Plus, you would not walk around in traffic, or the bad part of town without paying attention to your surroundings. Be aware of your computer’s behavior and note if it changes. You may have been infected or broken into.