By Beth Cohen
KLEZ_WORM, Denial of service, NIMDA, the web server system has been corrupted yet again. Will it ever end? The news is filled daily with horror stories about companies who have been crippled by virus attacks and network security breeches. Ever wonder why some are seemingly never affected by security attacks, while others are plagued constantly?
I am concerned, is there anything that I can do to stop attacks? Yes! You are not helpless. “In fact, if you follow some best practices you will block 80-90% of the attacks immediately.” So says Dee Liebenstein Senior Product Manager, Symantec Security Response Team. Learn something about network and computer security threats, then practice good security hygiene, and you will have cut your risk considerably.
According to www.webopedia.com “The pejorative sense of hacker is becoming more prominent largely because the popular press has co-opted the term to refer to individuals who gain unauthorized access to computer systems for the purpose of stealing and corrupting data. Hackers, themselves, maintain that the proper term for such individuals is cracker.” Hacker or cracker, either way they can be bad news for your important company data.
Software until quite recently was not generally built with security in mind. Although the government has been requiring security in computer systems for years, the majority of companies and individuals did not make it a priority. Why? Unless it is carefully designed, it is very difficult to build security that is not intrusive to the user. Think of how many passwords you are required to remember nowadays. How many of you have given up and keep them in a file on your computer? Enough said.
You might be tempted to blame Microsoft for creating the problem because their software is so full of vulnerabilities. Don’t. Almost all commercial software has security holes. So many people use Microsoft products that they make an obvious target. If you are a wily hacker and you want to wreak the most havoc on the computer world why bother writing a virus for Star Office. Yes, there are hardy souls that still use that software, but would anyone else notice or care?
Back in 1987 when the internet started, the Morris Worm was unleashed on the unsuspecting networked computer community. Although it was intended as a warning that such things were possible (little did we know in those days), it was taken very seriously by law enforcement at the time. Since then the number of methods of attacks and possibilities for system compromise has grown exponentially. The threats fall into three main categories: viruses, intrusion, and “denial of service” attacks directly on your network service.
Viruses and worms
What are viruses? They are pieces of code that take advantage of a vulnerability or “hole” in the system or application software itself. Some distinguish a worm as a special type of virus that replicates itself and uses memory, but cannot attach itself to other programs. “But,” according to Dee Liebenstein, “from a systems perspective think of worms spreading from machine to machine, while viruses spread from file to file. Most of things that we call viruses today are really worms.” Most people are familiar with viruses because they tend to affect user’s personal computers directly. Viruses range from the merely annoying like the recent “X97M.Ellar.E”, a MS Excel macro virus, to the extremely destructive, like “[email protected]”, a KLEZ worm variant which insinuates itself into your system and spreads through e-mail address book listings. “Symantec analyses an average of 10 new viruses a day,” says Liebenstein. www.cert.org, www.viruslist.com and www.sans.org are all excellent sources of current information about viruses and worms. In addition, all the commercial virus protection products also maintain sites with the latest information and software updates.
Denial of Service
Recently my company website had so much traffic that many customers could not get to it. A great business success or a “denial of service” attack? Sometimes it is hard to tell the difference. The hackers attack vulnerable systems by sending literally millions of “hits” using up limited computer or network resources, thus blocking the legitimate users from systems. The original CodeRed virus had a payload that caused a Denial of Service attack on the White House Web server. These attacks are particularly difficult to stop or prevent.
Have you checked your website lately? Does it still have the content that you put there? “Website defacement is the most common type of attack. It accounted for 64% of the attacks reported, by far exceeding proprietary information theft at 8%. According to Attrition.org, the number of recorded defacements has recently increased to a current average of 25 defacements per day! London shopping emporium, Harrods recently suffered website defacement. A hacker mapped out where in the store certain ‘items’ could be bought, including the unlikely product, cocaine,” Says Iain Franklin, European Vice President of Entercept Security Technologies.
According to the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University, “an intruder may use your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic which may also result in denial of service.”
If all this is not enough, the latest weapon in the hacker arsenal is the blended threat that uses multiple methods to attack or propagate. The most insidious part is that they are automated, that is, they require no human intervention to propagate. The usual method is by co-opting your e-mail address list and sending copies of itself to everyone, but there are now viruses that can embed themselves into unsuspecting company websites and attack customers when they visit the site.
Some of these blended threats are downright nasty. “Backdoor.Sadmind is a backdoor worm program that may affect systems that are running unpatched versions of Microsoft IIS or Solaris. Lion is a worm that exploits a well known vulnerability in BIND to gain privileged access to Linux systems. Once it has obtained access, Lion runs a “rootkit” to hide its presence, and then proceeds to search for other vulnerable systems. A software update is available for BIND, but many systems remain vulnerable, allowing Lion to spread. CodeRed II has a payload that allows the hacker full remote access to a Web server,” states Liebenstein.
To prevent these threats requires special security practices in addition to the traditional ones.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently writing a book IT for the Small Enterprise and pursuing an Information Age MBA from Bentley College.
Reprinted from networking.earthweb.com.