KLEZ_WORM, Denial of service, NIMDA, the web server system has been
corrupted yet again. Will it ever end? The news is filled daily with
horror stories about companies who have been crippled by virus attacks and
network security breeches. Ever wonder why some are seemingly never
affected by security attacks, while others are plagued constantly?
I am concerned, is there anything that I can do to stop attacks? Yes! You
are not helpless. “In fact, if you follow some best practices you will
block 80-90% of the attacks immediately.” So says Dee Liebenstein Senior
Product Manager, Symantec Security Response Team. Learn something about
network and computer security threats, then practice good security hygiene,
and you will have cut your risk considerably.
According to www.webopedia.com “The pejorative sense of hacker is becoming
more prominent largely because the popular press has co-opted the term to
refer to individuals who gain unauthorized access to computer systems for
the purpose of stealing and corrupting data. Hackers, themselves, maintain
that the proper term for such individuals is cracker.” Hacker or cracker,
either way they can be bad news for your important company data.
Software until quite recently was not generally built with security in
mind. Although the government has been requiring security in computer
systems for years, the majority of companies and individuals did not make
it a priority. Why? Unless it is carefully designed, it is very difficult
to build security that is not intrusive to the user. Think of how many
passwords you are required to remember nowadays. How many of you have
given up and keep them in a file on your computer? Enough said.
You might be tempted to blame Microsoft for creating the problem because
their software is so full of vulnerabilities. Don’t. Almost all
commercial software has security holes. So many people use Microsoft
products that they make an obvious target. If you are a wily hacker and
you want to wreak the most havoc on the computer world why bother writing a
virus for Star Office. Yes, there are hardy souls that still use that
software, but would anyone else notice or care?
Back in 1987 when the internet started, the Morris Worm was unleashed on
the unsuspecting networked computer community. Although it was intended as
a warning that such things were possible (little did we know in those
days), it was taken very seriously by law enforcement at the time. Since
then the number of methods of attacks and possibilities for system
compromise has grown exponentially. The threats fall into three main
categories: viruses, intrusion, and “denial of service” attacks directly on
your network service.
Viruses and worms
What are viruses? They are pieces of code that take advantage of a
vulnerability or “hole” in the system or application software itself. Some
distinguish a worm as a special type of virus that replicates itself and
uses memory, but cannot attach itself to other programs. “But,” according
to Dee Liebenstein, “from a systems perspective think of worms spreading
from machine to machine, while viruses spread from file to file. Most of
things that we call viruses today are really worms.” Most people are
familiar with viruses because they tend to affect user’s personal computers
directly. Viruses range from the merely annoying like the recent
“X97M.Ellar.E”, a MS Excel macro virus, to the extremely destructive, like
“W32.KLEZ.H@MM”, a KLEZ worm variant which insinuates itself into your
system and spreads through e-mail address book listings. “Symantec
analyses an average of 10 new viruses a day,” says Liebenstein.
www.cert.org, www.viruslist.com and www.sans.org are all excellent sources
of current information about viruses and worms. In addition, all the
commercial virus protection products also maintain sites with the latest
information and software updates.
Denial of Service
Recently my company website had so much traffic that many customers could
not get to it. A great business success or a “denial of service” attack?
Sometimes it is hard to tell the difference. The hackers attack vulnerable
systems by sending literally millions of “hits” using up limited computer
or network resources, thus blocking the legitimate users from systems. The
original CodeRed virus had a payload that caused a Denial of Service attack
on the White House Web server. These attacks are particularly difficult to
stop or prevent.
Have you checked your website lately? Does it still have the content that
you put there? “Website defacement is the most common type of attack. It
accounted for 64% of the attacks reported, by far exceeding proprietary
information theft at 8%. According to Attrition.org, the number of
recorded defacements has recently increased to a current average of 25
defacements per day! London shopping emporium, Harrods recently suffered
website defacement. A hacker mapped out where in the store certain ‘items’
could be bought, including the unlikely product, cocaine,” Says Iain
Franklin, European Vice President of Entercept Security Technologies.
According to the CERT Coordination Center, part of the Software
Engineering Institute at Carnegie Mellon University, “an intruder may use
your anonymous ftp area as a place to store illegal copies of commercial
software, consuming disk space and generating network traffic which may
also result in denial of service.”
If all this is not enough, the latest weapon in the hacker arsenal is the
blended threat that uses multiple methods to attack or propagate. The most
insidious part is that they are automated, that is, they require no human
intervention to propagate. The usual method is by co-opting your e-mail
address list and sending copies of itself to everyone, but there are now
viruses that can embed themselves into unsuspecting company websites and
attack customers when they visit the site.
Some of these blended threats are downright nasty. “Backdoor.Sadmind is a
backdoor worm program that may affect systems that are running unpatched
versions of Microsoft IIS or Solaris. Lion is a worm that exploits a well known
vulnerability in BIND to gain privileged access to Linux systems.
Once it has obtained access, Lion runs a “rootkit” to hide its presence,
and then proceeds to search for other vulnerable systems. A software
update is available for BIND, but many systems remain vulnerable, allowing
Lion to spread. CodeRed II has a payload that allows the hacker full remote
access to a Web server,” states Liebenstein.
To prevent these threats requires special security practices in addition to
the traditional ones. Now that we have reviewed many of the potential
threats to your network and systems, next issue we will discuss methods of
reducing the threat by using a combination of software, vigilance, and
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting
practice specializing in IT infrastructure for smaller companies. She has
been in the trenches supporting company IT infrastructure for over 20 years
in a number of different fields including architecture, construction,
engineering, software, telecommunications, and research. She is currently
writing a book IT for the Small Enterprise and pursuing an Information Age
MBA from Bentley College.