How They Break In

Let us assume that we don't purposely give our passwords to strangers, let them trick us into doing it, or let them have physical access to our computer. How then, do they get in? 

Motivation and Reconnaissance

Quite often, we're tempted to think that nobody would be interested in breaking into our personal computer. Today, however, that "personal" computer is part of a world-wide network. We use it to access sensitive resources like financial systems, email systems, and special purpose systems related to our personal or business lives. Control of our "personal" computer means control over those accounts.

Having control over our computer may allow an outside party increased access to others on our network. If our computer is behind a firewall, it may have direct access to other systems behind the same firewall. Software can be run on our computer that allows it to intercept and read network traffic between other, unrelated systems. Even with a modern switched network, this type of network sniffing is possible (by subverting ARP, as described under Vulnerabilities in Network Infrastructure below). So a compromised "personal" computer may allow the compromise of data, accounts, and computers of others on the network.

Even if the computer is only used for playing games, it is still a valuable commodity simply because it is connected to the network. Having control of it allows a criminal to take actions from it that could lead to their apprehension if they did them from their own computer. Quite often, major compromises are performed through a chain of compromised systems, which helps protect the identity of the perpetrator(s). Compromised computers were responsible for the widespread distributed denial of service (DDoS) attacks that brought down several major web sites in February 2000. Therefore, even if our computer holds no valuable information, it is an attractive base of operations to those who commit computer crime.

Finding our computer, or vulnerabilities on our computer, is quite easy these days. In an academic environment or at home, there are quite often very few network access controls. Anyone around the world can touch our computers in an almost infinite variety of ways. While this provides maximum functionality and communications capabilities, it also means our computer is subject to remote scans and probes. Information gathered by these probes combined with organizational data gleaned from web sites and other public resources, makes it relatively easy to discover and exploit vulnerable computers. Often the scans and compromises are accomplished with easy to use, automated software allowing relatively non-technical people to find and compromise vulnerable computers without expending much effort.

Defense against this type of reconnaissance consists primarily of allowing only as much access as necessary to achieve the goals of the organization.


Non-technical Means - Social Engineering

Some of the same types of behavior used to commit fraud offline are used online to gain access to computer resources. For more information, read

The "Social Engineering" of Internet Fraud
Jonathan J. Rusch
United States Department of Justice


Hostile Software

The power, flexibility, and versatility of our computers comes from their ability to be programmed to do whatever we desire (given enough time and clear, unconflicting goals). Desktop systems, in particular, are designed to allow the operator to take whatever action they desire. While this provides immense power, this power is also available to hostile software that may be inadvertently run. If someone can convince us or force us to run their software on our computers, our computers become their computers. 

Hostile software may be customized to target an individual system or organization, but usually what we hear about is packaged and widely distributed. Viruses, trojans, worms, rootkits, exploit scripts, and other names have been given to various types of hostile software depending upon its functionality and method of spreading. It doesn't really matter how it's categorized, though: we don't want it run on our computer under any name.

If we run hostile software on most desktop systems, it can do anything we can do at the keyboard and much more. It can read and modify files, send email, or sit quietly collecting information. It can cover its tracks so we don't know it's there. It can spread itself to other files or computers. It can allow others to access our computer and remotely control it. It can circumvent any security measures we place on our computer, including anti-virus software, personal firewalls, and strong authentication systems.

The software doesn't necessarily consist of a traditional program such as a Windows .exe file. It can be any file which the system recognizes as carrying some type of code and for which an execution engine exists. The seriousness of the threat varies depending upon the access that a system allows to the type of code in question. Prevailing defects may override the default system access controls, making what is supposed to be harmless code capable of complete control of our computer. Some examples of executable code include files containing:

  • Microsoft Office macro commands.
  • Microsoft scripting languages such as Visual Basic for Applications.
  • Web scripting languages such as JavaScript and Visual Basic Script.
  • Web application languages and components such as Java, JavaBeans, and ActiveX controls.
  • Other scripting languages such as perl or unix shell scripts.
  • More esoteric file types or code whose file extensions are often tied by the operating system or application to an execution engine allowing automatic code execution. This is generally done for ease of use but may result in inadvertent code execution. For example, take a look at some Windows extensions that may result in program execution.

How does hostile code get on our computer? 

  • How We Compromise Our Own Computers by Loading Hostile Software Ourselves

    If we download and run files or open email attachments we are giving control of our computers to the provider of those files. That trust is becoming increasingly risky. It seems that more and more hostile code is circulating these days and tools to produce such code are more common and easy to use. 

    It is difficult to judge the integrity of software code. The apparent sender of email is easily spoofed. Web sites, ftp servers, and email lists routinely circulate copies of code that may have been through several people's hands. The code's path and how its integrity was maintained in the route from the original author to your computer is difficult to ascertain. Easy to use tools exist that allow hostile software to be covertly attached to otherwise normally functioning programs.

    Traditional anti-virus tools can only protect us against hostile programs containing known patterns that the tools have been told to look for. Some folks will be unlucky enough to be the unfortunate discoverers of newly released hostile code. If the code replicates fast enough, a lot of people can be affected before anti-virus products can be updated. If the code stays quiet, it may not be discovered for some time and in the meantime may silently collect our passwords, passwords of neighboring computers seen on the network, or allow others to control our computer for their own purposes. As long as no noticeable action is taken, the person controlling our computer is free to use its resources and any connected to it as he or she sees fit.

    Effective defense primarily consists of refusing to run unknown programs and using an account without administrative privileges for day-to-day use, so that software we do run cannot alter the system itself.


  • How Our Computers Allow Hostile Software to Be Run By Others

    Servers run software that constantly listens to the network for requests from web browsers, email clients, FTP clients, Napster clients, and the like. If the server software has defects in it, specially formatted network requests may cause the server to do undesirable things...like run code included with the specially formatted network requests. The most common method of breaking into server computers has probably been to force them to run hostile code by sending them these specially formatted network requests that exploit defects in the server's software. For decades, thousands of computers have been compromised through defective web servers, defective ftp servers, defective email servers, defective DNS servers, defective RPC servers, and others.

    As shown on the SANS Top Twenty list and CERT's list of current activity, quite often break-ins continue for months after the defective server code is fixed by the vendor simply because computer owners don't apply the updates to their systems. Obviously, a very effective defense against such attacks is to update our computers regularly.

    With desktop systems increasingly running servers (personal web server, Napster, MS file sharing, etc.) or complex network client programs, the opportunity to take advantage of similar defects on desktop systems is increasing. Specially formatted email messages or web pages may exploit defects to inject hostile code into web browsers and email clients just as specially formatted network traffic does so on servers. Therefore, the importance of timely system updates and patches applies to desktops as well as more traditional servers.

    Another way in which code can be run on our computers without our cooperation is by having our communications sessions with other computers intercepted. In this attack, someone inserts themselves into our computers' conversation and injects their own commands. Defense against this type of attack is similar to defense against network sniffing of passwords which is discussed later.



Misconfiguration

Common misconfigurations include:

  • Windows sharing that gives write access to system directories.
  • Windows sharing that gives too much read access.
  • Windows sharing of sensitive data with weak or no passwords.
  • FTP or Web servers running with elevated privileges or insufficient access controls.
  • Web servers that don't have example scripts removed.
  • NFS servers allowing too much access.
  • Running unneeded services that provide a possible entry point. This is particularly common on unix systems. This doesn't cause a compromise directly but a service that isn't being used is very easily forgotten, misconfigured, and/or unpatched.

Defense consists of Nullifying Unneeded Risk by minimizing access and following best configuration practices.


Compromised Identity Authentication

Most computer access controls are based on the identity of the person trying to use them. Authentication of that person's identity is most commonly done through simple passwords.

One method of assuming the identity of an authorized person is to use a program that repeatedly tries to log in with a sequence of guessed passwords. While this can be time consuming, it is often successful if poor passwords are chosen. Most systems will prevent this type of password guessing by locking an account after a specified number of failed attempts. However, some applications, including Windows 9x file shares, are not protected in this manner. A person can sit on the other side of the world and try different passwords forever without the owner of the computer knowing it is happening. Defense consists of hard-to-guess passwords, using a file sharing platform appropriate for the sensitivity of the data it holds, and limiting network access with firewalls.

Another way of assuming an identity is to obtain the list of hashed passwords from the system (often called the "encrypted" passwords, though they are one-way hashes rather than reversible encryption). A program then hashes every word in a dictionary, or every possible combination of characters, and compares each result with the stored hashes; a match reveals the password. With today's powerful computers, a mediocre password can be recovered in minutes and, where the system uses a fast, unsalted hash, even a good one can fall in a few days. Defense consists of:

  • Preventing the person from getting the list of hashed passwords through good system configuration and administration (for example, keeping the hashes in a file readable only by the administrator).
  • Choosing strong passwords which will take longer to guess.
  • Password hashing schemes that are salted and deliberately expensive to compute, so that each guess costs more computing resources and the guessing process slows down.
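The list-and-crack attack described above, together with the effect of the third defense, as an added illustration that is not part of the original page. The wordlist and the three accounts are constructed for the example, and the 20,000-round PBKDF2 setting is an assumption chosen so the example runs quickly, not a tuning recommendation:

```python
import hashlib
import os
import time

# Constructed sample wordlist standing in for a real cracking dictionary (an assumption, not a real file).
WORDLIST = ["letmein", "password", "qwerty", "Summer2001", "tr0ub4dor&3", "dragon"]


def fast_hash(password):
    """Unsalted, single-round MD5, typical of weak legacy password stores.
    Cheap to compute, so cheap to guess, and identical passwords give identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt=None, rounds=20_000):
    """Salted PBKDF2-HMAC-SHA256. Every guess costs `rounds` HMAC operations, and the
    per-user salt means a guess must be recomputed separately for each stored record."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + dk.hex()


def crack_fast(stored, wordlist):
    """Dictionary attack on an unsalted hash list: hash each candidate once and look it up
    against every user's hash at the same time."""
    lookup = {fast_hash(word): word for word in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def crack_slow(stored, wordlist, rounds=20_000):
    """The same attack against salted PBKDF2 records. The salt forces one derivation per
    user per candidate, and each derivation is thousands of times costlier than MD5."""
    found = {}
    for user, record in stored.items():
        salt = bytes.fromhex(record.split("$")[0])
        for word in wordlist:
            if slow_hash(word, salt, rounds) == record:
                found[user] = word
                break
    return found


def cost_ratio(samples=50, rounds=20_000):
    """Rough wall-clock cost of one slow guess relative to one fast guess on this machine."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        fast_hash("benchmark")
    fast = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    for _ in range(samples):
        slow_hash("benchmark", salt, rounds)
    slow = (time.perf_counter() - t0) / samples
    return slow / fast


if __name__ == "__main__":
    # Constructed accounts: two weak passwords present in the wordlist, one strong one that is not.
    users = {"alice": "letmein", "bob": "Summer2001", "carol": "xk9#Qp2!vL"}
    fast_db = {u: fast_hash(p) for u, p in users.items()}
    slow_db = {u: slow_hash(p) for u, p in users.items()}
    print("unsalted MD5 cracked:  ", crack_fast(fast_db, WORDLIST))
    print("salted PBKDF2 cracked: ", crack_slow(slow_db, WORDLIST))
    print("cost per guess, slow vs fast: about %.0fx" % cost_ratio())
```

The unsalted MD5 list falls in a single pass because one hash of "letmein" can be compared against every user at once; the salted PBKDF2 records force a separate, slow derivation per user per guess, which is what the third defense buys. Both attacks still recover the two weak passwords, and only the strong one survives, so the slow hash is a complement to strong passwords rather than a substitute. The same loops would run an exhaustive search over character combinations instead of a wordlist; only the candidate generator changes.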

Another way to strengthen the authentication process is to use an authentication system which requires two or more factors to prove identity. These other factors may include something we have like a smart card or something innate such as a fingerprint. Adding one or more of these factors to the secret password that we know strengthens the authentication process.

Sometimes access is controlled not by the identity of the person but by the network address of the requesting computer. This type of access control is notoriously weak and often taken advantage of by assuming a spoofed network address. Defenses include:

  • Not using services that operate in this fashion (unix rsh, rcp, rexec in particular).
  • Using a network topology and physical access controls that limit unauthorized connections.
  • Anti-spoofing filters.
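A border router's anti-spoofing (ingress and egress) filter, as an added example written in Python rather than in any router's configuration language; it is not code from the original page. The 192.0.2.0/24 internal prefix and the two interface names are assumptions for the example, and the packets are constructed:

```python
import ipaddress

# Assumed site addressing for the example: 192.0.2.0/24 (a documentation prefix) stands in for
# the organization's own network behind a border router with an "outside" and an "inside" interface.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Source addresses that should never arrive from the public Internet (RFC 1918 space, loopback,
# link-local, multicast and reserved ranges).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def antispoof_verdict(iface, src):
    """Decide whether a packet with source address `src` arriving on `iface` is plausible.
    iface is 'outside' (facing the Internet) or 'inside' (facing our own hosts).
    Returns (verdict, reason) where verdict is 'ACCEPT' or 'DROP'."""
    addr = ipaddress.ip_address(src)
    if iface == "outside":
        # Ingress: nothing from the Internet may claim one of our own addresses...
        if _in_any(addr, INTERNAL_NETS):
            return "DROP", "inside source address arriving from outside (spoofed)"
        # ...nor an address that cannot legitimately be routed on the public Internet.
        if _in_any(addr, BOGON_NETS):
            return "DROP", "private or reserved source address from outside"
        return "ACCEPT", ""
    if iface == "inside":
        # Egress: our hosts may only send with our own addresses, so a compromised machine
        # here cannot impersonate someone else's network.
        if not _in_any(addr, INTERNAL_NETS):
            return "DROP", "outbound packet with a foreign source address (spoofing from inside)"
        return "ACCEPT", ""
    return "DROP", "unknown interface %r" % iface


def audit(packets):
    """Apply the filter to (iface, src, dst) tuples and return the ones that would be dropped."""
    dropped = []
    for iface, src, dst in packets:
        verdict, reason = antispoof_verdict(iface, src)
        if verdict == "DROP":
            dropped.append((iface, src, dst, reason))
    return dropped


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = [
    ("outside", "198.51.100.7", "192.0.2.10"),   # ordinary inbound packet
    ("outside", "192.0.2.1",    "192.0.2.10"),   # claims to be our own gateway: spoofed
    ("outside", "10.9.9.9",     "192.0.2.10"),   # private address from the Internet: spoofed
    ("inside",  "192.0.2.10",   "198.51.100.7"), # ordinary outbound packet
    ("inside",  "203.0.113.5",  "198.51.100.7"), # our host sending with someone else's address
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PACKETS):
        print("DROP", *entry)
```

Note the limit this filter has: a packet from one inside host that forges another inside host's address passes, because both addresses lie within the internal prefix. That is why address-based trust of the rsh kind stays weak even with a filtering router at the border, and why the topology and physical access controls in the list above matter as well.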

Safeguarding our passwords is important to retaining control over our data, accounts, and computers.

Computer operators are limited in what they can do to safeguard their password. For networks to work, computers must communicate over the wires. This communication may also expose passwords or entire sessions. See next section.


Vulnerabilities in Network Infrastructure

Assuming an attacker can gain access to a network segment, they can subvert core TCP/IP and Ethernet protocols (ARP in particular) in order to redirect or hijack traffic from neighboring computers. This allows them to analyze the traffic for authentication credentials or insert subversive commands into existing sessions. Such attacks work even on switched networks, and they will compromise SSL/SSH protected sessions as well whenever the user clicks through the changed-host-key or certificate warning that the interception produces.

Risk mitigation methods include:

  • Denying access to the physical network. This is easier said than done. Network access can be gained through several mechanisms including:
  • Training operators not to ignore warning messages about:
    • SSH host keys that have changed since the last connection
    • SSL certificates that are untrusted, expired, or do not match the server's name
  • Binding each switch port to the MAC address(es) expected on it (switch port security)
  • Configuring static ARP entries on computers for critical addresses such as the default gateway
  • Monitoring for suspicious ARP traffic, ARP changes, and switch table changes.
  • Inserting a router between untrusted network access points (public, wireless, unsafely operated computers, etc.) and the portions of the network one wishes to protect. Note, however, that computers on the accessible side, including their sessions to the "protected" side, are vulnerable.
  • Applications that use encryption to protect their sessions raise the fence higher.
  • One-time passwords raise the fence higher.
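A small monitor for the ARP behaviour the list above says to watch for (an IP address whose MAC changes, and one MAC answering for several addresses), which also checks replies against the fixed bindings an administrator would otherwise hard code as static ARP entries. This is an added example, not code from the page; the replies are constructed, and the gateway address and the one-IP-per-MAC threshold are assumptions:

```python
from collections import defaultdict

# Constructed ARP replies as a sniffer on the segment might log them:
# (seconds since start, sender IP, sender MAC). Not real captured traffic.
SAMPLE_ARP_REPLIES = [
    (0.0,  "10.1.1.1",  "00:11:22:33:44:01"),   # gateway answers for itself
    (1.0,  "10.1.1.20", "00:11:22:33:44:20"),
    (2.0,  "10.1.1.21", "00:11:22:33:44:21"),
    (30.0, "10.1.1.1",  "00:11:22:33:44:99"),   # a different MAC now claims the gateway address
    (31.0, "10.1.1.20", "00:11:22:33:44:99"),   # and a workstation's address: man-in-the-middle
    (32.0, "10.1.1.1",  "00:11:22:33:44:99"),   # repeated to keep the victims' caches poisoned
]


def check_arp(replies, gateway_ip=None, known_bindings=None, max_ips_per_mac=1):
    """Replay ARP replies through a simple IP-to-MAC tracker and return a list of alerts.

    known_bindings: optional {ip: mac} of addresses whose MAC is fixed by policy (the same
    information an administrator would put in a static ARP entry); a reply disagreeing with
    them is flagged even on first sight.
    max_ips_per_mac: one MAC answering for more than this many IPs is suspicious on an
    ordinary end-host segment (routers and legitimate proxy-ARP hosts need a higher value).
    """
    table = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_by_mac[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = table.get(ip)
        if previous is not None and previous != mac:
            # The address-to-MAC binding changed: the core symptom of ARP spoofing.
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append("%s t=%.0fs: %s moved from %s to %s" % (severity, ts, ip, previous, mac))
        table[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > max_ips_per_mac:
                # One interface answering for several hosts is what a man-in-the-middle looks like.
                alerts.append("WARNING t=%.0fs: %s now answers for %s"
                              % (ts, mac, ", ".join(sorted(ips_by_mac[mac]))))
    return alerts


if __name__ == "__main__":
    for line in check_arp(SAMPLE_ARP_REPLIES, gateway_ip="10.1.1.1",
                          known_bindings={"10.1.1.1": "00:11:22:33:44:01"}):
        print(line)
```

In practice the replies would come from a packet capture on the segment rather than a list, and the first alert here, the gateway address moving to a new MAC, is exactly what precedes the intercepted-session attacks described above: once the victims' ARP caches point at the attacker, their traffic to the gateway passes through the attacker's machine.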


More Information

For defensive recommendations, see the StartSafe and RUNSAFE pages. For more detailed information about particular systems or vulnerabilities take a look at: