How They Break In
Let us assume that we don't purposely give our passwords to strangers, let them trick us into doing it, or let them have physical access to our computer. How then, do they get in?
Quite often, we're tempted to think that nobody would be interested in breaking into our personal computer. Today, however, that "personal" computer is part of a world-wide network. We use it to access sensitive resources like financial systems, email systems, and special purpose systems related to our personal or business lives. Control of our "personal" computer means control over those accounts.
Having control over our computer may allow an outside party increased access to others on our network. If our computer is behind a firewall, it may have direct access to other systems behind the same firewall. Software can be run on our computer that allows it to intercept and read network traffic between other, unrelated systems. Even with a modern switched network, this type of network sniffing is possible. So a compromised "personal" computer may allow the compromise of data, accounts, and computers of others on the network.
Even if the computer is only used for game playing, it is still a valuable commodity simply because it is connected to the network. Having control of it would allow a criminal to take actions on it that could lead to their apprehension if they did it from their own computer. Quite often, major compromises are performed through a string of compromised systems helping to protect the identity of the perpetrator(s). Compromised computers were responsible for the widespread distributed denial of service (DDOS) attacks that brought down several major web sites in February 2000. Therefore, even if our computer has no valuable information, it is an attractive base of operations to those who perform computer crime.
Finding our computer, or vulnerabilities on our computer, is quite easy these days. In an academic environment or at home, there are quite often very few network access controls. Anyone around the world can touch our computers in an almost infinite variety of ways. While this provides maximum functionality and communications capabilities, it also means our computer is subject to remote scans and probes. Information gathered by these probes combined with organizational data gleaned from web sites and other public resources, makes it relatively easy to discover and exploit vulnerable computers. Often the scans and compromises are accomplished with easy to use, automated software allowing relatively non-technical people to find and compromise vulnerable computers without expending much effort.
Defense against this type of reconnaissance consists primarily of allowing only as much access as necessary to achieve the goals of the organization.
Non-technical Means - Social Engineering
Some of the same types of behavior used to commit fraud offline are used online to gain access to computer resources. For more information, read
The "Social Engineering" of Internet Fraud
The power, flexibility, and versatility of our computers comes from their ability to be programmed to do whatever we desire (given enough time and clear, unconflicting goals). Desktop systems, in particular, are designed to allow the operator to take whatever action they desire. While this provides immense power, this power is also available to hostile software that may be inadvertently run. If someone can convince us or force us to run their software on our computers, our computers become their computers.
Hostile software may be customized to target an individual system or organization but usually what we hear about is packaged and widely distributed. Viruses, trojans, worms, rootkits, exploit scripts, and other names have been given to various types of hostile software depending upon its functionality and method of spreading. It doesn't really matter how its categorized though. We don't want it run on our computer by any name.
If we run hostile software on most desktop systems, it can do anything we can do at the keyboard and much more. It can read and modify files, send email, or sit quietly collecting information. It can cover its tracks so we don't know its there. It can spread itself to other files or computers. It can allow others to access our computer and remotely control it. It can circumvent any security measures we place on our computer including anti-virus software, personal firewalls, and strong authentication systems.
The software doesn't necessarily consist of a traditional program such as a Windows .exe file. It can be any file which the system recognizes as carrying some type of code and for which an execution engine exists. The seriousness of the threat varies depending upon the access that a system allows to the type of code in question. Prevailing defects may override the default system access controls making what it supposed to be harmless code capable of complete control of our computer. Some examples of executable code include files containing:
How does hostile code get on our computer?
Common misconfigurations include:
Defense consists of Nullifying Unneeded Risk by minimizing access and following best configuration practices.
Most computer access controls are based on the identity of the person trying to use them. Authentication of that person's identity is most commonly done through simple passwords.
One method of assuming the identity of an authorized person is use programs that repeatedly try to login using a sequence of guessed passwords. While this can be time consuming, it is often successful if poor passwords are chosen. Most systems will prevent this type of password guessing by locking an account after a specified number of attempts. However, some applications including Windows 9x shares are not protected in this manner. A person can sit on the other side of the world and try different passwords forever without the owner of the computer knowing it is happening. Defense consists of hard to guess passwords, using a file sharing platform appropriate for the sensitivity of the data it holds, and limiting network access with firewalls.
Another way of assuming an identity is to get a list of encrypted passwords from the system. Then, a program can be run which encrypts every possible combination of characters and compares the result with the encrypted passwords. With today's powerful computers, even a good password can be cracked in a few days. Defense consists of:
Another way to strengthen the authentication process is to use an authentication system which requires two or more factors to prove identity. These other factors may include something we have like a smart card or something innate such as a fingerprint. Adding one or more of these factors to the secret password that we know strengthens the authentication process.
Sometimes access is controlled not by the identity of the person but by the network address of the requesting computer. This type of access control is notoriously weak and often taken advantage of by assuming a spoofed network address. Defenses include:
Safeguarding our passwords is important to retaining control over our data, accounts, and computers.
Computer operators are limited in what they can do to safeguard their password. For networks to work, computers must communicate over the wires. This communication may also expose passwords or entire sessions. See next section.
Assuming an attacker can gain access to a network, they can subvert core TCP/IP and Ethernet protocols in order to redirect or hijack traffic from neighboring computers. This allows them to analyze the traffic for authentication credentials or insert subversive commands into existing sessions. Such attacks will compromise even switched networks and SSL/SSH protected sessions.
Risk mitigation methods include: