Threats on the Open Network: Know Your Enemy


By Sarah Gordon
E-mail:[email protected]

This paper was first prepared for the 6th Annual Executive Information Security Risk Management Symposium, November 8, 1995. © 1996 The Alea Group. This document may not be reproduced in whole or in part, stored on any electronic information system, or otherwise be made available without prior express written consent of the author and publishers.

  1. Introduction
  2. Using the Wrong Sources
  3. Using Things the Wrong Way
  4. Conclusion
  5. About the Author

Introduction

"I have seen the enemy and he looks a lot like me!"

The Internet is many things to many people. It is variously a place to do research, conduct business, advertise products and discuss issues. It has as many uses as it has users. But for the unwary it also has pitfalls and hidden traps. Some of the hazards stem from faults in software, and some are due to poor administration. However, some of the most common security problems are caused by things that we do ourselves. In this paper we will examine some of those problems and see how many of them can be avoided by applying a few basic rules.

The self-inflicted security exposures we will be examining fall into two categories: using the wrong sources and using the right things the wrong way. We will look at each of these areas and see how users can be led astray, and we will give some advice on minimizing exposure by doing things the right way.

Using the Wrong Sources

The Internet has been described as the world's only functional anarchy. Where the "big three" standalone networks many users meet during their introduction to the Internet (America OnLine, CompuServe and Prodigy) work on a structure that is imposed from the top down [central administration, uniform policies and official helpers], the Internet's structure comes from the bottom up. If someone wants to call himself an expert, there's nobody to stop him. There's no test to take, no authority to certify him.

There are many good, intelligent and informed people who give of their time to help others. But there are also many who are not so good, not so intelligent or not so well informed who do the same. The result is that there's a lot of bad advice out there. Users following the advice they get from these sources can find themselves in worse trouble than when they started.

Inexpert Experts

The first type of bad advice comes from people who think they know what they're talking about but don't. Whether it's fixing cars, baking cookies or securing computers, people like to give advice. Some of the people who give this advice are experienced and knowledgeable, but some are the ones who should be listening to others instead. Ask how to get rid of a virus and you'll get five answers, four of them wrong. Witness this recent exchange on the alt.comp.virus newsgroup (names have been changed to avoid embarrassing anybody further):

From: [email protected] (User)
Subject: Virus from CD-ROM

Hello all, I have a question about viruses. Can I get a virus from a CD-ROM?


From: [email protected] (Bad Advice 1)
Subject: re: Virus from CD-ROM

Hi User. No, you can't get a virus from a CD-ROM. CD-ROMs are read-only, so a virus can't get on them in the first place.


From: [email protected] (Bad Advice 2)
Subject: re: Virus from CD-ROM

User: It's almost impossible to get a virus from a CD-ROM. No professional CD-ROM producer would let a CD be released with viruses on them. They do many checks on them, more than for a floppy. You can quit worrying.


From: [email protected] (Bad Advice 3)
Subject: re: Virus from CD-ROM

People worry too much about viruses! It's all hype from the AV community, who're just trying to sell more software. Viruses don't hurt anybody; even if you do get one, just use a free virus fixer and get rid of it. Geez.

If User listens to the advice from these three "experts", he could be setting himself up for a fall, as there have been several cases of CD-ROMs being released with viruses on them. Viruses can and do cause real damage, inconvenience and loss to individual users and companies. The lesson to be learned from this is that not all advice is equally good; just because someone sounds like he knows what he's saying or believes what he's saying strongly, doesn't mean that his advice is worth taking.

Rumor Central

The second type of bad advice is the persistent rumor. These are constantly floating around the Net. There are several rumors that simply refuse to die, like the story of Craig Shergold, the boy who wants to break the world's record for the most postcards. A new rumor surfaced late last year, about something called the "Good Times Virus". Here is the original message:

 ---------------------------------------------------------------------------
| Here is some important information. Beware of a file called Goodtimes.    |
|                                                                           |
|  Happy Chanukah everyone, and be careful out there. There is a virus on   |
| America Online being sent by E-Mail.  If you get anything called "Good    |
| Times", DON'T read it or download it.  It is a virus that will erase your |
| hard drive.  Forward this to all your friends.  It may help them a lot.   |
 ---------------------------------------------------------------------------

There is no such thing as the Good Times virus as described here, and when the rumor started there was no virus in the wild which could infect email files (this was well before the discovery of Word document viruses). Yet this notice was posted and reposted to every forum imaginable, on the mere strength of rumor. People never stopped to check out whether the story was true, they simply passed it on. Please note the lack of substantiating evidence in the Good Times rumor; no authority is cited, no expert is quoted. This is the distinguishing characteristic of all such rumors.

At best, heeding unsubstantiated rumors like this one leaves the user feeling foolish; at worst, it leads him to do something dangerous.

Malicious Helpers

Sometimes the person offering to help you isn't merely clueless or misinformed, but is actively malicious. Yes, it's shocking but true. There are some people out there who don't have your best interests at heart. These are not likely to be found posting in open forums like mailing lists and newsgroups, but are more often lurking on chat systems like IRC or contacting users directly.

Some malicious "helpers" only do their damage when they see a likely target, seizing the opportunity as it comes. They will wait for a user to ask for help, then give advice meant to harm them, either by destroying their files or giving themselves access to the user's account. Typically they will ask the user to execute some arcane command, such as

 '/exec echo "+ +" >.rhosts'

on IRC. This would open the user's account up to anybody who wanted to rlogin or rsh in from anywhere on the Net.

Some, however, are not content to wait for their prey to come to them. They seek victims out, using whatever method they think they can get away with. Perhaps they will send forged mail from the administrator, or send a spoofed wall message to all users on the host, asking them to change their passwords to a certain string. Here is an example of such a message, using a hacker tool that spoofs wall messages:

Broadcast message from [email protected]...

Hello everybody. We're experiencing some problems with the password file (it got corrupted), and need you to help us out by changing your password to "iamlame". Wait 10 minutes and then change it back to what it was, and everything should be fixed. Thanks!

Admin

In all these cases, the predatory hacker is taking advantage of the willingness of the user to go along with what he's told, and not question whether what he's doing is wise or reasonable.

Knowing Who to Trust

With all this bad information going around, how can a user know who to trust? Well, the Internet may be somewhat of an anarchy, but it's not wholly without order. The first place a user should go is his local administrator. He knows the system, knows its ins and outs. If he has problems he knows who he can turn to for answers.

For matters less localized, there's CERT. They have FAQs, advisories and security tools for every occasion. Just point your web browser at www.cert.org.

Using Things the Wrong Way

The second major class of mistakes users make is using things the wrong way. This covers a lot of territory; administrators and system experts abound with "stupid user" stories. In this paper we'll focus on one aspect of this problem: ways users misuse their systems that make them more vulnerable to attack by hackers.

Users open themselves up to hackers in three basic areas. They use insecure channels for private acts, they extend trust too broadly, and they announce their vulnerability to the world.

Private Acts on Open Channels

The past few years have seen an explosion in the ways hackers spy on users. They "sniff" passwords of any user going through a system. They monitor the sessions of users, seeing everything the user does. They replace programs that are intended to increase security with versions that render them useless. Users need to be more aware than ever before of just how open the Internet really is.

Sniffers

One of the biggest innovations in hacker technology is the password sniffer. The idea is quite simple. Data on the Internet is broken down into packets, which are sent from one system to the next until they reach their destination. Anyone who can sit on a system anywhere along the route the packets take can sift through them looking for ones that interest him. When a user connects to a system, the first thing he must do is log in. The name of the host he's connecting to, his account name and his password are all sent in the first few packets. All the hacker needs to do is grab those first few packets and he has everything he needs to access the account.

If the users are only using their local accounts this is no problem; since the hacker needs root access to do his sniffing, he doesn't really need the passwords of local users. But many users have multiple accounts, and frequently go from one to the other as needed. This means that if the hacker and user are on host A, and the user telnets to host B, the hacker (using his sniffer) now has the user's password to host B. Now that he's on host B he can try to get root and set up a sniffer there too.

The hyper-connected nature of the Internet makes it very convenient for users to hop from system to system. But many of them never realize they're bringing along an uninvited guest.

There are ways to deal with the problem of sniffers. First, try to minimize your exposure by not telnetting from an insecure system. If you absolutely have to, log in as soon as you can by a more secure method (dialup if possible) and change your password. If security is a major concern, see if your system has s/key; if not, get your administrator to install it. S/key is a one-time password system. That means that it doesn't matter if a hacker gets your password, because it's useless the second after you've typed it. It's somewhat of a bother to use, but if you do a lot of connecting from "dirty" sites, look into it. S/key can be found at ftp://first.org/software/skey.
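Why a sniffed one-time password is worthless can be seen in the hash chain behind S/key. The sketch below is an added example, not code from the paper or from the S/key distribution. It assumes SHA-256 as a stand-in for the MD4-based function S/key itself uses, and the passphrase, seed and class names are constructed for illustration.

```python
import hashlib
import hmac

def h(data: bytes) -> bytes:
    """One step of the chain (SHA-256 here as an assumed stand-in)."""
    return hashlib.sha256(data).digest()

def otp(secret: bytes, seed: bytes, n: int) -> bytes:
    """One-time password number n: secret+seed hashed n times."""
    value = secret + seed
    for _ in range(n):
        value = h(value)
    return value

class Server:
    """Holds only the last accepted password, never the user's secret."""

    def __init__(self, initial: bytes, count: int):
        self.stored = initial   # h applied `count` times
        self.count = count

    def challenge(self) -> int:
        """Sequence number the user must answer with."""
        return self.count - 1

    def login(self, candidate: bytes) -> bool:
        if self.count <= 1:     # chain used up; must be re-initialized
            return False
        # Hashing the candidate once must reproduce the stored value.
        if not hmac.compare_digest(h(candidate), self.stored):
            return False
        self.stored = candidate  # the next login must go one step further back
        self.count -= 1
        return True

def demo():
    secret, seed = b"constructed passphrase", b"ho12345"  # constructed values
    server = Server(otp(secret, seed, 100), 100)
    sniffed = otp(secret, seed, server.challenge())  # what crosses the wire
    first = server.login(sniffed)    # legitimate login succeeds
    replay = server.login(sniffed)   # the same bytes sent again are rejected
    second = server.login(otp(secret, seed, server.challenge()))
    return first, replay, second

if __name__ == "__main__":
    print(demo())
```

The value captured on the wire only hashes forward to passwords that have already been used; producing the next one would require inverting the hash.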

Snooping Sessions

The next logical step for a hacker, once he can sniff the start of a session, is to watch the whole thing. This is a fairly recent development, at least for hackers. Put simply, a hacker with root on the same system (or even just a system on the same ethernet) as the user can not only sniff his passwords and read all his files and email, but can watch his whole session just as if he were sitting next to the user. This ability is not at all the fault of the user; however, anything confidential the user types out and the hacker sees, is. This is not to minimize the moral irresponsibility of the hacker or engage in a game of "blame the victim", but to alert users to exercise "due caution" online. If he discusses the unannounced merger with another firm in a talk session, he should understand the risk involved.

Thankfully, there is a solution to the problem of session snooping. And it's not even hard to deal with. The solution is end-to-end encryption. There are a few software packages that handle this; one of the better ones is called deslogin. Of course you need to make sure the machines at both ends of the session are clean, or else the encryption is just for show. Deslogin can be found at ftp://uu.uu.net/pub/security/des.

Logging Keys

The final area users often fail to take into account when dealing with the openness of the Net is how they manage encryption. PGP is fast becoming a standard on the Internet, and more and more credit card commerce is being done on the Web every day. If a user relies on the security of his service provider to protect his PGP key and passphrase, he might as well not bother encrypting it at all. Trojanizing an ISP's copy of PGP to log passphrases is trivial for any experienced hacker. Doing the same for credit cards on a web browser or HTTP daemon is no tougher. Encryption systems like SSL only secure the path, not the endpoints.

If it's worth encrypting, it's worth doing it right. Always use your home PC for PGP. You're frankly better off doing your credit card purchases offline for now.

Extending Unwarranted Trust

As the Internet grows more and more connected every day, the line between the local system and remote ones begins to blur. Much of this is not under the control of the user, but some of it is. Files that make accessing remote systems easier abound on the Net. For Unix shell users there's the .rhosts file. For ftp users there's .netrc. For X-Windows there's .xhosts. All of these help make the user's environment seamless, adding considerable convenience and power. But for too many users this comes at a price, security. A user that puts a "+ +" in his .rhosts or .xhosts file might as well post his password to alt.2600.

There are other extensions of trust users give unknowingly; ftp'ing the latest IRC client, not knowing that it has a trojan inside it; changing permissions on their home directory to allow others to access their home page or their .plan file, not thinking about all the other files they're also exposing. Users who assume that security is only a concern for administrators may soon find out how wrong they are.

There is no simple answer to all the vulnerabilities discussed here. Users need to carefully examine the decisions they make with their accounts, and keep their eyes out for anything unusual. Things to watch include strange files, odd behavior at login or logout, and especially notice what the system tells you your last login time was.
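A user can check his own account for the trust extensions described in this section. The audit below is an added example, not part of the original paper. It covers only .rhosts and .netrc, and the function names and the sample home directory are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

TRUST_FILES = (".rhosts", ".netrc")

def wildcard_lines(rhosts_text: str) -> list:
    """Return .rhosts entries whose host or user field is a bare '+'."""
    bad = []
    for line in rhosts_text.splitlines():
        fields = line.split()
        if fields and "+" in fields[:2]:
            bad.append(line.strip())
    return bad

def audit_home(home: Path) -> list:
    """List trust-related exposures found in one home directory."""
    findings = []
    if stat.S_IMODE(home.stat().st_mode) & stat.S_IWOTH:
        findings.append("home directory is world-writable")
    for name in TRUST_FILES:
        path = home / name
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        # These files should be private to their owner.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{name}: mode {mode:03o} lets group/other access it")
        if name == ".rhosts":
            for entry in wildcard_lines(path.read_text(errors="replace")):
                findings.append(f".rhosts: wildcard entry {entry!r}")
    return findings

def demo() -> list:
    """Audit a constructed home directory (sample data, not from the paper)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        (home / ".rhosts").write_text("trusted.example.org alice\n+ +\n")
        (home / ".netrc").write_text(
            "machine ftp.example.org login alice password placeholder\n")
        os.chmod(home / ".rhosts", 0o600)
        os.chmod(home / ".netrc", 0o644)
        return audit_home(home)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running `audit_home(Path.home())` applies the same checks to a real account.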

Broadcasting Victimhood

Sharks can smell blood in the water miles away. Hackers can smell newbies on the Net half a world away. Newbies give themselves away in so many ways. They ask questions that reveal far more about themselves than they intend, things that could be used to compromise their accounts. A question on a security newsgroup about how to choose a good password tells the hacker that if he acts quickly, he can probably guess the password in just a few tries. A request on IRC for the latest toolkit scripts could leave the user with a script that does more than he asked for.

Users need to use their heads and think before they act. Try to find the answer to the question on your own, or turn to someone you trust, like your network or system administrator.

Conclusion

Users can be their own worst enemy. Listening to bad advice, trusting the wrong people and treating their accounts and programs the wrong way will surely trip them up in the end. But they can also be their own best friend, if they use their head, get good advice and use things the way they were meant to be used.

About the Author

Sarah Gordon's work in various areas of IT Security can be found profiled in various publications including the New York Times, Computer Security Journal and Virus Bulletin. She is a frequent speaker at such diverse conferences as those sponsored by NSA/NIST/NCSC and DEFCON. Recently appointed to the Wildlist Board of Directors, she is actively involved in the development of anti-virus software test criteria and methods. She may be reached as [email protected]


