External Network Attacks

Connecting a network to an external network, especially the Internet, opens up a world of opportunities: internal users benefit from greater connectivity and faster information sharing, and adversaries gain a path by which to reach the network for their own malicious purposes.

Just as you are careful about whom you let through the door of your house, a secure network must not allow any unauthorized access. External network attacks are often made possible by insufficient Internet or extranet security.

These attacks are normally conducted by adversaries who cannot gain access to the onsite network hardware and rely on weaknesses in the security that a network uses to protect itself from the outside world.

Each type of attack tries to capitalize on a certain weakness that a network suffers. Some of the common external network attacks are password-based attacks, network traffic-based attacks, application- and virus-based attacks, messaging system-based attacks, and operating system-vulnerability attacks.

Password-Based Attacks

Most computer networks derive usernames from people's names, so an attacker who wants to penetrate a network protected by a username and password combination has only a small set of usernames to try.

Users compound the problem by choosing easy-to-remember passwords that often include the name of a significant other or a pet, or their social security number; such passwords are easy to guess and weaken the security of the whole network.

Usernames and passwords usually span a small combination of letters and numbers, which means they have low entropy. The weakness of username- and password-based authentication is further increased by the commonly known conventions used to define network usernames.

Most IT organizations use either the user's last name, or the last name prefixed with the first letter of the first name, as the network login name when they create an account. Password-based attacks capitalize on this limited entropy of both usernames and passwords.

Attackers often use a dictionary attack to conduct a password-based attack on a network, where a known set of usernames and passwords (a wordlist) is tried against a network login.

Another common attack is the brute-force attack, in which an attacker tries every possible combination of letters and numbers against a login screen. It is guaranteed to succeed eventually, but the number of guesses grows exponentially with password length, which is why a dictionary attack is normally tried first.

For example, in an imaginary network, assume that a user named Alison Brown is assigned the username abrown and chooses Brooklyn, the city she was born in, as her network login password.

An attacker finds out that the network on which Alison has an account allows her to log in over the Internet, and can guess her username from her first and last names by trying the common naming conventions.

Once the attacker has the correct username, a dictionary attack using words significant to the geography and language Alison is associated with is enough to find the password, and the attacker gains unauthorized access to the network as Alison.

It is, therefore, important to ensure that users are required to choose hard-to-guess passwords. Many organizations also require employees to change their passwords frequently to reduce the risks associated with password-based attacks. Note, however, that the direct countermeasure to online guessing is to throttle or lock out an account after a small number of failed logins, and to log those failures so that an attack in progress is noticed.
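The following is an added example (not code from the original page) that models the Alison Brown scenario in Python: it enumerates usernames from the naming conventions just described, runs a dictionary attack against a simulated login, and shows how lockout after a few failures stops the same attack. The account store, the wordlist and the lockout threshold are constructed for the example.

```python
import itertools
import string

# Constructed example account: the "abrown / Brooklyn" user from the text.
# Hypothetical in-memory store; nothing here touches a real login service.
ACCOUNTS = {"abrown": "Brooklyn"}

# Constructed wordlist built from Alison's geography, as the text describes.
WORDLIST = ["manhattan", "queens", "bronx", "yankees", "brooklyn", "Brooklyn"]


def candidate_usernames(first: str, last: str) -> list:
    """Enumerate the login-name conventions the text describes (plus two
    other common ones), lowest-effort guesses first."""
    first, last = first.lower(), last.lower()
    return [last, first[0] + last, f"{first}.{last}", first + last]


class LoginService:
    """Simulated login endpoint.

    lockout_after=None models an unprotected login that accepts unlimited
    guesses; a small integer models account lockout after that many failures.
    """

    def __init__(self, lockout_after=None):
        self.lockout_after = lockout_after
        self.failures = {}      # username -> consecutive failed attempts
        self.attempts = 0       # total guesses the attacker got to make

    def login(self, username: str, password: str) -> bool:
        self.attempts += 1
        if (self.lockout_after is not None
                and self.failures.get(username, 0) >= self.lockout_after):
            return False        # locked: refused even if the guess is right
        if ACCOUNTS.get(username) == password:
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        return False


def dictionary_attack(service: LoginService, usernames, wordlist):
    """Try every (username, word) pair against the login; return the first
    working pair, or None if the whole list is exhausted."""
    for user, word in itertools.product(usernames, wordlist):
        if service.login(user, word):
            return user, word
    return None


def brute_force_space(alphabet: str = string.ascii_lowercase, length: int = 8) -> int:
    """Worst-case number of guesses an exhaustive search of a fixed-length
    password space needs; contrast with the six entries in WORDLIST."""
    return len(alphabet) ** length


if __name__ == "__main__":
    names = candidate_usernames("Alison", "Brown")
    open_login = LoginService()
    print("no lockout:", dictionary_attack(open_login, names, WORDLIST),
          "after", open_login.attempts, "guesses")
    locked = LoginService(lockout_after=3)
    print("lockout=3: ", dictionary_attack(locked, names, WORDLIST))
    print("8 lowercase letters by brute force:", brute_force_space())
```

With no lockout the password falls on the twelfth guess; with lockout after three failures the correct guess is refused because the account is already locked, which is the event an administrator should be alerted on.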

Network Traffic-Based Attacks

Data travels from one computer to another on a network, or between networks, in small chunks called packets. On shared media, such as a hub-based LAN, a wireless network, or an early cable-modem segment, these packets are visible to every computer attached to the segment; on a switched network an attacker must first redirect traffic toward a controlled host (for example by ARP spoofing) or compromise a host that already sits in the path.

Network traffic-based attacks use this property of networks to intrude on privacy and tamper with the information on the network. Common examples of network traffic-based attacks are packet sniffing and denial-of-service (DoS) attacks.

  • Packet Sniffing

To conduct a packet-sniffing attack, an attacker uses an application program called a packet sniffer. A packet sniffer is a program that captures or intercepts the data carried in packets as they travel over the network.

For example, during the authentication phase, an attacker can sniff the data transmitted by a user's workstation. With protocols that do not encrypt the session, such as telnet, FTP, POP3, or HTTP without TLS, the sniffed data includes usernames, passwords, and proprietary information that travel over the network in cleartext.

Intruders who obtain such information with a sniffer can launch widespread attacks by impersonating an authorized user to an authentication server and gaining access to a network that they should not have.

The packet sniffer problem is complicated by the fact that the attacker needs no special standing on the network to run one. Opening an interface in promiscuous mode requires administrator privileges on modern operating systems, but an intruder who has already compromised any host on the segment, or who simply plugs a laptop into it, has all the access needed.
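As an added example (not from the original page), the Python below shows what a sniffer on a shared segment can recover: it dissects constructed Ethernet/IPv4/TCP frames and pulls cleartext credentials out of an FTP login and an HTTP Basic authorization header, while the TLS and ARP frames yield nothing. The frames, addresses and the abrown/Brooklyn credentials are constructed for the example; a real sniffer would read frames from the interface (through a raw socket or libpcap) rather than build them.

```python
import base64
import re
import struct


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample traffic
    below.  Checksums are left at zero: this is sample input, not a capture."""
    def ip4(addr: str) -> bytes:
        return bytes(int(o) for o in addr.split("."))

    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes):
    """Dissect Ethernet -> IPv4 -> TCP and return
    (src, dst, sport, dport, payload), or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # not TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


# Cleartext protocols that carry credentials where a sniffer can read them.
CRED_PATTERNS = [
    ("ftp-user",   re.compile(rb"^USER (\S+)", re.M)),
    ("ftp-pass",   re.compile(rb"^PASS (\S+)", re.M)),
    ("http-basic", re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")),
]


def extract_credentials(frames):
    """Run the patterns over each TCP payload; return a list of
    (kind, src, dst, dport, secret) tuples."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        for kind, pattern in CRED_PATTERNS:
            for m in pattern.finditer(payload):
                secret = m.group(1)
                if kind == "http-basic":
                    secret = base64.b64decode(secret)   # encoded, not encrypted
                found.append((kind, src, dst, dport, secret.decode("ascii", "replace")))
    return found


# Constructed sample traffic: Alison's workstation logging in to an FTP
# server and an intranet site, plus a TLS ClientHello start and an ARP frame.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 40001, 21, b"USER abrown\r\nPASS Brooklyn\r\n"),
    build_frame("10.0.0.5", "10.0.0.30", 40002, 80,
                b"GET /intranet/ HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
                + base64.b64encode(b"abrown:Brooklyn") + b"\r\n\r\n"),
    build_frame("10.0.0.5", "10.0.0.40", 40003, 443, bytes.fromhex("160301002a010000260303")),
    bytes.fromhex("ffffffffffff66778899aabb0806") + b"\x00" * 28,   # ARP, not IPv4
]

if __name__ == "__main__":
    for hit in extract_credentials(SAMPLE_FRAMES):
        print(hit)
```

The TLS frame carries the same kind of login to port 443, yet nothing is recovered from it; that contrast is the whole argument for encrypting authentication traffic rather than trying to keep sniffers off the segment.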

Enterprise networks often use advanced authentication mechanisms for remote network authentication and access, which include multifactor authentication and secure authentication servers.

Home users, who use digital subscriber line (DSL), cable modems, and dialup connections generally have fewer security primitives available to them than enterprise networks, and are at higher risk.

Relative to DSL and traditional dialup users, cable modem users have a higher risk of exposure to packet sniffers because entire neighborhoods of cable modem users are effectively part of the same LAN, at least on cable plants that do not encrypt traffic on the shared segment, as early deployments did not.

On such a segment, a packet sniffer installed on any cable modem user's computer in a neighborhood may be able to capture data transmitted by any other cable modem in the same neighborhood.

  • Denial of Service (DoS)

Another well-known network traffic-based attack is called a denial-of-service (DoS) attack. This type of attack causes a network computer to crash or to become so busy processing data that you are unable to use it.

An example of DoS is an attack on a Web site that keeps it so busy that requests from genuine users cannot be served. Keeping the operating system and network equipment patched prevents the class of DoS that relies on a crash-inducing bug in the target, but patches do nothing against a flood of otherwise legitimate traffic; that requires spare capacity, rate limiting, and filtering upstream of the target.

The definitive clearinghouse for security-related issues is a federally funded research and development center known as the CERT Coordination Center, or CERT/CC, operated by Carnegie Mellon University.

CERT/CC was originally called the Computer Emergency Response Team. The documents at the CERT/CC site describe denial-of-service attacks in greater detail.

Note that in addition to being the target of a DoS attack, your computer can be used as a participant in a denial-of-service attack on another system.

In such a case an attacker makes a network computer perform an act that causes a DoS attack on a third computer. Because this requires planting a program on the computer first, attacks of this nature are called application-based attacks.

Application- and Virus-Based Attacks

An attacker normally conducts application- or virus-based attacks by writing computer programs that can affect the performance of a network or an individual computer.

These programs are often transported to computers operating in a network, using email, for example, and exploit weaknesses of the computer's operating system to damage data or render the machine unusable.

Examples of such programs include Trojan horses and remote network administration programs. (A Trojan horse is not strictly a virus, since it does not replicate on its own, but it is delivered and defended against in much the same way.) Using such applications and viruses, an attacker can also use a naive user's computer to attack other computers or networks, leaving the evidence pointing at that user.

  • Trojan Horse Viruses

Trojan horse programs are a common way for intruders to trick an authorized computer user into installing backdoor programs. These back doors can give intruders easy access to your computer without your knowledge, let them change your system configuration, or infect your computer with a virus.

More information about Trojan horses can be found at www.cert.org.

  • Remote Administration Programs

Many operating systems provide remote management of network resources and identities. Though these facilities are very helpful to system administrators, the same mechanisms provide a back door for attackers to gain control over an entire network.

For example, on Windows computers, three tools commonly used by intruders to gain remote access to your computer are Back Orifice, Netbus, and SubSeven.

These back door or remote administration programs, once installed, allow other people to access and control your computer. Back Orifice is one of the prime examples of such remote administration programs; the CERT/CC site (www.cert.org) documents it in more detail.

  • Being an Intermediary for Another Attack

Intruders frequently use compromised computers (those that have been successfully attacked and are under the control of an intruder) as launching pads for attacking other systems. An example of this is how distributed DoS tools are used.

The intruders install an agent (frequently through a Trojan horse program) that runs on the compromised computer and awaits further instructions.

Then, when a number of agents are running on different computers, a single handler can instruct all of them to launch a DoS attack on another system.

Thus, the end target of the attack is not your own computer, but someone else's—your computer is just a convenient tool in a larger attack. To ensure that a network is secure from such attacks, network users should be discouraged from using programs that are not obtained from a recognized source.

Likewise, all users should be requested to report any strange network behavior to the network administrators, and antivirus software should be run on computers participating in a network on a routine basis.

Messaging System-Based Attacks

For malicious code to execute on a computer in a network, it must first arrive at the computer from the attacker. The easiest mechanism available to an attacker is a messaging system, including email and chat programs.

  • Email Attachment-Borne Viruses

Viruses and other types of malicious code are often spread as attachments to email messages. Hackers send out emails containing computer viruses to the users on a network that they want to attack.

These attachments are normally executable programs that the user must run in order to see the promised content. It is not enough that the mail originated from an address you recognize.

The Melissa virus spread precisely because it originated from a familiar address. Also, malicious code might be distributed in amusing or enticing programs. Many recent viruses use these social engineering techniques to spread.

It is a good idea never to run a program unless you know it to be authored by a person or company that you trust. Also, do not send programs of unknown origin to your friends or coworkers simply because they are amusing—they might contain a Trojan horse program.

All inbound and outbound email should be scanned for viral content, and any message thought to contain a virus should be quarantined immediately, so that it never reaches the user's mailbox but remains available to the administrators for analysis.

  • Email Spoofing or Email Forging

Email spoofing is when an email message appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Spoofed email can range from harmless pranks to social engineering ploys. Examples of the latter include email claiming to be from a system administrator requesting users to change their passwords to a specified string and threatening to suspend their account if they do not comply.

Another example is email claiming to be from a person in authority that requests users to send a copy of a password file or other sensitive information.

Note that service providers may occasionally request that you change your password, but they usually will not specify what you should change it to.

Also, most legitimate service providers would never ask you to send them any password information via email. If you suspect that you have received a spoofed email from someone with malicious intent, do not reply to it or follow its instructions; contact your service provider's support personnel immediately, using a phone number or address you already know rather than one given in the message.
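The header inspection a practitioner performs on a suspected spoof, as an added Python example that is not part of the original text: it parses two constructed messages, one forged and one legitimate, and reports where the visible From: address disagrees with the envelope sender, the Reply-To address, and the host that actually handed the message to our mail exchanger, and whether the body dictates or asks for a password as described above. Hosts, addresses and message bodies are hypothetical.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a forged "IT Administrator" message of the kind the
# text describes.  Hosts and addresses are hypothetical.
SPOOFED = b"""\
Return-Path: <bounce@mailer-zz.example.net>
Received: from mailer-zz.example.net (203.0.113.7) by mx.example.com with SMTP; Mon, 1 Jan 2001 10:00:00 +0000
From: "IT Administrator" <admin@example.com>
Reply-To: helpdesk@mailer-zz.example.net
To: abrown@example.com
Subject: Mandatory password reset

Your account will be suspended unless you change your password to Welcome123 today.
"""

# Constructed sample of a legitimate notice from the same organization.
LEGITIMATE = b"""\
Return-Path: <admin@example.com>
Received: from mail.example.com (10.0.0.25) by mx.example.com with SMTP; Mon, 1 Jan 2001 10:05:00 +0000
From: "IT Administrator" <admin@example.com>
To: abrown@example.com
Subject: Password expiry

Your password expires on Friday. Please choose a new one at the internal portal.
"""

PASSWORD_DEMANDS = [
    re.compile(r"change your password to\s*:?\s*\S+", re.I),   # dictates the new value
    re.compile(r"\bsend\b.{0,60}\bpassword", re.I | re.S),      # asks for a password
]


def domain_of(header_value) -> str:
    """Domain part of the first address in a header value (empty if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def first_hop_host(msg) -> str:
    """Host named in the topmost Received: line, i.e. the one added by our
    own mail exchanger, which is the only hop an outsider cannot forge."""
    received = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", str(received[0])) if received else None
    return m.group(1).lower() if m else ""


def spoof_indicators(raw: bytes) -> list:
    """Return the header and body inconsistencies that suggest the visible
    From: address is not where the message really came from."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = domain_of(msg["From"])
    hits = []
    if domain_of(msg["Return-Path"]) != from_dom:
        hits.append("return-path-mismatch")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        hits.append("reply-to-mismatch")
    hop = first_hop_host(msg)
    if hop and hop != from_dom and not hop.endswith("." + from_dom):
        hits.append("first-hop-mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if any(p.search(text) for p in PASSWORD_DEMANDS):
        hits.append("password-demand")
    return hits


if __name__ == "__main__":
    print("spoofed:   ", spoof_indicators(SPOOFED))
    print("legitimate:", spoof_indicators(LEGITIMATE))
```

Only the topmost Received: line, the one written by your own mail exchanger, can be trusted; lower ones can be forged just like From:. The indicators are heuristics for deciding what to escalate to the service provider, not proof of forgery on their own.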

  • Internet Chat Programs

Internet chat applications, such as instant messaging applications and Internet Relay Chat (IRC) networks, provide a mechanism for information to be transmitted bidirectionally between computers on the Internet.

Chat clients provide groups of individuals with the means to exchange dialog, Web URLs, and in many cases, files of any type. Because many chat clients allow for the exchange of executable code, they present risks similar to those of email clients.

As with email clients, care should be taken to limit the chat client's ability to execute downloaded files. As always, you should be wary of exchanging files with unknown parties.

Operating System-Vulnerability Attacks

Besides application- and network architecture-based attacks, computer operating systems themselves may provide an easy point of attack. These weaknesses are generally convenience features that were designed without adequate security controls, or that ship enabled by default without authentication.

  • Unauthenticated File-Sharing

Most networks are equipped with file servers that enable file and directory sharing among users. File servers are normally equipped with reasonable access controls to deter attacks.

On the other hand, most individual workstations on a network also provide file sharing, and those shares are normally not secured by network-wide ACLs; many are exported with no password or a weak one. These unprotected shared directories are vulnerable to attacks by external users.

For example, intruders can exploit unprotected Windows networking shares in an automated way to place tools on large numbers of Windows-based computers attached to the Internet.

Because site security on the Internet is interdependent, a compromised computer not only creates problems for the computer's owner, but it is also a threat to other sites on the Internet.

The greater immediate risk to the Internet community is the potentially large number of computers attached to the Internet with unprotected Windows networking shares combined with distributed attack tools such as Trojan horse applications.

  • Web Browser and Mobile Code (Java/JavaScript/ActiveX)

Web browsers have opened up a new arena for hackers and virus developers. A client browsing on the Internet may accidentally execute a program that can have serious negative effects on the computer and the network.

There have been reports of problems with mobile code (for example, Java applets, JavaScript, and ActiveX controls). Java and JavaScript are programming languages, and ActiveX is a component technology, that let Web developers write code which is executed by your Web browser.

Although the code is generally useful, it can be used by intruders to gather information (such as which Web sites you visit) or to run malicious code on your computer. It is possible to disable Java, JavaScript, and ActiveX in your Web browser.

We recommend that you do so if you are browsing Web sites that you are not familiar with or do not trust. Also be aware of the risks involved in the use of mobile code within email programs.

Many email programs use the same code as Web browsers to display HTML. Thus, vulnerabilities that affect Java, JavaScript, and ActiveX are often applicable to email as well as to Web pages.

  • Hidden File Extensions

Many operating systems use filename extensions to distinguish one type of file from another. Microsoft Windows uses the extension (traditionally three letters) to decide which program opens a file.

For example, backup.exe would be taken, as its name suggests, to be an application program that performs backup operations. Windows contains an option to "Hide file extensions for known file types."

The option is enabled by default, but a user may disable it in order to have Windows display file extensions. Many email-borne viruses are known to exploit hidden file extensions.

The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm, which carried an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs."

With extensions hidden, the user sees "LOVE-LETTER-FOR-YOU.TXT," takes it for a text file, and double-clicks the icon to open the document; but since it is a script written in VBScript, Windows runs it, and the worm sends itself to every contact in the user's Microsoft Outlook address book.
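An added Python example (not the page's own code) that covers both the attachment-scanning advice in the messaging section and the hidden-extension problem: it reproduces what Explorer would display for an attachment name with extensions hidden, classifies names by the extension that actually determines how Windows handles them, and flags document-looking names with an executable real extension, including the LOVE-LETTER-FOR-YOU.TXT.vbs case. The extension sets and sample names are constructed and not exhaustive.

```python
# Extensions that Windows will execute or hand to a script engine on a
# double-click.  Constructed list, not exhaustive; extend it for your site.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "scr", "pif", "msi", "hta", "lnk", "reg",
    "vbs", "vbe", "js", "jse", "wsf", "wsh",
}
# Extensions a user would expect to open as a document or image.
DOCUMENT_EXTS = {"txt", "doc", "xls", "ppt", "rtf", "pdf",
                 "jpg", "jpeg", "gif", "png", "htm", "html"}


def extensions(filename: str) -> list:
    """All dotted extensions of a name, lowercased.  Trailing dots and spaces,
    which Windows silently strips, are removed first so 'evil.txt.exe .'
    still reads as an .exe."""
    name = filename.lower().rstrip(" .")
    return [p.strip() for p in name.split(".")[1:]]


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide file extensions for known file types'
    on: the last known extension disappears, so a double extension looks
    like an ordinary document."""
    exts = extensions(filename)
    if exts and exts[-1] in EXECUTABLE_EXTS | DOCUMENT_EXTS:
        return filename.rstrip(" .").rsplit(".", 1)[0]
    return filename


def classify_attachment(filename: str) -> tuple:
    """Return (verdict, reason): 'block' for anything that would run as
    code, 'allow' for known document types, 'review' for everything else."""
    exts = extensions(filename)
    if not exts:
        return "review", "no extension"
    real = exts[-1]
    if real in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
            return "block", f"double extension: shown as .{exts[-2]} but runs as .{real}"
        return "block", f"executable type .{real}"
    if real in DOCUMENT_EXTS:
        return "allow", f"document type .{real}"
    return "review", f"unknown type .{real}"


def scan_attachments(filenames) -> dict:
    """Gateway-style pass over one message's attachment names: returns the
    names that must be stripped or quarantined, with the reason for each."""
    blocked = {}
    for name in filenames:
        verdict, reason = classify_attachment(name)
        if verdict == "block":
            blocked[name] = reason
    return blocked


if __name__ == "__main__":
    # Constructed attachment names; the first is the one the text describes.
    for f in ["LOVE-LETTER-FOR-YOU.TXT.vbs", "backup.exe",
              "quarterly-report.pdf", "notes.xyz", "evil.txt.exe ."]:
        print(f"{f!r:32} shown as {displayed_name(f)!r:28} -> {classify_attachment(f)}")
```

The decision is made on the last extension, never on the one the user can see; a gateway that blocks on the real type does not depend on users noticing that an extension was hidden.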

Securing a Network from External Attacks

Authentication policies must be strongly enforced. Users must be discouraged from sharing passwords with other individuals, and users should be asked to choose passwords that are hard to guess.

Antivirus software should be properly installed and run on all computers, and its signatures should be updated frequently so that new viruses are detected.

When connecting a private LAN to an external network, the computers that must be reachable from outside (public Web and mail servers, for instance) should be placed in a demilitarized zone (DMZ). A DMZ is the part of the network that is directly connected to an external network or the Internet.

Computers in the DMZ are at the highest risk of being hacked into and attacked, so they should be connected to the private LAN only through firewalls and filtering routers. Firewalls ensure that only specific, authorized computers in the DMZ or the outer network can reach specific services on the private LAN.

Firewalls are network devices that enforce a traffic policy, normally denying everything from outside the network and permitting only the explicitly listed exceptions. Routers with access control lists ensure that only traffic addressed to the private network, on the permitted ports, flows from the DMZ to the private LAN.

Both firewalls and routers are normally installed so that they filter and log both inbound and outbound (from the private LAN to the DMZ or the Internet) traffic. This ensures that no one from outside can access the computers inside the private LAN, and also that no one from inside, including a compromised host, can engage in activities that are not permitted, such as calling out to an attacker's handler.
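An added Python example, not from the original page, of the DMZ policy just described as a first-match, default-deny rule set evaluated over sample flows: the Internet reaches only the public web server, only that web server reaches the internal database, and a compromised DMZ host can reach neither the rest of the LAN nor an outside handler. The address ranges, hosts and ports are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical address plan (documentation ranges, not a real deployment).
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
LAN = ipaddress.ip_network("10.0.0.0/8")
WEB = ipaddress.ip_network("192.0.2.10/32")   # public web server in the DMZ
DB = ipaddress.ip_network("10.1.1.5/32")      # database on the private LAN


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None = any port
    note: str


# First match wins; a flow that matches nothing is denied.
RULES = [
    Rule("allow", INTERNET, WEB, 443, "public web server is the only exposed host"),
    Rule("allow", WEB, DB, 5432, "web tier may reach the database, nothing else"),
    Rule("deny", DMZ, LAN, None, "no other DMZ-to-LAN traffic"),
    Rule("allow", LAN, DMZ, 22, "admins manage DMZ hosts over SSH"),
    Rule("allow", LAN, INTERNET, 443, "outbound browsing"),
]


def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Return (action, note) for a flow, applying first-match and default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if s in rule.src and d in rule.dst and rule.dport in (None, dport):
            return rule.action, rule.note
    return "deny", "default deny"


def check_policy(flows) -> list:
    """Evaluate (src, dst, port, expected_action) tuples and return the ones
    whose result differs from the intent, for regression-testing rule changes."""
    return [(s, d, p, evaluate(s, d, p)) for s, d, p, want in flows
            if evaluate(s, d, p)[0] != want]


# Constructed flows expressing the intent of the text; 203.0.113.9 plays the
# Internet, 192.0.2.11 a second (assumed compromised) DMZ host.
INTENDED_FLOWS = [
    ("203.0.113.9", "192.0.2.10", 443, "allow"),   # public web access
    ("203.0.113.9", "192.0.2.10", 22, "deny"),     # no SSH from outside
    ("203.0.113.9", "10.1.1.5", 5432, "deny"),     # Internet never reaches LAN
    ("192.0.2.10", "10.1.1.5", 5432, "allow"),     # web tier to database
    ("192.0.2.10", "10.1.1.5", 22, "deny"),        # web tier cannot SSH inward
    ("192.0.2.11", "10.1.1.5", 5432, "deny"),      # other DMZ host cannot reach DB
    ("192.0.2.10", "203.0.113.9", 6667, "deny"),   # no callbacks to a handler
    ("10.0.0.7", "192.0.2.10", 22, "allow"),       # admin into the DMZ
    ("10.0.0.7", "203.0.113.9", 443, "allow"),     # user browsing out
]

if __name__ == "__main__":
    for s, d, p, want in INTENDED_FLOWS:
        print(f"{s:>12} -> {d:<12} :{p:<5} {evaluate(s, d, p)}")
    print("violations:", check_policy(INTENDED_FLOWS))
```

Writing the intended flows down as (src, dst, port, expected) and running check_policy after every rule change is the cheapest regression test for a firewall policy; the same list can be replayed against the real device with its own tooling.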

LAN connections to external networks must be provided through a reliable and trusted link. For example, if a LAN is connected to the Internet, the company providing the Internet connection must be trustworthy.

The history and security policies of the ISP should be carefully reviewed to ensure that your data would be safe when moving through their infrastructure. The least possible exposure of the private LAN should be allowed. Only those computers that are required to be accessible from the Internet should be exposed.