Security: Security in a wireless world

Just because most of your users are wireless doesn’t mean they need to operate unsecured.

John Vacca

Adapted from “Computer and Information Security Handbook” (Elsevier Science & Technology books).

Do you think much about the time you spend using a coffee shop’s free Wi-Fi signal to surf, check your e-mail or update your Facebook page? Probably not. But these days, the person sitting next to you quietly sipping her coffee and working away on her laptop can sit back and watch what Web sites you’ve visited, then assume your identity and log on to the sites you visited. How?

A free program called Firesheep can grab from your Web browser the cookies for each site you visit. Those cookies contain identifying information about your computer and site settings for each site you’ve visited, plus your customized private information for each site. Once Firesheep grabs that cookie, a malicious user can use it to log on to sites as you and, in some cases, gain full access to your accounts.

You may be asking yourself, “So what does this have to do with my network?” If the unsuspecting user is wirelessly completing a sales transaction or bank transfer when software like Firesheep snatches the browser cookie, the hacker can log back into your site as the compromised user and drain the user’s account.
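Firesheep works because the session cookie travels over plain HTTP; the standard defence on the server side is to serve the site over HTTPS and mark the cookie Secure (with HttpOnly and SameSite as further hardening). The audit below is an added example, not code from the article or its author; it parses Set-Cookie headers and reports which protective attributes are missing, using constructed sample headers.

```python
"""Audit Set-Cookie headers for the attributes that blunt Firesheep-style
theft: Secure keeps the cookie off plain-HTTP connections an open Wi-Fi sniffer
can read, HttpOnly hides it from page scripts, SameSite limits cross-site replay."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class CookieReport:
    name: str
    secure: bool
    http_only: bool
    same_site: Optional[str]
    problems: List[str] = field(default_factory=list)

def audit_set_cookie(header: str) -> CookieReport:
    """Parse one Set-Cookie header value and flag weak attribute settings."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()  # flag attributes map to ""
    report = CookieReport(name, "secure" in attrs, "httponly" in attrs, attrs.get("samesite"))
    if not report.secure:
        report.problems.append("no Secure: sent over plain HTTP, readable by a sniffer")
    if not report.http_only:
        report.problems.append("no HttpOnly: readable by scripts injected into the page")
    if report.same_site is None:
        report.problems.append("no SameSite: sent along with cross-site requests")
    return report

# Constructed headers: the first is the kind of session cookie Firesheep could
# replay; the second is the hardened form a site should emit over HTTPS.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/",
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

def weak_cookie_names(headers: List[str]) -> List[str]:
    """Names of cookies in the given headers that carry at least one problem."""
    return [r.name for r in map(audit_set_cookie, headers) if r.problems]
```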

Previously, only the most experienced and savvy hackers with expensive tools and plenty of time could do much damage to secured networks. Like professional thieves with custom-made lock picks, hackers today can obtain a frightening array of tools to covertly test your network for weak spots.

These tools range from simple password-stealing malware and keystroke recorders (loggers) to methods of implanting sophisticated parasitic software strings that copy data streams coming in from customers who want to perform an e-commerce transaction with your company. Some of the more widely used tools include:

  • Wireless sniffers: These devices can not only locate wireless signals within a certain range, they can siphon off the data being transmitted over the signals. With the rise in popularity of remote wireless devices, this practice is increasingly responsible for the loss of critical data and represents a significant headache for IT departments.
  • Packet sniffers: Once planted in a network data stream, these tools passively analyze data packets moving in and out of a network interface. Other utilities capture data packets passing through a network interface.
  • Port scanners: A good analogy for these utilities is a thief casing a neighborhood, looking for an open or unlocked door. These utilities send out successive, sequential connection requests to a target system’s ports to see which one responds or is open to the request. Some port scanners let the hacker slow the rate of port scanning—sending connection requests over a longer period of time—so the intrusion attempt is less likely to be noticed. The usual targets of these devices are old, forgotten “backdoors,” or ports inadvertently left unguarded after network modifications.
  • Port knocking: Sometimes network administrators create a secret backdoor method of getting through firewall-protected ports—a secret knock that lets them quickly access the network. Port-knocking tools find these unprotected entries and implant a Trojan horse that listens to network traffic for evidence of that secret knock.
  • Keystroke loggers: These are spyware utilities planted on vulnerable systems that record a user’s keystrokes. Obviously, when someone can sit back and record every keystroke a user makes, it doesn’t take long to obtain important log-on information such as usernames, passwords and ID numbers.
  • Remote administration tools: These programs are embedded on an unsuspecting user’s system and let the hacker take control of that system.
  • Network scanners: These explore networks to see the number and kind of host systems on a network, the services available, the host’s OS, and the type of packet filtering or firewalls being used.
  • Password crackers: These sniff networks for data streams associated with passwords, then employ a brute-force method of peeling away any encryption layers protecting those passwords.

Bots for sale

Three years ago, bots were an emerging threat. Now, organized cyber criminals have begun to create and sell kits on the open market that inexperienced non-programming hackers can use to create their own botnets. They offer a wide variety of easy-to-use (or pre-programmed) modules that specifically target the most lucrative technologies. They often include a management console that can control every infected system and interrogate bot-infected machines. Zeus kit modules are available that help users create viruses that mutate every time they’re implanted in a new host system.

So what are bots? Bots are also known as Internet bots, Web robots or WWW robots. They’re small software applications running automated tasks over the Internet. Usually, they run simple tasks that a human would otherwise have to perform, but at a much faster rate.

When used maliciously, they’re essentially a virus. They get surreptitiously planted in large numbers of unprotected computers. They hijack those computers, usually without the owners’ knowledge, and turn them into slaves to do the cracker’s bidding. These compromised computers, known as bots, are linked in vast and usually untraceable networks called botnets. Botnets are designed to operate in such a way that instructions come from a central PC and are rapidly shared among other “botted” computers in the network.

Newer botnets now use a “peer-to-peer” method that, because it lacks a central identifiable point of control, makes them difficult if not impossible for law enforcement agencies to pinpoint. Because they often cross international boundaries into countries without the means to investigate and shut them down, they can grow with alarming speed. They have become so lucrative that they’re now a hacker’s tool of choice.

There are all kinds of bots. There are bots that harvest e-mail addresses (spambots); viruses and worms; filename modifiers; bots to buy up large numbers of concert seats; and bots that work together in botnets, or coordinated attacks on networked computers. Botnets exist largely because of the number of users who fail to observe basic principles of computer security, such as installing and updating antivirus software, running regular scans for suspicious code, and so on. In doing so, those users become unwitting accomplices.

Once taken over and botted, machines are turned into channels through which large volumes of unwanted spam or malicious code can be quickly distributed. Current estimates are that of the 800 million computers on the Internet, up to 40 percent are bots controlled by cyber thieves using them to spread new viruses, send out unwanted spam e-mail, overwhelm Web sites in Denial-of-Service (DoS) attacks, or siphon off sensitive user data from banking or shopping Web sites that look and act like legitimate sites with which customers have previously done business.

Bot controllers, also called herders, can also make money by leasing their networks to others who need a large and untraceable means of sending out massive amounts of advertisements, but don’t have the financial or technical resources to create their own networks. Making matters worse is the fact that botnet technology is available on the Internet for less than $100. This makes it relatively easy to get started in what can be an extremely lucrative business.

Symptoms of intrusion

Merely being on the Web puts a target on your back. It’s only a matter of time before you experience your first attack. It could be something as innocent looking as several failed login attempts or as obvious as an attacker having defaced your Web site or crippled your network. It’s important that you go into this knowing you’re vulnerable.

Hackers are going to first look for known weaknesses in the OS or any applications you’re using. Next, they’ll start probing, looking for holes, open ports or forgotten backdoors—faults in your security posture they can quickly or easily exploit.

Arguably one of the most common symptoms of an intrusion—either attempted or successful—is repeated signs that someone is trying to take advantage of your organization’s own security systems. The tools you use to keep watch for suspicious network activity may actually be used against you quite effectively. Tools such as network security and file integrity scanners, which can be invaluable in helping you conduct ongoing assessments of your network’s vulnerability, are also available and can be used by hackers looking for a way into your network.

Large numbers of unsuccessful login attempts are also a good indicator your system has been targeted. You can configure penetration-testing tools with attempt thresholds that, when exceeded, will trigger an alert. They can passively distinguish between legitimate and suspicious activity of a repetitive nature, monitor the time intervals between activities (alerting you when the number exceeds the threshold you set), and build a database of signatures seen multiple times over a given period.

The “human element” (your users) is a constant factor in your network operations. Users will frequently enter a mistyped response but usually correct the error on the next try. However, a sequence of mistyped commands or incorrect login responses (with attempts to recover or reuse them) can be a sign of brute-force intrusion attempts.
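The threshold-and-interval alert described in the two paragraphs above, as an added example rather than code from the article: it counts failed logins per source address inside a sliding time window and raises an alert only when a source crosses the threshold, so the single mistyped password that a legitimate user corrects on the next try stays quiet. The log lines are constructed in sshd's format; the regex, threshold and window are assumptions you would tune to your own logs.

```python
"""Flag sources whose failed logins exceed a threshold inside a time window,
the 'attempt threshold' alert described above. Sample lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)"
)

# Constructed sshd-style lines: one host hammered from 203.0.113.7, and a
# legitimate user at 198.51.100.4 who mistypes once and then gets in.
SAMPLE_LOG = [
    "Mar 12 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4422 ssh2",
    "Mar 12 10:00:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 4423 ssh2",
    "Mar 12 10:00:05 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 4424 ssh2",
    "Mar 12 10:00:07 web1 sshd[2204]: Failed password for root from 203.0.113.7 port 4425 ssh2",
    "Mar 12 10:00:09 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 4426 ssh2",
    "Mar 12 10:00:11 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 4427 ssh2",
    "Mar 12 10:00:30 web1 sshd[2210]: Failed password for alice from 198.51.100.4 port 50120 ssh2",
    "Mar 12 10:00:41 web1 sshd[2210]: Accepted password for alice from 198.51.100.4 port 50120 ssh2",
]

def parse(line, year=2011):
    """Return (timestamp, failed?, user, src) for an auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"] == "Failed", m["user"], m["src"]

def brute_force_sources(lines, threshold=5, window_s=60):
    """Map each source that reached `threshold` failures within `window_s`
    seconds to the timestamp at which it first crossed the line."""
    recent = defaultdict(deque)   # src -> timestamps of failures still in window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None or not rec[1]:
            continue                # unrelated line or a successful login
        ts, _, _, src = rec
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop failures older than the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```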

Packet inconsistencies—direction (inbound or outbound), originating address or location, and session characteristics (ingoing sessions versus outgoing sessions)—can also be good indicators of an attack. If a packet has an unusual source or has been addressed to an abnormal port, such as an inconsistent service request, it could be a sign of random system scanning. Packets coming from the outside that have local network addresses and request services on the inside can be a sign of an IP spoof attempt.
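The packet checks above, carried into code as an added example that is not part of the article: an inbound packet whose source is one of our own internal ranges is treated as a spoof sign, a request to a port with no service behind it as a possible scan, and one source sweeping many distinct ports as a port scan in the sense of the earlier list. The internal ranges, the expected service ports and the packet records are all constructed assumptions.

```python
"""Check inbound packet records for the inconsistencies described above: an
internal source address arriving on the outside interface (IP spoof sign),
requests to ports with no service behind them, and one source sweeping many
ports (scan sign). Ranges, service list and sample packets are constructed."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
EXPECTED_SERVICES = {80, 443}  # the only ports the perimeter is meant to serve

class Packet(NamedTuple):
    direction: str  # "in" = arrived on the outside interface, "out" = leaving
    src: str
    dst: str
    dport: int

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(pkt: Packet) -> List[str]:
    """Findings for one packet; outbound traffic is not judged here."""
    findings = []
    if pkt.direction != "in":
        return findings
    if is_internal(pkt.src):
        findings.append("spoof: internal source address arrived from outside")
    if pkt.dport not in EXPECTED_SERVICES:
        findings.append(f"unexpected-port: request to port {pkt.dport}")
    return findings

def scan_sources(packets: List[Packet], min_ports: int = 5) -> Dict[str, int]:
    """Sources that touched at least min_ports distinct inbound ports."""
    ports = defaultdict(set)
    for p in packets:
        if p.direction == "in":
            ports[p.src].add(p.dport)
    return {src: len(s) for src, s in ports.items() if len(s) >= min_ports}

# Constructed sample: a normal HTTPS client, a spoofed internal source, an
# outbound packet that is ignored, and a sequential sweep of low ports.
SAMPLE_PACKETS = [Packet("in", "203.0.113.9", "192.168.1.10", 443),
                  Packet("in", "10.0.0.5", "192.168.1.10", 80),
                  Packet("out", "192.168.1.20", "203.0.113.9", 443)]
SAMPLE_PACKETS += [Packet("in", "198.51.100.77", "192.168.1.10", p)
                   for p in (21, 22, 23, 25, 110, 143)]
```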

Sometimes odd or unexpected system behavior is itself a sign. Though this is sometimes difficult to track, you should be aware of activity such as changes to system clocks, servers going down or server processes inexplicably stopping (with system restart attempts), system resource issues (such as unusually high CPU activity or overflows in file systems), audit logs behaving in strange ways (decreasing in size without administrator intervention), or unexpected user access to resources. You should investigate any and all unusual activity, including heavy system use (a possible DoS attack) or high CPU use (brute-force password-cracking attempts) that recurs at regular times on given days.

What can you do?

It goes without saying that the most secure network—the one that has the least chance of being compromised—is the one that has no direct connection to the outside world. That’s hardly a practical solution, though, as the whole reason you have a Web presence is to do business. And in the game of Internet commerce, your biggest concern isn’t the sheep coming in, but the wolves dressed like sheep coming in with them. So, how do you strike an acceptable balance between keeping your network intrusion-free and keeping it accessible at the same time?

You walk a fine line between network security and user needs. You have to have a good defensive posture that still allows for access. Users and customers can be both the lifeblood of your business and its greatest potential source of infection. Furthermore, if your business thrives on allowing user access, you have no choice but to let them in. It seems like a monumentally difficult task at best.

Every defensive measure you put up will eventually be compromised by the legions of motivated thieves looking to get in. It’s a game of move and countermove. You adjust, they adapt. So you have to start with defenses that can quickly and effectively adapt and change as the outside threats adapt.

First and foremost, you need to ensure your perimeter defenses are as strong as possible. That means keeping up with the rapidly evolving threats around you. The days of relying solely on a firewall that simply does firewall functions are gone. Today’s hackers have figured out how to bypass the firewall by exploiting weaknesses in applications themselves.

Simply being reactive to hits and intrusions isn’t a very good option, either. That’s like standing there waiting for someone to hit you before deciding what to do. You need to be flexible in your approach to the newest technologies, constantly auditing your defenses to ensure that your network’s defensive armor can meet the latest threat. You have to have a dynamic and effective policy of constantly monitoring for suspicious activities. And when you find them, you have to quickly deal with them so someone doesn’t slip something past without your notice. Once that happens, it’s too late.

Another crucial ingredient: You have to educate your users. No matter how good a job you’ve done at tightening up your network security processes and systems, you still have to deal with the weakest link in your armor—your users.

It doesn’t do any good to have bulletproof processes in place if they’re so difficult to manage that users work around them to avoid the difficulty, or if they’re so loosely configured that a casually surfing user who visits an infected site will pass that infection along to your network. The degree of difficulty in securing your network increases dramatically as the number of users goes up.

User education becomes particularly important where mobile computing is concerned. Losing a device, using it in a place (or manner) in which prying eyes can see passwords or data, awareness of hacking tools specifically designed to sniff wireless signals for data, and logging on to unsecured networks are all potential problem areas with which users need to be familiar.

You can also set up decoys—sort of the sacrificial lamb—as bait. These are also known as “honey pots.” These userless networks are specifically set up to draw in an attacker and gain valuable data on the methods, tools and any new malware they might be using.

As you can see, establishing an effective security posture means putting in place the proper infrastructure elements, maintaining vigilance in watching over your networks, and constantly educating and keeping an eye on your users.

John Vacca

John Vacca is an information technology consultant, professional writer, editor, reviewer and internationally known best-selling author based in Pomeroy, Ohio. He has authored more than 50 titles in the areas of advanced storage, computer security and aerospace technology. Vacca was also a configuration management specialist, computer specialist, and the computer security official (CSO) for NASA’s space station program (Freedom) and the International Space Station Program from 1988 until his retirement from NASA in 1995.
