The trouble with networked computers is not a great army of skilled crackers toiling night and day to penetrate and misuse your systems. There is no great army of skilled crackers. It takes only a small number of skilled people to find exploits, then write cracking tools that any halfwit script kiddie can download and use.
Security will always be reactive. You're on the job, trying to do something useful. They are thinking of nothing but how to wreak havoc. The best defense is to know your network inside out, and to acquire a deep understanding of how things work. We'll always be playing catch-up, but a little creative thinking can reap big benefits. Today's theme: Exploring The Obvious. I know, much of this will be old hat to you. I'll wager there are people in your sphere who believe things better when they are in print, so here they are.
Giving Away The Store
It takes a lot of skill and persistence to discover weaknesses in software, and to figure out how to use those weaknesses to penetrate and take control of a system. Most times it's not necessary- the common analogy is why try to pick the sophisticated lock on the front door, when the back and side doors are wide open?
Take a survey of all the information on your company and systems that is publicly available. Truly amazing what a person can find from the comfort of their PC. Start with WHOIS. Seems benign enough- contact persons, with mailing address, maybe email, telephone, and fax. Those phone numbers are choice morsels for targeting a range of numbers to wardial, trolling for modems. Sometimes this leaks over to your neighboring businesses. A common option for small businesses that cannot afford their own dedicated PBX is to use a shared system. So an entire office building or business park will share a predictable range of numbers.
Even more helpful is posting company directories publicly.
Another weakness is lazy administration. In the last office I rented, every new phone extension on the shared PBX had the same default password. If the user didn't change it- well, even a junior phone phreak won't take more than a minute or two to exploit this for free long-distance, eavesdropping, and other mischief.
Speaking of people, what is the weakest link in any security scheme? Bingo! People! Kevin Mitnick wasn't such a great technical genius, he was a good con man. His technique for getting account information from people was devilish: he asked. There's that ole WHOIS again, naming names. A voice on the phone to one of your users, a guy with a name tag, a spoofed email will likely be accepted without question. A lot of times having the right name isn't even necessary, nobody knows from nuthin' in a large company.
Googling For Holes
The real fun starts on the Internet. More than one of my clients about died of shock when they saw what was out there about them. Start with Google Groups. Do a simple search on your company name. Make sure you're sitting down. You may find:
- Leet haxorz sharing exploits and giggles at your expense
- Your own intemperate posts, still there for all to see years later. This is the "Haunted By the Ghosts of Usenet Past" syndrome
- Customers complaining about you
- Employees using their real names, and company name, saying all sorts of incautious things
After your pulse and respiration return to normal, you'll realize this is a valuable source of information. Just another monitoring tool. Sometimes the first knowledge of a successful intrusion comes from this kind of search. Once an exploit is made, the news will spread far and wide, with bragging and insults.
Forums and mail lists are standard components in any sysadmin's toolkit, they are vital for getting answers. But have a clue- signing on with real names is foolish. The world does not need to know the real identity of the inexperienced person with the unpatched, faulty system. That's rolling out the welcome mat to the wrong people.
Other things to look for are press releases and news articles that give away too much. It's really amazing what people who should know better blab to the world. It is unnecessary to give away technical details of your network infrastructure.
Web, FTP, Email
I am an advocate of deceitful banners. If you don't want to lie, just omit information. Here is a typical Apache banner:
The requested URL /foo was not found on this server.
Apache/2.0.43 Server at www.foo.org Port 80
Now really. This tells an attacker too much, never reveal version information. Don't even need to be some kind of ace cracker using obscure command-line tools- just type a bad URL in a browser. There are other ways to get this information, but you might as well make them work for it. Some Apache admins like to have a little fun with spoofed banners:
The requested URL /foo was not found on this server.
Microsoft IIS/4.0 Server at www.foo.com Port 80
While some find this funny, it may invite a barrage of IIS-targeted attacks on your server. Which are still infesting the Internet in large numbers, so maybe it doesn't matter anyway.
Look what telnet can dig up with bad commands:
$ telnet www.foo.com 80
HTTP/1.1 400 Bad Request
Date: Tue, 26 Nov 2002 18:31:03 GMT
Server: Apache/1.3.23 (Unix) (Red-Hat/Linux) mod_ssl/2.8.7 OpenSSL/0.9.6b DAV/1.0.3 PHP/4.1.2
Oh my, if this is all true information, it's a shopping list to take straight to the 'sploitz store. Might as well fling your doors wide open and invite the world in.
Perhaps our theme should be "Them Darned Users." Passwords on stickies, carelessness with laptops, incautious blabbing, deliberate malice.... "It is impossible to make things foolproof, because fools are ingenious." An extremely useful document is the Site Security Handbook, RFC 2196. Also highly recommended is the book "Hacking Exposed", by McClure, Scambray and Kurtz.
I can't tell you everything, the moral is think creatively, and be surprised by nothing. Feel free to send me your fave horror stories and good ideas, I'll publish them in a follow-up article.