Internet Security - Protection against Hackers
This page is primarily about Internet security or, put another way, protecting yourself against hackers. It was added to the technical articles when I realised that the default settings installed on most new machines, especially those with network cards fitted, left many people wide open to being hacked. This is only one of several ways you are at risk but it is one of the worst, because others can gain access to information without you even realising it has happened. If a machine is destroyed you know it has happened; the same goes for most virus attacks. Hacking is worse than theft in that you may not be aware that sensitive information such as credit card details, passwords, PINs or other financial or personal information has been copied - the first you may know is when your bank account is emptied or your students start to score 100%.
The risks are increasing as people stay on-line longer and hacking tools improve. Conventional wisdom was that your IP address changed every time you dialled in to your ISP, so nobody could find your machine twice and the chance of being hacked was remote. That is no longer true: automated scanners sweep whole address ranges, and a weak machine can be identified and targeted within minutes of connecting. The default Internet/network configuration on almost every Windows machine leaves it wide open to attack.
Firstly I will explain a little about what causes this vulnerability in most PCs connected to the Internet. The prime problem is that Internet access was added by Microsoft as an extension of the existing networking which has been available within the various flavours of Windows over the last ten or so years. Windows networking enables you to share resources on your machine, such as files and printers, with others on your network. This was fine when you knew who would be connected to your network and there was physical security as well as passwords to limit access. In many configurations, once you had logged on there were no further hurdles in the form of passwords, and in small networks passwords were often not set at all. The second factor comes from the default settings, which are optimised for ease of configuration with scant regard to security - Microsoft rapidly found that calls for support were dramatically reduced if the defaults allowed everything to connect to everything and passwords were not required.
The end result is potentially disastrous: many machines are as accessible over the Internet as from any machine on the local network, and even when a network is not required or in use the network components are loaded by default. The user is unaware of this, and again the default is that no password is required even when the machine is turned on. This leaves only statistics to protect you - each dial-up session via an ISP lasts only a finite time, and with a dial-up connection your address on the Internet is assigned more or less at random from the ISP's pool of addresses. That protection has been largely eroded by the longer times spent on-line with cheap access via "free" services and by the speed with which scanners can probe Internet addresses looking for vulnerable machines.
The risk is very real. I have just installed a simple free firewall on my machine which identifies attempts to access the machine over the Internet. I initially had it set to give a pop-up alert but I am having to divert them to a log file as they are occurring at about 10 minute intervals (11 in the first 24 hours). Some are probably just Internet noise, but the one I traced using the IP number came from a dial-up connection in the UK through Telinco, which provides services to many ISPs. It was directed at my port 139, which is the access to NetBIOS file and print sharing. Need I say more?
To give you a feeling for what can be done, this is a boast alleged to have been made by Greg Hoglund, the author of the "Asmodeus" scanner:
There are several ways of checking whether your own machine is exposed. The easiest is to go to a friendly site such as the ShieldsUp! section of the Gibson Research Corporation site, which will probe the major vulnerable points from the outside and let you know the worst. The alternative is to go through your Network Properties looking for the known vulnerabilities, namely any binding of the TCP/IP protocol to anything other than the Dial-Up Adapter, and any binding of File and Printer Sharing to TCP/IP (when checking in Network Properties leave with Cancel, or you will probably need the Windows CD even if you have not made changes).
I have now looked at several other machines which have the default network settings, both as configured on delivery and after a network adapter had been installed - every one would have been wide open if used on the Internet. A further disturbing feature is that Windows Plug and Play has also detected, installed and/or reconfigured the networking settings invisibly in several cases. This seems to have occurred when completely different devices have been installed, such as a printer - the network settings were then different from those I had initially set up, and in one case I found a duplicate adapter had been installed with different settings from the original. I have had the same problem with a duplicate modem being installed with a new printer.
There are two solutions. Firstly, configure your Network Properties with settings that completely break the links between TCP/IP and both the local network and File and Printer Sharing - this needs a good understanding of configuring Windows systems. This is a reasonably safe solution if you do not have a local network, do not have network adapter cards installed, and periodically check that nothing has changed. If you do have a local network with File and Printer Sharing enabled you should have another line of defence in the form of strong passwords on every share: long, random mixtures of letters and digits that appear in no dictionary and so cannot be recovered by a dictionary-based attack.
The second solution is to install a firewall. Again, this may not be simple to configure, but it should be taken seriously if you have a local network sharing files. It is a must if family or staff economise on passwords on a networked machine.
Regardless of the solution you adopt you should also consider having all your sensitive and important information encrypted using PGP or similar. This also covers you against theft or local investigation of your business or personal data.
This is not trivial to get right and will probably involve you in several passes, each involving the Windows CD and restarting the machine, before everything is both working and safe. Microsoft try quite hard to prevent you making your machine secure and you will get inappropriate messages asking if you really want to sever some of the very bindings you need to break for security. There is however an excellent guide to what to do in the ShieldsUp! section of Steve Gibson's Gibson Research Corporation site, in the section on Network Bondage at http://grc.com/su-bondage.htm, which explains what needs to be done, how and why. There is a little more about this on my Painless Networking page and I will extend it in due course.
Before one can understand what a firewall does and how it improves one's security one has to understand a little of how information is transferred over the Internet. All Internet communication is accomplished by the exchange of individual "packets" of data. Packets are the fundamental unit of information flow across the Internet. Even though we refer to "connections" between computers, a "connection" actually consists of individual packets travelling between those machines. For the TCP traffic used by the web, FTP and file sharing, once a machine has received a packet it sends back an "acknowledgement" to let the sending machine know that the data was received. Packets do not go directly from one machine to another; they pass through many intermediate machines on their way, like a letter going through many different post offices en route or a telephone call through many exchanges. The difference is that a message may be divided between many packets, which can even take different routes to their destination.
In order to reach its destination, whether it is another computer two metres or two continents away, every Internet packet must contain a destination address and, so that the receiving computer knows who sent the packet, every packet also contains the address of the originating machine. The address is made up of two parts: the IP address, which identifies a single machine on the Internet (you often see these as four numbers each between 0 and 255, like 192.0.2.10, in your browser status line), and a port, which is associated with a particular service or conversation happening on that machine. Think of an IP address as a computer's switchboard number and a port as an individual phone extension. Software on your PC opens ports to provide specific networking functions. Web access, for example, generally uses port 80, while FTP runs through port 21, and NetBIOS file and print sharing uses ports 137 to 139. To get in, the hacker must find an open port on your machine.
Firewall software inspects each and every packet of data before it is seen by any other software running within your computer. A firewall therefore has total veto power over your computer's receipt of anything from the Internet. A TCP/IP port is only "open" on your computer if the first arriving packet, which requests the establishment of a connection, is answered by your computer. A port with no program listening on it normally answers such a request with a "connection refused" reply, which at least tells the sender that a machine is there. If the arriving packet is simply ignored, no reply of either kind goes back and that port of your computer effectively disappears from the Internet - the "stealth" behaviour referred to later.
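The self-check described earlier (what an outside scanner such as ShieldsUp! sees) and the open/closed/stealth distinction just explained can be demonstrated with a small probe. The following is an added example written for this page, not code from the original article or from the ShieldsUp! service: it attempts a TCP connection to each port and classifies the answer. The port list and the loopback self-check traffic are constructed for illustration; to check a real machine, run it from a second machine against that machine's Internet address, since a probe of 127.0.0.1 never crosses a firewall.

```python
import socket

# Ports that the Windows defaults of the time exposed and that an external
# check looks at first. NetBIOS 137 and 138 are UDP services, so a TCP connect
# probe cannot classify them; 139 (file and print sharing) is TCP.
PROBE_PORTS = {
    21: "ftp",
    23: "telnet",
    80: "http",
    139: "netbios-ssn (file and print sharing)",
}


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port the way an outside scanner sees it.

    'open'        - a program answered and the connection completed
    'closed'      - the machine answered with a reset ("connection refused"):
                    nothing is listening, but the machine has revealed itself
    'stealth'     - no answer within the timeout: a firewall dropped the
                    request, so the port (and maybe the machine) looks absent
    'unreachable' - the network itself reported it could not deliver the probe
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def scan(host, ports=PROBE_PORTS, timeout=1.0):
    """Probe each port and return {port: state}; anything not 'stealth' is visible."""
    return {port: probe_port(host, port, timeout) for port in ports}


def self_check():
    """Show the difference between 'open' and 'closed' on this machine.

    Binds a throw-away listener on a free loopback port (constructed test
    traffic, not a real service), probes it, closes it and probes again.
    Returns the two states, expected to be ('open', 'closed').
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port)
    listener.close()
    after_closing = probe_port("127.0.0.1", port)
    return while_listening, after_closing


if __name__ == "__main__":
    print("self check (open, closed):", self_check())
    for port, state in scan("127.0.0.1").items():
        print(f"port {port:>3} ({PROBE_PORTS[port]}): {state}")
```

A 'closed' result is not a failure of the firewall in the sense of letting someone in, but it does confirm to the scanner that a machine exists at that address; a firewall configured to drop the request silently turns the same port into 'stealth'.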
The real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks. Since every arriving packet must contain the IP address of the sender's machine (in order for the receiver to send back an acknowledgement), the firewall can be very selective about which packets are admitted and which are dropped. A sender can forge the source address on a packet, but then the replies go to the forged address rather than to the sender, so a forged address cannot be used to complete a TCP connection and filtering on source address remains meaningful for connection attempts. A firewall can be designed to "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port. So, for example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. In the telephone analogy, the firewall lets you select, depending on who calls and which extension they ask for, whether you answer, let the phone ring, or give an unobtainable tone.
Firewall technology makes it possible for your home and office computers to share their files without any danger of unauthorised intrusion. You simply instruct the firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. Thus either machine can "see" the other's ports, but no one else on the Internet can see them. Two caveats: this only works if both machines have fixed IP addresses (a dial-up machine whose address changes every session cannot be named in the other machine's rule), and the file sharing traffic itself still crosses the Internet unencrypted, so it should not carry anything you would not want read in transit.
This sounds great, but what about outgoing calls where you expect information back? It is slightly more complex than the telephone analogy because we are using packets. For example, when you surf the web you need to connect to web servers that might have any IP address (how http://www.xyz.com is converted to an IP address for you is another story). You would not want all those replies to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a firewall too. Since each computer involved in an Internet connection is usually acknowledging the other's data, most packets that flow between the two machines have a bit set as a "flag" to denote that the packet is an acknowledgement. Only the first packet, which initiates a new connection, is not acknowledging any previous data from the other machine. In other words, a firewall can easily determine whether an arriving packet is initiating a new connection or continuing an existing conversation. Packets arriving as part of an established connection can be allowed to pass through the firewall, but packets representing new connection attempts can be discarded. Thus a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside. One caveat: a firewall that looks only at the acknowledgement flag will pass any packet with that flag set, including probes deliberately crafted to look like part of an existing conversation; a better firewall also keeps a table of the connections your machine has actually opened or accepted and drops anything that does not match an entry.
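The three rules described above (allow connections in only to chosen ports and from chosen addresses, allow everything out, and let replies to our own connections back in) can be put together in one small packet filter. The following is an added example written for this page, not code from the original article or from any real firewall product. The addresses are assumed documentation addresses, the sample packets are constructed, and the model is deliberately simplified to the handful of header fields the text discusses. It goes one step beyond the text by implementing the filter both ways: the flag-only rule, and a stateful version that keeps a connection table, so the last sample packet shows the difference.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Only the header fields a packet filter looks at. flags is a string of TCP
# flag letters: "S" for a connection request, "SA" for its reply, "A"/"PA"
# for packets continuing an established conversation.
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port flags")

MY_IP = "192.0.2.10"        # assumed address of the protected machine
OFFICE_IP = "198.51.100.7"  # assumed fixed address of the one trusted peer
NETBIOS_PORTS = {137, 138, 139}

# Connection requests from the Internet that we are prepared to answer:
# (permitted source network, permitted destination ports on this machine).
INBOUND_ALLOW = [
    (ip_network("0.0.0.0/0"), {80}),                  # web server: anyone
    (ip_network(OFFICE_IP + "/32"), NETBIOS_PORTS),   # file sharing: office only
]


def is_new_connection(pkt):
    """A TCP connection request carries SYN and is not acknowledging anything."""
    return "S" in pkt.flags and "A" not in pkt.flags


class Firewall:
    """A toy packet filter for one machine, in either of two styles.

    track_state=False: the flag-only rule; anything marked as an
                       acknowledgement is assumed to belong to an existing
                       conversation and is let through.
    track_state=True:  a stateful filter; a packet is only treated as part of
                       a conversation if that conversation is in the table.
    """

    def __init__(self, track_state=True):
        self.track_state = track_state
        # (local port, remote ip, remote port) of every conversation this
        # machine has opened, or that the rules allowed the outside to open.
        self.table = set()

    def _inbound_request_permitted(self, pkt):
        src = ip_address(pkt.src_ip)
        return any(src in net and pkt.dst_port in ports
                   for net, ports in INBOUND_ALLOW)

    def filter(self, pkt):
        """Return 'accept' or 'drop' for one packet, updating the table as we go."""
        if pkt.src_ip == MY_IP:
            # Outbound: always allowed; a request opens a conversation.
            if is_new_connection(pkt):
                self.table.add((pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "accept"

        # Inbound from the Internet.
        if is_new_connection(pkt):
            if self._inbound_request_permitted(pkt):
                self.table.add((pkt.dst_port, pkt.src_ip, pkt.src_port))
                return "accept"
            return "drop"   # silently: no reply, so the port looks absent

        if self.track_state:
            key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
            return "accept" if key in self.table else "drop"
        return "accept" if "A" in pkt.flags else "drop"


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet(MY_IP, 40000, "203.0.113.80", 80, "S"),   # we open a web page
    Packet("203.0.113.80", 80, MY_IP, 40000, "SA"),  # the web server's reply
    Packet("203.0.113.5", 1234, MY_IP, 139, "S"),    # stranger probes NetBIOS
    Packet(OFFICE_IP, 1025, MY_IP, 139, "S"),        # office opens a share
    Packet("203.0.113.5", 1235, MY_IP, 80, "S"),     # stranger visits our web server
    Packet("203.0.113.9", 5555, MY_IP, 139, "A"),    # probe disguised as established
]


def run(track_state):
    """Pass the sample traffic through a fresh filter; returns one verdict per packet."""
    fw = Firewall(track_state)
    return [fw.filter(p) for p in SAMPLE]


if __name__ == "__main__":
    for name, verdicts in (("stateful", run(True)), ("flag-only", run(False))):
        print(name, list(zip([p.flags for p in SAMPLE], verdicts)))
```

Both versions accept our own web request and its reply, drop the stranger's NetBIOS request, and accept the office share request and the visit to port 80. They part company on the final packet: the flag-only filter lets the disguised probe through to port 139 because it carries the acknowledgement flag, while the stateful filter drops it because no conversation with that address and port was ever opened.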
There is one more thing that one might want to do, and that is to restrict which programs can open connections to the Internet from inside the firewall, just in case a virus, hacker, disgruntled employee or industrial spy has left a piece of code on your machine which sends your passwords or data out. The firewall has no way of knowing what data is being sent, but it can filter on the basis of the application generating the data. This is only as good as the firewall's ability to tell one program from another: a hostile program that passes itself off as, or runs inside, one you have already approved gets that program's permission. In the telephone analogy it is like checking that nobody connects a fax machine you do not know about and sends without approval.
The difficulty is not in writing a firewall program but in making it user friendly. It must be easy to configure so that it stops everything you do not want to get in whilst allowing you to carry on your normal activities without having to know the IP address and port number of every connection and the details of every program. It should also tell you what it is doing - you do not want to find things stop working without any idea why, yet you do not want to be swamped with so many warnings that you grind to a halt.
I am going to use Zone Alarm 2.1 as an example of a firewall program. It is an excellent freeware firewall which has rated higher in many independent tests than those sold commercially for personal use, and is arguably one of the easiest to set up. The latest version has over 6 million users.
Installation is very easy - you download and run a single 1.6 Mbyte file and fill in some registration information and that is it. The next time you reboot the machine it is running and protecting you - there is a new "icon" in the tooltray allowing quick access. The first time it runs it also brings up a screen showing you how to get a little control panel on the toolbar, which is useful whilst you get to know the program. At this point it knows nothing about your programs but it will have already found your local network. When you first try to connect a program to the Internet, such as your browser, it will detect this and ask if you want to continue, and also give you the option to always allow such connections in the future. Each program it detects is added to a list and you can set up any options at a later stage, but if you have allowed it to connect in the future that is usually all you need to do and it will be invisible from then on. I have about 10 programs that it has found, including email, FTP and browsers.
Whilst you have been doing this you will probably find that every ten minutes or so an Alert screen appears saying attempts to connect have been made from outside; some are benign, some are hackers - eventually I turned on the option of sending them to a log file rather than popping up on the screen. The firewall has different security levels, and in the default high security mode there is no response to external "probes", which is what you would normally want, although sometimes you will need a lower level as some places you are connected to do checks for security and to make sure you are still connected. This will be obvious if you turn the Alerts back on and see whether there are Alerts coming from somewhere you are connected to.
Configuration of Zone Alarm with "problem" programs: I have only discovered one "problem" so far on my system with Zone Alarm. When I use FTP to upload to Freeserve's web space the server seems to run checks on my existence and will not work in the highest security "Stealth" mode, which does not acknowledge my existence to packets from their web server. All the other web servers I use are quite happy. The first thing to try is lowering the security level to Medium if you have such problems - that still gives good protection and can be raised again after your program has run; FTP to Freeserve worked as usual with Medium security. It is then also possible to add such sites to the "local" list, which runs by default at medium security, to avoid reducing your security whilst using FTP - in the case of Freeserve's FTP there were two addresses which came up as alerts and I added a range covering them in case there were more I had missed. Similar problems have been reported with "chat" programs such as ICQ, MSN Messenger and NetMeeting, but judging from my experience with Freeserve it should not be too difficult to configure Zone Alarm to protect you whilst they are in use. I should note that these are not problems with Zone Alarm - it is doing exactly what it should; the problems lie with the way programs have been implemented without regard to the increasing use of firewalls.