The Boot Process

When you sit down and power the machine on, the first thing that happens is that the system BIOS loads the underlying programs that fire up the computer. The last thing the BIOS does is to load the Master Boot Record (MBR) data into memory.

1. The MBR contains code that locates the system bootable partition.
2. From the system partition, NTLDR executes and gets the operating system startup process rolling.
3. This brings us to the BOOT.INI file. NTLDR locates and reads the BOOT.INI file for information such as which operating system to launch, where to find the appropriate files to launch that system, and boot menu items.
4. The boot menu displays.
5. NTDETECT.COM launches.
6. NTOSKRNL.EXE runs and the HAL is loaded.
7. Low-level system device drivers load.
8. Operating system kernel and subsystems load and initialize.
9. Any remaining drivers and services are loaded, and Windows 2000 is up and running.

Boot Files and Locations:

NTLDR: System  partition root (e.g. “C:\”)
BOOT.INI: System partition root (e.g. “C:\”)
BOOTSECT.DOS: System partition root (e.g. “C:\”) Only needed on multi-boot systems with Windows 9x/Me
NTDETECT.COM: System partition root (e.g. “C:\”)
NTBOOTDD.SYS: System partition root (e.g. “C:\”) Only used if system partition is on SCSI disk with BIOS disabled
NTOSKRNI.EXE: %SystemRoot%\System32 (e.g. “C:\WINNT\System32″)
HAL.DLL: %SystemRoot%\System32 (e.g. “C:\WINNT\System32″)
SYSTEM: %SystemRoot%\System32\Config (e.g. “C:\WINNT\System32\Config“)

System Partition Vs. Boot Partition

One of the more confusing aspects of the Windows NT/2000/XP family lies in the way Microsoft distinguishes between what they call the system partition and the boot partition. Only a few vital files are required to start the boot process, and these files are stored on the system partition. This is the first, active partition on the system: by default, this is the C:\ drive. The boot partition, interestingly, is not the the partition the O/S boots from, but rather the partition that the O/S boots to. The boot partition is the partition that holds the O/S files themselves (in the \WINNT folder).
The system partition and the boot partition can be the same partition (and, if your hard disk drive has only one partition, then they are the same), but they don’t have to be. During Windows NT/2000/XP setup, you can specify any partition as your boot partition. In fact, on systems with more than one O/S installed – multiboot systems – Microsoft highly recommends that you install each O/S on its own partition.
As an example, let’s say you have a system with a single hard disk drive split into two partitions: C:\ and D:\, with Windows 98SE installed on the C:\ drive (i.e. C:\Windows) and Windows 2000 installed on the D:\ drive (i.e. D:\WINNT). The C:\ drive is called the system partition, and the D:\ drive is called the boot partition.

NTFS Permissions

In the NT/2000/XP world, every folder and file on an NTFS partition has a list that contains two sets of data. First, the list details every user and group that has access to that file or folder. Second, the list specifies the level of access that each user or group has to that file and folder. The level of access is defined by a set of restrictions called “Permissions.”

Permissions – These define exactly what a particular account can or cannot do to the file or folder and are thus quite detailed and powerful. You can make it possible, for example, for a person to edit a file but not delete it. You can create a folder and not allow other people to make subfolders.

Ownership – When you create a new file or folder on an NTFS partition, you become the owner of that file or folder. A newly-created file or folder by default gives full permission for everyone to access, delete and otherwise manipulate that file or folder. Owners can do anything they want to the files or folders they own, including changing the permissions to prevent others from accessing them.

Take Ownership – One special permission, however, called Take Ownership, enables anyone with that permission to do just that – seize control of a file or folder. Administrator accounts have Take Ownership permission for everything.

Change Permissions - An account with this permission can take away permissions for other accounts.

Folder Permissions – In Windows NT/2000/XP, every folder in an NTFS partition has a Security tab. Every Security tab contains two main areas. The top area shows the list of accounts that have permissions for that resource: the lower area shows exactly what permissions have been assigned to that account.

Windows permissions are quite powerful and complex. The list of permissions shown in the permission area, for example, is not really permissions, but rather preset combinations of permissions that cover the most common types of access. Click the Advanced button, and then click View/Edit to see the real NTFS permissions; Microsoft calls them special permissions. Even the most advanced NT/2000/XP support people rarely need to access these.

File Permissions – File permissions are quite similar to folder permissions. Permissions are cumulative, and the accumulate according to inheritance. There is an inheritance relationship between a folder and the files or subfolders that it contains. Permissions that are configured on a folder are passed down, or inherited, to the contents of that folder by default. This means that if you have Full Control on a folder, you get Full Control on the files in that folder. If you look at the bottom of the Security tab, you will see a little check box that says, “Allow inheritable permissions from parent to propagate to this object.” In other words, any files or subfolders created in this folder get the same permissions for the same user/groups that the folder has. This enables you to stop a user from getting a specific permission via inheritance. Windows 2000 and XP (unlike Windows NT) provide explicit Deny functions to each option.

The Geek Squad

Ok… I don’t condone black hat hacking or password stealing, but I found this very interesting. I found this article in the Summer 2008 (Volume 25, #2) issue of 2600, the Hacker Quarterly. While it explains how to capture login and password information, it speaks volumes to the ineptitude of Best Buy’s “Geek Squad.” The article is written by Turgon.

Ahh, the Geek Squad: love them or hate them, they’re here to stay. Best Buy’s computer “task force” can be found in every store, at your home or office, or on the road in their black and white VW Beetles.
A majority of their employees, who are known as Agents, are high school kids with a basic understanding of Windows Vista and XP, but more than a few of them really know their stuff. Some even read and contribute to 2600 Magazine.
What is this article about? Well, it isn’t a rant about incompetence. Sorry guys and gals, but you can find plenty of that on consumerist.com or on countless forums. No, what I am here to talk about is a tiny security issue with huge consequences. Here’s how to wreak havoc in five easy steps:

First Step: Call the Geek Squad at 1-800-433-5778 and set up and appointment for a wireless network security install. This is their cheapest and quickest service. Unfortunately, it will cost you $59; as we’ll see later, though, this is a small price to pay for such a prize.

Second Step: Install a keylogger on your laptop or desktop computer. Software, hardware, doesn’t matter.

Third Step: Reset your wireless router settings to the defaults; disable WEP and WPA, and use the default SSID. Then, sit back and wait for your appointment. A field tech, who we’ll call Double Agent, will show up at your door. He or she will take a look at your situation and secure your router with WPA: piece of cake! Thank the agent for their amazing WPA-typing skills and reject any other additional services they may try to “up-sell.”

Fourth Step: Your hero agent will now sit down at your computer, open a Web browser, and go to https://sts.geeksquad.com/sts. Once there, they will type in their login credentials. The username will be something like 123456; the password will be a case-sensitive combination of letters and numbers. The agent will pull up your name and account on the Geek Squad system, which is called “STS,” and which is able to take credit cards via a shopping cart feature, print receipts, add charges, remove charges, and so on. Your receipt will print out, and the Agent will log out and close the browser.

Fifth Step: With the agent gone, you should first change your WPA key to something else. You’ve now got the agent’s STS login and password.
Thanks to your keylogger, you now have login credentials for STS, giving you access to Geek Squad’s entire customer database of literally millions of customers. Addresses, phone numbers, and e-mail addresses are just the beginning. Most agents, per corporate policy, also log copious notes of every customers’ WPA or WEP key, SSID, IP address, PC make and model, O/S, RAM amount, viruses found, and lots more. The Geek Squad database contains information not only about individuals but also about their numerous small business clients.

Note that agents are required to reset their STS passwords on a regular basis, and a hacked password is easily reset by corporate. Therefore, having an agent’s login credentials is only good for information gathering; once an agent realizes that his password has been changed, he’ll have it reset in minutes. There’s no easy way for an agent to know if an account is being abused, as it’s possible to login from multiple computers or browsers at the same time. One could theoretically have unfettered access for months before the agent is forced to change the password at a server prompt.
Agents are usually clever enough to find keyloggers if they are performing virus removals, system optimizations or upgrades, and similar jobs. The simple fact that they’re only out to encrypt your wireless router means they won’t even look twice to check background programs or physically examine the machine and inspect for hardware loggers.
Best Buy likes to cut corners, and its employees and customers always get the short end of the stick. A workable solution to the security issue I have discussed would be for Best Buy to provide a laptop to its agents for on-site use. Companies like HP, Toshiba or Gateway would probably even split the cost to have these “respected” Geek Squad agents toting their brand’s laptop into impressionable customers’ homes. Other prevention techniques that Best Buy might employ include a server-side upgrade requiring a SecurID token for access to STS or limiting lowly Agents’ access to the huge database of customer information.
For a company at the cutting edge of new technology, Best Buy is setting their Geek Squad brand up for major trouble. There’s huge risk that any of their over 2,000 field agents might enter their credentials into a comprimised computer. There’s also the risk of abuse. At all times, any agent, Best Buy manager, or call center phone jockey has access to an extravagant amount of customer data. I am no whistle blower or disgruntled employee, but corporations like Best Buy are reactionary. They only act on behalf of customers or employees when they get in trouble. When all other methods fail, I turn to the community!

Web Application Vulnerabilities

As programmers add increased functionality to Websites and Web browsers, the potential for security vulnerabilities increases. The biggest danger is the tendency toward integrating the Web browser functionality with other computer applications and even the operating system (O/S) itself. This means if a Web browser security vulnerability is exploited, an authorized user has access to the core system files and data of someone’s computer. The following outlines some of the more popular Web application components and the security vulnerabilities they might create.

JavaScript

JavaScript is a scripting language created by Netscape but it isn’t related to the Java programming language. JavaScript’s code isn’t compiled; instead, it’s interpreted by the Web browser. JavaScript can interact with HTML source code, enabling Web authors to create Websites with dynamic content.
Since the appearance of JavaScript, the language has been plagued with security issues. The problems originate from the nature of JavaScript, which allows executable content to be embedded in Webpages. These vulnerabilities include the capability for hackers to read files on a user’s hard drive, and to monitor and intercept a user’s Web activities. Security precautions are required to prevent malicious code from entering, executing, and retrieving data from the underlying systems.
The insecurities of Web browsers that implement JavaScript, rather than its language, are the source of the vulnerabilities. Most security problems discovered in JavaScript implementations require the installation of software patches from the Web browser vendor. JavaScript can also be disabled on your Web browser as an option. Check your Web browser options to disable or enable the use of JavaScript for Websites you access.

Java

Java is an object-oriented, platform-independent programming language created by Sun Microsystems. Java is typically used on Internet Websites to provide small programs called applets, which can be downloaded to a user’s Web browser. Because Java is platform-independent and can run on any type of machine or O/S), it requires the use of a Java Virtual Machine (JVM) to convert the program to the code understood by the local machine. Java programs run in their own special area, called a sandbox, which restricts the applet’s access to certain parts of the system. This prevents malicious or buggy software from accessing critical parts of your system. Hackers, however, are able to program applets that can bypass the security features of the sandbox and can access the data on users’ hard drives. For added security, most Web browsers can be configured to allow only certain access privileges to Java programs.

Signed Applets

Signed Java applets are programs that are authenticated through the use of a digital signature that provides information on where the applet originated. The Web browser reads this signature and checks to see if it comes from a known, trusted source. This allows an applet to have less restrictions put on its operations, as would a normal unsigned applet. An authenticated signed applet is usually given more access over O/S functions to perform an application.

ActiveX

ActiveX is a technology created by Microsoft to create reusable components across Windows applications. This includes increasing the functionality of Internet applications. Similar to components created with Java, ActiveX components can be downloaded to the computer through the Web browser. Unlike Java, which has software controls that only allow programs to run in a certain area of memory and influence. ActiveX functions are controlled by the users themselves. This requires the need for greater security controls because a malicious ActiveX component can be downloaded that could comprimise the security of your system. Users must be more careful when configuring their Web browser to control ActiveX programs.
For Web browsing security, ActiveX uses a form of authentication control based on security levels. The user’s Web browser can be configured to set a certain security level at which ActiveX controls can operate. The lowest level allows all ActiveX components to be downloaded automatically. Increased levels provide warning dialog boxes to alert you of an ActiveX element and enable you to download it or not. ActiveX relies on digital certificates and trusting certificate authorities to authenticate the origin of ActiveX controls.
As always, your Web browser should be updated to the latest version, so the most recent security controls are in place and any previous security vulnerabilities are removed.

Buffer Overflows

Buffer overflow is a programming term used to describe when input data exceeds the limits recognized by a program. For example, a program might only be expecting a certain amount of characters in an input dialog box. If the amount of characters exceeds the limit, the added information might also be processed. This extra code could be malicious in nature and cause the program or even the entire system to crash.
For Internet Web applications, this buffer overflow vulnerability is a common security concern for Web servers and Web browsers. A malicious Web server set up by a hacker can crash the systems of the users connecting to that Website by sending various HTTP buffer overflow data streams to the client. Similarly, a hacker using a simple Web browser can send certain HTTP data to a Web server that overflows its software buffers and crashes the Website.
Buffer overflows are mainly caused by bad programming, which allows illegal data to be entered into the application. Software, especially Internet applications, should be carefully programmed to accept only certain types of data. You should ensure that all your software is current with the latest software patches and service packs to prevent these types of errors. Patches can be downloaded from the software vendor’s Website and installed onto your computer to fix the application.

Cookies

Cookies are special files saved on your computer when you visit a Website. A cookie is used to save information particular to that Website. Cookies are typically used by Websites for tracking demographic or user-specific information pertaining to that site. This information can be used by the Websites themselves or for advertising purposes. For example, the first time you visit a Website, you could be required to register by filling out a Web form. Some information from this form is saved on your computer as a cookie. If you specified your age and gender, this information is read from the cookie the next time you visit that site and the next time you visit that site and the advertising is altered accordingly for your demographic group.
Most cookies contain relatively harmless information, but some of them could contain usernames or passwords for certain Internet and Website accounts. Cookies of this nature are usually encrypted by the distributing site, but those that aren’t are vulnerable to unauthorized users accessing this information.
Most Web browsers let you customize the capability to use cookies or enable more strict controls on their use. Cookies can be disabled completely, but this could cause certain Websites not to work at all in your Web browser.

CGI

Common Gateway Interface (CGI) scripts are programs designed to accept and return data that conforms to the CGI specifications. The programs are typically written in scripting languages, such as PERL, and are the most common way for Web servers to interact dynamically with users. Webpages that contain forms typically use a CGI program to process the form’s data once it’s submitted.
A security concern with CGI is this: each time a CGI script is executed, a new process is started. For some Websites, multiple CGI requests can noticeably slow the server. CGI scripts also are vulnerable to programming bugs, so they should be written with the same care and attention as any software application.
Poorly-programmed CGI scripts can intentionally or unintentionally provide information about the host system that can aid hackers in accessing the Web server. Scripts that utilize user input from Web forms can be used against the client machine. For example, on a server system, a subverted CGI can be used to run malicious code as a privileged user and provide unauthorized access to any part of the system, including sensitive user data, as well as logins and passwords. Another concern of CGI scripting is the capability of the user to input data that can be used to attack the Web server through buffer overflows and malformed requests.

Utilities

The best way to know when a problem is brewing is to know how things perform when all’s well with the system. You need to establish a baseline – a static picture of your network and servers when they are working correctly. One of the common tools used to create a baseline is the Performance Monitor utility that comes with Windows NT/2000/XP (but you can also create baselines using most network management utilities).

PerfMon

Administrators use Performance Monitor (PerfMon) to view the behavior of hardware and other resources on NT/2000/XP machines, either locally or remotely. PerfMon can monitor both real-time and historical data about the performance of your systems. To access the Performance Monitor applet, choose Start/Programs/Administrative Tools/Performance Monitor from any Windows NT machine. Windows 2000/XP machines call the option simply “Performance.”
Once you access Performance Monitor, you need to configure it to display data. The process of configuring Performance Monitor requires you to understand the concept of objects, counters and views. An object in Performance Monitor relates directly to the component of your system that you want to monitor, such as the processor or memory. Each object has different measurable aspects, called counters. Counters, in other words, are the portions of an object that you want to track. as you decide which object(s) to monitor in your system, select one or multiple counters for each object. Add these counters to whichever view you need to use. Performance Monitor can display selected counter information in a variety of views, with each view imparting different types of information. The Log view, for example, lets you store data about your systems to be reviewed later. This is the view used to create a baseline, although the other views (i.e. Chart, Alert, and Report) are useful for troubleshooting problems as they arise.
To access the Log view, either click the Log view button or choose view/Log. To add objects to the Log view, either click the Add To button (the + sign) or choose Edit/Add To Log. In the Add To dialog box, first select the computer to monitor. Choose either the local machine (the default) or a remote machine. To monitor a remote machine, type in the computer name using the Universal Naming Convention (UNC). To monitor a machine named HOUBDC1, for example, you would type \\HOUBDC1 in the computer field. You can also use the Select Computer button (at the right end of the Computer field) to view the available machines and select the one you want to monitor.
While it is often easiest to monitor a machine locally, it is often more accurate to monitor the machines remotely. Performance Monitor running on a machine uses a certain amount of resources to take the measurements and to display data graphically. Especially when you troubleshoot issues with disk performance, memory and paging, or processor use, you should not corrupt your results by monitoring locally. There are some cases where monitoring locally is preferred or required. If you are monitoring network access or networking protocol objects, for example, monitoring locally will affect the readings less than monitoring remotely. Similarly, you must monitor a system locally if you cannot access the system over the network. Finally, when you monitor objects created by a specific application, such as Exchange, you should monitor locally, as the objects related to this application are only created locally and will not be available from another system.
Once you have selected a system to monitor, either locally or remotely, you must select the object to monitor. Select one or more objects to monitor from the list in the Object Field. Note that the Log view is somewhat different from the other views in that you only add objects to the view, not the specific counters for objects.
After you select the objects for Performance Monitor to track and log, select Options/Log Options to save the data to a log file and to start the logging by clicking the Start Log button. The dialog box also gives you the opportunity to select the update method and time.
After you have configured the log to save to a particular file, you can see the log file name, status of the logging process, log interval, and file size of the log in the Performance Monitor dialog box. To stop collecting data in a log, open the Log Options dialog box again and click Stop Log. You can then choose to create a new log file and begin logging again, if necessary. You will also have the ability to view data from one of these saved log files by selecting Options/Data From. In the Data From dialog box, you can choose to continue obtaining data from the current activity or to obtain data from a particular log file.
When you choose to obtain data from a saved log, you go back to that frozen moment in time and add counters to the other views for the objects you chose to save in the log. You may want to select a wide variety of objects, so that when you open the log to display in any of the other views (i.e. Chart, Alert and Report), you can add any counters necessary.

NetWare Monitor

On a NetWare server, most of the critical information you might need to see and document to establish your baseline can be obtained by loading the Monitor application on the server itself (you can view the program remotely on a client PC, but it runs on the server). Novell calls a program that runs on the server in this way a NetWare Loadable Module or NLM, and you issue the command ‘LOAD MONITOR’ at the server’s console prompt to start the program.
The Monitor NLM can display a wide range of information, from memory usage to individual statistics about the NIC’s installed in the server. Many system managers leave Monitor running all the time so that they can keep an eye on things; it can also be used to kick users off the server and see which files they are accessing.

Relationships

An important component of any relational database is how those relations are associated with each other. These associations, or relationships, link relations together in ways that are meaningful to each other, helping to ensure the integrity of the data so that an action taken in one relation does not negatively impact data in another relation.

A relational database supports three primary types of relationships:

One-to-One: A relationship between two relations in which a tuple in the first relation is related to only one tuple in the second relation, and a tuple in the second relation is related to only one tuple in the first relation.

One-to-Many: A relation between two relations in which a tuple in the first relation is related to one or more tuples in the second relation, but a tuple in the second relation is related to only one tuple in the first relation.

Many-to-Many: A relationship between two relations in which a tuple in the first relation is related to one or more tuples in the second relation, and a tuple in the second relation is related to one or more tuples in the first relation.

Note: A many-to-many relationship is physically implemented by adding a third relation between the first and second relation to create two one-to-many relationships.

Attacks

Security of a network and its systems involves protection against a variety of attacks. These attacks might affect only certain areas of your operations or disrupt them as a whole. Some attacks are an attempt to gain access or damage one particular user account or one server. Other attacks try to disrupt the entire network infrastructure itself or prevent customers from accessing a public Website.
Attacks are launched for a variety of reasons. A casual hacker might only be testing the security of the system and doing no damage at all. More malicious users could try to damage parts of your system or cause you to lose valuable data. Other unauthorized users might want access to confidential records, which can also be an act of corporate espionage.
The purpose of the attack isn’t the main concern. The main concern is how to prevent these attacks from succeeding. By being aware of the various types of attacks, tools, and resources used by malicious users, you’re protecting yourself with knowledge. By knowing where and how to expect attacks, you can install preventative measures to protect your system.

Network-Based Attacks
Of the type of attacks that can assault a network and computer system, many attacks are geared toward specific system accounts, system services, or applications. The most damaging and, obviously, the most poopular attacks by hackers involve disrupting the network itself. The network is the infrastructure that allows all systems and devices to communicate with each other, so disrupting those communication lines can be the most damaging attack a network can suffer.

Denial of Service
Denial of Service (DoS) attacks have been well-publicized recently because of their capability to easily deny access toa particular Web or Internet site. In a DoS attack, a hacker overloads a specific server with data, so it can’t process the data fast enough to keep up. System performance slows to a crawl because it simply can’t keep up with the flood of data being sent to it. This affects the Website’s capability to service legitimate requests because the client won’t receive any responses to their queries. This type of attack can also be performed on entire networks, as the DoS attack is targeted at the central router or firewall where all data passes through. The network traffic becomes so high that nothing can get in or out of the network. This type of attack is more common than attacking a single server because the network bandwidth is being attacked, which effectively denies access to all systems on that network rather than only one.
A more organized and devastating attack is a Distributed DoS attack, where the flood of data originates from multiple hosts at the same time. The combined effects quickly overload any server or network device. As opposed to a single origin of a DoS attack, a network administrator can’t pinpoint and deny access by the one host because the attacks will be coming from multiple hosts, distributed throughout the Internet. Usually, these originating hosts aren’t willfully engaged in the attack. Hackers can secretly install software on an insecure server somewhere else on the Internet and use that to remotely flood another host with data. This effectively hides the true origin of the attack, especially when the Internet Protocol (IP) addresses are spoofed to show a different originating address than the actual origin of the attack.
The most common form of attack uses simple TCP/IP protocol utilities such as Packet Internet Groper (ping). Ping is a command used to find out if a certain host (classified as a destination host) is functioning and communicating with the network. A user sends a ping or query packet to the destination host. The destination host sends back an acknowledgement that it is indeed working and on the network. Used in a DoS attack, a malicious user can send a continuous stream of rapid ping attempts. The host is then overloaded by having to acknowledge every ping, rendering it unable to process legitimate requests.
Another type of DoS attack is the synchronous idle character (SYN) flood. SYN is an aspect of the TCP/IP protocol that allows systems to synchronize with each other while communicating. One system sends a SYN packet and this is acknowledged by the other system. This process can be abused by a hacker by sending forged SYN packets to a host, which is unable to reply to the request because the return address is incorrect. This causes the host to halt communications while waiting for the other system to reply. If the host is flooded with a high number of forged SYN packets, it will be overloaded and unable to respond to legitimate requests.
DoS attacks can be difficult to stop and prevent, but some simple configuration changes on the local routers and firewalls can help prevent these types of attacks. The simplest way of protecting against ping flood types of attacks is to disable the Internet Control Message Protocol (ICMP) protocol at the firewall or router level, so the host won’t acknowledge any ping attempts from outside the network.
Other types of attacks, such as SYN floods, are caused by vulnerabilities in the network protocols themselves. The TCP/IP implementation of your operating system should be upgraded to the latest version by installing recent service packs and security patches. Some firewalls and other security products also contain the capability to detect network flood attacks, can actively block them, and can try to trace them back to a source.

Back Door
A Back Door traditionally is defined as a way for software programmers to access a program while bypassing its authentication schemes. The back door is coded in by the programmer during development so, at a later time, they can break into their own program without having to authenticate to the system through normal access methods. This is helpful to programmers because they needn’t access the program as they normally would in a typical user mode (where they’d be forced to enter authentication information, such as a username and password).
In hacking terms, a back door program is a program secretly installed on an unsuspecting computer user’s computer so the hacker can later access the user’s computer bypassing any security authentication systems. The back door program runs as a service on the user’s computer and listens on specific network ports not typically used by traditional network services. The hacker runs the client portion of the program on their computer, which then connects to the service on the target computer. Once the connection is established, the hacker can gain full access, including remotely controlling the system. Hackers usually don’t know what specific systems are running the back door, but their programs can scan a network’s IP addresses to see which ones are listening to the specific port for that back door.
Back door software is typically installed as a Trojan Horse as part of some other software package. A user might download a program from the Internet that contains the hidden back door software. To protect your computer against the programs, anti-virus programs can now detect the presence of these back door programs. Personal firewalls can also detect suspicious incoming and outgoing network traffic from your computer. Port-scanning software can also be used to identify any open ports on your system you don’t recognize. The open ports can be cross-referenced with lists of ports used by known back door programs.

Spoofing
One of the more popular methods for hacking a system is spoofing network addresses, which involves modifying the header of a network packet to use the source address of an external or internal host different from the original address. By spoofing the IP address, the destination host could be fooled into thinking the message is from a trusted source. The cause of this problem is that the architecture of Transmission Control Protocol/Internet Protocol (TCP/IP) has no built-in mechanism to verify the source and destination IP addresses of its network packets. A hacker can spoof the IP address to make it look like it’s coming from a different location. It can even be made to look like the IP address of an internal system.
IP spoofing is mainly used by hackers to hide their identity when attacking a network system, especially in a DoS-type attack. By spoofing the IP addresses of the incoming packets, network administrators could have a difficult time determining the real source of the attacks before they can set up a filter to block out that IP address.
Another use for spoofing is the capability to emulate a trusted internal system on the network. As an example, if a local server has an IP address of 192.168.17.5, and only accepts connections from that network, a hacker can modify the source address of the packet to mimic an internal address, such as 192.168.17.12. This way, the server thinks the packets are coming from an internal trusted host, not a system external to the network.
To help prevent spoofing attacks, your router or firewall might be able to filter incoming traffic to restrict network traffic coming into the external interface. By configuring the filter to prevent external packets originating from internal addresses, spoofed addresses can’t enter the network.

Smurf Attack
A Smurf Attack exploits the use of IP broadcast addressing the the Internet Control Message Protocol (ICMP) protocol. ICMP is used by networks, and also through administrative utilities, to exchange information about the state of the network. ICMP is used by the ping utility to contact other systems to see if they’re operational. The destination system returns an echo message in response to a ping message.
A hacker uses a smurf utility to build a network packet with a spoofed IP address that contains an ICMP ping message addressed to an IP broadcast address. A Broadcast Address is one that includes all nodes of a certain network and messages to that address will be seen by all of them. The ping echo responses are sent back to the target address. The amount of pings and echo responses can flood the network with traffic, causing systems on the network to be unresponsive.
To prevent smurf attacks, IP broadcast addressing should be disabled on the network router because this broadcast addressing is only used rarely.

TCP/IP Hijacking
Together with spoofing, an unauthorized user can also effectively hijack a network connection of another user. For example, by monitoring a network transmission, a hacker can analyze the source and destination IP addresses of the two computers. Once hackers know the IP address of one of the participants, they can knock them off their connection using a DoS or other type of attack, and then resume communications or by spoofing the IP address of the disconnected user. The other user is tricked into thinking they are still communicating with the original person. The only real way to prevent this sort of attack from occurring is having some sort of encryption mechanism, such as Internet Protocol Security (IPSec).

Man-in-the-Middle
A Man-in-the-Middle attack is exactly what the name says: a form of hijack attack. In-between the sender and the receiver of a communication, a person in the middle can intercept or listen in on the information being transferred. For example, if a person is talking to someone on the phone and another person listens to the conversation on another phone receiver in the house, this other person is the man-in-the-middle.
These types of attacks usually occur when a network communications line is compromised through the installation of a network packet sniffer, which can analyze network communications packet by packet. Many types of communications use plain, clear text and this is easily read by someone using a packet sniffer. During an encrypted communication, a hacker can intercept the authentication phase of a transmission and obtain the public encryption keys of the participants.
To prevent man-in-the-middle attacks, a unique server host key can be used to prove its identity to a client known as a host. This has been implemented in newer versions of the Secure Shell (SSH) protocol, which was vulnerable to man-in-the-middle attacks in the past.

Replay
A Replay attack occurs when an unauthorized user captures an encrypted or password-protected communication, breaks the encryption or password, and then sends the communication to its original destination, acting as the original sender.
This most often happens with certain types of authentication systems that issue authentication tickets, such as Kerberos. The hacker captures the ticket, breaks the encryption, and then resends the ticket to impersonate the original client.
To prevent reply attacks from succeeding, timestamps or sequence numbers can be implemented. This allows the authentication system to accept only network packets that contain the appropriate stamp or sequence number. If the time stamp is beyond a certain threshold, then the packet is discarded.

Birthday Attack
A Birthday Attack refers to a statistical, mathematical method of breaking an encryption key. The basis of the birthday attack is this: it’s easier for you to find two people who have the same birthday, rather than trying to find one person with a specific birth date. The odds are much more in favor of the former situation and you’ll discover the exact birth date of two people, instead of one.

Brute Force Attack
A Brute Force Attack is just that - an attempt to break a password or encryption scheme through simple repetition of attempts. A wide variety of utilities can perform these attacks. An actual person trying to log in through repeated use of different passwords could be there for many years before finding the combination. Modern hacking utilities can cycle through thousands of combinations of letters and numbers to guess a password.
To prevent brute force attacks on user accounts, the simplest and most efficient way is to set the limits on login attempts.

Dictionary Attack
A Dictionary Attack is a form of the brute force attack. By capturing an encrypted password file that contains all the login names and their corresponding passwords, an unauthorized user can run special programs that compare the file with a list of common, dictionary-based passwords.
By running a comparison of the of the encrypted password file with the hashed values of the common passwords, many users’ login accounts can be unlocked with the revealed passwords.

Social Engineering
The easiest way to discover someone’s password is to often simply ask her. Social Engineering is defined as using and manipulating human behavior to obtain a required result. A user can frequently be easily led to reveal her password or to provide personal information that might reveal her password.
The only way to protect against security abuses because of social engineering is user education, and emphasizing the need to follow security procedures at all times, even when dealing with someone you know within the company.

Web Security, Part One

Given the state of the development of Web applications, I thought it’d be a good idea to cover some aspects of Web security…

SSL/TLS
Although the data on a server might be secured from unauthorized access, the communications pathways between the server and client systems might not. Secure Sockets Layer (SSL) is a protocol that enables communication between systems not to be encrypted. Many Websites have both secured and unsecured areas. The secured areas might provide access to a financial bank account or a database of personal information. This secured area of the Web usually requires authentication to proceed further. To increase security when switching from the unsecured public part of a Website to a secured area, SSL encryption is invoked. SSL must be supported by both the Web server and the client browser to function.
In SSL communications, a process known as a digital handshake occurs. The handshaking phase begins when the server sends a message to the client indicating a secure session must be set up. The client then sends its security information and encryption key to the server, which compares the credentials to its own to find the right match. Next, the server sends authentication information, so the client knows the Web server they’re communicating with is the correct one. This is important because it’s possible, through redirection or other methods, not to be on the Website where you originally thought you were. If you enter your username and password, you might be entering the information into a bogus Website that collects this information to perform unauthorized activity with your accounts. This handshake confirms not only are you who you say you are, but the site you are contacting is what you think it is.
When this handshaking is complete, the client and server then establish encrypted communications throughout the duration of the session. When the client moves to another session, the encrypted session is closed.
Transport Layer Security (TLS) is the next generation of the SSL protocol. TLS builds on the strong security of SSL with more enhanced encryption and authentication techniques. Unfortunately, TLS and SSL aren’t compatiible because a TLS-secured communication can’t interoperate with an SSL communication.

HTTP/HTTPS
Hypertext Transfer Protocol (HTTP) is the protocol used by the World Wide Web. HTTP runs on the Internet’s networking protocol TCP/IP and forms the communications protocols that allow Web browsers to connect to and retrieve content from Web servers. When a user clicks on a Web hyperlink, it tries to connect with the associated Uniform Resource Locator (URL). The browser sends an HTTP request to the corresponding Web server hosting that URL. The Web server returns the content of the Website to the browser through HTTP. HTTP is a stateless protocol, meaning that, with each communication, the link between the browser and the server is created, and then it’s broken when the communication is finished.
Hypertext Transfer Protocol Secure (HTTPS) is a secure means of communicating HTTP data between a Web browser and Web server. HTTPS protects the communication channel by using SSL to provide encrypted and protected communications. When connecting to a Website that uses a secured channel, the URL begins with HTTPS instead of HTTP, such as https://secure.website.com. This is typically used in banking and online shopping transactions, where the transfer of credit card and personal information must be encrypted to prevent unauthorized user from stealing the information. The ability to perform HTTPS communications is usually built into the Web server software itself and the Web page is simply created in a special directory. When a client connects to the secure site, SSL is activated between the server and the client, if the client supports it. In many Web browsers, a secure site is indicated by a small padlock icon in the application task bar.

Securing an FTP Server

Assigning access control rules for the files and directories on the FTP server will ensure greater safety for your files. This way, only privileged user accounts can access sensitive data on the FTP server, while non-privileged user accounts can access only general files.

The following are some recommendations for securing the FTP system:

Run the FTP servers on a separate bastion host on the DMZ.
Use a proxy system to forward requests to the FTP server.
Use PASV mode for the server and clients.
Discourage the use of anonymouse FTP access.
Assign permission to directories and files to enable access control.
Log all access to files so it is easy to trace users.
Use secureFTP or other similar protocols to secure the data and the command channels. A secureFTP protocols uses SSL to encrypt data and the command channel so it is safe from hackers.
If PASV mode clients are not set, use packet filtering to allow only outgoing connections from ports above 1023. This will disable any incoming requests to open a connection on the internal client.