
October 1993 Computer Audit Update

COVERT LOCAL AREA NETWORK SURVEILLANCE

Ken McLeod

Local Area Networks present a unique challenge to the security professional. Not only does a Local Area Network (LAN) provide an open platform for the exchange of information throughout the organization, but it also multiplies the opportunities for computer fraud and abuse.

This article does not discuss the broad implications of LAN security, or the lack thereof. Discussed herein is the recent development of a class of network tools which allow a creative thief to eavesdrop on the entire LAN environment, safe from detection.

A brief introduction to LAN protocols is necessary in order to acquaint the reader with the background of LAN communications and the development of these surveillance tools.

LANs developed, in some small part, as a result of the glass house mentality and the emergence of a powerful desktop computer. Before LAN technology, the only way to effectively distribute computer resources throughout an organization was to use mainframes or minicomputers. Cultures developed within these glass houses, leading to a trench mentality in far too many companies and businesses. Users were scrambling for more power on the desktop, and the data processing divisions doled out access to information at astoundingly slow rates.

Once the personal computer was developed and delivered in quantity, it became apparent that users needed to share the information now stored on their desks. Although 'sneaker net' (carrying diskettes from desk to desk) was practical, it was limited by the fastest runner in the company. Out of necessity, LAN technology emerged.

At first, LAN connections were cumbersome and slow. They mostly provided for the storage and retrieval of files. As LAN technology developed from the file server through client/server systems, the power of the LAN became awesome. Many LAN operating systems rival the power and complexity of minicomputer systems at significantly reduced cost per user.

Secure practice has yet to become commonplace, even now that LAN technology is widespread. And now that the administration of LAN security is, for the most part, decentralized, hackers are at their best. How is it done?

Two major problems

Two issues emerge with LAN security. The first is the failure of the system administrator to act, which will be touched upon here. The second is the problem of monitoring programs, which present a threat not only to the LAN but to the Wide Area Networks (WANs) attached to these LANs.

For law enforcement practitioners, this second method of covert LAN surveillance presents a unique and almost insurmountable prosecution hurdle.

The first issue is the failure of the LAN administrator. Too often this is a clerk who knows just a little more than the next person and is therefore the one able to invoke the security features of the LAN operating system.

For example, a popular LAN operating system installs without a supervisor password set, which is not an uncommon occurrence. If the new administrator fails to select and use a secure password, LAN security fails. No password, no audit trail, no arrest, no prosecution.

Even more dangerous is the situation when a LAN administrator chooses not to invoke system security. Most of the time this is for reasons such as ease of use and corporate culture.

However, the most dangerous LAN security scenario occurs when the LAN administrator has invoked every form of LAN security (password security, time and terminal restrictions, challenge and response, even biometric devices) and still finds, often by accident, that the LAN is regularly compromised. Too often the administrator believes the LAN to be merely a device-sharing system, rather than what it is: a communications system.

©1993 Elsevier Science Publishers Ltd

Communications schemes

LAN operating systems are generally designed to operate in conformance with a specific set of protocols. These protocols determine who gets to talk with whom, how or what they can say to each other, and most importantly, how they say it. Things such as the speed of the message, the electrical characteristics of the actual hardware parts and cabling, the message length and its addressing, are parts of the protocol.

Recently, many vendors began to develop operating systems which, for the most part, conducted business along the lines of the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model. Beginning computer science students learn the OSI model as if it were the first chapter of the Bible.

The OSI model, consisting of seven well defined layers, allows LAN operating system vendors to develop software programs and hardware devices which work on a multiplicity of platforms. Hence, compliance with the OSI model means enhanced interoperability and, with it, enhanced profits.

Some LAN developers, to further enhance performance, developed protocol suites which are referred to here as subnets. These subnets allow a specific vendor to tailor their product line to enhance performance. Some of these subnet protocols are: IPX/SPX (Internetwork Packet Exchange/Sequenced Packet Exchange), developed by Novell and based upon Xerox Network Systems (XNS); NetBIOS (Network Basic Input/Output System), developed by IBM; LU6.2 or APPC (Advanced Program-to-Program Communication); and others such as DECnet, TCP/IP, and DLC.

Some of these subnet protocols have allowed network vendors to develop a unique set of tools, some of which are, or can be, dangerous from a security standpoint. These tools are the subnet monitoring programs.

A subnet monitoring program is similar in operation to a wiretap. The software usually has two parts, a listening portion and a calling portion.

First, the listening part of the program is loaded on one or more of the LAN PCs, routinely through a start-up batch file or a network login script that works much like a batch file. The listening program stays resident in memory and, if set to silent mode, gives the person operating the PC no indication whatever that the PC is being monitored.

The second part of the monitoring software is the calling program. This part is loaded into PC memory by the person doing the monitoring, referred to here as the monitor.

Once the calling program is loaded, the monitor has the ability to link with any PC on the network, or on the internetwork, which has previously loaded the listening program. Once linked, the user at the listening PC has no way of knowing that the video screen of their PC is being echoed in its entirety to someone else's screen. Most of the monitoring programs also carry keystrokes in both directions, so the monitor sees what the user types and can type into the remote PC, in effect taking control of it.

The monitoring programs are sold as training and security aids, and for those purposes they are effective. A caveat is necessary here. When these programs are advertised as security aids, the intent is to monitor LAN activity for misuse, and for that they work. However, in improper hands, and without the users' full knowledge and acceptance that monitoring can and does take place, these monitoring programs severely degrade or completely eliminate LAN security.
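One check follows directly from the way the listener is installed: since it has to be loaded by something that runs at start-up, an administrator can audit every workstation's start-up batch file and the network login scripts for resident programs that are not on an approved list. The script below is an added example, not code from the original article or from any vendor's product. The AUTOEXEC.BAT and login-script text it parses is constructed sample data; LISTEN.EXE is a hypothetical covert listener; the approved list is an assumed policy (LSL, NE2000, IPXODI and NETX are the ordinary Novell ODI driver and shell components of the period, and CAPTURE is Novell's print redirector). It treats a leading '#' as the NetWare login-script command that runs an external program.

```python
# Added example: audit start-up files for resident programs not on an approved
# list. Sample scripts are constructed; LISTEN.EXE is a hypothetical listener.
import ntpath
from typing import Iterator, List, Tuple

# Constructed sample: a workstation's AUTOEXEC.BAT
AUTOEXEC_BAT = """\
@ECHO OFF
PROMPT $P$G
PATH C:\\DOS;C:\\NET
LH C:\\NET\\LSL
LH C:\\NET\\NE2000
LH C:\\NET\\IPXODI
C:\\NET\\NETX
LOADHIGH C:\\TOOLS\\LISTEN.EXE /S
SET TEMP=C:\\TEMP
"""

# Constructed sample: a NetWare-style login script. A leading '#' runs an
# external program on the workstation once the user has logged in.
LOGIN_SCRIPT = """\
MAP F:=SYS:PUBLIC
MAP G:=SYS:USERS\\%LOGIN_NAME
#CAPTURE Q=LASER NB NFF
#C:\\TOOLS\\LISTEN /S
WRITE "Good %GREETING_TIME, %LOGIN_NAME"
"""

# Assumed policy: the resident programs an administrator expects to find.
APPROVED = {"LSL", "NE2000", "IPXODI", "NETX", "CAPTURE", "MOUSE", "SMARTDRV", "SHARE"}

# Words that begin a line without loading a program (batch and login-script built-ins).
BUILTINS = {"ECHO", "PROMPT", "PATH", "SET", "REM", "CLS", "PAUSE", "CD", "VER",
            "IF", "GOTO", "MAP", "WRITE", "DISPLAY", "EXIT"}
# Prefixes that load something else: strip them and look at what follows.
LOADERS = {"LH", "LOADHIGH", "CALL"}

Finding = Tuple[int, str, str]          # (line number, program name, arguments)


def program_name(token: str) -> str:
    """C:\\TOOLS\\LISTEN.EXE -> LISTEN (drive, path and extension dropped)."""
    return ntpath.splitext(ntpath.basename(token))[0].upper()


def invoked_programs(script: str) -> Iterator[Finding]:
    """Yield every line that starts an external program, as (line, program, args)."""
    for number, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.upper().startswith(("REM ", "::", ";")):
            continue
        if line.startswith("#"):          # login-script external command
            line = line[1:].lstrip()
        elif line.startswith("@"):        # batch-file echo suppression
            line = line[1:].lstrip()
        tokens = line.split()
        while tokens and tokens[0].upper() in LOADERS:
            tokens = tokens[1:]
        if not tokens or tokens[0].upper() in BUILTINS:
            continue
        yield number, program_name(tokens[0]), " ".join(tokens[1:])


def audit(script: str, approved=APPROVED) -> List[Finding]:
    """Return invocations of programs that are not on the approved list."""
    return [f for f in invoked_programs(script) if f[1] not in approved]


if __name__ == "__main__":
    for name, text in (("AUTOEXEC.BAT", AUTOEXEC_BAT), ("login script", LOGIN_SCRIPT)):
        for number, program, args in audit(text):
            print(f"{name} line {number}: unapproved program {program} {args}".rstrip())
```

Run it over the start-up files collected from every workstation and over the system, profile and user login scripts; anything it reports is either an omission in the approved list or a program nobody authorized. It will not see a listener started some other way (a DEVICE= line in CONFIG.SYS, or one the user launches by hand), so it is a first pass, not proof of a clean PC.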

It's this simple!

This is an example of how a monitoring program is misused and how these programs can defeat or degrade LAN or WAN security.

User Ken is sitting at his PC, which is attached to the LAN, but Ken has yet to log into the network. However, when Ken switched on his PC, the batch file which loads his PC programs also loaded the network drivers for his network interface card and installed the listener covertly into memory. Monitor Bob, sitting in his office and knowing that Ken has mainframe access, telephones Ken and asks him to come to his office, a five minute walk.

Ken, knowing that he has not logged into the network, leaves his office thinking his PC is secure from access. Bob uses the calling program to link to the listener on Ken's PC, which is reachable because the network drivers are already active, and once attached, logs into the LAN from Ken's PC under his own account.

Bob then uses his own LAN privileges to move all the data from the hard drive of Ken's PC to a secure area of the LAN controlled by Bob. Ken never knows what hit him.

Ken may have had sensitive downloaded company records on the disk, personal data such as correspondence, or maybe, a game he downloaded from a local bulletin board system which has now infected the company LAN with a previously dormant virus.
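The listener-and-caller arrangement described under 'Communications schemes', and the Ken and Bob scenario just given, reduced to a toy model as an added example (not code from the original article or from any real monitoring product). The class and command names (FileServer, Workstation, Listener, LOGIN, COPY, the SYS: volume) and the sample accounts and files are invented for illustration. What the model makes concrete is that the listener checks nothing: it accepts a caller whether or not anyone has logged into the LAN from that PC, the PC cannot tell injected keystrokes from local ones, and in silent mode the user's screen carries no trace.

```python
# Added example: toy model of a two-part LAN monitor (listener + caller).
# All names, accounts and files are constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FileServer:
    """Minimal LAN file server: a password table and one directory per user."""
    accounts: Dict[str, str]                               # user -> password
    volumes: Dict[str, Dict[str, bytes]] = field(default_factory=dict)

    def login(self, user: str, password: str) -> bool:
        if self.accounts.get(user) != password:
            return False
        self.volumes.setdefault(f"SYS:{user}", {})        # the user's own area
        return True


@dataclass
class Workstation:
    """A DOS PC with the network shell loaded. lan_user stays None until
    someone logs in from this keyboard (or from whatever is feeding it keys)."""
    name: str
    local_disk: Dict[str, bytes]
    server: FileServer
    lan_user: Optional[str] = None
    screen: List[str] = field(default_factory=list)

    def keystroke(self, line: str) -> str:
        """Execute one command line as if typed at the keyboard. The PC cannot
        tell local keys from keys a remote caller injects; that is the problem."""
        verb, *args = line.split()
        if verb == "LOGIN" and len(args) == 2:
            user, password = args
            if self.server.login(user, password):
                self.lan_user = user
                out = f"Logged in as {user}"
            else:
                out = "Access denied"
        elif verb == "COPY" and len(args) == 2:
            _source, dest = args                           # e.g. COPY C:\*.* SYS:BOB
            if self.lan_user is None:
                out = "Not logged in"
            elif dest != f"SYS:{self.lan_user}":           # server enforces the login's rights only
                out = "Insufficient rights"
            else:
                self.server.volumes[dest].update(self.local_disk)
                out = f"{len(self.local_disk)} file(s) copied"
        else:
            out = "Bad command or file name"
        self.screen += [f"{self.name}> {line}", out]
        return out


class Listener:
    """Resident half of the monitor, loaded by the workstation's start-up
    batch file. Nothing here asks for a LAN login, a password, or the consent
    of the person at the PC; in silent mode it shows them nothing at all."""
    def __init__(self, ws: Workstation, silent: bool = True):
        self.ws, self.silent = ws, silent

    def attach(self, caller: str) -> Session:
        if not self.silent:
            self.ws.screen.append(f"*** {caller} is viewing this PC ***")
        return Session(self.ws)


class Session:
    """Caller's half: sees the remote screen and feeds it keystrokes."""
    def __init__(self, ws: Workstation):
        self.ws = ws

    def send(self, line: str) -> str:
        return self.ws.keystroke(line)

    def view(self) -> List[str]:
        return list(self.ws.screen)


def run_scenario(silent: bool = True) -> dict:
    """Ken's PC is switched on with the listener resident but Ken has not
    logged in. Bob attaches, logs in as himself from Ken's PC, and copies
    Ken's local disk to his own server area."""
    server = FileServer(accounts={"KEN": "k-pass", "BOB": "b-pass"})   # constructed
    ken_pc = Workstation("KEN_PC", {"PAYROLL.WK1": b"...", "MEMO.TXT": b"..."}, server)
    listener = Listener(ken_pc, silent=silent)
    user_at_attach = ken_pc.lan_user                       # None: nobody has logged in
    session = listener.attach("BOB")
    session.send("LOGIN BOB b-pass")
    session.send("COPY C:\\*.* SYS:BOB")
    return {
        "user_at_attach": user_at_attach,
        "bob_area": sorted(server.volumes["SYS:BOB"]),
        "ken_area_exists": "SYS:KEN" in server.volumes,
        "notice_shown": any("viewing this PC" in s for s in session.view()),
    }
```

Note where the LAN's own controls do hold in the model: Bob still needs a valid account, and the server only lets him write to his own area. What they never see is that the keystrokes came from another PC, or that the local disk being copied belongs to someone who never logged in. Setting silent to False is the only thing in the model that gives the user any notice, which is why the article insists on user knowledge and acceptance.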

In summary

Hard to believe, you say? It's true! This example and others like it abound in the LAN and WAN world. The development of LAN subnet monitoring programs has allowed unauthorized LAN access to grow at an astounding rate.

Absent sophisticated LAN investigators equipped with very expensive LAN monitoring equipment, this abuse goes undetected, and people who decide to use and abuse subnet monitoring programs are the wave of the future.

Next time you use your LAN workstations, who is spying on you?

Ken McLeod is a consulting systems engineer with Infinisys Inc., Phoenix, Arizona, USA.

MONITORING AND REVIEW OF CONTROL SYSTEMS

Stephen Hinde

For computer security policies to be effective, all employees who come in contact with computers must work together to ensure that they are adequately protected and that the prescribed controls are followed. By monitoring adherence to these controls, the organization measures compliance with these policies to keep management informed of the risks associated with computer use.

Compliance with the computer security policy results in:

• proper identification and classification of information assets;

• consistency and continuity of control: controls must be applied not only during the creation and storage of information, but also during its use and destruction;

• effective prevention, timely detection, and timely reporting of information security exposures and incidents;

• timely, effective responses to reports of security exposures and incidents;

• sufficient audit trails for monitoring and investigation, and evidence of management supervision of these audit trails.

Continuous monitoring of specific information assets

Information asset owners are responsible for continually monitoring compliance with the controls they specify and the effectiveness of those controls. Regularly produced reports and daily operating procedures are two of the most
