(eBook) - Hack - BlackICE Guide to Computer Security


  • 8/8/2019 (eBook) - Hack - BlackICE Guide to Computer Security

    1/40

BLACKICE GUIDE TO COMPUTER SECURITY


COPYRIGHT

    BlackICE Guide to Computer Security, Version 2.5

    Copyright 2001, Network ICE Corporation

    All Rights Reserved

    Authors: Susanna Breiling, Andrew Plato, Kimi Winters

The use and copying of this product is subject to a license agreement. Any other use is strictly prohibited. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language, in any form, by any means without the prior written consent of Network ICE Corporation. Information in this document is subject to change without notice and does not constitute any commitment on the part of Network ICE Corporation.

Network ICE Corporation may have patents or pending patent applications, trademarks, copyrights, and other intellectual property rights covering the subject matter of this document. Furnishing of this document does not in any way grant you license to these patents, trademarks, copyrights, or any other intellectual property of the Network ICE Corporation.

BlackICE, ICEcap, ICEpac, InstallPac, Network ICE, and the Network ICE logo are all trademarks of the Network ICE Corporation.

Windows and Microsoft are registered trademarks, and Windows NT, Windows 2000, Windows 95, Windows 98, Windows Me, and Internet Explorer are all trademarks of the Microsoft Corporation.

Netscape is a trademark of Netscape Communications Corporation.

Conventions Used in this Manual

Bold: The names of screen objects, such as menu choices, field names, and items in lists.

Italics: Used for emphasis or to highlight an important word or concept.

Monospaced: Pathnames, filenames, and code are shown in monospaced font.

Monospaced Bold: Values you must type in are shown in monospaced, bold font.

Monospaced Italics: Variables, such as a server name, are shown in monospaced, italic font. These are usually enclosed in angled brackets as well.

[Inside Brackets]: Keyboard keys, such as [ENTER] or [Page Up], are shown inside brackets.

NOTE: Notes include important information about the operation or use of the product.

WARNING: Warnings contain critical information that may cause harm to your computer or the proper operation of the product.

TIP: Helpful information about optimizing or using the software.


TABLE OF CONTENTS

SECTION 1: INTRODUCTION ........ 1
  The Hacker Threat ........ 2
    How Hackers Exploit the Internet ........ 2
    Who Are Hackers? ........ 2
    Home Computers: The New Target for Hackers ........ 3
    The Proliferation of Always-On Connections ........ 3
    It Will Not Happen To Me ........ 3
  Introduction to Computer Networking ........ 4
    Connecting to the Internet ........ 4
    Computer Addresses ........ 5
    Packet Switching ........ 5
    Protocols ........ 7
    Ports ........ 7
  Hacker Attacks ........ 9
  Intrusion Defense ........ 11
    Detection ........ 11
    Monitoring ........ 12
    Protection ........ 12

SECTION 2: HANDLING INTRUSIONS ........ 13
  How to Respond to an Attack ........ 13
    Step One: Determine the Severity ........ 13
    Step Two: Respond ........ 14
  Reporting Hackers ........ 16
    How to Report a Hacker ........ 16
  Retaliation Hacking ........ 17

SECTION 3: COMPUTER SECURITY ........ 18
  Good Security Practices ........ 18
  Computer Hardening ........ 19
    Install the Latest Security Patches and Service Packs ........ 20
    Harden Passwords ........ 20
    Use the NTFS Hard Drive Partition Format ........ 21
    Do Not Multi-Boot ........ 21
    Secure All Shares with Passwords ........ 21
    Disable All Unnecessary Accounts ........ 21
    Explicitly Select Users with Network Access ........ 22
    Disable Telnet ........ 22
    Do Not Install a Web Server ........ 23
    Disable NetBIOS (WINS) ........ 23
    Secure the Registry ........ 24
    Never Cache Passwords ........ 25
    Disable Userdata Persistence ........ 25
  Protecting Home/Office Networks ........ 26
    Solution One: Install NetBEUI Protocol ........ 26
    Solution Two: Install a Hardware Router ........ 26
    Solution Three: Build a Dual-Interface Proxy Server ........ 27


APPENDIX A: FOR MORE HELP ........ 28
  Need More advICE? ........ 28
  Product Documentation ........ 29
  Technical Support ........ 29

APPENDIX B: GLOSSARY ........ 30


    INTRODUCTION

With high-speed Internet access becoming a standard feature for many home and office computers, there is a growing need for smarter, faster computer security. Hackers are now targeting home and small business users because these systems are rarely well defended.

This guide is intended for BlackICE users who want to know more about computer security and hacking in general. This guide is ideal if you are new to computers and/or the Internet.

For more information about using BlackICE products, refer to the following related documents:

BlackICE Defender User's Guide: Describes how to use and configure BlackICE Defender.

BlackICE Advanced User's Guide: Intended for advanced users who wish to customize BlackICE.

Intrusions Reference Guide: Detailed information about all the intrusions BlackICE can detect and block, including information about stopping attacks.

These documents are available free of charge on the Network ICE web site at http://www.networkice.com/support/documentation.html .


THE HACKER THREAT

In September 2000, a large financial services company had its computer systems hacked. Credit card numbers for over 20,000 people were stolen.[1] A similar event happened in 1999, when hackers hijacked nearly 500,000 credit card numbers and stored them on United States government computers.[2]

In 1997 a hacker broke into the NASA network and gained access to the space shuttle control computers. The hacker overloaded some computers, causing brief communication outages while the shuttle Atlantis docked with the damaged Mir space station. Fortunately, NASA was able to switch over to an alternate system and finished the mission successfully. However, the intrusion put the space shuttle at risk and prompted numerous changes in security protocols at NASA.[3]

If hackers can get into NASA and global financial firms, what is stopping them from getting your credit card number off your home computer?

How Hackers Exploit the Internet

The Internet is a decentralized collection of computers implementing well-known technology standards. The decentralized nature of the Internet ensures that no single body, corporation, or government can control it. However, it also means that the technical details of how the Internet works are freely available to all, including hackers.

Hackers exploit this freedom. They use their knowledge of networking and computers to break into systems. While most hackers are computer hobbyists looking for a complex intellectual challenge, some hackers are dedicated criminals and pose a very real threat to the Internet.

Who Are Hackers?

There are a lot of myths surrounding hackers. Hollywood and popular culture often portray hackers as intelligent outsiders like Neo in the movie The Matrix. In reality, most hackers are not brilliant computer experts, but inexperienced hobbyists using popular hacking tools they barely understand.

Nevertheless, those hobbyists can still do serious damage. Some of the most prevalent attacks on the Internet today, Denial of Service (DoS) attacks, are the result of simple tools in the hands of inexperienced high-school students. These attacks have knocked out telephone systems and web sites for large companies such as AT&T and Nike, costing unknown millions in lost revenue and in labor to stop the attacks.

Regardless of who hacks, the danger is real and growing, and not just for big corporations.

[1] Associated Press, September 11, 2000, www.associatedpress.com.
[2] Brunker, Mike, MSNBC, March 17, 2000, www.msnbc.com.
[3] Associated Press, July 4, 2000, www.associatedpress.com.


Home Computers: The New Target for Hackers

In the past, hackers were not much of a threat to home users. Internet connections were slow, and the information on most home computers was not worth hacking.

Today, the average home computer is a virtual gold mine of information. Everything from passwords to financial records offers hackers all sorts of ways to cause trouble. While encryption technologies have made most on-line transactions very safe, they are never 100% safe. Hackers who break into your computer can steal encrypted files and then use freely available cracking tools to guess the password protecting them, which succeeds whenever that password is short or common. They can also simply read anything you stored unencrypted, or capture data before it is encrypted.

Some hackers also enjoy using their skills to exact revenge. The anonymity of the Internet often makes people behave differently. An innocuous message posted to a public forum might incite the ire of hackers who single you out as their next victim.

The Proliferation of Always-On Connections

One of the prime reasons home computers are becoming targets is the proliferation of always-on connections such as cable modems or DSL lines. Whenever your computer is turned on, these connections are live on the Internet. While you are sleeping, at work, or at the grocery store, hackers could be probing your Internet connection looking for weaknesses.

Hackers need time to do their work. Hacking can be a very slow and methodical process of locating, testing, and then exploiting vulnerabilities on a computer. The more time a computer is connected to the Internet, the greater the chance that a hacker will locate your computer and have time to hack it.

It Will Not Happen To Me

Just innocent web surfing and sending e-mail cannot be dangerous, right?

Most hackers use automated scans that can examine millions of computers in hours. From these scans they get a "hit list" of computers with weak security or easily exploited vulnerabilities. While you sleep or are at work, a hacker located anywhere in the world can be breaking into your computer. Without any warning, your personal files can be ripped off, and a backdoor or virus planted on your computer. At the hacker's discretion he can wipe out your hard drive or use your accounts to cause serious trouble.

Ever had your computer crash while on-line? Ever wonder why a program or access to your e-mail suddenly stops working? Sometimes it is not faulty software but hackers purposefully causing these problems.

If you use chat rooms or play on-line games you are especially vulnerable to attacks, because those services reveal your IP address to the other participants. Also, hackers enjoy targeting inexperienced computer users.

Along with all the great services and information on the Internet, there are also a lot of mischievous people who want nothing more than to cause problems.


INTRODUCTION TO COMPUTER NETWORKING

To truly understand how to stop hackers, it is important to know how computers communicate with each other. Computer networking is not a new technology. Engineers were networking computers together as early as the 1950s. However, hacking did not become a significant problem until computers became freely accessible over national and global networks.

This section describes how modern computer systems are networked together. It is ideal for readers who are new to the Internet and network security.

Connecting to the Internet

The first part of networking is the connection. There are basically three ways to connect a computer to the Internet.

• Dial-up modem: This is the most common way to connect. A modem uses a regular telephone line to dial up your Internet Service Provider (ISP). The ISP authenticates your logon and connects you to the Internet. Modems have one significant security benefit over other connections: they are only connected while in use, which greatly reduces the time the computer is exposed to the Internet. However, because modem communications travel over telephone lines designed for analog voice, they are significantly slower than broadband connections. Some DSL connections require dialing up to a server, but their speed and persistent connection really place them in the second category.

• Broadband: This category includes cable, DSL, ISDN, wireless, and satellite connections. While there are technical differences between these types, they share one common feature: persistent connections. Broadband connections are always on to the Internet while the connection device has power. Although some DSL and ISDN connections do require dialing up, users typically leave these connections open indefinitely, since the links do not automatically disconnect.

• Corporate network: This category includes all computers that use a Network Interface Card (NIC) connected to a corporate network to access the Internet. Many corporations do not connect each computer individually to the Internet. Instead, they install networking devices such as routers and switches to connect all the computers on the corporate network to the Internet. Properly designed corporate networks also use firewalls to protect the internal network from hackers.

Whether your computer uses a dial-up modem or a high-speed cable modem, every networked system runs a real risk of being attacked. While connected, your computer becomes a part of the Internet and, as such, can be attacked from other computers.


Computer Addresses

Once connected, a computer must have an address so other computers can locate it on the Internet. Just like a house or apartment has an address, computers on a network must also identify themselves. Most computers use a combination of the following address types:

• IP Address: An IP address is the basic street address for a computer. An IPv4 address is four numbers from 0 to 255 separated by dots, such as 192.168.10.15. Most Internet Service Providers (ISPs) assign an address to your computer when you log on to the Internet. Other computers locate your computer by using that address. Unfortunately, the source address in a packet is just a field that the sender fills in, so hackers can forge IP addresses (called spoofing) and make the hacker's transmissions appear to originate from your computer.

• DNS Address: The Domain Name System (DNS) is an address translation system that forms the basis of many Internet sites. Rather than using strings of numbers, DNS allows computers to locate each other with familiar names, in the name.domain.com format. For example, to reach the Network ICE web site you only need to remember www.networkice.com; DNS translates that name into the IP address of the Network ICE web server. DNS is a distributed database: your ISP's name servers ask the servers responsible for each domain and cache the answers, so they normally hold the correct IP address for a name.

• NetBIOS Address: NetBIOS allows Windows networks to identify computers by single words. For example, a computer on the network could be named MYCOMPUTER, and other users would see this name in Network Neighborhood. NetBIOS names are meant for the local network, but NetBIOS over TCP/IP (ports 137 through 139) answers anyone who can reach those ports, so an unfiltered Internet connection exposes your computer's name and shares to hackers. See "Disable NetBIOS (WINS)" in Section 3.

• MAC Address: These addresses are specific and unique to each network hardware device. Network cards, modems, routers, even network printers have MAC addresses. MAC addresses help network administrators inventory systems, and they can help identify which computer on a local network was used in an attack. However, a MAC address only travels as far as the local network segment (routers replace it at every hop) and can be changed in software, so it cannot be used to track a hacker across the Internet.

Packet Switching

The basis for most network and Internet communications is packet switching. Your computer communicates with other computers on the Internet by using a stream of packets. All communication is broken up into digital packages that are sent out, one at a time, through the network connection.

Each packet contains a small fragment of the data you are sending, together with a header that carries the source and destination addresses. The computer on the other end puts all the fragments back together.


Figure 1: Packets example.

For example, say you send a digital photo of your new car to a friend. Before sending the picture, your computer breaks the image file into hundreds or thousands of fragments (a packet typically carries no more than about 1,500 bytes). Those fragments are packaged into packets. The packets are transmitted to your friend's computer, which extracts the data fragments from the packets and reassembles the image.

When your computer transmits packets, it sends them to a router (usually at your ISP). Routers are the digital equivalent of postal carriers. They look at the address on each packet and forward it toward the correct place.

Figure 2: Routers on the Internet direct packets to the correct computer(s).

For example, the picture of your car first went to a router at your ISP. Your ISP's router forwarded it to another router, which forwarded the packets to another, and possibly another. A transmission commonly hops through a dozen or more routers before it reaches its final destination.


Routers handle enormous quantities of packets and can sometimes get congested. Each router keeps a table of which neighbor leads toward which addresses, and a router that does not know exactly where a packet belongs forwards it to a default router that does. If a link is congested or down, routers update their tables and send traffic along another path. This is why transmissions hop through many routers.

Since each packet is individually addressed, different packets in the same transmission can travel through different routers. The receiving computer reassembles the data regardless of the paths the packets took. Theoretically, your packets could bounce all over the country just to get to your friend next door.

The concept of packets and packet switching is important because hackers can capture, forge, and manipulate packets to carry out certain kinds of attacks.

Protocols

When computers transmit information, they have to encode it in a language that other computers understand. These agreed-on formats are called protocols. IP carries every packet across the Internet; on top of IP, two main transport protocols are used: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

• TCP is used for everything from accessing web sites to sending e-mail. TCP communications form connections with remote computers: the two sides agree to talk (the "handshake"), number every byte, acknowledge what arrives, and resend anything lost, so the data arrives complete and in order. For example, when you want to download your e-mail, your computer opens a TCP connection with your mail server and downloads the mail.

• UDP carries the same kind of addressing (a source and destination port) but makes no connection and offers no acknowledgments, retransmission, or ordering; a lost UDP packet is simply gone. Because there is no connection setup and no waiting for acknowledgments, UDP has less overhead, which suits interactive, streaming, and other time-sensitive traffic. For example, if you play a multi-player Internet game such as Quake, your computer sends and receives UDP packets to coordinate your on-screen movements with those of other players. The lack of a connection also matters for security: a single forged UDP packet can be delivered with a spoofed source address, whereas spoofing a TCP connection is much harder because the handshake has to complete.

However, protocols are only half the picture. When computers send and receive information they also open and close special connection points, or ports, as described in the next section.
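To make the Packet Switching and Protocols descriptions concrete, here is an added example (not from the guide or from Network ICE) that builds and parses the IPv4 header and the UDP and TCP headers those sections describe. The sample packets are constructed inside the code, and the helpers assume a plain 20-byte IPv4 header with no options, which is an assumption of the example, not a property of IP. It shows three things a practitioner should take from those sections: the source address is just a field the sender fills in, so spoof_source() rewrites it and the packet still checks out; the length fields in a header must be checked against the bytes actually received, which is exactly the inconsistency a corrupt-packet attack relies on; and the port numbers the next section describes live in the transport header, not the IP header.

```python
import socket
import struct
from dataclasses import dataclass

PROTO_TCP, PROTO_UDP = 6, 17
# version/IHL, TOS, total length, ID, flags+fragment offset, TTL, protocol, checksum, src, dst
IP_HDR = "!BBHHHBBH4s4s"


class MalformedPacket(ValueError):
    """A header field contradicts the bytes actually present (what a corrupt-packet attack relies on)."""


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ttl: int
    sport: int
    dport: int
    payload: bytes


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; the caller passes the header with its checksum field zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed packet: a 20-byte IPv4 header with no options (example assumption) plus a payload."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    # A zero UDP checksum means "not computed", which IPv4 permits.
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_tcp(sport: int, dport: int, data: bytes) -> bytes:
    # 20-byte header: data offset 5 words; seq/ack/flags/window/checksum/urgent left zero for the demo.
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, 5 << 12, 0, 0, 0) + data


def spoof_source(raw: bytes, new_src: str) -> bytes:
    """Rewrite the source address and repair the checksum: nothing in the header proves who sent it."""
    hdr = raw[:10] + b"\x00\x00" + socket.inet_aton(new_src) + raw[16:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + raw[20:]


def parse(raw: bytes) -> Packet:
    """Decode IPv4 + UDP/TCP, rejecting the length and checksum inconsistencies a corrupt packet carries."""
    if len(raw) < 20:
        raise MalformedPacket("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, csum, src, dst = struct.unpack(IP_HDR, raw[:20])
    if ver_ihl >> 4 != 4:
        raise MalformedPacket("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(raw):
        raise MalformedPacket("header length field out of range")
    if total_len < ihl or total_len > len(raw):
        raise MalformedPacket("total length field disagrees with the data present")
    hdr = raw[:ihl]
    if ipv4_checksum(hdr[:10] + b"\x00\x00" + hdr[12:]) != csum:
        raise MalformedPacket("IPv4 header checksum mismatch")
    body = raw[ihl:total_len]
    src_s, dst_s = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    if proto == PROTO_UDP:
        if len(body) < 8:
            raise MalformedPacket("truncated UDP header")
        sport, dport, ulen, _ = struct.unpack("!HHHH", body[:8])
        if ulen < 8 or ulen > len(body):
            raise MalformedPacket("UDP length field disagrees with the data present")
        return Packet(src_s, dst_s, "UDP", ttl, sport, dport, body[8:ulen])
    if proto == PROTO_TCP:
        if len(body) < 20:
            raise MalformedPacket("truncated TCP header")
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", body[:14])
        doff = (off_flags >> 12) * 4
        if doff < 20 or doff > len(body):
            raise MalformedPacket("TCP data offset out of range")
        return Packet(src_s, dst_s, "TCP", ttl, sport, dport, body[doff:])
    raise MalformedPacket("unsupported transport protocol %d" % proto)


if __name__ == "__main__":
    pkt = build_ipv4("192.168.10.15", "192.168.10.1", PROTO_UDP, build_udp(40000, 53, b"constructed query"))
    print(parse(pkt))
    print(parse(spoof_source(pkt, "10.9.8.7")))      # same payload, forged "sender"
    try:
        parse(pkt[:2] + b"\x00\x04" + pkt[4:])       # total length claims 4 bytes: a corrupt packet
    except MalformedPacket as exc:
        print("rejected:", exc)
```

The checks in parse() are the ones an operating system's network stack must perform before trusting any header field; the corrupt-packet attacks described later in this section are, at bottom, packets that one of these checks would have caught.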

Ports

When computer applications talk to the Internet, they open and close numbered communication channels, or ports. For example, web servers normally serve web pages on TCP port 80. When you access a web server, your computer makes a request to TCP port 80 on the remote server. If the server is listening on that port, it responds to your request and sends the web pages back to your computer.

Ports allow network communications to be categorized and kept separate. Applications such as web servers, chat programs, and computer games use specific ports so that their communications do not interfere with other applications. There are 65,536 TCP ports and 65,536 UDP ports (numbered 0 to 65535), and TCP port 80 is unrelated to UDP port 80.

When computers communicate, they do not just pick ports at random. The Internet Assigned Numbers Authority (IANA) has assigned and managed which ports are used for which services for decades. In general, ports are broken down into three categories: system (well-known), application (registered), and private (dynamic).

• System ports comprise all TCP and UDP ports from 0 to 1023. These ports are assigned to specific services; for example, port 110 is assigned to POP3 e-mail. Note that the assignment is a convention, not a guarantee: any program can be made to listen on port 110 (Trojans in particular borrow well-known ports to blend in), and a service can be run on a non-standard port, so the port number alone does not prove what is answering. Some of the most common system ports are listed below.


Common System Ports

Port       Description
21         FTP, File Transfer Protocol (control connection)
23         Telnet
25         SMTP, Simple Mail Transfer Protocol
37         Time, for time servers
53         DNS, Domain Name System
67-68      BOOTP/DHCP, for configuring and booting systems over a network
80         HTTP, World Wide Web
82         XFER, a file-transfer utility (rarely used)
110        POP3, e-mail servers
118        SQL Services (note: Microsoft SQL Server uses port 1433)
119        NNTP, Internet news servers
137-139    NetBIOS name, datagram, and session services (Windows file and printer sharing)
161-162    SNMP, Simple Network Management Protocol
194        IRC, Internet Relay Chat (most IRC servers actually use 6667)
389        LDAP, Lightweight Directory Access Protocol
443        HTTPS, HTTP over SSL/TLS

• Application ports comprise all TCP and UDP ports from 1024 to 49151. Vendors register these ports with IANA for use by particular network applications. For example, the Yahoo! Messenger program uses TCP port 5050. Many applications that are not considered vital system services use ports in this range, and many others simply use a port here without registering it.

• Private ports comprise all ports from 49152 to 65535. These ports are reserved for private or dynamic use and are unregistered and freely available to any application. Your own computer also draws from this range (or, on older Windows versions, from 1024 upward) for the temporary source port it uses when it connects out to a server.


HACKER ATTACKS

Hackers have a wide variety of attacks they can carry out. However, these attacks can be grouped into seven kinds. This section summarizes the kinds of attacks hackers most commonly attempt.

Automated Scans

Description: Automated scans search for open ports or resource shares on your computer.

Method: These scans blindly sweep large areas of a network or the Internet looking for computers that respond. When a computer is located, another automated scanner examines the target system for open communication ports that the hacker can exploit.

Danger: By itself, a port or resource scan is not very dangerous. Most hackers never follow up on such scans. However, if a hacker is searching for a vulnerable system, port and resource scans are almost always a prelude to something more severe.
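The probe that an automated scan repeats is a plain TCP connect() to each port, and what it learns is whether the port is open, closed, or filtered, plus whatever banner the service volunteers. The following added example (not part of the guide or of any Network ICE product) runs that probe against a throwaway service it starts itself on 127.0.0.1 so that it can be tried offline; the banner text is constructed for the example and the 0.5-second timeout is an arbitrary choice. It also illustrates the caveat from the Ports section that a port number does not identify a service: the listener sits on whatever port the operating system hands out, and only its banner says what it is. Run probes like this only against machines you own or are authorized to test.

```python
import socket
import threading


def start_listener(banner: bytes):
    """Start a throwaway TCP service on 127.0.0.1 that greets every client with `banner`.
    Returns (port, server_socket); close the socket to stop the service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick any free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                  # server socket was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv


def free_closed_port() -> int:
    """Pick a port on which nothing is listening, so the scan has a 'closed' result to show."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = 0.5):
    """One connect() probe, the primitive a scanner repeats across ports and hosts.
    Returns (state, banner) with state 'open', 'closed' or 'filtered'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", b""            # a RST came back: the host is up, nothing listens here
    except (socket.timeout, OSError):
        s.close()
        return "filtered", b""          # no answer at all: a firewall dropped the probe, or the host is down
    try:
        banner = s.recv(128)            # what the service says first identifies it; the port number does not
    except socket.timeout:
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host: str, ports) -> dict:
    """Probe each port in turn; real scanners do this in parallel across whole address ranges."""
    return {port: probe(host, port) for port in ports}


if __name__ == "__main__":
    port, srv = start_listener(b"220 constructed-banner mail service ready\r\n")
    for p, (state, banner) in scan("127.0.0.1", [port, free_closed_port()]).items():
        print("port %5d: %-8s %s" % (p, state, banner.strip().decode(errors="replace")))
    srv.close()
```

From the defender's side the same three states are what a port scan of your own machine should show: every port either "closed" or "filtered", and "open" only for services you know you are running. A firewall that drops probes silently produces "filtered", which tells the scanner nothing about whether a host is there at all.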

Trojan Horse Attacks

Description: Like the fabled gift to the residents of Troy, a Trojan Horse is a program that appears to do one thing while hiding something much more sinister within it. Trojans are dangerous applications planted on your computer that open up vulnerabilities on your system.

Method: A hacker plants an agent, or Trojan Horse, on your computer. Trojans are planted in a number of ways. One common method is to send the victim an executable (.exe) file that appears innocuous. While the victim enjoys a movie, cartoon, or other distraction, the program installs a Trojan on the computer.

The Trojan either listens on a communication port for the hacker's commands, or surreptitiously sends information about your system to the hacker's computer. The hacker then exploits your computer using the access or the information the Trojan provides.

The most common hacking agents are Back Orifice and SubSeven. These agents, if properly planted, leave a computer completely exposed to hackers.

Danger: Trojan Horse attacks are the most common and dangerous attacks because they provide hackers a back door into your computer. There are two ways to stop these attacks: First, block any communications between the Trojan agent and the hacker, which BlackICE can do. Second, remove the agent application, which most virus scanning utilities can do.


Corrupt Packet Attacks

Description: A hacker sends malformed packets to your computer that cause the system to slow down or crash.

Method: There are numerous ways hackers can forge packets with incorrect addresses, lengths, fragment offsets, or flags that the receiving system's network code does not expect. Some of these merely slow the system down briefly. Others can cause a system to crash or become seriously unstable.

Danger: Most current operating systems have fixes for the known corrupt packet attacks, which is one more reason to keep them patched. BlackICE can also block such packets before they reach the operating system.

Password Grinding

Description: A hacker uses an automated password-guessing program to grind away at a password until it is guessed.

Method: There are numerous freely available tools on the Internet that a hacker can use to crack passwords. Since most operating systems lock out users who enter the wrong password too many times, most hackers steal the password file (which holds passwords in hashed, or scrambled, form) and grind against it off-line, where no lockout applies. A modern computer can try millions of guesses per second, so a short password, a dictionary word, or a word with a digit tacked on falls in seconds to minutes. A long password of random characters is beyond such tools: every added character multiplies the work.

Danger: Password grinding can be very dangerous. Once a hacker has your passwords, he can literally do whatever he wants. It is a good idea to change your passwords frequently and use secure passwords. See "Harden Passwords" on page 20 for more information.

    Denial of Service (DoS) Attacks

    Description: A hacker overloads a network connection with billions of packets.

    Method: DoS attacks are crude, but effective. Quite simply, a hacker with a very fast Internet connection bombards another system with packets until the other system collapses. DoS attacks are commonplace for large web sites.

    Danger: DoS attacks are hard to stop once they get going. Fortunately, most intrusion defense systems, like BlackICE, can stop them from overloading an Internet connection.

    Known Vulnerability Attacks

    Description: A hacker exploits a known weakness in an operating system or Internet-enabled application.

    Method: Computer operating systems are very complex. As such, there are always some holes in the system that hackers can figure out. Once a hole is discovered, the information spreads rapidly via hacker web sites to other hackers.

    Danger: Some system vulnerabilities are very serious and can completely expose your system to attacks. Updating the operating system with the latest service packs and security patches stops these attacks.


    Social Intrusions

    Description: A hacker poses as a system administrator or other authority figure and attempts to coerce you to reveal confidential information.

    Method: Social intrusions are by far one of the most common ways to get into systems. They are also the easiest to stop.

    The scam is pretty simple. A hacker telephones or sends an e-mail posing as a police officer, network administrator, or other person of authority. Usually they say there is some problem and they need your password to update their files. An unsuspecting user may willingly give out the information, assuming the person is trustworthy. The hacker then uses the legitimate password to get into the system.

    In a 1999 study, a security consulting firm reported that over 80% of the computer users they contacted willingly revealed confidential information about themselves or their computer to a person posing as a system administrator. In many cases, the consultants merely asked for it, without showing any credentials or explaining the situation.

    Danger: Social intrusions are extremely dangerous because nothing can stop a hacker armed with legitimate information.

    INTRUSION DEFENSE

    The task of stopping hackers falls upon a class of computer software and hardware products called Intrusion Detection Systems (IDS), such as BlackICE. IDS products have three responsibilities: detection, monitoring, and protection. This section describes how IDSs detect and stop hackers.

    Detection

    The most difficult aspect of stopping hackers is merely identifying that an intrusion is actually occurring. Hackers are clever and know how to disguise their activities inside the normal traffic of a network. What constitutes an attack versus legitimate use of the Internet is often very hard to determine. With millions of packets racing by on the Internet link, locating the 10 packets that are from a hacker is not easy.

    Many current firewall systems use a technology called pattern matching to locate intrusions. Pattern matching is similar to how virus detection software works. As packets are received, the IDS compares information in the packets to a database of known signatures or patterns that hackers typically use.

    Many pattern-matching firewalls have trouble keeping pace with modern, high-speed connections. Comparing a billion packets to a database of 2500 patterns is a huge processing task, even for modern computers. This makes many pattern-matching systems prone to overloading and missing intrusions.

    Hackers know this and use methods to purposefully evade pattern-matching firewalls. One method is to fragment transmissions into numerous small packets. Pattern matching systems need to examine an entire attack to determine if it is dangerous. If the attack is fragmented into thousands of little packets, the firewall never sees the complete attack and therefore cannot detect it.


    BlackICE is not a pattern-matching firewall. BlackICE uses a patent-pending seven-layer protocol analysis engine. This engine dynamically analyzes network transmissions for hacking activities. The BlackICE technology is significantly faster than pattern-matching systems and many times more reliable. Additionally, BlackICE can handle badly fragmented attacks.

    Monitoring

    Once a hacker's transmissions are identified, capturing those packets and logging all contents is a rather easy procedure. Yet many IDS solutions fail to implement even basic evidence file capturing or logging mechanisms.

    Evidence file gathering is crucial to reconstruct what the hacker did. Such evidence files can also be very useful to law enforcement should it become necessary to pursue a hacker for criminal activity.

    BlackICE includes a powerful network logging and capture function that can collect information a hacker sends to your computer. This information is logged into specially coded trace or evidence files, which can then be analyzed using a trace file-decoding program to determine exactly what the hacker did (or tried to do).

    Protection

    The last aspect of an IDS is to protect the computer from the hacker. Blocking hackers requires layers of defense systems that ensure all traffic from the hacker is rejected before it can interact with the computer operating system.

    Dynamic Address Protection

    The first layer is a dynamic firewall. When an intrusion is detected, all transmissions from the hacker's network (IP) address are blocked. Since hackers can forge addresses of legitimate systems, the firewall must only block the transmissions long enough for the hacker to give up.

    Standard Packet Protection

    One way hackers circumvent firewalls is to break up their transactions into many fragmented packets. Most firewalls are not able to analyze all these fragmented packets and allow the transmissions to pass right through.

    The standard packet protection firewall blocks such fragmented packets as well as other packet manipulation techniques.
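    The evasion described here and in the Detection section above (a pattern split across many small fragments is never seen whole by a per-packet matcher), shown as an added example that is not BlackICE code: a naive per-fragment matcher beside one that reassembles each source's stream before matching. The signature database, request bytes and addresses are constructed for the demonstration.

```python
"""Per-packet signature matching versus matching on the reassembled
stream.  Added example with constructed data: the signature database,
the request bytes and the addresses are made up for the demonstration
and are not BlackICE's engine or signatures."""
from dataclasses import dataclass

# Constructed signature database: byte patterns the sensor looks for.
SIGNATURES = {
    "CONSTRUCTED-PROBE-1": b"GET /cgi-bin/probe-marker",
    "CONSTRUCTED-PROBE-2": b"CONSTRUCTED-MARKER-2",
}

# Constructed request that carries the first pattern (38 bytes).
REQUEST = b"GET /cgi-bin/probe-marker HTTP/1.0\r\n\r\n"


@dataclass(frozen=True)
class Fragment:
    """One piece of a stream: who sent it, where it sits, what it carries."""
    src: str
    offset: int      # byte offset of this piece within the stream
    payload: bytes


def match_per_packet(fragments):
    """Naive sensor: inspect every fragment on its own.

    Returns the set of signature names found.  A pattern split across
    fragments never appears whole in any one of them, so it is missed.
    """
    hits = set()
    for frag in fragments:
        for name, pattern in SIGNATURES.items():
            if pattern in frag.payload:
                hits.add(name)
    return hits


def reassemble(fragments):
    """Rebuild each source's stream from fragments in any arrival order.

    On overlap the first copy of a byte wins; a hole before a fragment is
    padded with NUL bytes so later offsets still line up.
    """
    streams = {}
    for frag in sorted(fragments, key=lambda f: f.offset):
        buf = streams.setdefault(frag.src, bytearray())
        if frag.offset > len(buf):
            buf.extend(b"\x00" * (frag.offset - len(buf)))
        for i, byte in enumerate(frag.payload):
            if frag.offset + i >= len(buf):   # skip bytes already present
                buf.append(byte)
    return {src: bytes(buf) for src, buf in streams.items()}


def match_reassembled(fragments):
    """Sensor that matches against each source's rebuilt stream.

    Returns a set of (source, signature name) pairs.
    """
    hits = set()
    for src, stream in reassemble(fragments).items():
        for name, pattern in SIGNATURES.items():
            if pattern in stream:
                hits.add((src, name))
    return hits


def split_stream(src, data, sizes):
    """Cut one stream into fragments of the given sizes; any remainder
    becomes a final fragment (constructed traffic for the demonstration)."""
    frags, offset = [], 0
    for size in sizes:
        frags.append(Fragment(src, offset, data[offset:offset + size]))
        offset += size
    if offset < len(data):
        frags.append(Fragment(src, offset, data[offset:]))
    return frags


def demo():
    """Same request sent whole, then as 6-byte fragments in reverse order."""
    whole = split_stream("198.51.100.7", REQUEST, [len(REQUEST)])
    tiny = list(reversed(split_stream("203.0.113.44", REQUEST, [6] * 6)))
    return {
        "whole_per_packet": match_per_packet(whole),    # pattern seen
        "tiny_per_packet": match_per_packet(tiny),      # pattern missed
        "tiny_reassembled": match_reassembled(tiny),    # pattern seen again
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:18} {sorted(hits)}")
```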

    Port Blocking

    The last layer of defense is to block transmissions on specific network ports. Hackers often search for open ports to exploit.

    BlackICE can be configured to block ports that hackers typically exploit, such as NetBIOS share ports.


    HANDLING INTRUSIONS

    Getting hacked is a pretty common problem on the Internet. When you install BlackICE, you may be surprised at the number of attacks that are logged. Fortunately, most attacks are pretty innocuous. However, some are not. This section describes how to handle attacks and secure your computer from hackers.

    HOW TO RESPOND TO AN ATTACK

    BlackICE automatically protects computers from any dangerous network intrusions. Use the BlackICE Summary Application to monitor who is attempting to attack your system, and you will likely notice that most of the hacks are really only port scans from your ISP.

    However, if you are experiencing a lot of serious attacks, you have some options for responding to them.

    TIP: See the BlackICE Summary Application Guide for more information about blocking intruders and configuring BlackICE.

    Step One: Determine the Severity

    The first step in dealing with attacks is to consider the relative severity of the attack. BlackICE events are all ranked on a scale that makes determining severity very easy.

    Severity   Icon                       Description
    100-75     Red exclamation point      Critical event. These are deliberate attacks on your system for the purpose of damaging data, extracting data, or crashing the computer. Critical events always trigger protection measures.
    74-50      Orange exclamation point   Serious event. These are deliberate attempts to access information on your system without directly damaging anything. Some serious events trigger protection measures.
    49-25      Yellow question mark       Suspicious event. These are network activities that are not immediately threatening, but may indicate that someone is attempting to locate security vulnerabilities in your system. Suspicious events do not trigger protection measures.
    24-0       Green "i"                  Informational event. These indicate that a network event occurred that is not threatening but worthy of taking note. Informational events do not trigger protection measures.

    Informational and suspicious events do not trigger automatic protection measures. These attacks are not very dangerous. Most are automated port scans that merely search the computer for vulnerabilities. These attacks do not actually attempt to access any information on the computer.


    However, hackers usually conduct these scans just before they hack into a computer. Therefore, if a single intruder is carrying out numerous scans against a computer, there is a good chance that a hacker is preparing to break into your system.

    Step Two: Respond

    For most attacks, you are not required to do anything. BlackICE takes care of blocking the intruder. All you need to do is keep an eye on the BlackICE Summary Application.

    If a hacker attempts numerous attacks on your computer, there are a few ways to respond to their attacks.

    Option 1: Manually Block the Attacker

    BlackICE only blocks intruders when they are directly threatening the operation of your system. For non-threatening attacks, like port scans, BlackICE does not block the intruder; it merely reports that the event happened.

    However, some hackers carry out repeated, non-threatening attacks merely to be an annoyance. Therefore, BlackICE provides a way to manually block attackers. Once an attacker is blocked, he cannot perform any more scans on your system, threatening or not.

    To manually block an intruder, right-click the intruder's name on the Intruders tab, and then select Block Intruder. From the displayed pop-up menu, select the blocking duration (For an Hour, For a Day, etc.).

    Figure 3 The Intruders Tab in the BlackICE Summary Application

    WARNING: Do not block systems from your Internet Service Provider (ISP) or internal network. Most ISPs have automated scans to check the state of users' connections. Blocking scans from your ISP may be a violation of your usage agreement and grounds for terminating your account. Contact your ISP for help identifying the systems it uses to scan connections. Most ISPs reveal the DNS address of their system. This address usually contains the domain name of the ISP (e.g. server.isp.com).
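    A triage routine that applies the severity bands from Step One, the "numerous scans from one intruder" sign described there, and this warning's rule of never blocking your own ISP's scanners, as an added example that is not part of BlackICE or this guide. The CSV log shape, addresses, hostnames and event names are constructed, and sampleisp.com stands in for your own ISP's domain.

```python
"""Triage of logged intrusion events along the guide's severity bands.
Added example: the CSV log format, hostnames, addresses and event names
are constructed for the demonstration and are not BlackICE's own."""
import csv
from collections import Counter, defaultdict
from io import StringIO

# Severity bands as the guide lists them: (lower bound, name, protection).
BANDS = [
    (75, "critical", "always"),        # 100-75, red exclamation point
    (50, "serious", "sometimes"),      # 74-50, orange exclamation point
    (25, "suspicious", "never"),       # 49-25, yellow question mark
    (0, "informational", "never"),     # 24-0, green i
]

# Constructed event log in the shape of an Attacks-tab copy-and-paste.
SAMPLE_LOG = """\
time,intruder_ip,intruder_dns,severity,event
2001-03-04T21:02:11,198.51.100.7,scan3.sampleisp.com,10,port probe
2001-03-04T21:02:12,198.51.100.7,scan3.sampleisp.com,10,port probe
2001-03-04T21:05:40,203.0.113.44,,30,port scan
2001-03-04T21:05:41,203.0.113.44,,30,port scan
2001-03-04T21:05:42,203.0.113.44,,30,port scan
2001-03-04T21:05:43,203.0.113.44,,30,port scan
2001-03-04T21:05:44,203.0.113.44,,30,port scan
2001-03-04T21:09:01,192.0.2.17,user1.otherisp.example,80,trojan horse probe
2001-03-04T21:11:30,192.0.2.99,,30,port scan
"""


def classify(severity):
    """Map a 0-100 severity to (band name, when protection triggers)."""
    if not 0 <= severity <= 100:
        raise ValueError(f"severity out of range: {severity}")
    for floor, name, protection in BANDS:
        if severity >= floor:
            return name, protection
    raise AssertionError("unreachable: BANDS covers 0-100")


def under_domain(hostname, domain):
    """True if hostname is domain itself or a host inside it.

    A plain endswith() would also accept 'notsampleisp.com'.  A reverse
    name is only a hint: whoever controls the PTR zone chooses it.
    """
    host, dom = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return host == dom or host.endswith("." + dom)


def triage(csv_text, own_isp_domain, scan_threshold=5):
    """Return {intruder_ip: verdict} for one log.

    - hosts inside own_isp_domain: never block (ISP connection checks)
    - any critical event: already blocked automatically, review evidence
    - a serious event, or scan_threshold low-severity events from one
      source: the guide's 'preparing to break in' sign, consider a manual block
    - otherwise: monitor only
    """
    by_ip = defaultdict(list)
    for row in csv.DictReader(StringIO(csv_text)):
        band, _ = classify(int(row["severity"]))
        by_ip[row["intruder_ip"]].append((band, row["intruder_dns"]))

    verdicts = {}
    for ip, events in by_ip.items():
        bands = Counter(band for band, _ in events)
        names = {dns for _, dns in events if dns}
        low = bands["suspicious"] + bands["informational"]
        if any(under_domain(n, own_isp_domain) for n in names):
            verdicts[ip] = "isp scanner: do not block"
        elif bands["critical"]:
            verdicts[ip] = "critical: auto-blocked, review evidence file"
        elif bands["serious"] or low >= scan_threshold:
            verdicts[ip] = "repeated scans: consider manual block"
        else:
            verdicts[ip] = "monitor only"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG, "sampleisp.com").items():
        print(f"{ip:15} {verdict}")
```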


    Option 2: Raise the Protection Level

    If you are enduring numerous attacks, use the BlackICE security levels to protect your network ports. Raising the protection level may interfere with some Internet functions, especially multimedia content; however, this is preferable to having to endure thousands of attacks.

    To raise the protection level, select Edit BlackICE Settings from the Tools menu. Then select the Protection tab.

    Figure 4 The Protection tab.

    Cautious is ideal for most computers. Raising the security level may cause some interference with interactive programs such as Internet telephones or games like Quake. Please see the BlackICE Summary Application Guide for complete details.

    Option 3: Upgrade Older Operating Systems

    All the major operating systems regularly release updates to their software. The most current releases and service packs often patch known vulnerabilities. Your operating system vendor's web site is a good place to begin looking for updates.


    REPORTING HACKERS

    Hackers have to get on the Internet somewhere. Many hackers are kids with standard accounts on ISPs, or employees taking advantage of their company's high-speed Internet connection.

    The laws regarding hacking and computer security are still in development. However, in many states it is considered theft to break into a person's computer and steal information. Merely attempting to break into computers is often a violation of an ISP's terms of usage. ISPs regularly terminate accounts of users who attempt to hack other computers. Likewise, corporations can terminate employees who improperly abuse company Internet connections.

    One way to stop hackers is to report their activities to their ISP. At a minimum, the ISP may begin monitoring that user for illegal activity. At best, the ISP may terminate that user's account.


    Most ISPs, corporations, and universities have web sites or email addresses where you can report hacking activities. Typically the email address is something like [email protected]. Keep in mind that these organizations handle hundreds, possibly thousands, of illegal use complaints each day.

    Furthermore, reporting every system that scans your computer is probably more trouble than it is worth. Scans and probes are kicked off all the time on the Internet. Simply accessing a web site might kick off a scan. These are normal networking events and not always indicative of an attack. It is best to report only those hackers that have carried out severe or repeated attacks on your system.

    Before you complain to a hacker's ISP, make sure you have adequate supporting evidence. This is where the back tracing and evidence logging features of BlackICE become a real asset.

    How to Report a Hacker

    If BlackICE was able to get a DNS name from the hacker [4], then use this to locate the origin of the intruder. For example, if BlackICE reported an attack from USER1.SAMPLEISP.COM, the hacker was obviously a user on Sample ISP. Use an Internet search engine to locate the web site for the origin.

    If you are unsure who owns the domain, use the Network Solutions WHOIS server at www.networksolutions.com/cgi-bin/whois/whois/ to look up a domain name.

    Send e-mail to the ISP with your complaint. Please do not call; most ISPs and corporations do not have the staff to handle individual abuse complaints. When e-mailing the ISP, make sure to include the following information. You can select the corresponding attacks from the Attacks tab, or the intruder from the Intruders tab, and then copy and paste the information into the e-mail.

    • Exact time the attack occurred.
    • Your time zone.
    • The type of attack.
    • The intruder's IP, DNS, NetBIOS, and MAC addresses, if available.
    • Your name, e-mail address, and ISP.
    • Attach the following support files to your e-mail. Make sure to explain that the evidence file is a sniffer-type trace file. Most network administrators are familiar with this file format.
      - Back Trace File: Attach the BlackICE back trace file for the intruder. These files are stored in the Hosts folder, which is located in the directory where BlackICE is installed. If you installed BlackICE to the default location, it is located at C:\Program Files\Network ICE\BlackICE\Hosts. The file names are the IP address and a .txt extension.
      - Evidence File: An evidence file contains network traffic related to the event. The file is encoded as a sniffer trace file. You will need a trace file decoding application to view the contents of this file. Windows NT Server includes the Network Monitor service and tools, which can decode such files. Other third-party vendors also supply such applications. Evidence files are stored in the folder where BlackICE was installed; the default location is C:\Program Files\Network ICE\BlackICE. By default, the file names are prefixed with the word evd and the date.

    [4] If you do not have a DNS name for the hacker, it is probably best to just block the attacker and forget about it. Savvy hackers can hijack connections and spoof IP addresses, which makes it impossible to report them to anybody who could stop them.

    To determine which evidence file is correct for a particular attack, you may need to correlate the time of the attack with the timestamp on the file(s). If there are numerous files within the same time period, you need to decode the file and locate the IP address of the attacker. Be careful not to send the wrong evidence file to the hacker's ISP.

    RETALIATION HACKING

    It is tempting to turn the tables on hackers and hack them back. Network ICE strongly discourages any attempts at retaliation hacking. It might feel good to attempt such revenge, but ultimately it is counterproductive and could make matters worse.

    There are four very compelling reasons not to attempt any retaliation hacking.

    1. Hacking is probably a violation of your ISP's usage policies. Hacking is one of the quickest ways to get your Internet account cancelled. This includes corporate Internet connections.

    2. Retaliating against a hacker could merely incite the attacker to do more. Most sophisticated hackers are diligent enough to protect their own systems. Therefore, if you attempt to hack them back, this could encourage them. Less experienced hackers may treat your retaliation as grounds to broadcast your account to various hacker forums. This could summon more experienced hackers to zero in on your system.

    3. Hacking is usually not a constructive activity. BlackICE Defender protects your systems from hackers. Retaliating only wastes time and will probably not stop the hacker. In the realm of networking countermeasures, the best offense is a solid defense.

    4. Some hacking tools are actually Trojans themselves. Devious hackers know the best target for hacking is a person who fancies him/herself a hacker. Therefore, they may offer you special applications that make hacking easy. In reality, these programs can contain Trojans that open your computer to hacking from the hacker who gave you the tool.

    Be safe: block the hacker and forget them. BlackICE can take care of the hacker and protect your computer.


    COMPUTER SECURITY

    Computer security is no longer something that only worries network engineers. The hackers of today are highly skilled and ubiquitous. While you surf the Internet, a hacker from anywhere in the world might be hacking your computer and stealing your identity.

    You have already taken the first step toward stopping hackers with BlackICE. BlackICE can detect, monitor, and stop hackers before they get into your computer. For most casual Internet users, BlackICE can protect your computer completely. However, there are other things you can do to harden your computer from hackers. This section describes how to further protect your computer from the prying eyes of hackers.

    GOOD SECURITY PRACTICES

    Most significant hacking problems are easily prevented when users adhere to good security practices. This section lists some things you can do to make your computer even more secure.

    • Turn your computer off when not in use. If you have a DSL or cable modem connection, turn your computer off when not using it. These "always on" connections are particularly vulnerable because they provide more opportunities for hackers to find your computer.

    • Protect network addresses. Never reveal your cable modem, DSL, or ISP connection's IP address or other system networking information to anyone. Your telephone company and Internet Service Provider should already have this information. They will never ask you for this information.

    • Protect passwords. Never give out a password or any sensitive information in response to an unsolicited telephone call or e-mail. Get the person's telephone number and tell them you will call them back.

    • Be careful what goes out over e-mail. Never e-mail sensitive information such as passwords, credit card information, etc. to people unless you have software installed that can encrypt your e-mail. There are several good e-mail encryption programs on the market.

    • Know the web sites you visit. Never submit private or sensitive information via a web page unless the web site uses secure connections. You can identify a secure connection by a small key icon at the bottom of your browser (Internet Explorer 3.02 or better) or a closed lock (Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions are quite difficult to crack.

    • Be very careful of files e-mailed to you, even those from people you know. One common way of getting viruses on a computer is to embed them into an e-mail attachment. While you are laughing at the antics of some dancing baby cartoon, hackers are opening up your system and stealing your files.


    • Never execute a file sent to you with a *.VBS extension. These are Visual Basic scripts that may contain viruses or worms that could plant remotely controlled hacking programs (Trojans) on your computer.

    • Change your passwords regularly. Also, use passwords that are not easy to figure out. The most difficult passwords to crack are those consisting of non-dictionary words, upper and lower case letters, numbers, and symbols such as % or #.

    • Upgrade your software and operating system regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When you upgrade to the latest versions, you get the latest patches and fixes. Check with your browser and operating system vendor to locate the latest patches and updates.

    • Chat rooms. If you use chat rooms or IRC sessions, be careful with any information you reveal to strangers. Hackers are notorious for address harvesting from chat rooms and other interactive areas.

    • Games. Avoid hosting interactive games like Quake 3 Arena or Half-Life. This exposes your IP address and can summon hackers (especially if you win!).

    • Pay attention to odd computer behavior. If your system starts exhibiting odd behavior, check the BlackICE summary application for signs of possible attacks. Some hackers set off attacks that slowly cause your system to become unstable or unusable. If this happens a lot, notify your ISP and reboot your machine. In extreme cases, hackers can damage the operating system on your computer, which would require re-installing the operating system.

    • Beware the Blue Screen of Death. If you are using Windows 2000 or Windows NT and your system suddenly displays a blue screen, write down the information at the top of the screen. Proceed to check the BlackICE summary application to see if any attacks occurred at the time of the problem. If so, contact your ISP. Some serious Windows errors are the result of hackers or viruses on a system.

    • Always shred confidential information, particularly about your computer, before throwing it away. A dedicated hacker will dig through the trash of companies or individuals for information that might help them access your system, a practice also known as "dumpster diving."

    COMPUTER HARDENING

    Hardening refers to configuring a computer to be more resistant to attacks. Hardening aims to make a computer virtually impenetrable to hackers.

    This section describes how to harden Windows-based systems. For additional information about hardening systems, see the Network ICE advICE web site at www.networkice.com/advice.

    Many of these instructions require some advanced understanding of Windows-based systems. For help performing any of these tasks, refer to the on-line help included with your copy of Windows. You may also want to refer to the Microsoft on-line Knowledge Base at support.microsoft.com.

    Options for hardening a computer depend on the operating system you are using. Windows NT/2000 and Windows 95/98/Me are technically very different systems even though they look alike. In this section, hardening options indicate the operating system(s) where they are applicable.


    Install the latest Security Patches and Service Packs

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   Yes

    Perhaps the simplest way to make Windows systems safe is to keep up to date on the latest security fixes. The easiest way to get the latest patches is to use Microsoft's Windows Update web site at www.windowsupdate.com. This site can automatically detect what is installed on your computer and identify which updates you need to install. For additional information visit the Microsoft web site at www.microsoft.com.

    Harden Passwords

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   Yes

    It is best to use passwords that are extremely difficult to guess. The best passwords are odd combinations of letters, numbers, and symbols, in both lower and upper case. Names of pets, family members, and favorite cars might be easy to remember, but they are also easy to hack.

    The User Manager in Windows NT/2000 can actually go a step further and require users to create hardened passwords. It can also establish strict password policies that prevent hackers from running cracking programs on the operating system. It is a good idea to implement the following hardening policies on Windows NT/2000 machines.

    • Enable lockout on all normal accounts. 3 to 5 attempts is a good limit.
    • Force long passwords, at least 6 characters.
    • Require unique passwords so that when users change a password, they cannot re-use an old one.

    Figure 5 Windows 2000 includes a Local Security Settings feature to control password policies.


    • You may also want to install the passfilt.dll file as described at msdn.microsoft.com/library/psdk/logauth/pswd_about_9x7w.htm. This special add-on allows you to define specific rules for passwords. For regular Windows NT/2000 workstations, this is not necessary. Windows 2000 has password filtering capabilities built into the operating system. See the documentation included with Windows for more information about implementing password filtering.

    Use the NTFS Hard Drive Partition Format

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   No

    Windows NT/2000 systems can access hard drives that use the NTFS format. NTFS is much more secure than FAT or FAT32 partitions. Use the convert.exe program located in the directory where Windows NT/2000 is installed to convert a FAT partition to NTFS.

    Do Not Multi-Boot

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   Yes

    Use only one operating system. Do not dual boot to any other operating system. Multiple operating systems may allow a hacker to exploit weaknesses in one operating system while the other is running.

    Secure All Shares with Passwords

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   Yes

    If you create any shared resources, particularly shared hard drives, protect those shares with passwords. Use passwords that are not easily guessed. The most difficult passwords to crack are those consisting of non-dictionary words, upper and lower case letters, numbers, and symbols such as % or #.

    Disable All Unnecessary Accounts

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   No

    Unless your computer requires anonymous access for a web site or database, it is a good idea to disable all unnecessary accounts, especially the Guest account. If you are unsure which accounts to disable, at least change the password on these accounts to something very secure.


    Explicitly Select Users with Network Access

    This option is applicable in:
    Windows NT/2000    Yes
    Windows 95/98/Me   No

    Windows NT/2000 allows you to explicitly select which users can access the system over the network. It is a good idea to restrict this to only those user groups that should be allowed to access your computer.

    For most DSL and home users, you can completely disable all network access for users. This will not interfere with local access; only remote access from other computers is blocked.

    Figure 6 Windows NT/2000 allows you to explicitly select the user groups that can access your computer over the network.

    Disable Telnet

    This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me No

Telnet is, without a doubt, the service hackers abuse most. Unless you have a very

specific need for Telnet access to your computer, check the computer's services and

specifically disable the Telnet service.


    Do Not Install a Web Server

    This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me Yes

    Unless you are using your computer as a web server, do not install Internet Information

    Server or Personal Web Services. These services open the computer up to numerous

    attacks as they enable Internet services.

    If you do plan to use the system as a web server, enable only those services needed.

    For example, if you do not plan on offering FTP services, disable the FTP services.

    You may also want to assign non-standard ports to your web services. For example,

    configure FTP services to use port 21111 rather than the default 21. This might keep

    inexperienced hackers from attempting to break into your FTP server.

    Disable NetBIOS (WINS)

    This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me Yes

    Windows uses an implementation of NetBIOS called Windows Internet Naming Service

    or WINS. NetBIOS allows Windows-based computers to access resource shares (hard

    drives, printers, etc.) over the network and use the Network Neighborhood lookup.

    Unless your computer is connected to other computers on a network, there is no reason

    to leave NetBIOS enabled. BlackICE can block all access to the NetBIOS ports.

    Uncheck the Allow Internet File Sharing and Allow NetBIOS Neighborhood options

    on the Protection tab of the BlackICE Settings dialog box.

    Figure 7 The Protection tab.


WARNING: If you have your home/office computers connected to a local area network

where you share files with other computers, you should not disable file sharing. See

Protecting Home/Office Networks on page 26 for more information about how to

protect your home/office LAN from hackers while still allowing file sharing.

Secure the Registry

This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me No

    Windows NT and 2000 support remote access to the registry using the Registry Editor

    program and a special Windows interface command (Win32 API call).

    The following registry key dictates which users/groups can access the registry

    remotely:

    HKEY_LOCAL_MACHINE\SYSTEM\

    CurrentControlSet\Control\SecurePipeServers\Winreg

If this key does not exist, remote access is not restricted, and only the underlying

security on the individual keys controls access.

    In a default Windows NT Workstation installation, this key does not exist. In a default

    Windows NT Server installation, this key exists and grants administrators full control

    for remote registry operations.

    Another good idea is to alter the security settings on each main key in the registry to

    only allow the system and administrators access to the keys. This can be done using

    the regedt32.exe program in the system32 folder where Windows NT is installed.

    Figure 8 -- Registry Security Settings

    For more information about properly securing the registry, refer to the Microsoft web

    site.
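The following audit script is an added example and is not part of the BlackICE guide. It assumes a modern Windows host with PowerShell (the guide predates PowerShell), reads the winreg key named above, and reports the Remote Registry service state and the principals the key's ACL allows, flagging groups broader than the system and administrators.

```powershell
# Added example, not from the BlackICE guide: audit who may reach the registry remotely.
# Assumes a modern Windows host with PowerShell; the key path is the one the guide names.
$WinregKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'

function Get-RemoteRegistryExposure {
    # The Remote Registry service must be running for any remote registry access at all.
    $svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    if (-not (Test-Path -Path $WinregKey)) {
        # Guide: with no winreg key, remote access is limited only by the ACLs on each key.
        return [pscustomobject]@{ Service = $serviceState; KeyExists = $false; Rules = @() }
    }

    # Each access control entry on the winreg key is one principal that may connect remotely.
    $rules = foreach ($ace in (Get-Acl -Path $WinregKey).Access) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.RegistryRights.ToString()
            Type     = $ace.AccessControlType.ToString()
        }
    }
    [pscustomobject]@{ Service = $serviceState; KeyExists = $true; Rules = $rules }
}

$exposure = Get-RemoteRegistryExposure
"Remote Registry service: $($exposure.Service)"
if (-not $exposure.KeyExists) {
    Write-Warning 'winreg key is missing: remote registry access is not restricted by a single ACL.'
} else {
    $exposure.Rules | Format-Table -AutoSize
    # Flag Allow entries for broad principals; the guide wants only the system and administrators.
    $broad = $exposure.Rules | Where-Object {
        $_.Type -eq 'Allow' -and $_.Identity -match 'Everyone|\\Users$|Authenticated Users'
    }
    if ($broad) {
        Write-Warning ('winreg grants remote access to broad groups: ' + ($broad.Identity -join ', '))
    }
}
```

Run it from an elevated PowerShell prompt; reading the ACL of this key does not itself change anything.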


    Never Cache Passwords

    This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me Yes

    Windows systems allow you to save passwords for numerous applications. These

    passwords are saved in encrypted files or in areas of the registry that a hacker might be

    able to access. Once a hacker gets a hold of these files, it is merely a matter of time

    before a password grinding utility can extract your passwords from the files.

    Therefore, when Windows prompts you to save a password, uncheck the option. It may

    be a little inconvenient, but that is better than hackers getting access to your computer.

    Disable Userdata Persistence

    This option is applicable in:

    Windows NT/2000 Yes

    Windows 95/98/Me Yes

    Internet Explorer 5.0-5.5 can cache passwords and logon information. This information

    could allow a hacker to access web sites you visit, including e-mail. It is a good idea to

    disable this feature so Internet Explorer does not save this information locally.

This feature is not available in Internet Explorer 3.02-4.0 or Netscape Navigator.

    1. To disable this feature, select Internet Options from the Tools menu in Internet

    Explorer.

2. Select the Security tab. Then click Custom Settings.

    3. Scroll down to the Userdata persistence entry and select Disable.

4. Click OK.

Figure 9 Disable the userdata feature in Internet Explorer 5.0-5.5.


PROTECTING HOME/OFFICE NETWORKS

If your computer is connected to an internal network where you share files between

    computers, disabling file sharing and Network Neighborhood makes it impossible for

    other users to access files on your computer.

Because BlackICE blocks NetBIOS for you, if you have a home network you

must reconfigure the network so that NetBIOS is blocked from hackers while your internal network can still use file sharing.

There are a few ways to still allow internal file sharing on your home network while

preventing hackers:

Solution One - Install NetBEUI Protocol

One solution is to install the NetBEUI protocol on all the computers on your network.

NetBEUI is a non-routable protocol for use on internal networks. With NetBEUI and

    TCP/IP installed, the network can use NetBEUI for accessing internal shares while still

    communicating with the Internet using TCP/IP.

    However, NetBEUI is intended for small networks only. If you are installing BlackICE

on a large network, it is not advisable to use NetBEUI, as it cannot be routed across

multiple subnets. This may ultimately slow down your communications with remote

    computers on your networks.

    To use NetBEUI for internal access:

    1. Install NetBEUI on all the computers on your internal network.

    2. Keep Internet File Sharing and NetBIOS neighborhood enabled in the Edit

    BlackICE Settings Protection tab.

    3. In the network properties of Windows, disable NetBIOS over TCP/IP. Since the

    computers on the internal network communicate and route over the Internet using

    TCP/IP, this prevents your computer from reporting any NetBIOS information over

    the Internet.

    When you disable NetBIOS over TCP/IP, Windows will use NetBEUI for

    NetBIOS resolution. Because NetBEUI is non-routable, Windows cannot expose

    shared resources to the Internet.

    See the documentation included with your copy of Windows for more information about

    how to install NetBEUI.
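Step 3 above is the part of this procedure that still applies on current Windows versions (NetBEUI itself is no longer shipped). The script below is an added example, not from the BlackICE guide; it assumes a modern Windows host with PowerShell and uses the WMI class Win32_NetworkAdapterConfiguration to report, per adapter, whether NetBIOS over TCP/IP is enabled, and to disable it on the adapter index you choose (the index is a placeholder you must look up from the report).

```powershell
# Added example, not from the BlackICE guide: audit and disable NetBIOS over TCP/IP per adapter.
# Assumes a modern Windows host. TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
function Get-NetbiosOverTcpip {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $cfg = $_
            $state = switch ($cfg.TcpipNetbiosOptions) {
                0       { 'DefaultFromDhcp' }
                1       { 'Enabled' }
                2       { 'Disabled' }
                default { 'Unknown' }
            }
            [pscustomobject]@{
                Index            = $cfg.Index
                Adapter          = $cfg.Description
                IPv4             = (@($cfg.IPAddress) | Where-Object { $_ -notmatch ':' }) -join ','
                NetBIOSoverTCPIP = $state
            }
        }
}

# Disable NetBIOS over TCP/IP on one adapter, which is what the guide's step 3 does for the
# Internet-facing interface. Returns the WMI result code: 0 = done, 1 = done, reboot required.
function Disable-NetbiosOverTcpip {
    param([Parameter(Mandatory)][int]$AdapterIndex)
    $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "Index = $AdapterIndex"
    if (-not $cfg) { throw "No IP-enabled adapter with index $AdapterIndex" }
    $result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    return $result.ReturnValue
}

# Report first; pick the Internet-facing adapter's Index from this table before disabling anything.
Get-NetbiosOverTcpip | Format-Table -AutoSize

# Example call with a placeholder index (run from an elevated prompt):
# Disable-NetbiosOverTcpip -AdapterIndex 1
```

After disabling, an adapter that still shows Enabled or DefaultFromDhcp is one whose shares can be enumerated over TCP/IP, which is exactly the exposure step 3 is meant to remove.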

Solution Two - Install a Hardware Router

Several manufacturers sell DSL/cable modem routers. These routers can isolate your

    internal network, providing some protection from hackers while allowing you to keep

    NetBIOS enabled.

    Additionally, many hardware routers can offer Network Address Translation (NAT)

    firewall features. NAT firewalls are quite simple and easy to penetrate, but they stop

many casual or inexperienced hackers from probing your computer for open ports or

vulnerabilities.


Solution Three - Build a Dual-Interface Proxy Server

Another way to solve the sharing problem is to build a dual-interface proxy server and

    disable the WINS/NetBIOS interface on the external network interface.

    Figure 10 One way to isolate an internal network is to use a dual-interface proxy server

    with the WINS/TCP/IP client disabled on the external interface.

    Such an arrangement requires some advanced experience with computer networking. It

    also requires proxy server software. This solution is ideal for larger networks that

    cannot use NetBEUI and need the services of a proxy server.

    This arrangement requires two network interface cards in the proxy server computer.

    Building a dual-interface proxy server will stop attacks directed at the proxy server

    system, but will not protect computers on the internal network. Therefore, make sure to

    purchase copies of BlackICE for your internal computers.


    FOR MORE HELP

NEED MORE ADVICE?

For more help with computer security, visit the Network ICE advICE web site at

    http://advice.networkice.com/Advice/default.htm . This site provides in-depth articles

    and instructions on securing computers and stopping hackers.

    Accessing advICE from BlackICE

    The BlackICE Summary Application includes a direct link to the advICE web site. Just

    click the advICE button located on the Attacks tab.

    Figure 11 BlackICE Summary Application.

    To view in-depth information about a particular kind of attack, select the attack in the

attacks list and click advICE. A web browser window is opened to the advICE site

    displaying a complete description about the attack.


PRODUCT DOCUMENTATION

The latest product documentation is available from the Network ICE web site at

    www.networkice.com/support/documentation.html .

    TECHNICAL SUPPORT

    Web: www.networkice.com/support/online_resources.html

    E-mail: [email protected]

    For updates and upgrade information, please visit the Network ICE web site at

    www.networkice.com. For information on how to download the latest update of

    BlackICE Defender please see the BlackICE Summary Application Guide.


    GLOSSARY

    Agent: A computer program that reports information to another computer or allows

    another computer access to the local system. Agent software can be used in good ways,

    as in the case of BlackICE software reporting intrusion information to an ICEcap server

    for reporting and analysis. Agents can also be dangerous as in the case of hacking

    programs like SubSeven or Back Orifice that expose backdoors to the computer.

ARP: Address Resolution Protocol. A TCP/IP protocol used to convert an IP address

    into a physical address (called a DLC address), such as an Ethernet address. A host

    wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP

    network. The host on the network that has the IP address in the request then replies

    with its physical hardware address.

    Attack: See Event.

Authenticity: Proof that the information came from the person or location that

reportedly sent it. One example of authenticating software is through digital

    signatures.

    Back Door: A deliberately planned security breach in a program. Back doors allow

    special access to a computer or program. Sometimes back doors can be exploited and

    allow a cracker unauthorized access to data.

    Back Orifice: Back Orifice is a remote administration tool that allows a user to control

    a computer across a TCP/IP connection using a simple console or GUI application.

    Back Orifice is a potentially disastrous Trojan horse since it can provide the user

    unlimited access to a system.

    Blue Screen of Death (BSoD): When a Windows NT based system encounters a

    serious error, the entire operating system halts and displays a screen with information

    regarding the error. The name comes from the blue color of the error screen.

    Brute Force Hacking: A technique used to find passwords or encryption keys. Brute

    Force Hacking involves trying every possible combination of letters, numbers, etc. until

    the code is broken.

    Camping Out: Staying in a "safe" place once a hacker has broken into a system. The

    term can be used with a physical location, electronic reference, or an entry point for

    future attacks.

    Cipher Text: Text that has been scrambled or encrypted so that it cannot be read

    without deciphering it. See Encryption

    Cookie: A string of characters saved by a web browser on the user's hard disk. Many

web pages send cookies to track specific user information. Cookies can be used to

retain information as the user browses a web site. For example, cookies are used to

    'remember' the items a shopper may have in a shopping cart.

Countermeasures: Techniques, programs, or other tools that can protect your

    computer against threats.

    Cracker: Another term for hackers. Generally, the term cracker refers specifically to

    a person who maliciously attempts to break encryption, software locks, or network

    security.


    Cracker Tools: Programs used to break into computers. Cracker tools are widely

    distributed on the Internet. They include password crackers, Trojans, viruses, war-

    dialers, and worms.

    Cracking: The act of breaking into computers or cracking encryptions.

Cryptanalysis: The act of analyzing secure documents or systems that are protected

    with encryption for the purpose of breaking into the systems or exposing weaknesses.

    Decryption: The act of restoring an encrypted file to its original, plain text state.

    Denial of Service (DoS): Act of preventing customers, users, clients, or other

machines from accessing data on a computer. Denial of service attacks are usually

    accomplished by interrupting or overwhelming the computer with bad or excessive

    information requests.

Digital Signature: Digital code that authenticates whoever signed the document or

    software. E-mail, software, messages, and other electronic documents can be signed

    electronically so that they cannot be altered by anyone else. If someone alters a signed

    document, the signature is no longer valid. Digital signatures are created when

    someone generates a hash from a message, then encrypts and sends both the hash and

    the message to the intended recipient. The recipient decrypts the hash and original

    message, makes a new hash on the message itself, and compares the new hash with the

old one. If the hashes are the same, the recipient knows that the message has not been

changed. Also see Public-key encryption.

DNS: Domain Name System. A database of domain names and their IP addresses.

    DNS is the primary naming system for many distributed networks, including the

    Internet.

Encryption: The act of substituting numbers and characters in a file so that the file is

    unreadable until it is decrypted. Encryption is usually done using a mathematical

    formula that determines how the file is decrypted.

    Event: BlackICE can detect numerous network activities. Some activities are direct

    attacks on your system, while others might be attacks depending on the circumstances.

    Therefore, any activity, regardless of severity is called an event. An event may or may

not be a direct attack on your system. BlackICE categorizes all events into four

    severity levels:

Severity   Description

100-75     Critical Event: This is a deliberate attack on your system for the purpose of

           damaging data, extracting data, or crashing the system. Critical events always

           trigger protection measures.

74-50      Serious Event: This is a deliberate attempt to access information on your

           system, yet it does not directly damage anything. These events can trigger

           protection measures, if applicable.

49-25      Suspicious Event: This is network activity that is not immediately threatening,

           but may indicate that someone is attempting to locate security vulnerabilities

           in your system. For example, hackers often scan the available ports or services

           on a system before attacking it. Suspicious events do not trigger protection

           measures, and not all suspicious events are indicative of a true attack.

24-0       Informational Event: This indicates that a network event occurred to your

           computer that is not threatening. Informational events do not trigger

           protection measures.


    Firewall: A hardware or software barrier that restricts access in and out of a network.

    Firewalls are most often used to separate an internal LAN or WAN from the Internet.

    See Gateway.

FTP: File Transfer Protocol. A common protocol used for exchanging files between

    two sites across a network. FTP is popular on the Internet because it allows for speedy

    transfer of large files between two systems. Like all networking protocols, it too has

some significant vulnerabilities.

Gateway: A gateway is a system that provides access between two or more networks.

    Gateways are typically used to connect unalike networks together. A gateway can also

    serve as a firewall between two or more networks.

    Grinding: See password grinding.

    Hacker: Generally, a hacker is anyone who enjoys experimenting with technology,

    including computers and networks. Not all hackers are criminals breaking into

    systems. Many are legitimate users and hobbyists. Nevertheless, some are dedicated

    criminals or vandals. See Cracker.

    HTTP: Hyper Text Transfer Protocol. The most common protocol used on the

    Internet. HTTP is the primary protocol used for web sites and web browsers. It is also

    prone to certain kinds of attacks.

ICMP: Internet Control Message Protocol. ICMP, an extension to the Internet

Protocol (IP), supports packets containing error, control, and informational messages.

    The PING command, for example, uses ICMP to test an Internet connection.

IDS: Intrusion Defense System (or Software). A class of networking products devoted

    to detecting, monitoring, and blocking attacks from hackers. This often is comprised of

    a number of related components such as a firewall and protocol analyzer working

    together to stop hackers. BlackICE is an IDS.

    Integrity: Proof that the data is the same as originally intended. Unauthorized

    software or people have not altered the original information.

    Internet Worm: See Worm.

    Intruder: Person or software interested in breaking computer security to access,

    modify, or damage data. Also see Cracker.

    IP: Internet Protocol. Specifies the format of packets, also called datagrams, and the

    addressing scheme. Most networks combine IPs with a higher-level protocol called

Transmission Control Protocol (TCP), which establishes a virtual connection between a

    destination and a source. IP by itself is something like the postal system. It allows you

    to address a package and drop it in the system, but there's no direct link between you

    and the recipient. TCP/IP, on the other hand, establishes a connection between two

    hosts so that they can send messages back and forth for a period of time. Current IP

    standards use 4 numbers between 0 and 255 separated by periods to create the 32-bit

    numeric IP address. For example, an IP address could be: 38.158.99.13.

IRC: Internet Relay Chat. IRC was developed in the late 1980s as a way for multiple

    users on a system to chat over the network. Today IRC is a very popular way to

    talk in real time with other people on the Internet. However, IRC is also one avenue

hackers use to get information from you about your system and your company.

Moreover, IRC sessions are prone to numerous attacks that, while not dangerous, can

    cause your system to crash.

LAN: Local-Area Network. A LAN is a computer network that spans a relatively small

area. One LAN connected via telephone lines or radio waves to other LANs over any

distance creates a WAN (a Wide-Area Network).

    Linux: A version of the UNIX operating system.

    Logic Bomb: A virus that only activates itself when certain conditions are met. Logic

    bombs usually damage files or cause other serious problems when they are activated.


    MAC Address: Media Access Control Address. A unique identification code used in

    all networked devices. The MAC address defines a specific network node at the

    hardware level and cannot be altered by any software.

    Name Resolution: The allocation of an IP address to a host name. See DNS.

NetBIOS: Network Basic Input/Output System. NetBIOS is an extension of the DOS

    BIOS that enables a PC to connect to and communicate with a LAN (Local Area

    Network).

    NetBEUI: NetBIOS Extended User Interface. A non-routable networking protocol

    developed in the 1980s by IBM. NetBEUI is ideal for smaller, non-subnetted networks

    for internal communications. Because NetBEUI is not routable, network transmissions

    sent via NetBEUI cannot be transmitted over the Internet.

NAT: Network Address Translation. An Internet standard that enables LAN, WAN

    (Wide Area Network), and MAN networks to use extended IP addresses for internal use

    by adding an extra number to the IP address. This standard translates internal IP

    addresses into external IP addresses and vice versa. In doing so, it generates a type of

    firewall by hiding internal IP addresses.

    Packet Filter: A filter used in firewalls that scans packets and decides whether to let

    them through.

Password Cracker: A program that uses a dictionary of words, phrases, names, etc. to

guess a password.

    Password Caching: The storage of a user's username and password in a network

    administrator database or encrypted file on a computer. Also called password

    shadowing.

    Password encryption: A system of encrypting electronic files using a single key or

    password. Anyone who knows the password can decrypt the file.

    Password Grinding: The process of systematically testing all character combinations

    on a password until the correct character string is identified. Password grinding is a

    very slow, but effective way to crack password files. There are numerous, freely

    available computer programs that can grind password files.

Penetration: Gaining access to computers or networks by bypassing security programs

    and passwords.

    Phreaking: Breaking into phone or other communication systems. Phreaking sites on

the Internet are popular among crackers and other criminals.

Ping: Packet Internet Groper. PING is a utility to determine whether a specific IP

    address is accessible. It works by sending a packet to the specified address and waiting

    for a reply. PING is used primarily to troubleshoot Internet connections.

    Ping Attack: An attack that slows down the network until it is unusable. The attacker

    sends a "ping" command to the network repeatedly to slow it