8/8/2019 (eBook) - Hack - BlackICE Guide to Computer Security
1/40
BLACKICE GUIDE TO COMPUTER SECURITY
COPYRIGHT
BlackICE Guide to Computer Security, Version 2.5
Copyright 2001, Network ICE Corporation
All Rights Reserved
Authors: Susanna Breiling, Andrew Plato, Kimi Winters
The use and copying of this product is subject to a license agreement. Any other use is
strictly prohibited. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system or translated into any language, in any form, by
any means without the prior written consent of Network ICE Corporation. Information
in this document is subject to change without notice and does not constitute any
commitment on the part of Network ICE Corporation.
Network ICE Corporation may have patents or pending patent applications, trademarks,
copyrights, and other intellectual property rights covering the subject matter of this
document. Furnishing of this document does not in any way grant you license to these
patents, trademarks, copyrights, or any other intellectual property of the Network ICE
Corporation.
BlackICE, ICEcap, ICEpac, InstallPac, Network ICE, and the Network ICE
logo are all trademarks of the Network ICE Corporation.
Windows and Microsoft are registered trademarks, and Windows NT, Windows
2000, Windows 95, Windows 98, Windows Me, and Internet Explorer are all
trademarks of the Microsoft Corporation.
Netscape is a trademark of Netscape Communications Corporation.
Conventions Used in this Manual
Bold: The names of screen objects, such as menu choices, field names, and items in lists.
Italics: Italics are used for emphasis or to highlight an important word or concept.
Monospaced: Pathnames, filenames, and code are shown in monospaced font.
Monospaced Bold: Values you must type in are shown in monospaced, bold font.
Monospaced Italics: Variables, such as a server name, are shown in monospaced, italic
font. These are usually enclosed in angled brackets as well.
[Inside Brackets]: Keyboard keys, such as [ENTER] or [Page Up], are shown inside brackets.
NOTE: Notes include important information about the operation or use of the product.
WARNING: Warnings contain critical information that may cause harm to your computer
or the proper operation of the product.
TIP: Helpful information about optimizing or using the software.
TABLE OF CONTENTS
SECTION 1: INTRODUCTION .......................................................... 1
  The Hacker Threat ................................................................ 2
    How Hackers Exploit the Internet ............................................... 2
    Who Are Hackers? ............................................................... 2
    Home Computers: The New Target for Hackers ..................................... 3
    The Proliferation of Always-On Connections ..................................... 3
    It Will Not Happen To Me ....................................................... 3
  Introduction to Computer Networking .............................................. 4
    Connecting to the Internet ..................................................... 4
    Computer Addresses ............................................................. 5
    Packet Switching ............................................................... 5
    Protocols ...................................................................... 7
    Ports .......................................................................... 7
  Hacker Attacks ................................................................... 9
  Intrusion Defense ............................................................... 11
    Detection ..................................................................... 11
    Monitoring .................................................................... 12
    Protection .................................................................... 12
SECTION 2: HANDLING INTRUSIONS .................................................... 13
  How to Respond to an Attack ..................................................... 13
    Step One: Determine the Severity .............................................. 13
    Step Two: Respond ............................................................. 14
  Reporting Hackers ............................................................... 16
    How to Report a Hacker ........................................................ 16
  Retaliation Hacking ............................................................. 17
SECTION 3: COMPUTER SECURITY ...................................................... 18
  Good Security Practices ......................................................... 18
  Computer Hardening .............................................................. 19
    Install the latest Security Patches and Service Packs ......................... 20
    Harden Passwords .............................................................. 20
    Use the NTFS Hard Drive Partition Format ...................................... 21
    Do Not Multi-Boot ............................................................. 21
    Secure All Shares with Passwords .............................................. 21
    Disable All Unnecessary Accounts .............................................. 21
    Explicitly Select Users with Network Access ................................... 22
    Disable Telnet ................................................................ 22
    Do Not Install a Web Server ................................................... 23
    Disable NetBIOS (WINS) ........................................................ 23
    Secure the Registry ........................................................... 24
    Never Cache Passwords ......................................................... 25
    Disable Userdata Persistence .................................................. 25
  Protecting Home/Office Networks ................................................. 26
    Solution One: Install NetBEUI Protocol ........................................ 26
    Solution Two: Install a Hardware Router ....................................... 26
    Solution Three: Build a Dual-Interface Proxy Server ........................... 27
APPENDIX A: FOR MORE HELP ......................................................... 28
  Need More advICE? ............................................................... 28
  Product Documentation ........................................................... 29
  Technical Support ............................................................... 29
APPENDIX B: GLOSSARY .............................................................. 30
SECTION 1: INTRODUCTION
With high-speed Internet access becoming a standard feature for many home and office
computers, there is a growing need for smarter, faster computer security. Hackers are
now targeting home and small business users because these systems are rarely well
defended.
This guide is intended for BlackICE users who want to know more about computer
security and hacking in general. This guide is ideal if you are new to computers and/or
the Internet.
For more information about using BlackICE products, refer to the following related
documents:
BlackICE Defender User's Guide: This guide describes how to use and configure
BlackICE Defender.
BlackICE Advanced User's Guide: This guide is intended for advanced users who wish to
customize BlackICE.
Intrusions Reference Guide: Detailed information about all the intrusions BlackICE can
detect and block. Includes information about stopping attacks as well.
These documents are available free of charge on the Network ICE web site at:
http://www.networkice.com/support/documentation.html
THE HACKER THREAT
In September 2000, a large financial services company had their computer systems
hacked. Credit card numbers for over 20,000 people were stolen [1]. A similar event
happened in 1999, when hackers hijacked nearly 500,000 credit card numbers and
stored them on United States government computers [2].
In 1997 a hacker broke into the NASA network and gained access to the space shuttle
control computers. The hacker overloaded some computers, causing brief
communication outages while the shuttle Atlantis docked with the damaged Mir space
station. Fortunately, NASA was able to switch over to an alternate system and finished
the mission successfully. However, the intrusion put the space shuttle at risk and
prompted numerous changes in security protocols at NASA [3].
If hackers can get into NASA and global financial firms, what is stopping them from
getting your credit card number off your home computer?
How Hackers Exploit the Internet
The Internet is a decentralized collection of computers implementing well-known
technology standards. The decentralized nature of the Internet ensures that no single
body, corporation, or government can control it. However, it also means that the
technical details of how the Internet works are freely available to all, including
hackers.
Hackers exploit this freedom. They use their knowledge of networking and computers
to break into systems. While most hackers are computer hobbyists looking for a
complex intellectual challenge, some hackers are dedicated criminals and pose a very
real threat to the Internet.
Who Are Hackers?
There are a lot of myths surrounding hackers. Hollywood and popular culture often
portray hackers as intelligent outsiders like Neo in the movie The Matrix. In reality,
most hackers are not brilliant computer experts, but inexperienced hobbyists using
popular hacking tools they barely understand.
Nevertheless, those hobbyists can still do serious damage. Some of the most prevalent
attacks on the Internet today, Denial of Service (DoS) attacks, are the result of simple
tools in the hands of inexperienced high-school students. These hacks have knocked
out telephone systems and web sites for large companies such as AT&T and Nike,
costing unknown millions in lost revenue and labor to stop the attacks.
Regardless of who hacks, the danger is real and growing, and not just for big
corporations.
[1] Associated Press, September 11, 2000, www.associatedpress.com.
[2] Brunker, Mike, MSNBC, March 17, 2000, www.msnbc.com.
[3] Associated Press, July 4, 2000, www.associatedpress.com.
Home Computers: The New Target for Hackers
In the past, hackers were not much of a threat to home users. Internet connections were
slow, and the information on most home computers was not worth hacking.
Today, the average home computer is a virtual gold mine of information. Everything
from passwords to financial records offers hackers all sorts of ways to cause trouble.
While encryption technologies have made most on-line transactions very safe, they are
never 100% safe. Hackers can break into your computer, steal those encrypted files,
and then use freely available cracking tools to break the encryption and get the data.
Some hackers enjoy using their skills as a way to exact revenge as well. The
anonymity of the Internet often makes people behave differently. An innocuous
message posted to a public forum might incite the ire of hackers who single you out as
their next victim.
The Proliferation of Always-On Connections
One of the prime reasons home computers are becoming targets is the proliferation of
always-on connections such as cable modems or DSL lines. Whenever your computer
is turned on, these connections are live on the Internet. While you are sleeping, at
work, or at the grocery store, hackers could be probing your Internet connection
looking for weaknesses.
Hackers need time to do their work. Hacking can be a very slow and methodical
process of locating, testing, and then exploiting vulnerabilities on a computer. The
more time a computer is connected to the Internet, the greater the chance that a hacker
will locate your computer and have time to hack it.
It Will Not Happen To Me
Just innocent web surfing and sending e-mail cannot be dangerous, right?
Most hackers use automated scans that can examine millions of computers in hours.
From these scans they get a hit list of computers with weak security or easily
exploited vulnerabilities. While you sleep or are at work, a hacker located anywhere
around the world can be breaking into your computer. Without any warning, your
personal files can be ripped off, and a backdoor or virus planted on your computer.
At the hacker's discretion he can wipe out your hard drive or use your accounts to
cause serious trouble.
Ever had your computer crash while on-line? Ever wonder why a program or access to
your e-mail suddenly stops working? Sometimes it is not faulty software but hackers
purposefully causing these problems.
If you use chat rooms or play on-line games you are especially vulnerable to attacks.
Also, hackers enjoy targeting inexperienced computer users.
Along with all the great services and information on the Internet, there are also a lot of
mischievous people who want nothing more than to cause problems.
INTRODUCTION TO COMPUTER NETWORKING
To truly understand how to stop hackers, it is important to know how computers
communicate with each other. Computer networking is not a new technology.
Engineers were networking computers together as early as the 1950s. However,
hacking did not become a significant problem until computers became freely accessible
over national and global networks.
This section describes how modern computer systems are networked together. This
section is ideal for readers who are new to the Internet and network security.
Connecting to the Internet
The first part of networking is the connection. There are basically three ways to
connect a computer to the Internet.
• Dial-up modem: This is the most common way to connect. A modem uses a
  regular telephone line to dial-up to your Internet Service Provider (ISP). The ISP
  authenticates your logon and connects you to the Internet. Modems have only one
  significant benefit over other connections in that they are only connected while in
  use. This significantly decreases the amount of time the computer is exposed to the
  Internet. However, because modem communications must travel over telephone
  lines that use older, analog technology, they are significantly slower than
  broadband connections. Some DSL connections require dialing up to a server;
  however, their fast speed and persistent connection really make them fall into the
  second category of connections.
• Broadband: This category includes cable, DSL, ISDN, wireless, and satellite
  connections. While there are technical differences between each of these types,
  they share one common feature: persistent connections. Broadband connections are
  always-on to the Internet while the connection device has power.
  Although some DSL and ISDN connections do require dialing-up, typically users
  leave these connections open indefinitely since the communications links do not
  automatically disconnect.
• Corporate network: This category includes all computers that use a Network
  Interface Card (NIC) connected to a corporate network to access the Internet.
  Many corporations do not connect each computer individually to the Internet.
  Instead, they install powerful networking devices such as routers and switches to
  connect all the computers on the corporate network to the Internet. Properly
  designed corporate networks also use firewalls to protect their internal network
  from hackers.
Whether your computer uses a dial-up modem or a high-speed cable modem, all
networked systems run a high risk of being attacked. While connected, your computer
becomes a part of the Internet and as such can be attacked from other computers.
Computer Addresses
Once connected, a computer must have an address, so other computers can locate it on
the Internet. Just like a house or apartment has an address, computers on a network
must also identify themselves. Most computers use a combination of the following
address types:
• IP Address: An IP address is the basic street address for a computer. These
  addresses have 4 numbers, such as 192.168.10.15. Most Internet Service
  Providers (ISPs) assign an address to your computer when you log on to the
  Internet. Other computers locate your computer by using that address.
  Unfortunately, hackers can forge IP addresses (called spoofing) and make the
  hacker's transmissions appear to be originating from your computer.
• DNS Address: Domain Name System (DNS) is an address translation system that
  forms the basis of many Internet sites. Rather than using strings of numbers, DNS
  allows computers to locate each other with familiar names. DNS addresses are in
  the familiar name.domain.com format. For example, to reach the Network ICE web
  site, you only need to remember www.networkice.com. This is a DNS address for
  the web server at Network ICE. The master DNS databases are propagated
  throughout the Internet so your local Internet Service Provider (ISP) has the correct
  IP address for the DNS name.
• NetBIOS Address: NetBIOS allows corporate networks to select single words to
  identify computers. For example, a computer on the network could be named
  MYCOMPUTER, and other users would see this name in the Network Neighborhood
  lookup. Although NetBIOS cannot be used across the Internet, the use of NetBIOS
  names can present some security vulnerabilities to hackers.
• MAC Address: These addresses are specific and unique to each network hardware
  device. Network cards, modems, routers, even network printers have MAC
  addresses. MAC addresses help network administrators inventory systems.
  However, they can also be useful in tracking down hackers or proving that a hacker
  used a particular computer.
Packet Switching
The basis for most network and Internet communications is packet switching. Your
computer communicates with other computers on the Internet by using a stream of
packets. All communication is broken up into digital packages that are sent out, one at
a time, through the network connection.
Each packet contains a tiny fragment of the data you are sending. The computer on the
other end puts all the fragments back together.
Figure 1 Packets example.
For example, you send a digital photo of your new car to a friend. Before sending the
picture, your computer breaks up the image file into thousands (possibly millions) of
tiny data fragments. Those fragments are then packaged into packets. The packets
are transmitted to your friend's computer, which then extracts the data fragments from
the packets and reassembles the image.
When your computer transmits a packet, it sends it to a router (usually at your ISP).
Routers are the digital equivalent of postal carriers. They look at the address on each
packet and then forward it to the correct place.
Figure 2 Routers on the Internet can direct packets to the correct computer(s).
For example, the picture of your car first went to a local router at your ISP. Then your
ISP's router forwarded it to another router. That other router forwarded the packets to
another, and possibly another router. Sometimes a transmission can hop through 30
or more routers before it gets to its final destination.
Routers handle enormous quantities of packets and can sometimes get clogged up.
Therefore, if one router is too busy, it can pass off the transmissions to another router
that is available. Likewise, if one router does not know exactly where to send a packet,
it can forward it to a different router that does know. This is why transmissions hop
through many routers.
Since each packet is individually addressed, different routers can handle different
packets in the same transmission. This allows the routers to get your transmission to
its destination regardless of the path it has taken. Theoretically, your packets could
bounce all over the country, just to get to your friend next door.
The concept of packets and packet switching is important because hackers can capture
and manipulate packets to carry out certain kinds of attacks.
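The fragment, route and reassemble cycle described above, as an added Python example that is not code from the guide or from Network ICE. The addresses, the fragment size and the "photo" bytes are constructed, and the simulated network only reorders packets; the receiver ignores packets addressed elsewhere, drops duplicate copies and refuses an incomplete transmission.

```python
"""Packet switching in miniature: a message is cut into individually addressed
packets, each packet is forwarded on its own (so packets may arrive out of order),
and the receiver reassembles them by sequence number.
Added example for illustration; not code from the BlackICE guide or Network ICE.
All addresses and sample data below are constructed."""
import random
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str        # sender's IP address
    dst: str        # receiver's IP address (the "street address" routers look at)
    seq: int        # position of this fragment in the original message
    total: int      # number of fragments in the whole message
    payload: bytes  # the fragment itself


def fragment(data: bytes, src: str, dst: str, size: int) -> List[Packet]:
    """Cut `data` into packets of at most `size` payload bytes. Every packet
    carries full addressing so any router can forward it without the rest."""
    if size <= 0:
        raise ValueError("fragment size must be positive")
    chunks = [data[i:i + size] for i in range(0, len(data), size)] or [b""]
    return [Packet(src, dst, seq, len(chunks), c) for seq, c in enumerate(chunks)]


def route(packets: List[Packet], seed: int = 0) -> List[Packet]:
    """Stand-in for the Internet: packets of one transmission take different
    paths through different routers, so delivery order is not send order."""
    delivered = list(packets)
    random.Random(seed).shuffle(delivered)
    return delivered


def _for_me(received: List[Packet], my_addr: str) -> List[Packet]:
    # A host only reassembles packets addressed to it; others are ignored.
    return [p for p in received if p.dst == my_addr]


def missing_fragments(received: List[Packet], my_addr: str) -> List[int]:
    """Sequence numbers that have not arrived yet (empty list when complete)."""
    ours = _for_me(received, my_addr)
    if not ours:
        return []
    have = {p.seq for p in ours}
    return sorted(set(range(ours[0].total)) - have)


def reassemble(received: List[Packet], my_addr: str) -> Optional[bytes]:
    """Receiver side: order by seq, drop duplicate copies, refuse partial data."""
    ours = _for_me(received, my_addr)
    if not ours:
        return None
    total = ours[0].total
    by_seq = {}
    for p in ours:
        if p.total != total or not 0 <= p.seq < total:
            raise ValueError("packet does not belong to this transmission")
        by_seq.setdefault(p.seq, p)   # a duplicate copy is harmless; keep the first
    missing = missing_fragments(received, my_addr)
    if missing:
        raise ValueError(f"incomplete transmission, missing fragments {missing}")
    return b"".join(by_seq[i].payload for i in range(total))


if __name__ == "__main__":
    photo = bytes(range(256)) * 3   # constructed stand-in for an image file
    pkts = fragment(photo, "192.168.10.15", "192.168.10.20", 100)
    arrived = route(pkts, seed=7)
    print(len(pkts), "packets sent; first arrival carried seq", arrived[0].seq)
    print("reassembled OK:", reassemble(arrived, "192.168.10.20") == photo)
```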
Protocols
When computers transmit information, they have to encode that information into a
language that other computers can understand. There are two main protocols used on
the Internet: Transmission Control Protocol (TCP) and User Datagram Protocol
(UDP).
• TCP is used for everything from accessing web sites to sending email. TCP
  communications form connections with remote computers to send and receive
  packets. For example, when you want to download your email, your computer
  opens up a TCP connection with your mail server and downloads the mail.
• UDP is virtually identical to TCP except that it lacks the error correcting features
  of TCP. UDP is used for interactive, streaming, and otherwise time-sensitive
  transmissions. Because there are no error correction procedures with UDP, the
  transmissions are a little faster. For example, if you play a multi-player Internet
  game like Quake, your computer sends and receives UDP packets to coordinate
  your on-screen movements with those of other players on the Internet.
However, protocols are only half the picture. When computers send and transmit
information they also open and close special connection points, or ports, as described
in the next section.
Ports
When computer applications talk to the Internet, they open and close special
communication channels or ports. For example, web servers transmit all web site
information over TCP port 80. When you access a web server, your computer makes a
request to TCP port 80 on the remote web server. If the server is listening on that port,
it responds to your request and sends the proper web pages back to your computer.
Ports allow for categorization and modularization of network communications.
Applications such as web servers, chat programs, and computer games isolate their
transmission to specific connection ports ensuring their communications do not
interfere with other applications. There are 65535 TCP and 65535 UDP ports available.
When computers communicate, they do not just pick ports at random. International
standards established over the past 30 years assign and manage which ports are used for
which programs. In general, ports are broken down into three categories: system,
application, and private.
• System ports comprise all TCP and UDP ports from 1 to 1023. System ports are
  tightly regulated and used for very specific computer functions. For example, port
  110 is only for POP3 e-mail communication. Some of the most common system
  ports are listed below.
Common System Ports

Port #    Description
21        FTP, File Transfer Protocol
23        Telnet
25        SMTP, Simple Mail Transport Protocol
37        Time, for time servers
53        DNS, Domain Name Services
67-68     Bootstrap, for booting systems over a network
80        HTTP, world wide web
82        XFER
110       POP3, e-mail servers
118       SQL Server
119       NNTP, Internet News Servers
137-139   NetBIOS
161-162   SNMP, Simple Network Management Protocol
194       IRC, Internet Relay Chat
389       LDAP, Lightweight Directory Access Protocol
443       HTTPS, secure HTTP communications
• Application ports comprise all TCP and UDP ports from 1024 to 49151. These
  ports are registered with international standard committees for use with network
  applications. For example, the Yahoo messenger program uses TCP port 5050.
  Many computer applications that are not considered vital system applications use
  ports in this range.
• Private ports comprise all the ports above 49152. These ports are used for private
  or dynamic use, and are unregistered and freely available to any application.
HACKER ATTACKS
Hackers have a wide variety of attacks they can carry out. However, these attacks are
easily categorized into seven kinds. This section summarizes the kinds of attacks
hackers most commonly attempt.
Automated Scans
Description: Automatic scans search for open ports or resource shares on your
computer.
Method: These scans blindly monitor large areas of a network or the Internet for
computers. When a computer is located, another automated scanner can examine the
target system for open communication ports that the hacker can exploit.
Danger: By itself, a port or resource scan is not very dangerous. Most hackers never
follow up on such scans. However, if a hacker is searching for a vulnerable system,
port and resource scans are almost always a prelude to something more severe.

Trojan Horse Attacks
Description: Like the fabled gift to the residents of Troy, a Trojan Horse is a computer
program or application that appears to do one thing while hiding something much
more sinister within it. Trojans are dangerous applications planted on your computer
that open up vulnerabilities on your system.
Method: A hacker plants an agent, or Trojan Horse virus, on your computer. Trojans
are planted on computers in a number of ways. One common method is to send the
victim an executable (.exe) file that appears innocuous. While the victim enjoys a
movie, cartoon, or other distraction, the program installs a Trojan on the computer.
The Trojan either opens up communication ports, or surreptitiously sends information
about your system to the hacker's computer. The hacker then exploits your computer
using the information he acquired from the Trojan Horse program.
The most common hacking agents are Back Orifice and SubSeven. These agents, if
properly planted, make a computer completely exposed to hackers.
Danger: Trojan Horse hacks are the most common and dangerous attacks because they
provide hackers a back door into your computer. There are two ways to stop these
attacks: First, block any communications between the Trojan agent and the hacker,
which BlackICE can do. Second, remove the agent application, which most virus
scanning utilities can do.
Corrupt Packet Attacks
Description: A hacker sends packets to your computer that cause the system to slow
down or crash.
Method: There are numerous ways hackers can forge packets with incorrect addresses
or information. Some of these methods merely slow the system down briefly. Others
can cause a system to crash or become seriously unstable.
Danger: Most new operating systems have defenses for corrupt packet attacks.
BlackICE can also stop such attacks.

Password Grinding
Description: A hacker uses an automated password generation program to grind away
on a password until it is guessed.
Method: There are numerous, freely available tools on the Internet that a hacker can
use to crack passwords. Since most operating systems lock out users if they enter the
wrong password too many times, most hackers download password files and grind
them off-line. Most modern computers can crack encryption systems rather quickly
provided the hacker uses the tool properly.
Danger: Password grinding can be very dangerous. Once a hacker has your passwords,
he can literally do whatever he wants. It is a good idea to change your passwords
frequently and use secure passwords. See Harden Passwords on page 20 for more
information.

Denial of Service (DoS) Attacks
Description: A hacker overloads a network connection with billions of packets.
Method: DoS attacks are crude, but effective. Quite simply, a hacker with a very fast
Internet connection bombards another system with packets until the other system
collapses. DoS attacks are commonplace for large web sites.
Danger: DoS attacks are hard to stop once they get going. Fortunately, most intrusion
defense systems, like BlackICE, can stop them from overloading an Internet
connection.

Known Vulnerability Attacks
Description: A hacker exploits a known weakness in an operating system or
Internet-enabled application.
Method: Computer operating systems are very complex. As such, there are always
some holes in the system that hackers can figure out. Once a hole is discovered, the
information spreads rapidly via hacker web sites to other hackers.
Danger: Some system vulnerabilities are very serious and can completely expose your
system to attacks. Updating the operating system with the latest service packs and
security patches stops these attacks.
Social Intrusions
Description A hacker poses as a system administrator or other authority figure and attempts to coerce you to reveal confidential information.
Method Social intrusions are by far one of the most common ways to get into systems. They are also the easiest to stop.
The scam is pretty simple. A hacker telephones or sends an e-mail
posing as a police officer, network administrator, or other person of
authority. Usually they say there is some problem and they need your
password to update their files. An unsuspecting user may willingly give
out the information assuming the person is trustworthy. The hacker then
uses the legitimate password to get into the system.
In a 1999 study, a security consulting firm reported that over 80% of the
computer users they contacted willingly revealed confidential
information about themselves or their computer to a person posing as a
system administrator. In many cases, the consultants merely asked for it,
without showing any credentials or explaining the situation.
Danger Social intrusions are extremely dangerous because nothing can stop a hacker armed with legitimate information.
INTRUSION DEFENSE
The task of stopping hackers falls upon a class of computer software and hardware
products called Intrusion Detection Systems (IDS), such as BlackICE. IDS products
have three responsibilities: detection, monitoring, and protection. This section
describes how IDSs detect and stop hackers.
Detection
The most difficult aspect of stopping hackers is merely identifying that an intrusion is
actually occurring. Hackers are clever and know how to disguise their activities inside
the normal traffic of a network. What constitutes an attack versus legitimate use of the
Internet is often very hard to determine. With millions of packets racing by on the
Internet link, locating the 10 packets that are from a hacker is not easy.
Many current firewall systems use a technology called pattern matching to locate
intrusions. Pattern matching is similar to how virus detection software works. As
packets are received, the IDS compares information in the packets to a database of
known signatures or patterns that hackers typically use.
Many pattern-matching firewalls have trouble keeping pace with modern, high-speed
connections. Comparing a billion packets to a database of 2500 patterns is a very huge
processing task, even for modern computers. This makes many pattern-matching
systems prone to overloading and missing intrusions.
Hackers know this and use methods to purposefully evade pattern-matching firewalls. One method is to fragment transmissions into numerous small packets. Pattern
matching systems need to examine an entire attack to determine if it is dangerous. If
the attack is fragmented into thousands of little packets, the firewall never sees the
complete attack and therefore cannot detect it.
BlackICE is not a pattern matching firewall. BlackICE uses a patent-pending seven-
layer protocol analysis engine. This engine dynamically analyzes network
transmissions for hacking activities. The BlackICE technology is significantly faster
than pattern-matching systems and many times more reliable. Additionally, BlackICE
can handle badly fragmented attacks.
Monitoring
Once a hacker's transmissions are identified, capturing those packets and logging all
contents is a rather easy procedure. Yet many IDS solutions fail to implement even
basic evidence file capturing or logging mechanisms.
Evidence file gathering is crucial to reconstruct what the hacker did. Such evidence
files can also be very useful to law enforcement should it become necessary to pursue a
hacker for criminal activity.
BlackICE includes a powerful network logging and capture function that can collect
information a hacker sends to your computer. This information is logged into specially
coded trace or evidence files, which can then be analyzed using a trace file-decoding
program to determine exactly what the hacker did (or tried to do).
Protection
The last aspect of an IDS is to protect the computer from the hacker. Blocking hackers
requires layers of defense systems that ensure all traffic from the hacker is rejected
before it can interact with the computer operating system.
Dynamic Address Protection
The first layer is a dynamic firewall. When an intrusion is detected, all transmissions
from the hacker's network (IP) address are blocked. Since hackers can forge addresses
of legitimate systems, the firewall must only block the transmissions long enough for
the hacker to give up.
Standard Packet Protection
One way hackers circumnavigate firewalls is to break up their transactions into many fragmented packets. Most firewalls are not able to analyze all these fragmented
packets and allow transmissions to pass right through.
The standard packet protection firewall blocks such fragmented packets as well as other
packet manipulation techniques.
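To make the fragmentation problem described under Detection and again under Standard Packet Protection concrete, here is an added PowerShell example (not BlackICE or Network ICE code) that runs a toy signature match first on each fragment by itself and then on the reassembled stream. The fragments, offsets and signature are constructed sample data; no network traffic is involved.

```powershell
# Added example, not BlackICE code: shows why matching signatures packet by packet
# misses a pattern that has been split across fragments, and why the stream must be
# reassembled (in offset order, with no gaps) before it is compared.
# All packets and signatures below are constructed sample data.

# A toy signature database of the kind a pattern-matching firewall consults.
$Signatures = @(
    [pscustomobject]@{ Name = 'CONSTRUCTED-SIG-1'; Pattern = 'CONSTRUCTED-BAD-REQUEST' }
)

function Find-PerPacket {
    param([object[]]$Packets, [object[]]$Sigs)
    # Inspects each fragment on its own, the way a simple pattern matcher does.
    $hits = @()
    foreach ($p in $Packets) {
        foreach ($s in $Sigs) {
            if ($p.Payload.Contains($s.Pattern)) { $hits += $s.Name }
        }
    }
    return ,$hits
}

function Find-Reassembled {
    param([object[]]$Packets, [object[]]$Sigs)
    # Orders fragments by offset and checks that they tile the stream with no
    # gaps; an incomplete stream is reported as such, never as "clean".
    $expected = 0
    $builder  = New-Object System.Text.StringBuilder
    foreach ($p in ($Packets | Sort-Object Offset)) {
        if ($p.Offset -ne $expected) {
            return [pscustomobject]@{ Status = 'INCOMPLETE'; Hits = @(); Stream = $builder.ToString() }
        }
        [void]$builder.Append($p.Payload)
        $expected += $p.Payload.Length
    }
    $stream = $builder.ToString()
    $hits = @()
    foreach ($s in $Sigs) {
        if ($stream.Contains($s.Pattern)) { $hits += $s.Name }
    }
    return [pscustomobject]@{ Status = 'COMPLETE'; Hits = $hits; Stream = $stream }
}

# Constructed fragments: no single fragment holds the whole pattern, and they
# arrive out of order (offsets are byte positions within the stream).
$Fragments = @(
    [pscustomobject]@{ Offset = 16; Payload = 'REQUEST HTTP/1.0' },
    [pscustomobject]@{ Offset = 0;  Payload = 'CONSTRUCT' },
    [pscustomobject]@{ Offset = 9;  Payload = 'ED-BAD-' }
)

# Per-packet matching never sees the full pattern, so it reports no hits.
$perPacket = Find-PerPacket -Packets $Fragments -Sigs $Signatures
Write-Output "Per-packet matching hits: $($perPacket.Count)"

# Reassembling first rebuilds 'CONSTRUCTED-BAD-REQUEST HTTP/1.0' and the signature fires.
$full = Find-Reassembled -Packets $Fragments -Sigs $Signatures
Write-Output "Reassembled ($($full.Status)) hits: $($full.Hits -join ', ')"

# Drop the middle fragment: the gap is reported instead of a false 'clean' result.
$partial = Find-Reassembled -Packets ($Fragments | Where-Object Offset -ne 9) -Sigs $Signatures
Write-Output "With a missing fragment: $($partial.Status)"
```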
Port Blocking
The last layer of defense is to block transmissions on specific network ports. Hackers
often search for open ports to exploit.
BlackICE can be configured to block ports that hackers typically exploit such as
NetBIOS share ports.
HANDLING INTRUSIONS
Getting hacked is a pretty common problem on the Internet. When you install
BlackICE, you may be surprised at the number of attacks that are logged. Fortunately,
most attacks are pretty innocuous. However, some are not. This section describes how
to handle attacks and secure your computer from hackers.
HOW TO RESPOND TO AN ATTACK
BlackICE automatically protects computers from any dangerous network intrusions.
Use the BlackICE Summary Application to monitor who is attempting to attack your
system, and you will likely notice that most of the hacks are really only port scans from
your ISP.
However, if you are experiencing a lot of serious attacks, you have some options for
responding to them.
TIP: See the BlackICE Summary Application Guide for more information about blocking intruders and configuring BlackICE.
Step One: Determine the Severity
The first step in dealing with attacks is to consider the relative severity of the attack.
BlackICE events are all ranked on a scale that makes determining severity very easy.
Severity  Icon and Description
100-75    Critical event: Red exclamation point. These are deliberate attacks
          on your system for the purpose of damaging data, extracting data, or
          crashing the computer. Critical events always trigger protection
          measures.
74-50     Serious event: Orange exclamation point. These are deliberate
          attempts to access information on your system without directly
          damaging anything. Some serious events trigger protection measures.
49-25     Suspicious event: Yellow question mark. These are network activities
          that are not immediately threatening, but may indicate that someone is
          attempting to locate security vulnerabilities in your system.
          Suspicious events do not trigger protection measures.
24-0      Informational event: Green "i". These indicate that a network event
          occurred that is not threatening but worthy of taking note.
          Informational events do not trigger protection measures.
Informational and suspicious events do not trigger automatic protection measures.
These attacks are not very dangerous. Most are automated port scans that merely
search the computer for vulnerabilities. These attacks do not actually attempt to access
any information on the computer.
However, hackers usually conduct these scans just before they hack into a computer.
Therefore, if a single intruder is carrying out numerous scans against a computer, there
is a good chance that a hacker is preparing to break into your system.
Step Two: Respond
For most attacks, you are not required to do anything. BlackICE takes care of blocking the intruder. All you need to do is keep an eye on the BlackICE Summary Application.
If a hacker attempts numerous attacks to your computer, there are a few ways to
respond to their attacks.
Option 1: Manually Block the Attacker
BlackICE only blocks intruders when they are directly threatening the operation of your
system. For non-threatening attacks, like port scans, BlackICE does not block the
intruder; it merely reports that the event happened.
However, some hackers carry out repeated, non-threatening attacks merely to be an
annoyance. Therefore, BlackICE provides a way to manually block attackers. Once an
attacker is blocked, he cannot perform any more scans on your system, threatening or
not.
To manually block an intruder, right-click on the intruder's name on the Intruders tab,
and then select Block Intruder. From the displayed pop-up menu, select the blocking
duration (For an Hour, For a Day, etc.).
Figure 3 The Intruders Tab in the BlackICE Summary Application
WARNING: Do not block systems from your Internet Service Provider (ISP) or internal network. Most ISPs have automated scans to check the state of users' connections.
Blocking scans from your ISP may be a violation of your usage agreement and grounds
for terminating your account. Contact your ISP for help identifying the systems it uses
to scan connections. Most ISPs reveal the DNS address of their system. This address
usually contains the domain name of the ISP (e.g. server.isp.com).
Option 2: Raise the Protection Level
If you are enduring numerous attacks, use the BlackICE security levels to protect your
network ports. Raising the protection level may interfere with some Internet functions,
especially multimedia content, however this is preferable to having to endure thousands
of attacks.
To raise the protection level, select Edit BlackICE Settings from the Tools menu. Then select the Protection tab.
Figure 4 The Protection tab.
Cautious is ideal for most computers. Raising the security level may cause some
interference with interactive programs such as Internet telephones or games like Quake.
Please see the BlackICE Summary Application Guide for complete details.
Option 3: Upgrade Older Operating Systems
All the major operating systems regularly release updates to their software. The most
current releases and service packs often patch known vulnerabilities. Your operating
system vendor's web site is a good place to begin looking for updates.
REPORTING HACKERS
Hackers have to get on the Internet somewhere. Many hackers are kids with standard
accounts on ISPs, or employees taking advantage of their company's high-speed
Internet connection.
The laws regarding hacking and computer security are still in development. However, in many states it is considered theft to break into a person's computer and steal
information. Merely attempting to break into computers is often a violation of an ISP's
terms of usage. ISPs regularly terminate accounts of users who attempt to hack other
computers. Likewise, corporations can terminate employees who improperly abuse
company Internet connections.
One way to stop hackers is to report their activities to their ISP. At a minimum, the
ISP may begin monitoring that user for illegal activity. At best, the ISP may terminate
that user's account.
Most ISPs, corporations, and universities have web sites or email addresses where you
can report hacking activities. Typically the email address is something like
abuse@ followed by the ISP's domain name. Keep in mind that these organizations handle hundreds, possibly thousands of illegal use complaints each day.
Furthermore, reporting every system that scans your computer is probably more trouble
than it is worth. Scans and probes are kicked off all the time on the Internet. Simply
accessing a web site might kick off a scan. These are normal networking events and
not always indicative of an attack. It is best to report only those hackers that have
carried out severe or repeated attacks on your system.
Before you complain to a hacker's ISP, make sure you have adequate supporting
evidence. This is where the back tracing and evidence logging features of BlackICE
become a real asset.
How to Report a Hacker
If BlackICE was able to get a DNS name from the hacker [4], then use this to locate the
origin of the intruder. For example, if BlackICE reported an attack from
USER1.SAMPLEISP.COM, the hacker was obviously a user on Sample ISP. Use an Internet
search engine to locate the web site for the origin.
If you are unsure who owns the domain, use the Network Solutions WHOIS server at
www.networksolutions.com/cgi-bin/whois/whois/ to look up a domain name.
Send e-mail to the ISP with your complaint. Please do not call; most ISPs and
corporations do not have the staff to handle individual abuse complaints. When e-
mailing the ISP, make sure to include the following information. You can select the
corresponding attacks from the Attacks tab, or the intruder from the Intruders tab, and
then copy and paste the information into the e-mail.
- Exact time the attack occurred.
- Your time zone.
- The type of attack.
- The intruder's IP, DNS, NetBIOS, and MAC addresses, if available.
[4] If you do not have a DNS name for the hacker, it is probably best to just block the
attacker and forget about it. Savvy hackers can hijack connections and spoof IP
addresses, which makes it impossible to report them to anybody who could stop them.
- Your name, e-mail address, and ISP.
- Attach the following support files to your e-mail. Make sure to explain that the
evidence file is a sniffer type trace file. Most network administrators are familiar
with this file format.
  - Back Trace File: Attach the BlackICE back trace file for the intruder. These
files are stored in the Hosts folder, which is located in the directory where
BlackICE is installed. If you installed BlackICE to the default location, it is
located at: C:\Program Files\Network ICE\BlackICE\Hosts. The file names
are the IP address and a .txt extension.
  - Evidence File: An evidence file contains network traffic related to the event.
The file is encoded as a sniffer trace file. You will need a trace file decoding
application to view the contents of this file. Windows NT Server includes the
Network Monitor service and tools, which can decode such files. Other third
party vendors also supply such applications. Evidence files are stored in the
folder where BlackICE was installed; the default location is C:\Program
Files\Network ICE\BlackICE. By default, the file names are prefixed with
the word evd and the date.
To determine which evidence file is correct for a particular attack, you may need to
correlate the time of the attack with the timestamp on the file(s). If there are numerous files within the same time period, you need to decode the file and locate the IP address
of the attacker. Be careful not to send the wrong evidence file to the hacker's ISP.
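As an added example (not a BlackICE tool), the following PowerShell script picks out the back trace file and the candidate evidence file(s) for one attack using the file locations and naming described above. It assumes the default install path, back trace files named Hosts\<IP>.txt, evidence files prefixed evd, and an attack time given in local time.

```powershell
# Added example, not part of BlackICE: find the back trace file and the evidence
# file(s) for one attack so that the right files go into an abuse report.
# Assumptions: the guide's default install path, back trace files named
# Hosts\<IP>.txt, evidence files prefixed "evd", attack time in local time.
param(
    [Parameter(Mandatory = $true)] [string]$IntruderIP,
    [Parameter(Mandatory = $true)] [datetime]$AttackTime,
    [int]$WindowMinutes = 15,
    [string]$InstallDir = 'C:\Program Files\Network ICE\BlackICE'
)

# Refuse anything that is not an IP address: the Hosts file name is built from it.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($IntruderIP, [ref]$parsed)) {
    throw "Not a valid IP address: $IntruderIP"
}

# Back trace file: one per intruder, named after the IP address.
$backTrace = Join-Path (Join-Path $InstallDir 'Hosts') "$IntruderIP.txt"
if (Test-Path -LiteralPath $backTrace) {
    Write-Output "Back trace file: $backTrace"
} else {
    Write-Warning "No back trace file for $IntruderIP (BlackICE may not have traced this intruder)."
}

# Evidence files: correlate the attack time with each file's timestamp, nearest first.
$from = $AttackTime.AddMinutes(-$WindowMinutes)
$to   = $AttackTime.AddMinutes($WindowMinutes)
$candidates = @(Get-ChildItem -LiteralPath $InstallDir -Filter 'evd*' -File |
    Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
    Sort-Object { [math]::Abs(($_.LastWriteTime - $AttackTime).TotalSeconds) })

switch ($candidates.Count) {
    0 { Write-Warning "No evidence file was written within $WindowMinutes minutes of $AttackTime." }
    1 { Write-Output "Evidence file: $($candidates[0].FullName)" }
    default {
        # Several files in the window: the IP inside each must be confirmed by
        # decoding the trace before any of them is sent.
        Write-Warning "$($candidates.Count) evidence files fall in the window; decode each and confirm it contains $IntruderIP before sending."
        $candidates | Select-Object FullName, LastWriteTime, Length | Format-Table -AutoSize
    }
}
```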
RETALIATION HACKING
It is tempting to turn the tables on hackers and hack them back. Network ICE
strongly discourages any attempts at retaliation hacking. It might feel good to
attempt such revenge, but ultimately it is counterproductive and could make matters
worse.
There are four very compelling reasons not to attempt any retaliation hacking.
1. Hacking is probably a violation of your ISP's usage policies. Hacking is one of the
quickest ways to get your Internet account cancelled. This includes corporate Internet connections.
2. Retaliating against a hacker could merely incite the attacker to do more. Most
sophisticated hackers are diligent enough to protect their own systems. Therefore,
if you attempt to hack them back, this could encourage them. Less experienced
hackers may find your retaliation as grounds to broadcast your account to various
hacker forums. This could summon more experienced hackers to zero in on your
system.
3. Hacking is usually not a constructive activity. BlackICE Defender protects your
systems from hackers. Retaliating only wastes time and will probably not stop the
hacker. In the realm of networking countermeasures, the best offense is a solid
defense.
4. Some hacking tools are actually Trojans themselves. Devious hackers know the
best target for hacking is a person who fancies him/herself a hacker. Therefore,
they may offer you special applications that make hacking easy. In reality, these
programs can contain Trojans that open your computer to hacking from the hacker
who gave you the tool.
Be safe, block the hacker and forget them. BlackICE can take care of the hacker and
protect your computer.
COMPUTER SECURITY
Computer security is no longer something that only worries network engineers. The
hackers of today are highly skilled and ubiquitous. While you surf the Internet, a
hacker from anywhere in the world might be hacking your computer and stealing your
identity.
You have already taken the first step toward stopping hackers with BlackICE.
BlackICE can detect, monitor, and stop hackers before they get into your computer.
For most casual Internet users, BlackICE can protect your computer completely.
However, there are other things you can do to harden your computer from hackers.
This section describes how to further protect your computer from the prying eyes of
hackers.
GOOD SECURITY PRACTICES
Most significant hacking problems are easily prevented when users adhere to good
security practices. This section lists some things you can do to make your computer
even more secure.
- Turn computer off when not in use. If you have a DSL or cable modem
connection, turn your computer off when not using it. These "always on"
connections are particularly vulnerable because they provide more opportunities for
hackers to find your computer.
- Protect network addresses. Never reveal your cable modem, DSL, or ISP
connection's IP address or other system networking information to anyone. Your
telephone company and Internet Service Provider should already have this
information. They will never ask you for this information.
- Protect passwords. Never give out a password or any sensitive information to an
unsolicited telephone call or e-mail. Get the person's telephone number and tell
them you will call them back.
- Be careful what goes out over e-mail. Never e-mail sensitive information such as
passwords, credit card information, etc. to people unless you have software
installed that can encrypt your e-mail. There are several good e-mail encryption
programs on the market.
- Know the web sites you visit. Never submit private or sensitive information via a
web page unless the web site uses secure connections. You can identify a secure
connection with a small key icon on the bottom of your browser (Internet
Explorer 3.02 or better) or a closed lock (Netscape 3.0 or better). If a web site uses a secure connection, it is safe to submit information. Secure web transactions
are quite difficult to crack.
- Be very careful of files e-mailed to you, even those from people you know. One
common way of getting viruses on a computer is to embed them into an e-mail
attachment. While you are laughing at the antics of some dancing baby cartoon,
hackers are opening up your system and stealing your files.
- Never execute a file sent to you with a *.VBS extension. These are visual basic
scripts that may contain viruses or worms that could plant remotely controlled
hacking programs (Trojans) on your computer.
- Change your passwords regularly. Also, use passwords that are not easy to figure
out. The most difficult passwords to crack are those consisting of non-dictionary
words, upper and lower case letters, numbers, and symbols such as % or #.
- Upgrade your software and operating system regularly. Many older versions of software, especially web browsers, have well known security deficiencies. When
you upgrade to the latest versions, you get the latest patches and fixes. Check with
your browser and operating system vendor to locate the latest patches and updates.
- Chat rooms. If you use chat rooms or IRC sessions, be careful with any
information you reveal to strangers. Hackers are notorious for address harvesting
from chat rooms and other interactive areas.
- Games. Avoid hosting interactive games like Quake 3 Arena or Half-Life. This
exposes your IP address and can summon hackers (especially if you win!).
- Pay attention to odd computer behavior. If your system starts exhibiting odd
behavior, check the BlackICE summary application for signs of possible attacks.
Some hackers set off attacks that slowly cause your system to become unstable or
unusable. If this happens a lot, notify your ISP and reboot your machine. In extreme cases, hackers can damage the operating system on your computer, which
would require re-installing the operating system.
- Beware the Blue Screen of Death. If you are using Windows 2000 or Windows
NT and your system suddenly displays a blue screen, write down the information at
the top of the screen. Proceed to check the BlackICE summary application to see if
any attacks occurred at the time of the problem. If so, contact your ISP. Some
serious Windows errors are the result of hackers or viruses on a system.
- Always shred confidential information, particularly about your computer, before
throwing it away. A dedicated hacker will dig through the trash of companies or
individuals for information that might help them access your system, a practice also
known as dumpster diving.
COMPUTER HARDENING
Hardening refers to configuring a computer to be more resistant to attacks. Hardening
aims to make a computer virtually impenetrable to hackers.
This section describes how to harden Windows-based systems. For additional
information about hardening systems, see the Network ICE advICE web site at
www.networkice.com/advice.
Many of these instructions require some advanced understanding of Windows-based
systems. For help performing any of these tasks, refer to the on-line help included with
your copy of Windows. You may also want to refer to the Microsoft on-line
Knowledge Base at support.microsoft.com.
Options for hardening a computer depend on the operating system you are using. Windows NT/2000 and Windows 95/98/Me are technically very different systems even
though they look alike. In this section, hardening options indicate the operating
system(s) where they are applicable.
Install the latest Security Patches and Service Packs
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Perhaps the simplest way to make Windows systems safe is to keep up to date on the
latest security fixes. The easiest way to get the latest patches is to use Microsoft's
Windows Update web site at www.windowsupdate.com. This site can automatically
detect what is installed on your computer and identify which updates you need to
install. For additional information visit the Microsoft web site at www.microsoft.com.
Harden Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
It is best to use passwords that are extremely difficult to guess. The best passwords are
odd combinations of letters, numbers, and symbols, in both lower and upper case.
Names of pets, family members, and favorite cars might be easy to remember but they
are also easy to hack.
The User Manager in Windows NT/2000 can actually go a step further and require users
to create hardened passwords. It can also establish strict password policies that prevent
hackers from running cracking programs on the operating system. It is a good idea to
implement the following hardening policies on Windows NT/2000 machines.
- Enable lockout on all normal accounts. 3 to 5 attempts is a good limit.
- Force long passwords, at least 6 characters.
- Require unique passwords so that when users change a password, they cannot re-use an old one.
Figure 5 Windows 2000 includes a Local Security Settings feature to control password
policies.
- You may also want to install the passfilt.dll file as described at:
msdn.microsoft.com/library/psdk/logauth/pswd_about_9x7w.htm. This special
add-on allows you to define specific rules for passwords. For regular Windows
NT/2000 workstations, this is not necessary. Windows 2000 has password filtering
capabilities built into the operating system. See the documentation included with
Windows for more information about implementing password filtering.
Use the NTFS Hard Drive Partition Format
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Windows NT/2000 systems can access hard drives that use the NTFS format. NTFS is
much more secure than FAT or FAT32 partitions. Use the convert.exe program
located in the directory where Windows NT/2000 is installed to convert a FAT partition
to NTFS.
Do Not Multi-Boot
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Use only one operating system. Do not dual boot to any other operating system.
Multiple operating systems may allow a hacker to exploit weaknesses in one operating
system while the other is running.
Secure All Shares with Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
If you create any shared resources, particularly shared hard drives, protect those shares
with passwords. Use passwords that are not easily guessed. The most difficult
passwords to crack are those consisting of non-dictionary words, upper and lower case
letters, numbers, and symbols such as % or #.
Disable All Unnecessary Accounts
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Unless your computer requires anonymous access for a web site or database, it is a
good idea to disable all unnecessary accounts, especially the Guest account. If you are
unsure which accounts to disable, at least change the password on these accounts to
something very secure.
Explicitly Select Users with Network Access
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Windows NT/2000 allows you to explicitly select which users can access the system
over the network. It is a good idea to restrict this to only those user groups that should
be allowed to access your computer.
For most DSL and home users, you can completely disable all network access for users.
This will not interfere with local access; only remote access from other computers is
blocked.
Figure 6 Windows NT/2000 allows you to explicitly select the user groups that can access
your computer over the network.
Disable Telnet
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Without a doubt Telnet is the most abused service for hackers. Unless you have a very
specific need to have telnet access to your computer, check the computer services and
specifically disable the telnet service.
Do Not Install a Web Server
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Unless you are using your computer as a web server, do not install Internet Information
Server or Personal Web Services. These services open the computer up to numerous
attacks as they enable Internet services.
If you do plan to use the system as a web server, enable only those services needed.
For example, if you do not plan on offering FTP services, disable the FTP services.
You may also want to assign non-standard ports to your web services. For example,
configure FTP services to use port 21111 rather than the default 21. This might keep
inexperienced hackers from attempting to break into your FTP server.
Disable NetBIOS (WINS)
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Windows uses an implementation of NetBIOS called Windows Internet Naming Service
or WINS. NetBIOS allows Windows-based computers to access resource shares (hard
drives, printers, etc.) over the network and use the Network Neighborhood lookup.
Unless your computer is connected to other computers on a network, there is no reason
to leave NetBIOS enabled. BlackICE can block all access to the NetBIOS ports.
Uncheck the Allow Internet File Sharing and Allow NetBIOS Neighborhood options
on the Protection tab of the BlackICE Settings dialog box.
Figure 7 The Protection tab.
WARNING: If you have your home/office computers connected to a local area network where you share files with other computers, you should not disable file sharing. See
Protecting Home/Office Networks on page 26 for more information about how to
protect your home/office LAN from hackers while still allowing file sharing.
Secure the Registry
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Windows NT and 2000 support remote access to the registry using the Registry Editor
program and a special Windows interface command (Win32 API call).
The following registry key dictates which users/groups can access the registry
remotely:
HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\Control\SecurePipeServers\Winreg
If this key does not exist, remote access is not restricted, and only the underlying
security on the individual keys control access.
In a default Windows NT Workstation installation, this key does not exist. In a default
Windows NT Server installation, this key exists and grants administrators full control
for remote registry operations.
Another good idea is to alter the security settings on each main key in the registry to
only allow the system and administrators access to the keys. This can be done using
the regedt32.exe program in the system32 folder where Windows NT is installed.
Figure 8 -- Registry Security Settings
For more information about properly securing the registry, refer to the Microsoft web
site.
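The following PowerShell script is an added example, not Network ICE code, that audits a Windows host read-only against the Harden Passwords, Disable All Unnecessary Accounts, Disable Telnet, Do Not Install a Web Server and Secure the Registry recommendations above. It assumes Windows PowerShell 5.1 or later run as Administrator and uses the modern equivalents (net accounts, Get-LocalUser, Get-Service, Get-Acl) of the NT/2000 tools the guide names; TlntSvr, W3SVC, MSFTPSVC and ftpsvc are the Windows service names for the Telnet server, IIS web and FTP services.

```powershell
# Added example, not Network ICE code: read-only audit of a Windows host against
# several hardening recommendations from this section. Assumes Windows PowerShell
# 5.1 or later, run as Administrator. Nothing is changed; findings are reported.

$Findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding([string]$Check, [bool]$Pass, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Pulls one value out of the label/value lines that 'net accounts' prints.
function Get-NetAccountsValue([string[]]$Lines, [string]$Label) {
    $line = $Lines | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if (-not $line) { return $null }
    return ($line.Substring($Label.Length)).Trim()
}

# 1. Harden Passwords: lockout after 3 to 5 attempts, at least 6 characters,
#    and a password history so that old passwords cannot be reused.
$acct   = @(net accounts 2>$null)
$lock   = Get-NetAccountsValue $acct 'Lockout threshold:'
$minLen = Get-NetAccountsValue $acct 'Minimum password length:'
$hist   = Get-NetAccountsValue $acct 'Length of password history maintained:'
Add-Finding 'Lockout threshold is 3-5 attempts' `
    (($lock -match '^\d+$') -and ([int]$lock -ge 3) -and ([int]$lock -le 5)) "net accounts: $lock"
Add-Finding 'Minimum password length >= 6' `
    (($minLen -match '^\d+$') -and ([int]$minLen -ge 6)) "net accounts: $minLen"
Add-Finding 'Password history enforced (unique passwords)' `
    (($hist -match '^\d+$') -and ([int]$hist -ge 1)) "net accounts: $hist"

# 2. Disable All Unnecessary Accounts: the Guest account in particular.
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest) { Add-Finding 'Guest account disabled' (-not $guest.Enabled) "Enabled = $($guest.Enabled)" }
else        { Add-Finding 'Guest account disabled' $true 'no Guest account present' }

# 3. Disable Telnet: the Telnet server service (TlntSvr) should be absent or disabled.
$telnet = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
if ($telnet) {
    Add-Finding 'Telnet service disabled' `
        (($telnet.Status -ne 'Running') -and ($telnet.StartType -eq 'Disabled')) `
        "Status = $($telnet.Status), StartType = $($telnet.StartType)"
} else { Add-Finding 'Telnet service disabled' $true 'service not installed' }

# 4. Do Not Install a Web Server: IIS web (W3SVC) and FTP (MSFTPSVC / ftpsvc) services.
foreach ($name in 'W3SVC', 'MSFTPSVC', 'ftpsvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { Add-Finding "Service $name not running" ($svc.Status -ne 'Running') "Status = $($svc.Status)" }
    else      { Add-Finding "Service $name not running" $true 'service not installed' }
}

# 5. Secure the Registry: the winreg key must exist, and ordinary user groups
#    must not be granted access to it (SYSTEM, administrators and the built-in
#    service accounts are the expected grantees).
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path -LiteralPath $winreg) {
    $acl    = Get-Acl -LiteralPath $winreg
    $grants = $acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $broad  = $grants | Where-Object { $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' }
    $detail = ($grants | ForEach-Object { "$($_.IdentityReference)=$($_.RegistryRights)" }) -join '; '
    Add-Finding 'winreg key not open to ordinary users' (-not $broad) $detail
} else {
    Add-Finding 'winreg key present' $false 'key missing: remote access is limited only by per-key security'
}

$Findings | Format-Table -AutoSize
```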
Never Cache Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Windows systems allow you to save passwords for numerous applications. These
passwords are saved in encrypted files or in areas of the registry that a hacker might be
able to access. Once a hacker gets a hold of these files, it is merely a matter of time
before a password grinding utility can extract your passwords from the files.
Therefore, when Windows prompts you to save a password, uncheck the option. It may
be a little inconvenient, but that is better than hackers getting access to your computer.
Disable Userdata Persistence
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Internet Explorer 5.0-5.5 can cache passwords and logon information. This information
could allow a hacker to access web sites you visit, including e-mail. It is a good idea to
disable this feature so Internet Explorer does not save this information locally.
This feature is not available in Internet Explorer 3.02 to 4.0 or Netscape Navigator.
1. To disable this feature, select Internet Options from the Tools menu in Internet
Explorer.
2. Select the Security tab. Then click Custom Settings.
3. Scroll down to the Userdata persistence entry and select Disable.
4. Click OK.
Figure 9 Disable the userdata feature in Internet Explorer 5.0 to 5.5.
PROTECTING HOME/OFFICE NETWORKS
If your computer is connected to an internal network where you share files between
computers, disabling file sharing and Network Neighborhood makes it impossible for
other users to access files on your computer.
Because BlackICE can handle this blocking for you, if you have a home network you
must reconfigure the network to block NetBIOS access to hackers while still leaving
your internal network free to access file sharing.
There are a few ways to still allow internal file sharing on your home network while
preventing hackers from reaching it:
Solution One Install NetBEUI Protocol
One solution is to install the NetBEUI protocol on all the computers on your network.
NetBEUI is a non-routable protocol for use on internal networks. With NetBEUI and
TCP/IP installed, the network can use NetBEUI for accessing internal shares while still
communicating with the Internet using TCP/IP.
However, NetBEUI is intended for small networks only. If you are installing BlackICE
on a large network, it is not advisable to use NetBEUI, as it cannot be routed across
multiple subnets. This may ultimately slow down your communications with remote
computers on your networks.
To use NetBEUI for internal access:
1. Install NetBEUI on all the computers on your internal network.
2. Keep Internet File Sharing and NetBIOS neighborhood enabled in the Edit
BlackICE Settings Protection tab.
3. In the network properties of Windows, disable NetBIOS over TCP/IP. Since the
computers on the internal network communicate and route over the Internet using
TCP/IP, this prevents your computer from reporting any NetBIOS information over
the Internet.
When you disable NetBIOS over TCP/IP, Windows will use NetBEUI for
NetBIOS resolution. Because NetBEUI is non-routable, Windows cannot expose
shared resources to the Internet.
See the documentation included with your copy of Windows for more information about
how to install NetBEUI.
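As an added example that is not part of the guide, the following PowerShell script carries out step 3 above (disable NetBIOS over TCP/IP) without the network properties dialog and verifies the result. It assumes Windows PowerShell 5.1 or later in an elevated session on a Windows version that provides the Win32_NetworkAdapterConfiguration CIM class and Get-NetTCPConnection; these are not mentioned in the guide.

```powershell
# Added example, not from the BlackICE guide. Assumes Windows PowerShell 5.1 or later
# in an elevated session. Mirrors step 3 of Solution One: disable NetBIOS over
# TCP/IP so no NetBIOS information is reported over the Internet-facing interface.

# TcpipNetbiosOptions: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
function Get-NetbiosOverTcpipStatus {
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $cfg = $_
            $state = switch ($cfg.TcpipNetbiosOptions) {
                0 { 'Default (from DHCP)' }
                1 { 'Enabled' }
                2 { 'Disabled' }
                default { "Unknown ($($cfg.TcpipNetbiosOptions))" }
            }
            [pscustomobject]@{
                Index     = $cfg.Index
                Adapter   = $cfg.Description
                IPAddress = ($cfg.IPAddress -join ', ')
                NetBIOS   = $state
            }
        }
}

# Disable NetBIOS over TCP/IP on the adapter with the given index (use the
# Internet-facing adapter; leave internal-only adapters as they are).
# SetTcpipNetbios returns 0 on success and 1 when a reboot is required.
function Disable-NetbiosOverTcpip {
    param([Parameter(Mandatory)][int]$Index)
    $cfg = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "Index = $Index"
    $result = Invoke-CimMethod -InputObject $cfg -MethodName SetTcpipNetbios `
        -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
    return $result.ReturnValue
}

# Verify: the NetBIOS session service (TCP port 139) should no longer be listening
# on the external address once the setting has taken effect.
function Get-NetbiosListener {
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -eq 139 } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

Get-NetbiosOverTcpipStatus | Format-Table -AutoSize
# To apply step 3 to one adapter, run e.g.:  Disable-NetbiosOverTcpip -Index 1
Get-NetbiosListener | Format-Table -AutoSize
```

Current Windows versions no longer ship NetBEUI, so on such systems this step removes NetBIOS from the external interface without the NetBEUI fallback the guide describes; internal sharing then relies on SMB over TCP/IP on the internal adapter only.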
Solution Two Install a Hardware Router
Several manufacturers sell DSL/cable modem routers. These routers can isolate your
internal network, providing some protection from hackers while allowing you to keep
NetBIOS enabled.
Additionally, many hardware routers can offer Network Address Translation (NAT)
firewall features. NAT firewalls are quite simple and easy to penetrate, but they stop
many casual or inexperienced hackers from probing your computer for open ports or
vulnerabilities.
Solution Three Build a Dual-Interface Proxy Server
Another way to solve the sharing problem is to build a dual-interface proxy server and
disable the WINS/NetBIOS interface on the external network interface.
Figure 10 One way to isolate an internal network is to use a dual-interface proxy server
with the WINS/TCP/IP client disabled on the external interface.
Such an arrangement requires some advanced experience with computer networking. It
also requires proxy server software. This solution is ideal for larger networks that
cannot use NetBEUI and need the services of a proxy server.
This arrangement requires two network interface cards in the proxy server computer.
Building a dual-interface proxy server will stop attacks directed at the proxy server
system, but will not protect computers on the internal network. Therefore, make sure to
purchase copies of BlackICE for your internal computers.
APPENDIX A
FOR MORE HELP
NEED MORE ADVICE?
For more help with computer security, visit the Network ICE advICE web site at
http://advice.networkice.com/Advice/default.htm . This site provides in-depth articles
and instructions on securing computers and stopping hackers.
Accessing advICE from BlackICE
The BlackICE Summary Application includes a direct link to the advICE web site. Just
click the advICE button located on the Attacks tab.
Figure 11 BlackICE Summary Application.
To view in-depth information about a particular kind of attack, select the attack in the
attacks list and click advICE. A web browser window is opened to the advICE site
displaying a complete description about the attack.
PRODUCT DOCUMENTATION
The latest product documentation is available from the Network ICE web site at
www.networkice.com/support/documentation.html .
TECHNICAL SUPPORT
Web: www.networkice.com/support/online_resources.html
E-mail: [email protected]
For updates and upgrade information, please visit the Network ICE web site at
www.networkice.com. For information on how to download the latest update of
BlackICE Defender please see the BlackICE Summary Application Guide.
APPENDIX B
GLOSSARY
Agent: A computer program that reports information to another computer or allows
another computer access to the local system. Agent software can be used in good ways,
as in the case of BlackICE software reporting intrusion information to an ICEcap server
for reporting and analysis. Agents can also be dangerous as in the case of hacking
programs like SubSeven or Back Orifice that expose backdoors to the computer.
ARP: Address Resolution Protocol. A TCP/IP protocol used to convert an IP address
into a physical address (called a DLC address), such as an Ethernet address. A host
wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP
network. The host on the network that has the IP address in the request then replies
with its physical hardware address.
Attack: See Event.
Authenticity: Proof that the information came from the person or location that
reportedly sent it. One example of authenticating software is through digital
signatures.
Back Door: A deliberately planned security breach in a program. Back doors allow
special access to a computer or program. Sometimes back doors can be exploited and
allow a cracker unauthorized access to data.
Back Orifice: Back Orifice is a remote administration tool that allows a user to control
a computer across a TCP/IP connection using a simple console or GUI application.
Back Orifice is a potentially disastrous Trojan horse since it can provide the user
unlimited access to a system.
Blue Screen of Death (BSoD): When a Windows NT based system encounters a
serious error, the entire operating system halts and displays a screen with information
regarding the error. The name comes from the blue color of the error screen.
Brute Force Hacking: A technique used to find passwords or encryption keys. Brute
Force Hacking involves trying every possible combination of letters, numbers, etc. until
the code is broken.
Camping Out: Staying in a "safe" place once a hacker has broken into a system. The
term can be used with a physical location, electronic reference, or an entry point for
future attacks.
Cipher Text: Text that has been scrambled or encrypted so that it cannot be read
without deciphering it. See Encryption.
Cookie: A string of characters saved by a web browser on the user's hard disk. Many
web pages send cookies to track specific user information. Cookies can be used to
retain information as the user browses a web site. For example, cookies are used to
'remember' the items a shopper may have in a shopping cart.
Countermeasures: Techniques, programs, or other tools that can protect your
computer against threats.
Cracker: Another term for hackers. Generally, the term cracker refers specifically to
a person who maliciously attempts to break encryption, software locks, or network
security.
Cracker Tools: Programs used to break into computers. Cracker tools are widely
distributed on the Internet. They include password crackers, Trojans, viruses, war-
dialers, and worms.
Cracking: The act of breaking into computers or cracking encryptions.
Cryptanalysis: The act of analyzing secure documents or systems that are protected
with encryption for the purpose of breaking into the systems or exposing weaknesses.
Decryption: The act of restoring an encrypted file to its original, plain text state.
Denial of Service (DoS): Act of preventing customers, users, clients, or other
machines from accessing data on a computer. Denial of service attacks are usually
accomplished by interrupting or overwhelming the computer with bad or excessive
information requests.
Digital Signature: Digital code that authenticates whoever signed the document or
software. E-mail, software, messages, and other electronic documents can be signed
electronically so that they cannot be altered by anyone else. If someone alters a signed
document, the signature is no longer valid. Digital signatures are created when
someone generates a hash from a message, then encrypts and sends both the hash and
the message to the intended recipient. The recipient decrypts the hash and original
message, makes a new hash on the message itself, and compares the new hash with the
old one. If the hashes are the same, the recipient knows that the message has not been
changed. Also see Public-key encryption.
DNS: Domain Name System. A database of domain names and their IP addresses.
DNS is the primary naming system for many distributed networks, including the
Internet.
Encryption: The act of substituting numbers and characters in a file so that the file is
unreadable until it is decrypted. Encryption is usually done using a mathematical
formula that determines how the file is decrypted.
Event: BlackICE can detect numerous network activities. Some activities are direct
attacks on your system, while others might be attacks depending on the circumstances.
Therefore, any activity, regardless of severity, is called an event. An event may or may
not be a direct attack on your system. BlackICE categorizes all events into four
severity levels (the Icon column shows the severity range each icon represents):

Icon (severity range)  Description
100-75   Critical Event: This is a deliberate attack on your system for the
         purpose of damaging data, extracting data, or crashing the system.
         Critical events always trigger protection measures.
74-50    Serious Event: This is a deliberate attempt to access information on
         your system, yet it does not directly damage anything. These events
         can trigger protection measures, if applicable.
49-25    Suspicious Event: This is network activity that is not immediately
         threatening, but may indicate that someone is attempting to locate
         security vulnerabilities in your system. For example, hackers often
         scan the available ports or services on a system before attacking it.
         Suspicious events do not trigger protection measures, and not all
         suspicious events are indicative of a true attack.
24-0     Informational Event: This indicates that a network event occurred to
         your computer that is not threatening. Informational events do not
         trigger protection measures.
Firewall: A hardware or software barrier that restricts access in and out of a network.
Firewalls are most often used to separate an internal LAN or WAN from the Internet.
See Gateway.
FTP: File Transfer Protocol. A common protocol used for exchanging files between
two sites across a network. FTP is popular on the Internet because it allows for speedy
transfer of large files between two systems. Like all networking protocols, it too has
some significant vulnerabilities.
Gateway: A gateway is a system that provides access between two or more networks.
Gateways are typically used to connect unalike networks together. A gateway can also
serve as a firewall between two or more networks.
Grinding: See password grinding.
Hacker: Generally, a hacker is anyone who enjoys experimenting with technology,
including computers and networks. Not all hackers are criminals breaking into
systems. Many are legitimate users and hobbyists. Nevertheless, some are dedicated
criminals or vandals. See Cracker.
HTTP: Hyper Text Transfer Protocol. The most common protocol used on the
Internet. HTTP is the primary protocol used for web sites and web browsers. It is also
prone to certain kinds of attacks.
ICMP: Internet Control Message Protocol. ICMP, an extension to the Internet
Protocol (IP), supports packets containing error, control, and informational messages.
The PING command, for example, uses ICMP to test an Internet connection.
IDS: Intrusion Defense System (or Software). A class of networking products devoted
to detecting, monitoring, and blocking attacks from hackers. This often is comprised of
a number of related components such as a firewall and protocol analyzer working
together to stop hackers. BlackICE is an IDS.
Integrity: Proof that the data is the same as originally intended. Unauthorized
software or people have not altered the original information.
Internet Worm: See Worm.
Intruder: Person or software interested in breaking computer security to access,
modify, or damage data. Also see Cracker.
IP: Internet Protocol. Specifies the format of packets, also called datagrams, and the
addressing scheme. Most networks combine IPs with a higher-level protocol called
Transport Control Protocol (TCP), which establishes a virtual connection between a
destination and a source. IP by itself is something like the postal system. It allows you
to address a package and drop it in the system, but there's no direct link between you
and the recipient. TCP/IP, on the other hand, establishes a connection between two
hosts so that they can send messages back and forth for a period of time. Current IP
standards use 4 numbers between 0 and 255 separated by periods to create the 32-bit
numeric IP address. For example, an IP address could be: 38.158.99.13.
IRC: Internet Relay Chat. IRC was developed in the late 1980s as a way for multiple
users on a system to chat over the network. Today IRC is a very popular way to
talk in real time with other people on the Internet. However, IRC is also one avenue
hackers use to get information from you about your system and your company.
Moreover, IRC sessions are prone to numerous attacks that, while not dangerous, can
cause your system to crash.
LAN: Local-Area Network. A LAN is a computer network that spans a relatively small
area. One LAN connected via telephone lines or radio waves to other LANs over any
distance creates a WAN (a Wide-Area Network).
Linux: A version of the UNIX operating system.
Logic Bomb: A virus that only activates itself when certain conditions are met. Logic
bombs usually damage files or cause other serious problems when they are activated.
MAC Address: Media Access Control Address. A unique identification code used in
all networked devices. The MAC address defines a specific network node at the
hardware level and cannot be altered by any software.
Name Resolution: The allocation of an IP address to a host name. See DNS.
NetBIOS: Network Basic Input/Output System. NetBIOS is an extension of the DOS
BIOS that enables a PC to connect to and communicate with a LAN (Local Area
Network).
NetBEUI: NetBIOS Extended User Interface. A non-routable networking protocol
developed in the 1980s by IBM. NetBEUI is ideal for smaller, non-subnetted networks
for internal communications. Because NetBEUI is not routable, network transmissions
sent via NetBEUI cannot be transmitted over the Internet.
NAT: Network Address Translation. An Internet standard that enables LAN, WAN
(Wide Area Network), and MAN networks to use extended IP addresses for internal use
by adding an extra number to the IP address. This standard translates internal IP
addresses into external IP addresses and vice versa. In doing so, it generates a type of
firewall by hiding internal IP addresses.
Packet Filter: A filter used in firewalls that scans packets and decides whether to let
them through.
Password Cracker: A program that uses a dictionary of words, phrases, names, etc. to
guess a password.
Password Caching: The storage of a user's username and password in a network
administrator database or encrypted file on a computer. Also called password
shadowing.
Password encryption: A system of encrypting electronic files using a single key or
password. Anyone who knows the password can decrypt the file.
Password Grinding: The process of systematically testing all character combinations
on a password until the correct character string is identified. Password grinding is a
very slow, but effective way to crack password files. There are numerous, freely
available computer programs that can grind password files.
Penetration : Gaining access to computers or networks by bypassing security programs
and passwords.
Phreaking: Breaking into phone or other communication systems. Phreaking sites on
the Internet are popular among crackers and other criminals.
Ping: Packet Internet Groper. PING is a utility to determine whether a specific IP
address is accessible. It works by sending a packet to the specified address and waiting
for a reply. PING is used primarily to troubleshoot Internet connections.
Ping Attack: An attack that slows down the network until it is unusable. The attacker
sends a "ping" command to the network repeatedly to slow it