TABLE OF CONTENTS

SECTION 1: INTRODUCTION ..... 1
  The Hacker Threat ..... 2
    How Hackers Exploit the Internet ..... 2
    Who Are Hackers? ..... 2
    Home Computers – The New Target for Hackers ..... 3
    The Proliferation of Always-On Connections ..... 3
    It Will Not Happen To Me ..... 3
  Introduction to Computer Networking ..... 4
    Connecting to the Internet ..... 4
    Computer Addresses ..... 5
    Packet Switching ..... 5
    Protocols ..... 7
    Ports ..... 7
  Hacker Attacks ..... 9
  Intrusion Defense ..... 11
    Detection ..... 11
    Monitoring ..... 12
    Protection ..... 12
SECTION 2: HANDLING INTRUSIONS ..... 13
  How to Respond to an Attack ..... 13
    Step One – Determine the Severity ..... 13
    Step Two – Respond ..... 14
  Reporting Hackers ..... 16
    How to Report a Hacker ..... 16
  Retaliation Hacking ..... 17
SECTION 3: COMPUTER SECURITY ..... 18
  Good Security Practices ..... 18
  Computer Hardening ..... 19
    Install the latest Security Patches and Service Packs ..... 20
    Harden Passwords ..... 20
    Use the NTFS Hard Drive Partition Format ..... 21
    Do Not Multi-Boot ..... 21
    Secure All Shares with Passwords ..... 21
    Disable All Unnecessary Accounts ..... 21
    Explicitly Select Users with Network Access ..... 22
    Disable Telnet ..... 22
    Do Not Install a Web Server ..... 23
    Disable NetBIOS (WINS) ..... 23
    Secure the Registry ..... 24
    Never Cache Passwords ..... 25
    Disable Userdata Persistence ..... 25
  Protecting Home/Office Networks ..... 26
    Solution One – Install NetBEUI Protocol ..... 26
    Solution Two – Install a Hardware Router ..... 26
    Solution Three – Build a Dual-Interface Proxy Server ..... 27
APPENDIX A: FOR MORE HELP ..... 28
  Need More advICE? ..... 28
  Product Documentation ..... 29
  Technical Support ..... 29
APPENDIX B: GLOSSARY ..... 30
INTRODUCTION
With high-speed Internet access becoming a standard feature for many home and office
computers, there is a growing need for smarter, faster computer security. Hackers are
now targeting home and small business users because these systems are rarely well
defended.
This guide is intended for BlackICE users who want to know more about computer
security and hacking in general. This guide is ideal if you are new to computers and/or
the Internet.
For more information about using BlackICE products refer to the following related
documents:
BlackICE Defender User’s Guide: describes how to use and configure BlackICE Defender.
BlackICE Advanced User’s Guide: intended for advanced users who wish to customize BlackICE.
These documents are available free of charge on the Network ICE web site at:
http://www.networkice.com/support/documentation.html.
SECTION 1 – INTRODUCTION – 1
THE HACKER THREAT
In September 2000, a large financial services company had its computer systems
hacked. Credit card numbers for over 20,000 people were stolen [1]. A similar event
happened in 1999, when hackers hijacked nearly 500,000 credit card numbers and
stored them on United States government computers [2].
In 1997 a hacker broke into the NASA network and gained access to the space shuttle
control computers. The hacker overloaded some computers, causing brief
communication outages while the shuttle Atlantis docked with the damaged Mir space
station. Fortunately, NASA was able to switch over to an alternate system and finished
the mission successfully. However, the intrusion put the space shuttle at risk and
prompted numerous changes in security protocols at NASA [3].
If hackers can get into NASA and global financial firms, what is stopping them from
getting your credit card number off your home computer?
[1] Associated Press, September 11, 2000, www.associatedpress.com.
[2] Brunker, Mike, MSNBC, March 17, 2000, www.msnbc.com.
[3] Associated Press, July 4, 2000, www.associatedpress.com.
Home Computers – The New Target for Hackers
In the past, hackers were not much of a threat to home users. Internet connections were
slow, and the information on most home computers was not worth hacking.
Today, the average home computer is a virtual gold mine of information. Everything
from passwords to financial records offer hackers all sorts of ways to cause trouble.
While encryption technologies have made most on-line transactions very safe, no
protection is 100% safe. A hacker who breaks into your computer can steal encrypted
files and run freely available cracking tools against them. Strong encryption itself
holds up, but the weak or reused password that protects the file usually does not,
and that is what the tools guess.
Some hackers enjoy using their skills as a way to extract revenge as well. The
anonymity of the Internet often makes people behave differently. An innocuous
message posted to a public forum might incite the ire of hackers who single you out as
their next victim.
INTRODUCTION TO COMPUTER NETWORKING
To truly understand how to stop hackers, it is important to know how computers
communicate with each other. Computer networking is not a new technology.
Engineers were networking computers together as early as the 1950s. However,
hacking did not become a significant problem until computers became freely accessible
over national and global networks.
This section describes how modern computer systems are networked together. This
section is ideal for readers who are new to the Internet and network security.
Computer Addresses
Once connected, a computer must have an address, so other computers can locate it on
the Internet. Just like a house or apartment has an address, computers on a network
must also identify themselves. Most computers use a combination of the following
address types:
- IP Address: An IP address is the basic “street” address for a computer. An IP
  (version 4) address is four numbers separated by dots, such as 192.168.10.15. Most
  Internet Service Providers (ISPs) assign an address to your computer when you log on
  to the Internet. Other computers locate your computer by using that address.
  Unfortunately, hackers can forge the source address of a packet (called spoofing)
  and make the hacker’s transmissions appear to originate from your computer.
- DNS Address: The Domain Name System (DNS) is an address translation system that
  forms the basis of many Internet sites. Rather than using strings of numbers, DNS
  allows computers to locate each other with familiar names. DNS addresses are in
  the familiar name.domain.com format. For example, to reach the Network ICE web
  site, you only need to remember www.networkice.com. This is the DNS name for
  the web server at Network ICE. The master DNS databases are propagated
  throughout the Internet so your local Internet Service Provider (ISP) has the
  correct IP address for the DNS name.
- NetBIOS Address: NetBIOS allows corporate networks to use single words to
  identify computers. For example, a computer on the network could be named
  MYCOMPUTER, and other users would see this name in the Network Neighborhood
  lookup. NetBIOS names themselves are not resolved across the Internet, but NetBIOS
  over TCP/IP (ports 137-139) is reachable from the Internet unless it is disabled or
  blocked, which is why NetBIOS names and shares present security vulnerabilities to
  hackers.
- MAC Address: A MAC address is assigned to each piece of network hardware and is
  intended to be unique. Network cards, modems, routers, even network printers have
  MAC addresses. MAC addresses help network administrators inventory systems, and
  they can also be useful in tracking down hackers or showing that a particular
  computer was used. Note, however, that a MAC address is only visible on the local
  network segment and can be changed in software, so on its own it is weak evidence.
Packet Switching
The basis for most network and Internet communications is packet switching. Your
computer communicates with other computers on the Internet by using a stream of
packets. All communication is broken up into digital packages that are sent out, one at
a time, through the network connection.
Each packet contains a tiny fragment of the data you are sending. The computer on the
other end puts all the fragments back together.
Figure 1 – Packets example.
For example, you send a digital photo of your new car to a friend. Before sending the
picture, your computer breaks up the image file into thousands (possibly millions) of
tiny data fragments. Those fragments are then “packaged” into packets. The packets
are transmitted to your friend’s computer, which then extracts the data fragments from
the packets and reassembles the image.
When your computer transmits packets, it sends them to a router (usually at your ISP).
Routers are the digital equivalent of postal carriers: they look at the address on each
packet and forward it toward the correct place.
Figure 2 – Routers on the Internet can direct packets to the correct computer(s).
For example, the picture of your car first went to a local router at your ISP. Then your
ISP’s router forwarded it to another router. That other router forwarded the packets to
another, and possibly another router. Sometimes a transmission can “hop” through 30
or more routers before it gets to its final destination.
Routers handle enormous quantities of packets and can sometimes get clogged up.
Therefore, if one router is too busy, it can pass off the transmissions to another router
that is available. Likewise, if one router does not know exactly where to send a packet,
it can forward it to a different router that does know. This is why transmissions “hop”
through many routers.
Since each packet is individually addressed, different routers can handle different
packets in the same transmission. This allows the routers to get your transmission to
its destination regardless of the path it has taken. Theoretically, your packets could
bounce all over the country, just to get to your friend next door.
The concept of packets and packet switching is important because hackers can capture
and manipulate packets to carry out certain kinds of attacks.
Protocols
When computers transmit information, they have to encode that information into a
“language” that other computers can understand. There are two main protocols used on
the Internet: Transmission Control Protocol (TCP) and User Datagram Protocol
(UDP).
- TCP is used for everything from accessing web sites to sending email. TCP
  establishes a connection with the remote computer and keeps track of every packet,
  so lost packets are resent and the data is delivered in order. For example, when
  you want to download your email, your computer opens a TCP connection to your
  mail server and downloads the mail.
- UDP is a simpler, connectionless protocol. It has no connection setup and none of
  TCP’s acknowledgement, retransmission, or ordering mechanisms, so a lost UDP
  packet is simply gone. That makes UDP cheaper and a little faster, which suits
  interactive, streaming, and other time-sensitive transmissions. For example, if you
  play a multi-player Internet game like Quake, your computer sends and receives UDP
  packets to coordinate your on-screen movements with those of other players on the
  Internet.
However, protocols are only half the picture. When computers send and transmit
information they also open and close special connection points, or “ports”, as described
in the next section.
Ports
When computer applications “talk” to the Internet, they open and close special
communication channels or “ports”. For example, web servers transmit all web site
information over TCP port 80. When you access a web server, your computer makes a
request to TCP port 80 on the remote web server. If the server is listening on that port,
it responds to your request and sends the proper web pages back to your computer.
Ports allow for categorization and modularization of network communications.
Applications such as web servers, chat programs, and computer games isolate their
transmissions to specific ports, ensuring their communications do not interfere
with other applications. Port numbers run from 0 to 65535 for TCP, and there is a
separate set of 0 to 65535 for UDP.
When computers communicate, they do not just pick ports at random. International
standards established over the past 30 years assign and manage which ports are used for
which programs. In general, ports are broken down into three categories: system,
application, and private.
- System ports (also called well-known ports) comprise all TCP and UDP ports from 0
  to 1023. System ports are tightly regulated and used for very specific computer
  functions. For example, port 110 is only for POP3 e-mail communication. Some of
  the most common system ports are listed on the next page.
Common System Ports

  Port      Description
  21        FTP, File Transfer Protocol
  23        Telnet
  25        SMTP, Simple Mail Transfer Protocol
  37        Time, for time servers
  53        DNS, Domain Name System
  67-68     Bootstrap (BOOTP), for booting systems over a network
  80        HTTP, World Wide Web
  82        XFER
  110       POP3, e-mail servers
  118       SQL Server
  119       NNTP, Internet news servers
  137-139   NetBIOS
  161-162   SNMP, Simple Network Management Protocol
  194       IRC, Internet Relay Chat
  389       LDAP, Lightweight Directory Access Protocol
  443       HTTPS, secure HTTP communications
- Application (registered) ports comprise all TCP and UDP ports from 1024 to 49151.
  These ports are registered with international standards committees for use with
  network applications. For example, the Yahoo messenger program uses TCP port 5050.
  Many computer applications that are not considered vital system applications use
  ports in this range.
- Private (dynamic) ports comprise all ports from 49152 to 65535. These ports are
  used for private or dynamic purposes, are unregistered, and are freely available to
  any application. Your own computer typically picks the client side of an outgoing
  connection from a range like this, which is why you will see high-numbered ports in
  your own traffic.
HACKER ATTACKS
Hackers have a wide variety of attacks they can carry out. However, these attacks are
easily categorized into seven kinds. This section summarizes the kinds of attacks
hackers most commonly attempt.
Automated Scans
Description Automatic scans search for open ports or resource shares on your
computer.
Method These scans blindly monitor large areas of a network or the Internet for
computers. When a computer is located, another automated scanner can
examine the target system for open communication ports that the hacker
can exploit.
Danger By itself, a port or resource scan is not very dangerous. Most hackers
never follow up on such scans. However, if a hacker is searching for a
vulnerable system, port and resource scans are almost always a prelude to
something more severe.
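The following is an added example and not part of the BlackICE guide: it ties the Ports section above to the automated scan just described by performing a TCP connect probe (the scanner completes a handshake; a completed handshake means a program is listening) and tagging each result with the port range it falls in. To keep it runnable offline it scans a throwaway listener that it starts itself on 127.0.0.1; the listener, the hosts and every port it touches are constructed for this illustration.

```python
# Added example, not from the BlackICE guide: a TCP "connect" port probe of the
# kind an automated scanner performs, plus the system/application/private
# classification of port numbers.  It scans a throwaway listener that it starts
# itself on 127.0.0.1 so it runs offline; every host and port here is constructed.
import socket
import threading


def classify_port(port: int) -> str:
    """Return the range a port number falls in: system, application or private."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range 0-65535")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "application"
    return "private"


def start_listener(host: str = "127.0.0.1"):
    """Start a background TCP listener on an OS-chosen port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)                # handshakes complete in the backlog even before accept()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener was closed: stop serving
                return
            conn.close()         # accept and drop; "something answered" is all we need

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """Return a port that is currently not listening (bind to 0, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Connect scan of one port: True if the TCP handshake completed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0   # 0 = connected, otherwise an errno


def scan(host: str, ports) -> dict:
    """Probe each port and tag it with its range."""
    return {p: {"open": probe(host, p), "range": classify_port(p)} for p in ports}


def demo() -> dict:
    """Scan one listening and one closed port on localhost; return both findings."""
    srv, open_p = start_listener()
    try:
        closed_p = closed_port()
        result = scan("127.0.0.1", [open_p, closed_p])
    finally:
        srv.close()
    return {"open": result[open_p], "closed": result[closed_p]}


if __name__ == "__main__":
    print(demo())
```

A real scanner does exactly this across thousands of addresses and ports; the only difference is scale. Note that the OS hands out the listener's port from its own ephemeral range, so do not expect it to land in the "private" bucket on every system.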
Trojan Horse Attacks
Description Like the fabled gift to the residents of Troy, a Trojan Horse is a computer
program or application that appears to do one thing while hiding
something much more sinister within it. Trojans are dangerous
applications planted on your computer that open up vulnerabilities on
your system.
Method A hacker plants an agent or Trojan Horse virus on your computer.
Trojans are planted on computers in a number of ways. One common
method is to send the victim an executable ( .exe) file that appears
innocuous. While the victim enjoys a movie, cartoon, or other
distraction, the program installs a Trojan on the computer.
The Trojan either opens up communication ports, or surreptitiously sends
information about your system to the hacker’s computer. The hacker then
exploits your computer using the information he acquired from the Trojan
Horse program.
The most common hacking agents are Back Orifice and SubSeven. These
agents, if properly planted, make a computer completely exposed to
hackers.
Danger Trojan Horse hacks are the most common and dangerous attacks because
they provide hackers a “back door” into your computer. There are two
ways to stop these attacks: First, block any communications between the
Trojan agent and the hacker, which BlackICE can do. Second, remove
the agent application, which most virus scanning utilities can do.
Corrupt Packet Attacks
Description A hacker sends packets to your computer that causes the system to slow
down or crash.
Method There are numerous ways hackers can forge packets with incorrect
addresses or information. Some of these methods merely slow the system
down briefly. Others can cause a system to crash or become seriously
unstable.
Danger Most new operating systems have defenses for corrupt packet attacks.
BlackICE can also stop such attacks.
Password Grinding
Description A hacker uses an automated password-guessing program to “grind”
away at a password until it is found.
Method There are numerous, freely available tools on the Internet that a hacker
can use to crack passwords. Since most operating systems lock out users
who enter the wrong password too many times, most hackers download
password files and grind them “off-line”, where no lockout applies. A
modern computer can test millions of guesses per second against a stored
password hash, so short or dictionary-based passwords fall in seconds. The
hacker is not breaking the encryption so much as guessing the password
faster than anyone could type it.
Danger Password grinding can be very dangerous. Once a hacker has your
passwords, he can literally do whatever he wants. It is a good idea to
change your passwords frequently and use secure passwords. See Harden
Passwords on page 20 for more information.
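As an added example (not from the BlackICE guide), here is what off-line grinding of a stolen password file looks like. The password file, the accounts and the word list are constructed for the illustration, and unsalted SHA-256 stands in for whatever hash the real target stores; the point is that the pet name with a digit and the capitalised car name fall within a few dozen guesses, while the random mixed-class password does not.

```python
# Added example, not from the BlackICE guide: off-line "password grinding" against
# a constructed password file.  Unsalted SHA-256 stands in for the target's real
# hash; usernames, passwords and the word list are all made up for illustration.
import hashlib


def hash_password(password: str) -> str:
    """Stored form of a password: hex SHA-256 of its UTF-8 bytes (stand-in hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed "stolen" password file: username -> stored hash.
PASSWORD_FILE = {
    "alice": hash_password("fluffy1"),        # pet name plus a digit
    "bob":   hash_password("Mustang"),        # favourite car, capitalised
    "carol": hash_password("T7#kq!m9Lz&p"),   # random mix of character classes
}

# A tiny dictionary; real crackers ship lists with millions of entries.
WORDLIST = ["password", "letmein", "fluffy", "mustang"]


def mutations(word: str):
    """Cheap rules a cracker applies to every dictionary word (8 candidates each)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2000"):
        yield word + suffix
        yield word.capitalize() + suffix


def grind(password_file: dict, wordlist):
    """Try every mutated word against every hash in the file.

    Returns (cracked {user: password}, number of candidate hashes computed).
    The file is inverted first so that one hash computation is checked against
    every account at once; that is why unsalted hashes crack so cheaply.
    """
    by_hash = {}
    for user, stored in password_file.items():
        by_hash.setdefault(stored, []).append(user)
    cracked, guesses = {}, 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            for user in by_hash.get(hash_password(candidate), []):
                cracked[user] = candidate
    return cracked, guesses


if __name__ == "__main__":
    found, tried = grind(PASSWORD_FILE, WORDLIST)
    print(f"{tried} guesses, cracked: {found}")
```

With four words and eight mutations each, 32 hash computations recover two of the three accounts; no lockout ever triggers because nothing touched the victim's machine.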
Denial of Service (DoS) Attacks
Description A hacker overloads a network connection with billions of packets.
Method DoS attacks are crude, but effective. Quite simply, a hacker with a very
fast Internet connection bombards another system with packets until the
other system collapses. DoS attacks are commonplace for large web
sites.
Danger DoS attacks are hard to stop once they get going. Fortunately, most
intrusion defense systems, like BlackICE, can stop them from
overloading an Internet connection.
Known Vulnerability Attacks
Description A hacker exploits a known weakness in an operating system or Internet
enabled application.
Method Computer operating systems are very complex. As such, there are always
some holes in the system that hackers can figure out. Once a hole is
discovered, the information spreads rapidly via hacker web sites to other
hackers.
Danger Some system vulnerabilities are very serious and can completely expose
your system to attacks. Updating the operating system with the latest
service packs and security patches stops these attacks.
Social Intrusions
Description A hacker poses as a system administrator or other authority figure and
attempts to coerce you to reveal confidential information.
Method Social intrusions are by far one of the most common ways to get into
systems. They are also the easiest to stop.
The scam is pretty simple. A hacker telephones or sends an e-mail
posing as a police officer, network administrator, or other person of
authority. Usually they say there is some problem and they need your
password to update their files. An unsuspecting user may willingly give
out the information assuming the person is trustworthy. The hacker then
uses the legitimate password to get into the system.
In a 1999 study, a security consulting firm reported that over 80% of the
computer users they contacted willingly revealed confidential
information about themselves or their computer to a person posing as a
system administrator. In many cases, the consultants merely asked for it,
without showing any credentials or explaining the situation.
Danger Social intrusions are extremely dangerous because nothing can stop a
hacker armed with legitimate information.
INTRUSION DEFENSE
The task of stopping hackers falls upon a class of computer software and hardware
products called Intrusion Detection Systems (IDS), such as BlackICE. IDS products
have three responsibilities: detection, monitoring, and protection. This section
describes how IDSs detect and stop hackers.
Detection
The most difficult aspect of stopping hackers is merely identifying that an intrusion is
actually occurring. Hackers are clever and know how to disguise their activities inside
the normal traffic of a network. What constitutes an attack versus legitimate use of the
Internet is often very hard to determine. With millions of packets racing by on the
Internet link, locating the 10 packets that are from a hacker is not easy.
Many current firewall systems use a technology called “pattern matching” to locate
intrusions. Pattern matching is similar to how virus detection software works. As
packets are received, the IDS compares information in the packets to a database of
known “signatures” or “patterns” that hackers typically use.
Many pattern-matching firewalls have trouble keeping pace with modern, high-speed
connections. Comparing a billion packets against a database of 2,500 patterns is a
huge processing task, even for modern computers, which makes many pattern-matching
systems prone to overloading and missing intrusions.
Hackers know this and use methods to purposefully evade pattern-matching firewalls.
One method is to fragment transmissions into numerous small packets. Pattern
matching systems need to examine an entire attack to determine if it is dangerous. If
the attack is fragmented into thousands of little packets, the firewall never “sees” the
complete attack and therefore cannot detect it.
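The fragmentation evasion just described, as an added example that is not part of the BlackICE guide: a naive matcher that inspects each packet on its own is compared with one that reassembles the stream first. The signature string "ATTACK-PATTERN" and the packet stream are constructed stand-ins, and fragments are represented as (offset, payload) pairs rather than real IP headers.

```python
# Added example, not from the BlackICE guide: why a per-packet pattern matcher
# misses a fragmented attack while a stream-reassembling matcher catches it.
# The signature and the stream are constructed; "ATTACK-PATTERN" stands in for
# any real signature.  A fragment is modelled as (offset, payload).
SIGNATURE = b"ATTACK-PATTERN"


def per_packet_match(packets, signature=SIGNATURE) -> bool:
    """Naive IDS: look for the whole signature inside each packet separately."""
    return any(signature in payload for _, payload in packets)


def reassemble(packets) -> bytes:
    """Rebuild the stream from (offset, payload) fragments.

    Fragments may arrive out of order or duplicated; sorting by offset handles
    both.  Holes left by missing fragments are filled with NUL bytes so a
    signature cannot accidentally match across a gap.
    """
    buf = bytearray()
    for offset, payload in sorted(packets):
        end = offset + len(payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[offset:end] = payload
    return bytes(buf)


def reassembled_match(packets, signature=SIGNATURE) -> bool:
    """Stream-aware IDS: reassemble first, then search."""
    return signature in reassemble(packets)


def fragment(data: bytes, size: int):
    """Split a payload into (offset, chunk) fragments of at most `size` bytes."""
    return [(i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed stream: benign prefix, the signature, benign suffix.
STREAM = b"GET /index.html " + SIGNATURE + b" HTTP/1.0\r\n"

if __name__ == "__main__":
    whole = fragment(STREAM, 1500)            # fits in one packet
    tiny = fragment(STREAM, 4)                # attacker splits it into 4-byte pieces
    print("whole packet  :", per_packet_match(whole), reassembled_match(whole))
    print("4-byte frags  :", per_packet_match(tiny), reassembled_match(tiny))
    print("out of order  :", reassembled_match(list(reversed(tiny))))
```

The per-packet matcher reports the attack only when the whole signature happens to sit inside one packet; once the attacker chooses a fragment size shorter than the signature, it sees nothing. The reassembling matcher pays for a buffer per connection, which is the cost the guide alludes to when it says reassembly is what separates a protocol-analysis engine from plain pattern matching.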
BlackICE is not a pattern matching firewall. BlackICE uses a patent-pending seven-
layer protocol analysis engine. This engine dynamically analyzes network
transmissions for hacking activities. The BlackICE technology is significantly faster
than pattern-matching systems and many times more reliable. Additionally, BlackICE
can handle badly fragmented attacks.
Monitoring
Once a hacker’s transmissions are identified, capturing those packets and logging all
contents is a rather easy procedure. Yet many IDS solutions fail to implement even
basic evidence file capturing or logging mechanisms.
Evidence file gathering is crucial to reconstruct what the hacker did. Such evidence
files can also be very useful to law enforcement should it become necessary to pursue a
hacker for criminal activity.
BlackICE includes a powerful network logging and capture function that can collect
information a hacker sends to your computer. This information is logged into specially
coded trace or evidence files, which can then be analyzed using a trace file-decoding
program to determine exactly what the hacker did (or tried to do).
Protection
The last aspect of an IDS is to protect the computer from the hacker. Blocking hackers
requires layers of defense systems that ensure all traffic from the hacker is rejected
before it can interact with the computer operating system.
Dynamic Address Protection
The first layer is a dynamic firewall. When an intrusion is detected, all transmissions
from the hacker’s network (IP) address are blocked. Since hackers can forge the
addresses of legitimate systems, a permanent block would punish whoever really owns
that address (and could be provoked on purpose, for instance against your own ISP’s
servers). The firewall therefore blocks the transmissions only long enough for the
hacker to give up.
Standard Packet Protection
One way hackers circumvent firewalls is to break up their transactions into many
“fragmented” packets. Most firewalls are not able to analyze all these fragmented
packets and allow the transmissions to pass right through.
The standard packet protection firewall blocks such fragmented packets as well as other
packet manipulation techniques.
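An added example, not from the BlackICE guide, of the time-limited block list that the dynamic address layer keeps. It also carries an exemption list, because the guide warns elsewhere against blocking your ISP’s scanners or your own internal network. The addresses (from documentation ranges), the block duration and the exemptions are constructed; the clock is passed in by the caller rather than read from the system so the behaviour can be checked deterministically.

```python
# Added example, not from the BlackICE guide: a time-limited block list of the
# kind a "dynamic address protection" layer maintains.  Addresses, durations and
# the exemption list are constructed; the caller supplies the clock.
import ipaddress


class DynamicBlocker:
    def __init__(self, block_seconds: float, never_block=()):
        self.block_seconds = block_seconds
        # Networks that must never be blocked: your ISP's scanners, your own LAN.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self._expires = {}   # ip -> time at which the block lapses

    def _exempt(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def report_intrusion(self, ip: str, now: float) -> bool:
        """Block the source for block_seconds.  Returns False if the address is exempt.

        A repeat intrusion extends the block from the newest event, so a hacker
        who keeps trying stays blocked; one who gives up is forgotten.
        """
        if self._exempt(ip):
            return False
        self._expires[ip] = now + self.block_seconds
        return True

    def is_blocked(self, ip: str, now: float) -> bool:
        """Should a packet from ip be dropped at time now?"""
        expiry = self._expires.get(ip)
        if expiry is None:
            return False
        if now >= expiry:          # the block has lapsed: forget the address
            del self._expires[ip]
            return False
        return True

    def active(self, now: float) -> list:
        """Addresses still blocked at time now (for display or logging)."""
        return sorted(ip for ip in list(self._expires) if self.is_blocked(ip, now))


if __name__ == "__main__":
    fw = DynamicBlocker(block_seconds=600, never_block=["10.0.0.0/8", "203.0.113.0/24"])
    fw.report_intrusion("198.51.100.7", now=0)
    print(fw.active(now=60), fw.active(now=700))   # blocked, then lapsed
```

Because the block expires, a spoofed intrusion "from" a legitimate address costs that address only a short outage instead of permanent loss of access.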
Port Blocking
The last layer of defense is to block transmissions on specific network ports. Hackers
often search for open ports to exploit.
BlackICE can be configured to block ports that hackers typically exploit such as
NetBIOS share ports.
HANDLING INTRUSIONS
Getting hacked is a pretty common problem on the Internet. When you install
BlackICE, you may be surprised at the number of attacks that are logged. Fortunately,
most attacks are pretty innocuous. However, some are not. This section describes how
to handle attacks and secure your computer from hackers.
TIP: See the BlackICE Summary Application Guide for more information about
blocking intruders and configuring BlackICE.
WARNING: Do not block systems from your Internet Service Provider (ISP) or internal
network. Most ISPs have automated scans to check the state of users’ connections.
Blocking scans from your ISP may be a violation of your usage agreement and grounds
for terminating your account. Contact your ISP for help identifying the systems it uses
to scan connections. Most ISPs reveal the DNS address of their system. This address
usually contains the domain name of the ISP (e.g. server.isp.com).
If you do not have a DNS name for the hacker, it is probably best to just block the
attacker and forget about it. Savvy hackers can hijack other people’s connections and
spoof IP addresses, which makes it very hard to report them to anybody who could stop
them.
RETALIATION HACKING
It is tempting to turn the tables on hackers and hack them back. Network ICE
strongly discourages any attempts at “retaliation hacking.” It might feel good to
attempt such revenge, but ultimately it is counterproductive and could make matters
worse.
There are four very compelling reasons not to attempt any retaliation hacking.
1. Hacking is probably a violation of your ISP’s usage policies. Hacking is one of the
quickest ways to get your Internet account cancelled. This includes corporate
Internet connections.
2. Retaliating against a hacker could merely incite the attacker to do more. Most
sophisticated hackers are diligent enough to protect their own systems. Therefore,
if you attempt to hack them back, this could encourage them. Less experienced
hackers may find your retaliation as grounds to broadcast your account to various
hacker forums. This could summon more experienced hackers to zero in on your
system.
3. Hacking is usually not a constructive activity. BlackICE Defender protects your
systems from hackers. Retaliating only wastes time and will probably not stop the
hacker. In the realm of networking countermeasures, the best offense is a solid
defense.
4. Some hacking tools are actually Trojans themselves. Devious hackers know the
best target for hacking is a person who fancies him/herself a hacker. Therefore,
they may offer you special applications that make hacking easy. In reality, these
programs can contain Trojans that open your computer to hacking from the hacker
who gave you the tool.
Be safe, block the hacker and forget them. BlackICE can take care of the hacker and
protect your computer.
GOOD SECURITY PRACTICES
Computer security is no longer something that only worries network engineers. The
hackers of today are highly skilled and ubiquitous. While you surf the Internet, a
hacker from anywhere in the world might be hacking your computer and stealing your
identity.
You have already taken the first step toward stopping hackers with BlackICE.
BlackICE can detect, monitor, and stop hackers before they get into your computer.
For most casual Internet users, BlackICE can protect your computer completely.
However, there are other things you can do to “harden” your computer from hackers.
This section describes how to further protect your computer from the prying eyes of
hackers.
COMPUTER HARDENING
Hardening refers to configuring a computer to be more resistant to attacks. Hardening
aims to make a computer virtually impenetrable to hackers.
This section describes how to harden Windows-based systems. For additional
information about hardening systems, see the Network ICE advICE web site at
www.networkice.com/advice .
Many of these instructions require some advanced understanding of Windows-based
systems. For help performing any of these tasks, refer to the on-line help included with
your copy of Windows. You may also want to refer to the Microsoft on-line
Knowledge Base at support.microsoft.com .
Options for hardening a computer depend on the operating system you are using.
Windows NT/2000 and Windows 95/98/Me are technically very different systems even
though they look alike. In this section, hardening options indicate the operating
system(s) where they are applicable.
Perhaps the simplest way to make Windows systems safe is to keep up to date on the
latest security fixes. The easiest way to get the latest patches is to use Microsoft’s
Windows Update web site at www.windowsupdate.com. This site can automatically
detect what is installed on your computer and identify which updates you need to
install. For additional information visit the Microsoft web site at www.microsoft.com.
Harden Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
It is best to use passwords that are extremely difficult to guess. The best passwords are
odd combinations of letters, numbers, and symbols, in both lower and upper case.
Names of pets, family members, and favorite cars might be easy to remember but they
are also easy to hack.
The User Manager in Windows NT/2000 can actually go a step further and require users
to create hardened passwords. It can also establish strict password policies that prevent
hackers from running cracking programs on the operating system. It is a good idea to
implement the following hardening policies on Windows NT/2000 machines.
• Enable lockout on all normal accounts. 3 to 5 attempts is a good limit.
• Force long passwords, at least 6 characters.
• Require unique passwords so that when users change a password, they cannot re-use an old one.
Figure 5 – Windows 2000 includes a Local Security Settings feature to control password
policies.
Windows NT/2000 systems can access hard drives that use the NTFS format. NTFS is
much more secure than FAT or FAT32 partitions. Use the convert.exe program
located in the directory where Windows NT/2000 is installed to convert a FAT partition
to NTFS.
Do Not Multi-Boot
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes
Use only one operating system. Do not dual boot to any other operating system.
Multiple operating systems may allow a hacker to exploit weaknesses in one operating
system while the other is running.
If you create any shared resources, particularly shared hard drives, protect those shares
with passwords. Use passwords that are not easily guessed. The most difficult
passwords to crack are those consisting of non-dictionary words, upper and lower case
letters, numbers, and symbols such as % or #.
Unless your computer requires anonymous access for a web site or database, it is a
good idea to disable all unnecessary accounts, especially the Guest account. If you are
unsure which accounts to disable, at least change the password on these accounts to
something very secure.
Windows NT/2000 allows you to explicitly select which users can access the system
over the network. It is a good idea to restrict this to only those user groups that should
be allowed to access your computer.
For most DSL and home users, you can completely disable all network access for users.
This will not interfere with local access; only remote access from other computers is
blocked.
Figure 6 – Windows NT/2000 allows you to explicitly select the user groups that can access
your computer over the network.
Disable Telnet
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No
Without a doubt Telnet is the most abused service for hackers. Unless you have a very
specific need to have telnet access to your computer, check the computer services and
specifically disable the telnet service.
Unless you are using your computer as a web server, do not install Internet Information
Server or Personal Web Services. These services open the computer up to numerous
attacks as they enable Internet services.
If you do plan to use the system as a web server, enable only those services needed.
For example, if you do not plan on offering FTP services, disable the FTP services.
You may also want to assign non-standard ports to your web services. For example,
configure FTP services to use port 21111 rather than the default 21. This might keep
inexperienced hackers from attempting to break into your FTP server.
Windows NT and 2000 support remote access to the registry using the Registry Editor
program and a special Windows interface command (Win32 API call).
The following registry key dictates which users/groups can access the registry
remotely:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
If this key does not exist, remote access is not restricted, and only the underlying
security on the individual keys controls access.
In a default Windows NT Workstation installation, this key does not exist. In a default
Windows NT Server installation, this key exists and grants administrators full control
for remote registry operations.
Another good idea is to alter the security settings on each main key in the registry to
only allow the system and administrators access to the keys. This can be done using
the regedt32.exe program in the system32 folder where Windows NT is installed.
Windows systems allow you to save passwords for numerous applications. These
passwords are saved in encrypted files or in areas of the registry that a hacker might be
able to access. Once a hacker gets a hold of these files, it is merely a matter of time
before a password grinding utility can extract your passwords from the files.
Therefore, when Windows prompts you to save a password, uncheck the option. It may
be a little inconvenient, but that is better than hackers getting access to your computer.
Internet Explorer 5.0-5.5 can cache passwords and logon information. This information
could allow a hacker to access web sites you visit, including e-mail. It is a good idea to
disable this feature so Internet Explorer does not save this information locally.
This feature is not available in Internet Explorer 3.02 – 4.0 or Netscape Navigator.
1. To disable this feature, select Internet Options from the Tools menu in Internet
Explorer.
2. Select the Security tab. Then click Custom Settings.
3. Scroll down to the Userdata persistence entry and select Disable.
4. Click OK.
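The hardening items above (account lockout and password rules, the Guest account, the Telnet service, the Winreg key, and the Internet Explorer Userdata persistence setting) can be audited in one pass. The following PowerShell script is an added example, not part of the BlackICE guide; it assumes a current Windows host with PowerShell and the `net` command (Windows NT/2000 themselves had no PowerShell), and the registry value name `1606` for Userdata persistence is an assumption from general Internet Explorer documentation, not something this guide states.

```powershell
# Added example, not from the BlackICE guide: a read-only audit of the hardening
# items described above. Run from an elevated PowerShell prompt on a current
# Windows host. It changes nothing; each item reports PASS or CHECK so you can
# correct it by hand with the tools the guide describes.

function New-Result([string]$Item, [bool]$Ok, [string]$Detail) {
    [pscustomobject]@{
        Item   = $Item
        Status = $(if ($Ok) { 'PASS' } else { 'CHECK' })
        Detail = $Detail
    }
}

# 'net accounts' prints one "Label: value" line per local account-policy setting.
$acctText = (net accounts | Out-String) -split "`r?`n"
function Get-NetAccountsValue([string]$Label) {
    $line = $acctText | Where-Object { $_ -like "$Label*" } | Select-Object -First 1
    if ($line) { ($line -split ':\s*', 2)[1].Trim() } else { $null }
}
# True when the value is a whole number within [Min, Max]; "Never"/"None" fail.
function Test-IntRange($Value, [int]$Min, [int]$Max) {
    ($Value -match '^\d+$') -and ([int]$Value -ge $Min) -and ([int]$Value -le $Max)
}

$lockout = Get-NetAccountsValue 'Lockout threshold'
$minLen  = Get-NetAccountsValue 'Minimum password length'
$history = Get-NetAccountsValue 'Length of password history maintained'

# 'net user Guest' reports "Account active    Yes|No".
$guestActive = (net user Guest | Out-String) -match 'Account active\s+Yes'

# The Windows Telnet server runs as the service named TlntSvr; absent or stopped is fine.
$telnet = Get-Service -Name TlntSvr -ErrorAction SilentlyContinue
$telnetOk = ($null -eq $telnet) -or ($telnet.Status -ne 'Running')
$telnetDetail = if ($telnet) { "TlntSvr is $($telnet.Status)" } else { 'TlntSvr not installed' }

# The Winreg key from the guide: when present, its ACL decides who may use the
# remote registry service; when missing, only per-key ACLs apply.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg'
$winregExists = Test-Path $winreg
$winregDetail = if ($winregExists) {
    $ids = (Get-Acl $winreg).Access | ForEach-Object { $_.IdentityReference.Value }
    'Remote registry access granted to: ' + (($ids | Sort-Object -Unique) -join ', ')
} else { 'Key missing: remote access limited only by per-key ACLs' }

# Internet zone (zone 3) settings live under HKCU. Value 1606 is ASSUMED to be
# "Userdata persistence", with 3 meaning Disable (not stated by this guide).
$zone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$udp = (Get-ItemProperty -Path $zone -Name '1606' -ErrorAction SilentlyContinue).'1606'

$results = @(
    New-Result 'Account lockout after 3-5 attempts' (Test-IntRange $lockout 3 5) "Lockout threshold: $lockout"
    New-Result 'Minimum password length >= 6' (Test-IntRange $minLen 6 999) "Minimum length: $minLen"
    New-Result 'Password history enforced' (Test-IntRange $history 1 999) "History: $history"
    New-Result 'Guest account disabled' (-not $guestActive) "Guest active: $guestActive"
    New-Result 'Telnet service not running' $telnetOk $telnetDetail
    New-Result 'Winreg key present (remote registry restricted)' $winregExists $winregDetail
    New-Result 'IE Userdata persistence disabled' ($udp -eq 3) "Zone 3 value 1606: $udp"
)
$results | Format-Table -AutoSize
```

A CHECK line points at the setting to revisit with User Manager, Local Security Settings, the Services list, regedt32.exe or Internet Options as described above; the script itself never modifies anything.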
Figure 10 – One way to isolate an internal network is to use a dual-interface proxy server
with the WINS/TCP/IP client disabled on the external interface.
Such an arrangement requires some advanced experience with computer networking. It
also requires proxy server software. This solution is ideal for larger networks that
cannot use NetBEUI and need the services of a proxy server.
This arrangement requires two network interface cards in the proxy server computer.
Building a dual-interface proxy server will stop attacks directed at the proxy server
system, but will not protect computers on the internal network. Therefore, make sure to
purchase copies of BlackICE for your internal computers.
NEED MORE ADVICE?
For more help with computer security, visit the Network ICE advICE web site at
http://advice.networkice.com/Advice/default.htm. This site provides in-depth articles
and instructions on securing computers and stopping hackers.
Accessing advICE from BlackICE
The BlackICE Summary Application includes a direct link to the advICE web site. Just
click the advICE button located on the Attacks tab.
TECHNICAL SUPPORT
Web: www.networkice.com/support/online_resources.html
E-mail: support-l1@networkice.com
For updates and upgrade information, please visit the Network ICE web site at
www.networkice.com. For information on how to download the latest update of
BlackICE Defender please see the BlackICE Summary Application Guide.
APPENDIX B • GLOSSARY • 30
Cracker Tools: Programs used to break into computers. Cracker tools are widely
distributed on the Internet. They include password crackers, Trojans, viruses, war-
dialers, and worms.
Cracking: The act of breaking into computers or cracking encryptions.
Cryptanalysis: The act of analyzing secure documents or systems that are protected
with encryption for the purpose of breaking into the systems or exposing weaknesses.
Decryption: The act of restoring an encrypted file to its original, plain text state.
Denial of Service (DoS): Act of preventing customers, users, clients, or other
machines from accessing data on a computer. Denials of service attacks are usually
accomplished by interrupting or overwhelming the computer with bad or excessive
information requests.
Digital Signature: Digital code that authenticates whoever signed the document or
software. E-mail, software, messages, and other electronic documents can be signed
electronically so that they cannot be altered by anyone else. If someone alters a signed
document, the signature is no longer valid. Digital signatures are created when
someone generates a hash from a message, then encrypts and sends both the hash and
the message to the intended recipient. The recipient decrypts the hash and original
message, makes a new hash on the message itself, and compares the new hash with the
old one. If the hashes are the same, the recipient knows that the message has not been
changed. Also see Public-key encryption.
DNS: Domain Name System. A database of domain names and their IP addresses.
DNS is the primary naming system for many distributed networks, including the
Internet.
Encryption: The act of substituting numbers and characters in a file so that the file is
unreadable until it is decrypted. Encryption is usually done using a mathematical
formula that determines how the file is decrypted.
Event: BlackICE can detect numerous network activities. Some activities are direct
attacks on your system, while others might be attacks depending on the circumstances.
Therefore, any activity, regardless of severity is called an event. An event may or may
not be a direct attack on your system. BlackICE categorizes all events into four
severity levels:
Firewall: A hardware or software barrier that restricts access in and out of a network.
Firewalls are most often used to separate an internal LAN or WAN from the Internet.
See Gateway.
FTP: File Transfer Protocol. A common protocol used for exchanging files between
two sites across a network. FTP is popular on the Internet because it allows for speedy
transfer of large files between two systems. Like all networking protocols, it too has
some significant vulnerabilities.
Gateway: A gateway is a system that provides access between two or more networks.
Gateways are typically used to connect unalike networks together. A gateway can also
serve as a firewall between two or more networks.
Grinding: See password grinding.
Hacker: Generally, a hacker is anyone who enjoys experimenting with technology,
including computers and networks. Not all hackers are criminals breaking into
systems. Many are legitimate users and hobbyists. Nevertheless, some are dedicated
criminals or vandals. See Cracker.
HTTP: Hyper Text Transfer Protocol. The most common protocol used on the
Internet. HTTP is the primary protocol used for web sites and web browsers. It is also
prone to certain kinds of attacks.
ICMP: Internet Control Message Protocol. ICMP, an extension to the Internet
Protocol (IP), supports packets containing error, control, and informational messages.
The PING command, for example, uses ICMP to test an Internet connection.
IDS: Intrusion Defense System (or Software). A class of networking products devoted
to detecting, monitoring, and blocking attacks from hackers. This often is comprised of
a number of related components such as a firewall and protocol analyzer working
together to stop hackers. BlackICE is an IDS.
Integrity: Proof that the data is the same as originally intended. Unauthorized
software or people have not altered the original information.
Internet Worm: See Worm.
Intruder: Person or software interested in breaking computer security to access,
modify, or damage data. Also see Cracker.
IP: Internet Protocol. Specifies the format of packets, also called datagrams, and the
addressing scheme. Most networks combine IP with a higher-level protocol called
Transmission Control Protocol (TCP), which establishes a virtual connection between a
destination and a source. IP by itself is something like the postal system. It allows you
to address a package and drop it in the system, but there's no direct link between you
and the recipient. TCP/IP, on the other hand, establishes a connection between two
hosts so that they can send messages back and forth for a period of time. Current IP
standards use 4 numbers between 0 and 255 separated by periods to create the 32-bit
numeric IP address. For example, an IP address could be: 38.158.99.13.
IRC: Internet Relay Chat. IRC was developed in the late 1980s as a way for multiple
users on a system to “chat” over the network. Today IRC is a very popular way to
“talk” in real time with other people on the Internet. However, IRC is also one avenue
hackers use to get information from you about your system and your company.
Moreover, IRC sessions are prone to numerous attacks that, while not dangerous, can
cause your system to crash.
LAN: Local-Area Network. A LAN is a computer network that spans a relatively small
area. A LAN connected via telephone lines or radio waves to other LANs over any
distance creates a WAN (a Wide-Area Network).
Linux: A version of the UNIX operating system.
Logic Bomb: A virus that only activates itself when certain conditions are met. Logic
bombs usually damage files or cause other serious problems when they are activated.
MAC Address: Media Access Control Address. A unique identification code used in
all networked devices. The MAC address defines a specific network node at the
hardware level and cannot be altered by any software.
Name Resolution: The allocation of an IP address to a host name. See DNS.
NetBIOS: Network Basic Input / Output System. NetBIOS is an extension of the DOS
BIOS that enables a PC to connect to and communicate with a LAN (Local Area
Network).
NetBEUI: NetBIOS Extended User Interface. A non-routable networking protocol
developed in the 1980s by IBM. NetBEUI is ideal for smaller, non-subnetted networks
for internal communications. Because NetBEUI is not routable, network transmissions
sent via NetBEUI cannot be transmitted over the Internet.
NAT: Network Address Translation. An Internet standard that enables LAN, WAN
(Wide Area Network), and MAN networks to use extended IP addresses for internal use
by adding an extra number to the IP address. This standard translates internal IP
addresses into external IP addresses and vice versa. In doing so, it generates a type of
firewall by hiding internal IP addresses.
Packet Filter: A filter used in firewalls that scans packets and decides whether to let
them through.
Password Cracker: A program that uses a dictionary of words, phrases, names, etc. to
guess a password.
Password Caching: The storage of a user's username and password in a network
administrator database or encrypted file on a computer. Also called password
shadowing.
Password encryption: A system of encrypting electronic files using a single key or
password. Anyone who knows the password can decrypt the file.
Password Grinding: The process of systematically testing all character combinations
on a password until the correct character string is identified. Password grinding is a
very slow, but effective way to crack password files. There are numerous, freely
available computer programs that can grind password files.
Penetration: Gaining access to computers or networks by bypassing security programs
and passwords.
Phreaking: Breaking into phone or other communication systems. Phreaking sites on
the Internet are popular among crackers and other criminals.
Ping: Packet Internet Groper. PING is a utility to determine whether a specific IP
address is accessible. It works by sending a packet to the specified address and waiting
for a reply. PING is used primarily to troubleshoot Internet connections.
Ping Attack: An attack that slows down the network until it is unusable. The attacker
sends a "ping" command to the network repeatedly to slow it down. See also Denial of
Service.
Pirate: Someone who steals or distributes software without paying the legitimate
owner for it. This category of computer criminal includes several different types of
illegal activities:
• Making copies of software for others to use.
• Distributing pirated software over the Internet or a Bulletin Board System.
• Receiving or downloading illegal copies of software in any form.
Pirated Software: Software that has been illegally copied, or that is being used in
violation of the software's licensing agreement. Pirated software is often distributed
through pirate bulletin boards or on the Internet. In the Internet underground it is
known as Warez.
Plain Text: The opposite of Cipher Text, Plain Text is unencrypted text readable to
any system that intercepts network communications.
POP: Post Office Protocol. This is a common protocol used for retrieving mail
messages.
Port: A connection point where a computer communicates with other devices.
Computers have hardware ports such as parallel ports for printers or USB ports for
digital cameras. Networks use virtual ports for assigning a communications channel
that the computer can control. For example, when browsing the web, most HTTP based
communications take place using the TCP port 80. When a computer needs to access a
web site, it opens a channel on TCP port 80, sends the packets through that port and
then receives them back. There are two types of ports, TCP and UDP. UDP is the
same as a TCP port except it lacks the error checking mechanism that TCP uses. There
are over 131,000 ports available for use in a TCP/IP environment (64K TCP, 64K
UDP). Most of these ports are unused, unassigned, or restricted. Some are very
common ports, such as port 80. Others are used exclusively for a brand of software.
For example, Quake games use TCP port 26000 (and others) for network games.
When hackers break into a system they typically exploit ports that are either
accidentally or purposefully opened. For example, one of the easiest ways to see if the
Trojan application Back Orifice is installed on a computer is to scan for activity on
TCP port 54320. This is the TCP port Back Orifice uses when communicating with
other systems.
Promiscuous Packet Capture: Actively capturing packet information from a network.
Most computers only collect packets specifically addressed to them. Promiscuous
packet capture acquires all network traffic it can regardless of where the packets are
addressed.
Protocol: A “language” for communicating on a network. Protocols are sets of
standards or rules used to define, format, and transmit data across a network. There are
many different protocols used on networks. For example, most web pages are
transmitted using the HTTP protocol.
Proxy Server: A server that performs network operations in lieu of other systems on
the network. Proxy Servers are most often used as parts of a firewall to mask the
identity of users inside a corporate network yet still provide access to the Internet.
When a user connects to a proxy server, via a web browser or other networked
application, he submits commands to the proxy server. The server then submits those
same commands to the Internet, yet without revealing any information about the system
that originally requested the information. Proxy servers are an ideal way to also have
all users on a corporate network channel through one point for all external
communications. Proxy servers can be configured to block certain kinds of connections
and stop some hacks.
Public Key Encryption: System of encrypting electronic files using a key pair. The
key pair contains a public key used during encryption, and a corresponding private key
used during decryption.
Reconnaissance: The finding and observation of potential targets for a cracker to
attack.
Router: A device that connects two networks together. Routers monitor, direct, and
filter information that passes between these networks. Because of their location,
routers are a good place to install traffic or mail filters. Routers are also prone to
attacks because they contain a great deal of information about a network.
SATAN: A UNIX program that gathers information on networks and stores it in
databases. It is helpful in finding security flaws such as incorrect settings, software
bugs and poor policy decisions. It shows network services that are running, the
different types of hardware and software on the network, and other information. It was
written to help users find security flaws in their network systems.
Severity Levels: See Event.
Shoulder Surfing: Looking over someone's shoulder to see the numbers they dial on a
phone, or the information they enter into a computer.
SMB: Server Message Block. SMB is a message format used by DOS and Windows to
share files, directories and devices. NetBIOS is based on the SMB format, and many
network products use SMB. These SMB-based networks include LAN Manager,
Windows for Workgroups, Windows NT, and LAN Server. There are also a number of
products that use SMB to enable file sharing among different operating system
platforms. A product called Samba, for example, enables UNIX and Windows
machines to share directories and files.
SMTP: Simple Mail Transfer Protocol. SMTP is a protocol for sending e-mail
messages between servers. Most e-mail systems that send mail over the Internet use
SMTP to send messages from one server to another; the messages can then be retrieved
with an e-mail client. In addition, SMTP is generally used to send messages from a
mail client to a mail server.
SNMP: Simple Network Management Protocol. SNMP is a set of protocols for
managing complex networks. The first versions of SNMP were developed in the early
80s. SNMP works by sending messages, called protocol data units (PDUs), to different
parts of a network. SNMP-compliant devices, called agents, store data about
themselves in Management Information Bases (MIBs) and return this data to the SNMP
requesters.
Sniffer: Sniffer is a registered trademark of Network Associates, Inc., although it has
come to identify a whole class of products that can capture network transmissions and
encode the information in those packets into evidence files. BlackICE uses Sniffer-
style files for evidence capture.
Snooping: Passively watching a network for information that could be used to a
hacker's advantage, such as passwords. Usually done while Camping Out.
SOCKS: A protocol that handles TCP traffic through proxy servers. SOCKS acts like
a simple firewall because it checks incoming and outgoing packets and hides the IP
addresses of client applications.
SPAM: Unwanted e-mail, usually in the form of advertisements or “get rich quick”
schemes.
Spoof: To forge something, such as an IP address. IP Spoofing is a common way for
hackers to hide their location and identity.
SSL (Secure Sockets Layer): Technology that allows you to send information that
only the server can read. SSL allows servers and browsers to encrypt data as they
communicate with each other. This makes it very difficult for third parties to
understand the communications.
TCP: Transmission Control Protocol. TCP is one of the main protocols in TCP/IP
networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to
establish a connection and exchange streams of data. TCP guarantees delivery of data
and also guarantees that packets will be delivered in the same order in which they were
sent.
Telnet: A program that connects a computer to a server on a network. It allows a user
to control some server functions and to communicate with other servers on the network.
Telnet sessions generally require a valid username and password. Hackers commonly
use Telnet to hack into corporate network systems.
Tempest: Illegal interception of data from computers and video signals.
Trojan or Trojan Horse: Like the fabled gift to the residents of Troy, a Trojan Horse
is an application designed to look innocuous. Yet, when you run the program it installs
a virus or memory resident application that can steal passwords, corrupt data, or
provide hackers a back door into your computer. Trojan applications are particularly
dangerous since they can often run exactly as expected without showing any visible
signs of intrusion.
UDP: User Datagram Protocol. UDP is a connectionless protocol that, like TCP, runs
on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery
services, offering instead a direct way to send and receive datagrams (packets) over an
IP network. UDP is used primarily for transmitting time-sensitive information over a
network such as streaming media or interactive games.
UNIX: A widely used operating system in large networks.
VPN: Virtual Private Network. These networks use public connections (such as the
Internet) to transfer information. That information is usually encrypted for security
purposes.
Vulnerability: Point where a system can be attacked.
War Dialer: A program that automatically dials phone numbers looking for computers
on the other end. They catalog numbers so that hackers can call back and try to break
in.
Warez: A term that describes Pirated Software on the Internet. Warez include cracked
games or other programs that software pirates distribute on the Internet.
Wire Tapping: Connecting to a network and monitoring all traffic. Most wire tapping
features can only monitor the traffic on their subnet.
Worm: A program that seeks access into other computers. Once a worm penetrates
another computer it continues seeking access to other areas. Worms are often equipped
with dictionary-based password crackers and other cracker tools that enable them to
penetrate more systems. Worms often steal or vandalize computer data. Many viruses
are actually worms that use e-mail or database systems to propagate themselves to other
victims.