Your PC Under Attack

Make Your System Less Of A Target

First Published: Computer Power User
Date Published: March 2004
By Kevin Savetz

From the moment your PC boots up to the moment you shut it down, it's a target. Viruses, keystroke loggers, spyware, crackers, and script kiddies are all out in the wild just waiting to attack your PC. If any one of these weasels its way in, it can mean a world of trouble. Your files may end up destroyed or shared with strangers, or your PC could be used as a spam relay or to distribute someone else's illicit files.

It's up to you to keep your PC out of attackers' crosshairs. If you're anything less than vigilant, chances are sooner or later someone will take control of your PC. The thing is, there's no one surefire signal that your system has been compromised. Windows moving around on their own or the CD-ROM tray opening and closing unbidden are both strong indicators, but the signs will likely be subtler. System slowdowns, an inexplicably full hard drive, and mysterious network activity are the symptoms most users see, if they notice anything at all.

Some invaders "are really stealthy, and you can go for years without ever finding out you are compromised," says Johannes Ullrich, CTO of the SANS Internet Storm Center.

If you do notice a problem, such as system slowdown, this is the time to take a closer look. Don't just treat the symptom; find the cause. If your hard drive is filling up, says Ullrich, "Don't just buy another disk; see why it's full."

After all, your PC could be the Internet's latest warez server.

Preventative Medicine

If your PC hasn't been compromised, you want to keep it that way. Keeping the bad guys out and your data where it belongs requires a dose of preventative medicine. Start by making sure your operating system and major applications have the latest patches installed and keep up-to-date as new patches are released. Staying on top of the latest security advisories for your OS is the best way to keep informed about new vulnerabilities and fixes.

A firewall is essential for keeping crackers, port scanners, and other unwanted visitors away. If you have a cable modem, DSL, or other always-on Internet connection, a hardware firewall-router is the best bet. You aren't excused if you connect to the Internet via a modem; get a software firewall to protect your PC. Also back up your hard drives frequently and test those backups periodically to make sure they work. In addition, close any ports and network services you don't need.

"Firewalls are important, but most importantly, users should know what is running on their systems and disable what isn't needed, including network interfaces that aren't being used," says John Ray, author of "Mac OS X Maximum Security." "If you don't use FTP and Postfix, for example, you should disable those services. If your firewall rules are incomplete or inaccurate, system invaders will have fewer ports to exploit."

Despite your best efforts, a Trojan horse, software bug, or other exploit can compromise your system. This is why it's smart to make periodic system checks to find what's happening behind the scenes. "Develop a baseline that you can use for comparisons for your machine," says Ray. "Is your processor activity unusually high? Are your drives running when they shouldn't be? If you understand what 'normal' is for your machine, you can quickly detect 'abnormal' activity."

Watch Internet Connections

Spyware, viruses, backdoors, and other general system badness will usually utilize your Internet connection to report back to its home base or send its payload elsewhere. Looking for unusual activity on your network connection can be as simple as watching the LEDs blink on the modem or router. If there is activity that you can't explain, you may have a problem.

The netstat command, available in Windows, Linux, and Mac OS X, will show all the open ports on your system that are connected and that are listening for connections. On a Linux system running as root, type netstat -p. From the Windows XP or Mac OS command line, type netstat -an.

When you examine the program's output, "Everything that's listening on the localhost, 127.0.0.1, is usually harmless, just processes on your PC talking to each other," says Ullrich. Pay attention to anything labeled 0.0.0.0. Those processes are waiting for connections from the outside world. "If there is something listening that you are not aware of, it's a good sign that your system is compromised," says Ullrich.

Read the netstat main page to get the full skinny on its output. Tcpdump (www.tcpdump.org) and Snort (www.snort.org) are other useful tools for monitoring your Internet connection. If you don't use your PC as an Internet server, you may want to simply disconnect your cable or DSL modem when you're not online.

Scrutinize System Processes

In addition to shoring up your Internet connection, monitor the processes running on your PC to make sure nothing untoward is happening behind your back. A process list will show every application and daemon that's currently running.

In Linux, type ps -ef at the command line. In Mac OS X, type ps -aux. To see the process list in WinXP, press CTRL-ALT-DELETE, click the Processes tab, and select Show Processes From All Users. Ullrich recommends becoming familiar with the output from these commands before you suspect there's a problem. "The output is quite cryptic, and you have to know what to expect," he says.

A favorite trick of crackers, Trojans, and worms is to hide payload amongst your legitimate software. On Red Hat Linux or any other Linux distro with RPMs, you can validate the software on your machine against the RPM package manager database. The rpm -qv option will check your installed binaries against the official versions. "The first time you run it, you'll get a lot of results, configuration files and such, so it's something you should run before you get infected so you are familiar with the output," says Ullrich.

Tripwire (www.tripwire.org) is a nicer version of rpm -qv; it monitors key attributes of files that shouldn't change, including binary signature and size. "It is very nicely configurable but a little bit complex. You can have it run once a day to tell what files have changed on your system or if new devices have been added to the /dev directory," says Ullrich. Tripwire is preinstalled on Red Hat Linux but is available for all Linux versions. A Mac OS X version is available at www.macguru.net/~frodo/Tripwire-osx.html.

Antivirus Software

If you run Windows, you absolutely need an antivirus utility. Even if you are smart and systematic about not opening attachments and use other usual safeguards, viruses can sneak in. (See our antivirus roundup on page 62.) Viruses do exist on Linux and Mac OS platforms but are less of a problem. For those systems, antivirus software isn't a definite necessity but is still a good idea.

"Other operating systems don't need it that much. OS X and Linux users are better off with a tool like Tripwire. It's more comprehensive than a virus checker," says Ullrich. However, free virus checkers are available for Linux, "so you may as well install one." Antivirus apps can also help in a multi-OS environment or if you have a Samba shared drive.

Ray adds that a virus checker "is good to have around, if for no other reason than most of us do interact with Windows users. They don't need any additional help propagating viruses."

If You're Attacked

What if you discover your system has been compromised? First, unplug the affected PC's Internet connection. Then back up your data (if it isn't backed up already), investigate the problem, and remove it if you can.

"Transfer the hard drive image to another machine over the network, then rebuild that box," says Ullrich. "If you are compromised, I would not necessarily trust virus removal tools. A system that's compromised means something was fundamentally vulnerable. You don't know what else might have been taken advantage of."

Booting to a CD-ROM-based operating system will allow you to use trusted applications to investigate and hopefully resolve the problem. To help, consider using FIRE (fire.dmzs.com; Forensic and Incident Response Environment), which is a bootable Linux CD distribution that can help you investigate and repair Windows and Linux systems. The distribution includes a virus scanner, tools for searching for deleted files and recovering data from lost partitions, and other utilities.

Although it will hurt, the best medicine is often to wipe your hard drive and start from scratch. "If you've been subject to a root exploit, you simply can't assume that the attacker has not embedded malicious code throughout your system," Ray says. "All too often I see administrators attempt to resurrect computers after a break-in by deleting the obvious files that don't belong. The result is a machine that is generally unstable and usually hacked again within days."

Firewalls, system monitoring, and virus checking may seem like a lot of overhead for simply using a computer. Although these precautions take time to implement and use, consider it a drop in the bucket compared to the excruciating problems a vulnerable system can bring.

Security Off The Desktop

If you think keeping your PC secure is a full-time job, get ready for some moonlighting work, too. Your other gizmos, including your cell phone and PDA, are also vulnerable to security breaches.

Take, for example, bluejacking, which is the use of Bluetooth to surreptitiously make messages appear on strangers' cell phones and PDAs. It can be used as a harmless prank to confuse the recipient and also to send spam to nearby victims. The fix is to raise the security settings for Bluetooth on your device or disable them altogether. More information is available at bluejackQ.com.

PDA viruses, while not as prolific as PC viruses, do exist. And with the increased reliance on wireless Internet connectivity, anyone nearby can sniff out your email password and the contents of the email you send and receive from your PDA. The biggest threat to a PDA user is losing the unit itself. After all, a PDA is a whole lot easier to steal than a desktop PC. Consider using encryption software such as F-Secure FileCrypto ($65; www.f-secure.com/products/filecrypto) so a thief can't get your data if he gets the hardware.

What about your video game console? Out of the box, your Xbox and PlayStation are secure. You're safe even when you connect to online games. But if you've hacked your Xbox to run Linux, you've opened the doors to crackers, Trojan horses, and every other exploit a full-featured operating system is subject to.

Horror Stories

While researching this article, we ran across numerous articles and heard several horror stories from security experts on computer security. For example, we heard about a tax office full of PCs becoming infected with a nasty virus on April 15. We also heard about how the Klez virus emailed a client's personal finances spreadsheet to everyone in his address book.

Countless users with broadband Internet connections have discovered their PCs have become FTP sites for porn and pirated software. Often they find this out only after their Internet providers disabled their accounts. Other users have found out too late that their computers have been turned into email relays, spewing out spam.

We also were told of the effects of "botnets," in which thousands of compromised PCs listen on an IRC channel for instructions. With one command a cracker can make all of those PCs do his bidding, such as launching a distributed DoS attack. Is this rare? "No, we hear about this a couple of times a week," says Johannes Ullrich, CTO of the SANS Internet Storm Center.

The Top 5 Security Holes To Plug

Each year, the SANS Institute and FBI release lists of the most commonly exploited vulnerabilities in Windows and Linux/Unix systems. The full lists, plus information about how to protect against the vulnerabilities, are at www.sans.org/top20. The following are the top five vulnerabilities from the Windows and Linux lists.

Windows

Internet Information Services. Default, unpatched IIS installations on Windows XP Pro, 2000 Server, and NT4 can expose private data to the outside world and allow crackers to take control of the server. Apply new patches as they're released and use the IIS Lockdown Tool (www.microsoft.com/technet/security/tools/locktool.asp).

Microsoft SQL Server. SQL Server may allow attackers (and worms) to alter database content, download private information, or take control of the server altogether. Disable the SQL/MSDE Monitor Service on UDP port 1434 and apply the latest patches.

Windows authentication. This vulnerability isn't entirely a problem with Windows; it's a problem with users, too. Vulnerable passwords (those that are easily guessed or derived with brute-force cracking software) are partly to blame. SANS recommends disabling the insecure Windows For LAN Manager authentication system and preventing password hashes from being stored or copied.

Internet Explorer. Being the most popular Web browser can also mean a world of security woes. ActiveX vulnerabilities, Web page spoofing, and buffer overflows are among the myriad chinks in IE's armor. If you use IE 5.5 or earlier, then download version 6. Install the latest patches and keep them updated. Use IE's security options to tighten ActiveX security.

Windows Remote Access Services. A horde of Windows services--NetBIOS, anonymous login, remote Registry access, and remote procedure calls--can allow others to view your data, control your PC, or use your PC as part of a DoS attack. Disabling network shares and anonymous logins and blocking affected ports can mitigate these problems.

Linux/Unix

According to the SANS Institute, the following are the top five vulnerabilities on Linux/Unix systems.

BIND Domain Name System. This widely used implementation of DNS is often used in DoS attacks. If your system doesn't need to be a DNS server, disable BIND. Otherwise, patch to the latest version.

Remote procedure calls. RPCs let one computer execute programs on another and are, therefore, ripe for abuse, especially in DoS attacks. Turn off any RPC services you don't need and install the latest patches.

Apache Web Server. Apache is the most popular Web server, thus making it a popular target for crackers who can use it to deface your Web site, launch a DoS attack, or root your server. Install the latest patches and disable scripting languages you don't need.

General Unix authentication accounts with no passwords or weak passwords. Poor passwords are an opening in security on every OS. The best approach is to replace weak passwords with uncrackable ones.

Clear Text services. FTP, telnet, POP, and other network services that transmit unencrypted data are an easy target for packet sniffers. Disable those services and use secure replacements, such as SFTP, SSH, and secure email tunneling to keep private data private.

Mac OS X

Mac OS X has its share of vulnerabilities, some stemming from its Unix roots. Here are the five specific vulnerabilities of Mac OS X, according to John Ray, author of "Mac OS X Maximum Security."

Trusted directory authentication. By default, Mac OS 10.3 trusts LDAP directory information discovered during DHCP. "If Mac OS X binds to a directory server for authentication information, the server can provide administrative account access to the Panther client without needing to 'crack' or add any user accounts," says Ray. A fix is listed at docs.info.apple.com/article.html?artnum=32478.

FileVault's insecure file deletion. When you enable FileVault to encrypt the contents of your home directory, the original files are deleted insecurely and can be recovered with standard disk recovery tools.

Trivial password reset. Anyone with a Mac OS X installation CD can reset the administrative password by booting from the CD and using the Password Reset Utility. "While this isn't a hole, per se, users need to understand that unless there is physical security of their machine, anyone can potentially access their system," Ray says. You can use Apple's firmware security tools to disable booting from CD.

Loose restrictions on sudo. Mac OS' reliance on sudo as a means of performing command-line administrative tasks brings inherent insecurities. Users who become complacent in system administration may open the door to malicious scripts.

Personal file sharing guest access. By default, personal file sharing allows remote users to store data into a user's Drop Box without his knowledge. This could be used to exceed a user's storage quota or fill the Mac's hard drive.

Apply A Coat Of Protection

The threats to your system do exist, but there are some measures you can put in place to at least lessen the risk of being attacked. For example, antivirus software is important for all platforms, but it's an absolute must for Windows users. (Read our roundup of antivirus applications on page 62.)

In addition, if you don't have a hardware firewall, download ZoneAlarm, a software-based firewall. The free version (www.zonelabs.com) works over a modem or broadband connection. The $49.95 Pro version adds email-attachment scanning, ad blocking, and file security functions.

Also consider installing Norton Internet Security 2004 ($69.95; www.symantec.com); it includes a firewall, antivirus utility, spam filter, and privacy guard. Essentially, it' is a one-stop shop for protecting your Windows PC from major security threats.

In Mac OS X, BrickHouse ($25 shareware; www.securemac.com/brickhouse.php)is a front-end to the ipfw (Internet Protocol Firewall) firewall that's built into Mac OS X. BrickHouse provides more features than the basic ipfw interface in System Preferences and includes ready-made filter sets for dial-up users, users running a LAN, and other common configurations. If you'd rather not use ipfw, turn to Firewalk X 2 ($34.99 shareware; www.pliris-soft.com), a full-featured firewall that doesn't rely on ipfw. It offers real-time alerts, can restrict network access to specific apps, and detects port scanners.

IPNetSentryX ($40; www.sustworks.com/site/prod_sentryx_overview.html) takes an unusual approach to keeping bad guys away from your Mac by quietly watching for suspicious behavior. Once it's triggered, it puts up the firewall, keeping the intruder at bay. You don't have to worry about working around a firewall because it isn't there until it's needed. If you want the safety net of a virus checker, try McAfee Virex ($35; www.nai.com), which catches Windows and Mac viruses. The program is also included with a .Mac account (www.mac.com.)

For Linux systems, netfilter and iptables make up the framework that provides packet filtering and NAT, two vital tools for keeping the outside world out of your machine. You can use them to build a firewall and share a single IP address for your LAN. The good thing about netfilter and iptables is that they're already part of the Linux 2.4 (and later) kernel. The bad thing is they're not so easy to set up. Start with the tutorials and HOWTO articles at www.netfilter.org/documentation.

Firewall Builder (www.fwbuilder.org), a graphical front-end to iptables, is a firewall-configuration-management tool. With it you can create a set of objects describing your firewall, servers, and subnets of your network and then drag those objects into policy rules to implement your firewall. It's much easier than editing configuration files by hand, and it's open source.

If you need a secure and portable Linux installation, try Tinfoil Hat Linux (tinfoilhat.shmoo.com). This fits-on-a-floppy Linux distro is perfect for defeating keyboard loggers and other system snoops and for keeping your PGP keys safe and portable. Because it doesn't support networking at all, you can be sure it will keep Internet crackers at bay. If your security fetish turns to paranoia, it will even blink encrypted messages in Morse code on the keyboard LEDs.

Finally, F-Prot (www.f-prot.com/products) is an antivirus utility that can find more than 102,000 strains. It's free for personal use.

Reprinted with permission from Computer Power User magazine.


Articles by Kevin Savetz