=============================================================================
Network and Computer Security
Michael Crowley, Kevin Slate, Fred Kass
5Dec02
=============================================================================

What are hackers doing these days? What is the threat?

Hackers are currently using software which scans the Internet looking for
vulnerable computers to break into. Recently, a large amount of this activity
has involved Windows computers, especially Windows 2000 and Windows XP.
However, users of UNIX or UNIX-like systems such as Linux and Macintosh OS X
are far from immune from attack.

How are you vulnerable?

* No administrator password, no passwords on other accounts, or weak
  passwords. Hackers look for computers with weak or no passwords on both
  user accounts and network shares.
* Known security holes that could be patched by keeping up with updates.
* Getting you to run a Trojan horse program (similar to a virus, but one
  which provides others with more control over your computer) that may
  come via
  - attachments,
  - web pages viewed with insecure versions of Internet Explorer,
  - Instant Messenger,
  - peer-to-peer file sharing programs, etc.

If someone can get you to run a program that they provide, you are at risk
of letting a hacker into your machine. If a hacker gains control of your
system, software is installed on the computer which allows the hacker, and
often others, to remotely control the computer via the Internet.

If your computer does get hacked, usually without your knowledge, your
computer is used for such things as:

* Illegal distribution of copyrighted material such as music, movies, and
  software. These tend to be very large files, the distribution of which has
  a significant impact on the college network and interferes with everyone's
  use of the network.
* Hacking other computers in general, both on and off campus.
* Hacking other computers on campus in ways that would be impossible from
  outside our network:
  - Keystroke logging -- recording anything you type.
  - Scanning as much of our local network as they can, sometimes being able
    to view network traffic of other machines, thus capturing usernames and
    passwords.
* Launching attacks on other networks (Denial of Service attacks). This can
  disrupt the operation of entire networks and/or servers on those networks.
  There are serious monetary implications of such Denial of Service attacks.

In other words, a hacked machine allows unknown persons outside the college
to attack systems from the local college network. This is a serious threat
to the integrity of the college network and the various computer systems on
the network. A hacked machine is a threat to personal computers and to host
computers that are essential for the operation of the college. If a computer
is hacked, or if it shows signs indicating it is likely to have been hacked,
its network access must be curtailed.

-----------------------------------------------------------------------------

How can someone tell if a system is hacked?

Some signs that a computer is hacked may be blatant:

* Flooding the network with traffic in a Denial of Service attack.
* Receiving complaints from copyright holders or their agents who monitor
  the Internet for the illegal distribution of copyrighted materials. Of
  course, such a warning does not mean a computer is hacked -- it may be
  running common peer-to-peer file sharing software such as KaZaA.

A hacked computer often exhibits various signs that can be discovered by
appropriate network monitoring tools and Intrusion Detection Systems. These
include:

* High output traffic.
* Programs listening on various TCP/IP ports on the computer, which allow
  outsiders to connect to and control your computer. These are especially:
  - IRC ports
  - FTP ports
* Patterns of IRC traffic.
* Scanning the network for other vulnerable machines.

(There are other signs that can be detected if you are on the particular
machine.)
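To show how the signs listed above can be checked against network records, here is an added example in Python (not part of this LITS document): it reads constructed flow records in an assumed "src,dst,dport,bytes" format and flags campus hosts for high output, outsiders connecting to IRC or FTP ports, outbound IRC traffic, and a sweep of many local hosts. The campus address range, port lists and thresholds are assumptions.

```python
"""Added example (not from the LITS document): flow-log triage that applies the
document's signs of a hacked host. Record format and thresholds are assumed."""
from collections import defaultdict

CAMPUS_PREFIX = "10.1."          # assumed campus address range (constructed)
IRC_PORTS = {6667, 6668, 6669}   # common IRC ports (document names "IRC ports")
FTP_PORTS = {21}
HIGH_OUTPUT_BYTES = 100_000_000  # assumed threshold for "high output traffic"
SCAN_DISTINCT_HOSTS = 20         # assumed: one port to this many hosts = scan
# Constructed sample flows, "src,dst,dport,bytes" (bytes sent by src).
SAMPLE_FLOWS = [
    "10.1.4.20,192.0.2.10,80,12000",             # ordinary web browsing
    "10.1.7.55,198.51.100.9,6667,4000",          # outbound IRC session
    "203.0.113.5,10.1.7.55,6667,900",            # outsider reaching IRC port
    "203.0.113.6,10.1.7.55,21,300",              # outsider reaching FTP port
    "10.1.9.3,192.0.2.77,4662,250000000",        # very large output
] + [f"10.1.7.55,10.1.12.{i + 1},445,60" for i in range(40)]  # subnet sweep

def is_campus(ip):
    return ip.startswith(CAMPUS_PREFIX)

def triage(flows):
    """Return {campus host: sorted sign labels} for hosts showing any sign."""
    out_bytes = defaultdict(int)
    scan_targets = defaultdict(set)   # (src, dport) -> distinct destinations
    signs = defaultdict(set)
    for line in flows:
        src, dst, dport, nbytes = line.split(",")
        dport, nbytes = int(dport), int(nbytes)
        if is_campus(src):
            out_bytes[src] += nbytes
            scan_targets[(src, dport)].add(dst)
            if dport in IRC_PORTS:
                signs[src].add("irc-traffic")
        elif is_campus(dst):                  # inbound from off campus
            if dport in IRC_PORTS:
                signs[dst].add("irc-listener")
            elif dport in FTP_PORTS:
                signs[dst].add("ftp-listener")
    for host, total in out_bytes.items():
        if total > HIGH_OUTPUT_BYTES:
            signs[host].add("high-output")
    for (host, dport), targets in scan_targets.items():
        if len(targets) >= SCAN_DISTINCT_HOSTS:
            signs[host].add(f"scan:{dport}")
    return {host: sorted(found) for host, found in signs.items()}

if __name__ == "__main__":
    for host, found in sorted(triage(SAMPLE_FLOWS).items()):
        print(host, ", ".join(found))
```

As the document notes, a host flagged only for high output may simply be running file sharing software, so the labels are a starting point for a warning, not proof of a compromise.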
Intrusion Detection System programs monitor the signs that a computer puts
out and the amount and types of traffic. They may look for specific markers
in the network traffic.

Note -- high output traffic alone does not indicate a hacked computer.
Excessive output is often the result of peer-to-peer file sharing programs
such as KaZaA and many others. Nevertheless, excessive traffic does pose a
threat to the operation of the network, and such a computer may be treated
in the same way as a hacked computer.

If a system exhibits sufficient signs of having been hacked, or if the
system exhibits signs of being a threat to the security or operation of the
network, that computer must be prevented from posing a threat.

-----------------------------------------------------------------------------

What will Networking do?

The action that we take depends on the degree of threat to the security and
operation of the network:

1. Warn the owner of the computer of the problem. This step is generally
   done if there appears to be little threat to network security. This is
   done first, for example, for high traffic users. If traffic diminishes,
   nothing more needs to be done.

2. Quarantine the computer to on-campus operations only. This is a
   short-term solution that allows computer operations on campus. The
   assumption here is that a hacker is from off campus and would not be able
   to reach the computer. This method also prevents peer-to-peer file
   sharing to off-campus locations. This solution is used for computers
   with continued excessive network traffic or for machines that exhibit
   signs of being hacked. It is also used if we receive a complaint from a
   copyright holder or one of their agents who have found that a computer
   has been illegally distributing copyrighted materials.

3. Logically remove the computer from the network. This is done by turning
   off the dataport. This solution is used if there is an immediate threat
   to the network or if the computer is evading a quarantine state.
   (Windows ME may not properly relinquish an IP number, for example.)

-----------------------------------------------------------------------------

What happens to a hacked machine?

A hacked machine needs to be cleaned. This is a daunting task. Hackers want
to keep control of your machine. You may remove various programs that they
installed, but if you do not get them all, you may find the hacker has left
a "back door" that can provide access to your computer again.

LITS staff may help you look at your computer to determine if it is hacked.
If it is hacked, you need to get it clean before it is allowed full network
access.

Most security experts agree: if you have been hacked,

1. Back up your data from the computer
2. Reformat your disk
3. Reinstall the operating system
4. Restore your data from your backups

It is very important to be careful about saving your work from a hacked
computer. We have seen, for example, a hacker program whose icon was the
same as a FOLDER. If you save your work from a hacked machine, and part of
your documents includes a program masquerading as something else, and you
click on that program, you are likely going to let a hacker back into your
system.

You may notice the similarities to viruses. However, many of the programs
used by hackers are also legitimate programs. Virus protection is liable
not to pick up intrusions by hackers.

-----------------------------------------------------------------------------

Prevention

The best prevention is to become educated about the risks and the
solutions. Do not assume it cannot happen to you. It is much easier to
become educated and avoid the problems than it is to recover from them.

Always have ALL of your ORIGINAL installation media handy in the event you
need to reinstall your operating system and your various programs.
We recommend the work of Phil Rodrigues at the University of Connecticut:

    http://www.security.uconn.edu/index.html

Their web pages are excellent and they have excellent links to other web
pages on the topic of security.

For information specific to Mount Holyoke College for users of Windows 2000
or XP:

    http://www.mtholyoke.edu/lits/network/doc/security-win.txt

The web page above describes things you should do on your Windows 2000 or
Windows XP system to reduce its vulnerability.

=============================================================================