So You've Been Hacked, Part II


You cannot stop a hacker. Let's repeat this mantra together, "You cannot stop a hacker". Let's face it -- while you or I may be good, someone's better! I found that out the hard way (but my security was rather lax--see Part I). Some hacker will eventually decide to invite themselves into your Internet computers (or LAN).

In the 1970s a very popular film was "War Games." The plot was about a youngster who dials banks of phone numbers trying to hack his way into computers. He succeeds by hacking into a top-secret military computer through the proverbial back door. While your computer may or may not have back doors, every modem installed in a workstation is a potential entry point.

The foregoing scenario is inevitable. You will be hacked, either from the Internet, from an errant modem or from an inside job. But you can make it difficult, and you can prepare for the unavoidable. We'll focus on just your Internet computers (those that are, by definition, open to the Internet).

Know Thyself

How difficult do you wish to make access to your computer? The more difficult it is for the hacker to hack, the more difficult it is for the users. The more difficult it is for the users, the less they will use the system. The less they use the system, the lower the productivity. The lower the productivity of the computer systems, the smaller your budget becomes. The smaller your budget...well, you get the idea.

So we have our firewall and our access rules. We have our ACLs. We have our security groups. We may even have long passwords with mixed characters that need to be changed at specific intervals. While all these steps will aid in defeating a hacker, they are not foolproof, and may in fact defeat your users. How many offices have we walked into where everyone knows the server password, or where passwords are attached to the users' screens? In addition, do you or your client even have the budget to properly maintain the firewall and all the additional security measures?

It has always been my contention that the more security you put up (vis-à-vis keeping people out of your systems), the more you advertise that you have something so valuable that you have to keep it to yourself. Think of the protection of your computer systems as war. A war that will always be waged, day in and day out, 24 hours a day, seven days a week. A war that pits your company and clients against the enemy, the hackers.

Sun Tzu, the great Chinese military strategist, noted that all warfare is based on deception, and that when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

That's the reasoning behind the concept of bastion hosts and multiple firewalls. But the cost involved in setting up a system such as this may be prohibitive. And again, defeat may come from the inside or the flank, and not from a frontal assault. How else can you help yourself and your clients?

As we found out, hackers are quite good, and good hackers are wicked. They cover their tracks and use multiple access points to breach your security defenses. But if you had a baseline of your computer system, you would be able to ascertain whether your system has been breached.

Protect Yourself

There are a multitude of steps you as the VAR or systems administrator can take to protect yourself. Installing firewalls and proxy servers goes a long way toward protecting your LAN, but may not entirely protect your Internet servers. A major way to harden your system is to limit access.

The first step would be to turn off unneeded services. However, the very services that leave you so vulnerable are the ones your users depend on, which may make this option untenable. Telnet, SSH and FTP are three of the major ways hackers gain access to your system. They are also the three major ways that your users gain access to your system.

Limiting access via access control lists may become an overwhelming task and an administrative nightmare, especially if you have a large, diverse user base. The same holds true for limiting which hosts (or IP address ranges) you will trust and permit to access your computer.

Your greatest defense may not be offensive, but defensive. By "knowing thyself," you may be able to know instantly whether your systems have been breached, and determine which files have been tampered with. This will enable you to a) fix the damage and b) possibly reverse engineer the break-in and increase your external security.

Most if not all of these security measures are time consuming. They take time and planning during installation. They take time to monitor and tweak while they are tested. And, finally, they take time to administer. Are they worth the time and energy? That's a question only you and your clients can answer.

What's the cost for reinstalling a system? Most security experts agree that once a system has been compromised, it needs to be re-installed. In our case, given the large number of different systems and servers this computer ran, from SQL databases to Web Servers, E-mail List Servers to News Servers, we estimated over 80 hours. Now do the math. Your hourly rate times 80 hours. That's a lot of money.

Below is a list of programs that can be used to "harden" your system or create a baseline of it.

UNIX/Linux

The Bastille Hardening System (http://www.bastille-linux.org/)

  • Gives you control of what services get disabled or reconfigured on a Linux system.

Tripwire (http://www.tripwire.org)

  • Creates a baseline of all system files and periodically compares this baseline with the actual files.

SATAN (ftp://ciac.llnl.gov/pub/ciac/sectools/unix/satan/)

  • SATAN recognizes several common networking-related security problems and reports them without actually exploiting them.

SARA (http://www-arc.com/sara/)

  • The Security Auditor's Research Assistant is a third-generation Unix-based security analysis tool based on the SATAN model.

TCP wrappers (ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/tcp_wrappers/tcp_wra...)

  • Tool commonly used on Unix systems to monitor and filter connections to network services. Allows monitoring and control over who connects to a host's TFTP, EXEC, FTP, RSH, TELNET, RLOGIN, FINGER, and SYSTAT ports.

Ipacl (ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/ipacl/ipacl.tar.Z)

  • IPACL stands for "IP access list". It is designed to filter incoming and outgoing TCP/UDP packets by forcing all of them through an access control list facility.
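The "know thyself" baseline that Tripwire provides, stripped to its essence as an added example (this is not the article's or Tripwire's own code): record a digest and the permission bits of every file, then diff a fresh scan against the stored record. The SHA-256 choice, the in-memory baseline and the sample file tree are assumptions made for the demonstration.

```python
# Minimal file-integrity baseline in the spirit of Tripwire (added example, not
# from the article). Assumes SHA-256 digests; a real baseline must be stored
# off-host or on read-only media, or an intruder simply re-baselines his changes.
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def take_baseline(root: str) -> dict:
    """Record the digest and permission bits of every regular file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # skip symlinks and directories; only regular files are hashed
        rel = path.relative_to(root).as_posix()
        # Permission bits matter too: a new setuid bit is as telling as new content.
        mode = stat.S_IMODE(path.stat().st_mode)
        baseline[rel] = {"sha256": hashlib.sha256(path.read_bytes()).hexdigest(), "mode": mode}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files added, removed or changed since the baseline was taken."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    root = Path(tempfile.mkdtemp())
    (root / "bin").mkdir()
    (root / "bin" / "login").write_bytes(b"original login binary")
    (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
    (root / "motd").write_text("welcome\n")
    os.chmod(root / "passwd", 0o644)
    baseline = take_baseline(str(root))
    (root / "bin" / "login").write_bytes(b"replaced login binary")  # content changed
    os.chmod(root / "passwd", 0o600)                                 # mode changed only
    (root / "motd").unlink()                                         # file removed
    (root / "bin" / "extra").write_bytes(b"new file")                # file added
    return compare(baseline, take_baseline(str(root)))
```

Run the baseline once on a known-clean install (ideally before the machine goes on the network) and keep the record somewhere the compromised host cannot write to; a report of zero changes is only meaningful if the reference itself could not have been tampered with.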

Windows

Microsoft lists many tools on their website:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur...