Hackers, crackers, script kiddies:
whatever they're called, they
pose a real threat to your system's security. Fortunately, they're
easy to thwart. David Peterson explains how.
The first attempt against my company Web site came before I'd even finished
setting it up. It wasn't listed on any search engines, and I hadn't
registered the domain name yet. It doesn't take long for a system to come
under attack, and you don't need to be a business to become a target.
In the real world, Internet security often has more to do with petty vandalism
by bored kids and the oversights of overworked system administrators than with
Hollywood-style espionage. And defeating the bad guys doesn't require a
single car chase; it's often as simple as downloading the latest
security update from Microsoft.
The "bad guys" themselves are generally far from being masterminds,
and may very well not even have a clue what it is they're doing. There
are some exceptions, of course (see the sidebar "Organised crime" on page 24),
but the popular perception of the hacker is largely a myth.
Hackers: not all they're cracked up to be
The myth begins with the name itself. The term "hacker" didn't
originally have the sinister connotations that it does today.
In the early days of computing, hackers were people who, despite lack of resources
and often without formal training, could apply their ingenuity to create clever
results. The results would often be inelegant, but usually quick and effective.
Most Communiqué members have probably, at some stage, hacked out macros
in Excel or Word. Australians seem to be natural hackers, having readily translated
into the electronic domain their legendary ability to use fencing wire and a
stick to repair just about anything.
In recent years, journalists have misappropriated the term "hacker"
to describe those who maliciously break the security on systems with intent
to vandalise or steal from them. In an attempt to distance themselves from this
sort of behaviour, the hacker community coined the derogatory term "cracker"
in the mid-1980s, but the name has never really gained widespread acceptance
in the mainstream media.
At the bottom of the totem pole is the script kiddie. Having watched
too many movies, script kiddies yearn for the status they imagine will come
from being a cracker, but lack the wit or patience to learn how. Instead, they
download cracking scripts from the Internet and use them to attack Web sites.
When they eventually stumble across a site that is vulnerable, they generally
vandalise it and leave behind a message about how clever they are, despite
the fact that they had no idea what they actually did or how they did it.
Despite their ignorance, script kiddies present a real threat because of their
vast numbers, persistence and complete disregard for other people's property.
Fortunately, they are also very simple to thwart, but more on this later.
So what are they after?
Some crackers and script kiddies are simply after notoriety by bringing down
high-profile Web sites or a large number of smaller ones.
The "World of Hell" cracking group, for example, claimed the record
in June 2001 for having defaced 679 Web sites in one minute, most of which
were owned by individuals or small businesses.
Others don't intend immediate harm, but use compromised systems as launching
pads for future attacks against other Web sites. If your Web site is used in
this fashion, any attacks would be traced back to your site and any blame or
retaliation would initially fall upon you, rather than the actual culprit. Some
are after free storage space for things they would rather not have in their
own name. One of the fellows I caught trying to break into my home computer
(see the sidebar "I'm safe because"
on page 26) was attempting to
set it up as a distribution point for pirated software. Others have more sinister
criminal intentions (see sidebar below).
The big question: Is IIS secure?
The huge surge in attacks on Microsoft Internet Information Server (IIS) Web
servers in the second half of 2001 gave some media exposure to the claims made
by UNIX devotees that Windows is not a secure enough operating system for the
An important point to note about all of these attacks is that they made use
of widely-publicised exploits for which patches had already been released,
in most cases months prior to the attacks. The other important thing to note
is that the UNIX operating systems suffer from the same problems, and then some.
One research group (project.honeynet.org)
estimated the life expectancy of an unpatched UNIX server at around 72 hours.
The moral to the story? Don't believe the hype. Windows and Internet Information
Server will look after your company Web site just fine as long as you keep an
eye on security. How can you do that? Read on.
STPP it or you'll go blind
Microsoft has announced the Strategic Technology Protection Platform (STPP),
mobilising resources to proactively assist customers to secure their systems.
- Mobilisation of account managers and field representatives. Microsoft has
mobilised its support staff to work with customers of all sizes to ensure
that their networks are operating securely.
- New security tool kit. The tool kit includes service packs and security
hot fixes for Windows NT 4 and Windows 2000 along with security tools. It
can be ordered on CD or downloaded from www.microsoft.com/security.
- Comprehensive security roll-up packages. Microsoft is providing customers
with security roll-up packages via Windows Update.
- Windows Update Auto Update security hot fixes for businesses.
Microsoft is making available an automated service for providing business
customers with the security roll-up packages in a way that meets the needs
of enterprise-level customers.
- Expanded scope of the Secure Windows Initiative (SWI). SWI has the sole
focus of continually improving Microsoft's own development processes
to deliver more secure and reliable products and technologies.
Attacks over the Internet generally tend to exploit a common set of mistakes
made by computer owners. As the first step in keeping your computer safe, ask
yourself the following questions:
- Do you have passwords that can be easily guessed or that you use in a number
of different places?
- If you have IIS installed, do you still have the sample files on your Web
- Are you running services (like FTP) that you don't really need?
- Are you procrastinating about installing the latest security patches?
How to tighten security on your PC
Your home PC, regardless of which version of Windows you're running, can
be just as vulnerable as a server. To help Windows NT 4.0 Workstation and Windows
2000 Professional users to keep their PCs safe, Microsoft has released a tool
called the Microsoft Personal Security Advisor, accessible from www.microsoft.com/technet/mpsa/start.asp.
It only takes a few minutes to run, and it checks your PC for vulnerabilities
such as easily guessable passwords and any new security patches or software
updates that you may be missing. It produces a report of its findings on your
Web browser with links to explanations and further information.
How to tighten security on your Web server
Microsoft's Web site
contains a wealth of security tools and checklists that you can use to keep
your servers secure. Examples include:
- The IIS Lockdown tool (www.microsoft.com/technet/security/tools/locktool.asp).
A quick and easy solution for securing your Web server, IIS Lockdown can protect
against almost all known security vulnerabilities affecting IIS4 and IIS5
in a matter of minutes, even without installing the security patches.
Because the facilities that are often exploited by crackers are disabled,
a locked-down server will also be resistant to most exploits that may be devised
in the future.
- URLScan (www.microsoft.com/technet/security/urlscan.asp)
is an intrusion detection tool that screens all incoming requests to your
Web server for the peculiarly formed requests that are the signature of Web
site attacks. These suspicious requests are intercepted by URLScan, preventing
them from reaching the server and causing damage. Like the IIS Lockdown tool,
the way it works protects not only against current vulnerabilities, but
also against attack methods that have not yet been discovered.
- As any security expert will tell you, keeping current with the latest
security patches is vital. But as any system administrator will also tell
you, it can be a fair bit of work. To make life easier, Microsoft has released
a tool called the Network Security Hotfix Checker (www.microsoft.com/technet/security/tools/hfnetchk.asp),
which can scan a single server or range of servers and report what patches
and service packs are missing.
- If you are about to set up a new Web server, be sure to keep handy a copy
of the IIS4 Security Checklist (www.microsoft.com/technet/security/tools/iischk.asp)
or the IIS5 Security Checklist (www.microsoft.com/technet/security/tools/iis5chk.asp).
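The kind of request screening described for URLScan above can be sketched in a few lines. This is an added example, not Microsoft's code or URLScan's shipped configuration: the rule lists, the function names and the sample requests are all constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Illustrative rule sets (assumptions for this example, not URLScan's own rules).
ALLOWED_VERBS = {"GET", "HEAD", "POST"}
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq", ".htr", ".printer"}
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")


def screen_request(verb, raw_url):
    """Return (allowed, reason) for one request, checking only the path part."""
    if verb.upper() not in ALLOWED_VERBS:
        return False, "verb not allowed"
    path = raw_url.split("?", 1)[0]
    # Decode once, as the server would, then decode again: if the second pass
    # changes the path, the request was double-encoded to slip past a filter.
    decoded = unquote(path)
    if unquote(decoded) != decoded:
        return False, "double-encoded path"
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in decoded):
        return False, "non-printable or high-bit character"
    for seq in DENIED_SEQUENCES:
        if seq in decoded:
            return False, f"denied sequence {seq!r}"
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in DENIED_EXTENSIONS:
        return False, f"denied extension {ext}"
    return True, "ok"


# Constructed sample requests (verb, URL), as they might appear in a server log.
SAMPLE_REQUESTS = [
    ("GET", "/index.htm"),
    ("GET", "/products/list.asp?cat=3&page=2"),
    ("GET", "/docs/../../private/notes.txt"),
    ("GET", "/docs/%252e%252e/private/notes.txt"),
    ("GET", "/tools/setup.exe"),
    ("TRACE", "/index.htm"),
    ("GET", "/search.ida?q=test"),
]


def screen_all(requests):
    """Screen every request and return (verb, url, allowed, reason) tuples."""
    return [(verb, url) + screen_request(verb, url) for verb, url in requests]


if __name__ == "__main__":
    for verb, url, allowed, reason in screen_all(SAMPLE_REQUESTS):
        print(f"{'PASS ' if allowed else 'BLOCK'} {verb:5} {url}  ({reason})")
```

Because the rules describe what a well-formed request looks like rather than listing known attacks, a malformed request is rejected whether or not it matches an exploit that has already been published.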
Whether you are looking after a Web server, a corporate network or just your
own PC, you can keep current with all of the latest security news through Microsoft's
notification service. To subscribe, send a blank email to email@example.com.
David Peterson is a principal consultant at Peterson IT Consulting (www.PetersonITConsulting.com).
He can be contacted by email at david@PetersonITConsulting.com.