Hacked Off?

31st of January, 2002
   
 
 
Hackers, crackers, script kiddies … whatever they’re called, they pose a real threat to your system’s security. Fortunately, they’re easy to thwart. David Peterson explains how.

The first attempt against my company Web site came before I’d even finished setting it up. It wasn’t listed on any search engines, and I hadn’t registered the domain name yet. It doesn’t take long for a system to come under attack, and you don’t need to be a business to become a target.

In the real world, Internet security often has more to do with petty vandalism by bored kids and the oversights of overworked system administrators than with Hollywood-style espionage. And defeating the bad guys doesn’t require a single car chase – it’s often as simple as downloading the latest security update from Microsoft.

The bad guys themselves are generally far from being ‘masterminds’, and may very well not even have a clue what it is they’re doing. There are some exceptions, of course (see the sidebar ‘Organised crime’ on page 24), but the popular perception of the hacker is largely a myth.

Hackers – not all they’re cracked up to be
The myth begins with the name itself. The term ‘hacker’ didn’t originally have the sinister connotations that it does today.

In the early days of computing, hackers were people who, despite lack of resources and often without formal training, could apply their ingenuity to create clever results. The results would often be inelegant, but usually quick and effective.

Most Communiqué members have probably, at some stage, hacked out macros in Excel or Word. Australians seem to be natural hackers, having readily translated into the electronic domain their legendary ability to use fencing wire and a stick to repair just about anything.

In recent years, journalists have misappropriated the term ‘hacker’ to describe those who maliciously break the security on systems with intent to vandalise or steal from them. In an attempt to distance themselves from this sort of behaviour, the hacker community coined the derogatory term ‘cracker’ in the mid-1980s, but the name has never really gained widespread acceptance in the mainstream media.

At the bottom of the totem pole is the ‘script kiddie’. Having watched too many movies, script kiddies yearn for the status they imagine will come from being a cracker, but lack the wit or patience to learn how. Instead, they download cracking scripts from the Internet and use them to attack Web sites.

When they eventually stumble across a site that is vulnerable, they generally vandalise it and leave behind a message about how clever they are – despite the fact that they had no idea what they actually did or how they did it.

Despite their ignorance, script kiddies present a real threat because of their vast numbers, persistence and complete disregard for other people’s property. Fortunately, they are also very simple to thwart – but more on this later.

So what are they after?
Some crackers and script kiddies are simply after notoriety by bringing down high-profile Web sites or a large number of smaller ones.

The ‘World of Hell’ cracking group, for example, claimed the record in June 2001 for having defaced 679 Web sites in one minute – most of which were owned by individuals or small businesses.

Others don’t intend immediate harm, but use compromised systems as launching pads for future attacks against other Web sites. If your Web site is used in this fashion, any attacks would be traced back to your site and any blame or retaliation would initially fall upon you, rather than the actual culprit. Some are after free storage space for things they would rather not have in their own name. One of the fellows I caught trying to break into my home computer (see the sidebar ‘I’m safe because …’ on page 26) was attempting to set it up as a distribution point for pirated software. Others have more sinister criminal intentions (see sidebar below).

The big question: Is IIS secure?
The huge surge in attacks on Microsoft Internet Information Server (IIS) Web servers in the second half of 2001 gave some media exposure to the claims made by UNIX devotees that Windows is not a secure enough operating system for the Internet.

An important point to note about all of these attacks is that they made use of widely-publicised exploits for which patches had already been released – in most cases months prior to the attacks. The other important thing to note is that the UNIX operating systems suffer from the same problems, and then some. One research group (project.honeynet.org) estimated the life expectancy of an unpatched UNIX server at around 72 hours.

The moral to the story? Don’t believe the hype. Windows and Internet Information Server will look after your company Web site just fine as long as you keep an eye on security. How can you do that? Read on.

STPP it or you’ll go blind

Microsoft has announced the Strategic Technology Protection Platform (STPP), mobilising resources to proactively assist customers to secure their systems.

Get secure

  • Mobilisation of account managers and field representatives. Microsoft has mobilised its support staff to work with customers of all sizes to ensure that their networks are operating securely.
  • New security tool kit. The tool kit includes service packs and security hot fixes for Windows NT 4 and Windows 2000 along with security tools. It can be ordered on CD or downloaded from www.microsoft.com/security.

Stay secure

  • Comprehensive security roll-up packages. Microsoft is providing customers with security roll-up packages via Windows Update.
  • Windows Update ‘Auto Update’ security hot fixes for businesses. Microsoft is making available an automated service for providing business customers with the security roll-up packages in a way that meets the needs of enterprise-level customers.
  • Expanded scope of the Secure Windows Initiative (SWI). SWI has the sole focus of continually improving Microsoft’s own development processes to deliver more secure and reliable products and technologies.

Defend yourself
Attacks over the Internet generally tend to exploit a common set of mistakes made by computer owners. As the first step in keeping your computer safe, ask yourself the following questions:

  • Do you have passwords that can be easily guessed or that you use in a number of different places?
  • If you have IIS installed, do you still have the sample files on your Web site?
  • Are you running services (like FTP) that you don’t really need?
  • Are you procrastinating about installing the latest security patches?

How to tighten security on your PC
Your home PC, regardless of which version of Windows you’re running, can be just as vulnerable as a server. To help Windows NT 4.0 Workstation and Windows 2000 Professional users to keep their PCs safe, Microsoft has released a tool called the Microsoft Personal Security Advisor, accessible from www.microsoft.com/technet/mpsa/start.asp.

It only takes a few minutes to run, and it checks your PC for vulnerabilities – such as easily guessable passwords and any new security patches or software updates that you may be missing. It produces a report of its findings on your Web browser with links to explanations and further information.

How to tighten security on your Web server
Microsoft’s Web site contains a wealth of security tools and checklists that you can use to keep your servers secure. Examples include:

  • The IIS Lockdown tool (www.microsoft.com/technet/security/tools/locktool.asp). A quick and easy solution for securing your Web server, IIS Lockdown can protect against almost all known security vulnerabilities affecting IIS4 and IIS5 in a matter of minutes – even without installing the security patches. Because the facilities that are often exploited by crackers are disabled, a locked-down server will also be resistant to most exploits that may be devised in the future.
  • URLScan (www.microsoft.com/technet/security/urlscan.asp) is an intrusion detection tool that screens all incoming requests to your Web server for the peculiarly formed requests that are the signature of Web site attacks. These suspicious requests are intercepted by URLScan, preventing them from reaching the server and causing damage. Like the IIS Lockdown tool, it protects not only against current vulnerabilities, but also against attack methods that have not yet been discovered.
  • As any security expert will tell you, keeping current with the latest security patches is vital. But as any system administrator will also tell you, it can be a fair bit of work. To make life easier, Microsoft has released a tool called the Network Security Hotfix Checker (www.microsoft.com/technet/security/tools/hfnetchk.asp), which can scan a single server or range of servers and report what patches and service packs are missing.
  • If you are about to set up a new Web server, be sure to keep handy a copy of the IIS4 Security Checklist (www.microsoft.com/technet/security/tools/iischk.asp) or the IIS5 Security Checklist (www.microsoft.com/technet/security/tools/iis5chk.asp).
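
The request screening described for URLScan above can be illustrated with a short script. This is an added example, not code from the article or from Microsoft; the rule values, function names and the simplified log format are assumptions chosen for illustration and are not URLScan's shipped configuration.

```python
import posixpath
from urllib.parse import unquote

# Illustrative rule values (assumptions for this example, not URLScan's own).
DENIED_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ida", ".idq", ".htr"}
DENIED_SEQUENCES = ("..", "./", "\\", ":")
MAX_PATH_LENGTH = 260
MAX_QUERY_LENGTH = 512


def screen_request(target):
    """Return the reasons a request target is rejected; an empty list means allowed."""
    reasons = []
    path, _, query = target.partition("?")
    if len(path) > MAX_PATH_LENGTH:
        reasons.append("path too long")
    if len(query) > MAX_QUERY_LENGTH:
        reasons.append("query too long")
    decoded = unquote(path)
    # A second decode that still changes the path means it was encoded twice,
    # which lets characters slip past a filter that decodes only once.
    if unquote(decoded) != decoded:
        reasons.append("double-encoded path")
    if any(ord(ch) < 32 or ord(ch) > 126 for ch in decoded):
        reasons.append("non-printable or high-bit character")
    reasons += [f"denied sequence {seq!r}" for seq in DENIED_SEQUENCES if seq in decoded]
    ext = posixpath.splitext(decoded)[1].lower()
    if ext in DENIED_EXTENSIONS:
        reasons.append(f"denied extension {ext}")
    return reasons


def flag_log_lines(lines):
    """Screen 'client method target status' lines; return (client, target, reasons) for rejects."""
    flagged = []
    for line in lines:
        client, _method, target, _status = line.split(" ", 3)
        reasons = screen_request(target)
        if reasons:
            flagged.append((client, target, reasons))
    return flagged


# Constructed sample log lines in a simplified format (not real traffic).
SAMPLE_LOG = [
    "192.0.2.10 GET /index.html 200",
    "198.51.100.7 GET /scripts/..%255c../tool.exe 404",
    "203.0.113.5 GET /lookup.ida?" + "A" * 600 + " 404",
    "192.0.2.10 GET /products/list.asp?page=2 200",
]

if __name__ == "__main__":
    for client, target, reasons in flag_log_lines(SAMPLE_LOG):
        print(client, target[:40], "->", "; ".join(reasons))
```

Because the checks look at the shape of the request rather than at one known exploit, the same rules reject malformed requests whatever vulnerability they were aimed at.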

Whether you are looking after a Web server, a corporate network or just your own PC, you can keep current with all of the latest security news through Microsoft’s notification service. To subscribe, send a blank email to securbas@microsoft.com.

David Peterson is a principal consultant at Peterson IT Consulting (www.PetersonITConsulting.com). He can be contacted by email at david@PetersonITConsulting.com.

   
     
   
   
     
     