
Protecting Firewall - Part4

Chasing After Ghosts

This is a side effect of the misunderstandings discussed in the previous subsection. When a person who is just starting to learn the jargon of personal firewalls is told that "dangerous" connection attempts keep arriving from the same source, they set out to locate and identify the "hacker", and perhaps to report them to the police or to their Internet service provider. However, since many people do not thoroughly understand how things work, they may spend many hours trying to locate a cracker who does not exist, or attempting a trace that requires far more knowledge than they have, and they may even suspect the wrong person (for example, the person whose Internet service provider connection the cracker used). More knowledgeable people usually do not bother tracking those "hackers" (who are usually teenagers) and instead concentrate on the security of their own computer.

Blocking Legitimate Communications

No personal firewall is smart enough to decide for the user what is legitimate communication and what is not. Unless the user tells it, a personal firewall cannot distinguish between a legitimate program contacting its server to check for a newer version and a malicious program contacting its server to deliver sensitive information such as passwords. It is therefore up to the user to decide what should be considered legitimate and what should not. Yet can we count on the user being knowledgeable enough to make that decision? In many cases the user is not, and may thus allow illegitimate communication or block legitimate and important communication. Many types of communication exist only to manage other communications. Among these are various exchanges between your computer and the servers of your Internet service provider. A less knowledgeable user may interpret these as cracking attempts and decide to block them. As a result, the connection might become slower, the connection to the Internet service provider might drop quite often, and other communication problems may follow.

Being Tricked by Trojans

Just as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by various Trojans into allowing them to communicate. Some Trojans use names resembling or identical to the names of legitimate programs, so that the user will think they are legitimate programs. Users should be aware of that.

Heavy Software, Buggy Software

Until now we discussed only problems caused by the user's lack of appropriate knowledge. Yet there are other problems with personal firewalls. For example, some are known to be quite heavy on computer resources, or to slow down the communication speed. Personal firewalls vary considerably in this regard. If you have a new computer with a slow Internet connection (such as regular dial-up networking), the firewall might not slow down your computer noticeably. Yet if you use an older computer and a fast connection, you might find that some personal firewalls slow down your communication quite drastically. Personal firewalls also vary in how stable they are.

Advantages of External Firewalls over Personal Firewalls

1. They do not take resources from the computer. This should be clear. It is especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse to disable it, because it does not reside on the same computer that the Trojan has infected. It is not possible to use the specific communication while totally bypassing the firewall.
3. They can be used without any dependence on the operating system of the computer(s) they defend.
4. No instability problems.
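The point about look-alike program names can be turned into a concrete rule. The following is an added example, not code from the original post: a toy outbound-connection decision that identifies a program by its full path and the SHA-256 of its executable rather than by its name, so a Trojan named after a legitimate updater is refused even though the name matches. The allowlist entry, the path /usr/bin/updater and the executable bytes are constructed for the example.

```python
import hashlib

# Constructed allowlist for a hypothetical vendor updater. An entry is keyed on the
# full path AND the SHA-256 of the executable, never on the bare file name.
LEGIT_UPDATER = b"constructed bytes standing in for the genuine updater binary"
ALLOWLIST = {
    ("/usr/bin/updater", hashlib.sha256(LEGIT_UPDATER).hexdigest()): "vendor updater",
}


def decide(process_name, path, executable_bytes):
    """Return (decision, reason) for an outbound connection request.

    process_name     -- name the firewall prompt would show the user
    path             -- full path of the executable that opened the socket
    executable_bytes -- contents of that executable, hashed for comparison
    """
    digest = hashlib.sha256(executable_bytes).hexdigest()
    label = ALLOWLIST.get((path, digest))
    if label:
        return ("allow", label)
    # A matching name alone is exactly what a look-alike Trojan relies on;
    # report it as such so the user is not tempted to click "allow".
    known_names = {p.rsplit("/", 1)[-1] for p, _ in ALLOWLIST}
    if process_name in known_names:
        return ("deny", "name matches an allowed program but path or hash does not")
    return ("deny", "unknown program")


if __name__ == "__main__":
    print(decide("updater", "/usr/bin/updater", LEGIT_UPDATER))
    print(decide("updater", "/tmp/updater", b"something else with the same name"))
    print(decide("updater", "/usr/bin/updater", b"genuine path, modified contents"))
```

Hashing the executable is what makes the second and third cases fail: a copy dropped in another directory and a patched copy at the original path both keep the name but neither keeps the (path, digest) pair.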


Backdoors-Part1



Since the early days of intruders breaking into computers, they have tried to develop techniques, or backdoors, that allow them to get back into the system. This paper focuses on many of the common backdoors and possible ways to check for them. Most of the focus will be on Unix backdoors, with some discussion of future Windows NT backdoors. It describes the complexity of the issues involved in trying to determine the methods that intruders use, and gives administrators a basis for understanding how they might stop intruders from getting back in. When an administrator understands how difficult it is to stop an intruder once they are in, the value of being proactive and blocking the intruder from ever getting in becomes clearer. This is intended to cover many of the popular backdoors commonly used by beginner and advanced intruders. It is not intended to cover every possible way to create a backdoor, as the possibilities are limitless. For most intruders, a backdoor provides two or three main functions:

1. Be able to get back into a machine even if the administrator tries to secure it, e.g. by changing all the passwords.
2. Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged, and many times the machine can appear to have no one online even while an intruder is using it.
3. Be able to get back into the machine in the least amount of time. Most intruders want to get back in easily without having to redo all the work of exploiting a hole to gain access.

In some cases, if the intruder thinks the administrator may detect any installed backdoor, they will resort to using the vulnerability repeatedly to get on the machine as the only backdoor, thus not touching anything that may tip off the administrator. Therefore, in some cases, the vulnerabilities on a machine remain the only unnoticed backdoor.

Password Cracking Backdoor

One of the first and oldest methods intruders used to gain not only access to a Unix machine but also backdoors was to run a password cracker. This uncovers accounts with weak passwords. All these new accounts are now possible backdoors into a machine even if the system administrator locks out the intruder's current account. Many times, the intruder will look for unused accounts with easy passwords and change the password to something difficult. When the administrator looks for all the accounts with weak passwords, the accounts with modified passwords will not appear. Thus the administrator will not be able to easily determine which accounts to lock out.
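One way an administrator can recover the signal this paragraph says is lost, as an added example that is not part of the original paper: keep a fingerprint of each account's password hash field taken from a known-good /etc/shadow and diff the live file against it, so an unused account whose password was quietly replaced shows up even though it no longer fails a weak-password check. The shadow lines, account names and hash fields are constructed placeholders, and `authorized` stands in for whatever change record the administrator keeps.

```python
import hashlib

# Constructed /etc/shadow snapshots. The hash fields are placeholders, not real
# password hashes. Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
BASELINE_SHADOW = """\
root:$6$c0$ROOTHASH:19000:0:99999:7:::
guest:$6$c1$GUESTHASH:18500:0:99999:7:::
backup:*:18000:0:99999:7:::
ftp:$6$c2$FTPHASH:18200:0:99999:7:::
"""
CURRENT_SHADOW = """\
root:$6$c0$ROOTHASH:19000:0:99999:7:::
guest:$6$c9$NEWGUESTHASH:19120:0:99999:7:::
backup:*:18000:0:99999:7:::
ftp:$6$c2$FTPHASH:18200:0:99999:7:::
www:$6$c8$WWWHASH:19121:0:99999:7:::
"""


def parse_shadow(text):
    """Map user -> (fingerprint of the hash field, days-since-epoch of last change).

    Only a SHA-256 fingerprint of the hash field is kept, so the saved baseline
    does not become a second copy of the password hashes."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        fingerprint = hashlib.sha256(fields[1].encode()).hexdigest()
        lastchg = int(fields[2]) if fields[2] else None
        entries[fields[0]] = (fingerprint, lastchg)
    return entries


def diff_shadow(baseline_text, current_text, authorized=()):
    """Report accounts that appeared, disappeared, or had their password hash
    replaced outside the set of users whose change the administrator authorized."""
    base = parse_shadow(baseline_text)
    cur = parse_shadow(current_text)
    findings = []
    for user, (fingerprint, lastchg) in cur.items():
        if user not in base:
            findings.append((user, "account not in baseline"))
        elif fingerprint != base[user][0] and user not in authorized:
            findings.append((user, f"password hash replaced (lastchg day {lastchg})"))
    for user in base:
        if user not in cur:
            findings.append((user, "account removed"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in diff_shadow(BASELINE_SHADOW, CURRENT_SHADOW):
        print(f"{user}: {reason}")
```

The `guest` account is the case from the paragraph: a weak-password audit of the current file would pass it, but its hash no longer matches the baseline and nobody authorized the change. The new `www` account is reported for the same reason that new weak-password accounts are a risk.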

Rhosts + + Backdoor

On networked Unix machines, services like Rsh and Rlogin used a simple authentication method based on hostnames that appear in the rhosts file. A user could easily configure which machines would not require a password to log in. An intruder who gained access to someone's rhosts file could put "+ +" in the file, and that would allow anyone from anywhere to log into that account without a password. Many intruders use this method, especially when NFS is exporting home directories to the world. These accounts become backdoors for intruders to get back into the system. Many intruders prefer using Rsh over Rlogin because it often lacks any logging capability. Many administrators check for "+ +", so an intruder may instead put in a hostname and username from another compromised account on the network, making it less obvious to spot.
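A checker for the rhosts entries described above, added here as an example and not taken from the original paper. It flags the "+ +" wildcard, single-sided wildcards, hosts outside an administrator-supplied trusted set and, for the subtler case the last sentence describes, entries that grant another account on a trusted host access to this one. The host names, the trusted set and the sample file are constructed.

```python
# Constructed ~/.rhosts for the account "alice" on a host whose only legitimate
# trust relationships are with two internal machines (hypothetical names).
TRUSTED_HOSTS = {"build.example.test", "db1.example.test"}
SAMPLE_RHOSTS = """\
build.example.test
+ +
+ alice
db1.example.test mallory
attacker.example.test
-evil.example.test
"""


def audit_rhosts(text, trusted_hosts, local_user):
    """Return (line number, severity, message) for every entry that widens
    access beyond local_user logging in from a trusted host.

    rhosts lines are "host [user]"; a missing user means the same user name
    as the local account, "+" is a wildcard and a leading "-" denies access."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else local_user
        if host.startswith("-"):
            continue  # negative entry: it denies, it does not grant
        if host == "+" and user == "+":
            findings.append((lineno, "critical", "any user from any host (+ +)"))
        elif host == "+":
            findings.append((lineno, "critical", f"{user} from any host"))
        elif user == "+":
            findings.append((lineno, "critical", f"any user from {host}"))
        elif host not in trusted_hosts:
            findings.append((lineno, "high", f"untrusted host {host}"))
        elif user != local_user:
            # Looks innocuous to a "+ +" grep, but hands this account to another one.
            findings.append((lineno, "medium", f"{user}@{host} may log in as {local_user}"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_rhosts(SAMPLE_RHOSTS, TRUSTED_HOSTS, "alice"):
        print(f"line {lineno}: [{severity}] {message}")
```

Line 4 of the sample is the entry a "+ +" search misses: `db1.example.test` is trusted, but the entry lets `mallory` on that host become `alice` here, so it is still reported.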

Checksum and Timestamp Backdoors

Early on, many intruders replaced binaries with their own trojan versions. Many system administrators relied on time-stamping and the system checksum programs, e.g. Unix's sum program, to try to determine when a binary file had been modified. Intruders have developed tooling that recreates the same time-stamp on the trojan file as on the original file. This is accomplished by setting the system clock back to the original file's time and then adjusting the trojan file's time to the system clock. Once the binary trojan file has exactly the same time as the original, the system clock is reset to the current time. The sum program relies on a CRC checksum and is easily spoofed. Intruders have developed programs that modify the trojan binary to have the necessary original checksum, thus fooling the administrators. MD5 checksums are the choice recommended today by most vendors. MD5 is based on an algorithm that no one has yet, to date, proven can be spoofed.

Login Backdoor

On Unix, the login program is the software that usually does the password authentication when someone telnets to the machine. Intruders grabbed the source code to login.c and modified it so that when login compared the user's password with the stored password, it would first check for a backdoor password. If the user typed in the backdoor password, it would allow them to log in regardless of what the administrator set the passwords to. Thus this allowed the intruder to log into any account, even root. The password backdoor would spawn access before the user actually logged in and appeared in utmp and wtmp. Therefore an intruder could be logged in and have shell access without it appearing that anyone is on that machine as that account. Administrators started noticing these backdoors, especially if they ran the "strings" command to find what text was in the login program. Many times the backdoor password would show up. The intruders then encrypted or hid the backdoor password better so it would not appear by just running strings. Many administrators can detect these backdoors with MD5 checksums.
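The checksum, timestamp and strings checks from the two sections above, as an added example that is not from the original paper: a baseline-and-verify script that records size, mtime, a SHA-256 digest and the printable-string table of known-good binaries, then reports files whose digest no longer matches, noting when size and mtime still agree (the forged-timestamp case) and which printable strings are new. It also includes a System V style additive checksum to show why that family of sum programs is trivially collidable: swapping two bytes leaves it unchanged. The paper recommends MD5; practical MD5 collisions have since been demonstrated, so the example uses SHA-256. The stand-in "login" bytes, the temporary directory and the forged timestamp are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile


def sysv_sum(data):
    """16-bit additive checksum in the style of System V sum(1). Reordering
    bytes, or any edit that preserves the byte total, leaves it unchanged."""
    s = sum(data)
    r = (s & 0xFFFF) + ((s & 0xFFFFFFFF) >> 16)
    return (r & 0xFFFF) + (r >> 16)


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def printable_strings(data, min_len=4):
    """Roughly what strings(1) prints: runs of printable ASCII of min_len or more."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}


def build_baseline(paths):
    """Record size, mtime, SHA-256 and string table of known-good binaries.
    Run this from clean install media and keep the result off the machine."""
    baseline = {}
    for path in paths:
        with open(path, "rb") as f:
            data = f.read()
        st = os.stat(path)
        baseline[path] = {
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": sha256_bytes(data),
            "strings": printable_strings(data),
        }
    return baseline


def verify(baseline):
    """Compare live files against the baseline. A SHA-256 mismatch is the
    authoritative signal; unchanged size and mtime are reported as clues that
    the timestamp was forged, and new printable strings hint at added code."""
    findings = []
    for path, rec in baseline.items():
        with open(path, "rb") as f:
            data = f.read()
        st = os.stat(path)
        if sha256_bytes(data) == rec["sha256"]:
            continue
        clues = []
        if st.st_size == rec["size"]:
            clues.append("size unchanged")
        if st.st_mtime == rec["mtime"]:
            clues.append("mtime unchanged")
        findings.append({
            "path": path,
            "clues": clues,
            "new_strings": sorted(printable_strings(data) - rec["strings"]),
        })
    return findings


def demo():
    """Constructed scenario: a stand-in 'login' file is replaced by one of the
    same size and its mtime is set back to the original's, as the paper
    describes. The replacement is still caught by the SHA-256 comparison."""
    original = b"\x7fELF stand-in login v1\x00" + b"A" * 16
    replaced = b"\x7fELF stand-in login v1\x00" + b"EXTRA-STRING" + b"A" * 4
    epoch = 1_000_000_000
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "login")
        with open(path, "wb") as f:
            f.write(original)
        os.utime(path, (epoch, epoch))
        baseline = build_baseline([path])
        with open(path, "wb") as f:
            f.write(replaced)
        os.utime(path, (epoch, epoch))  # timestamp forged back to the original
        return verify(baseline)


if __name__ == "__main__":
    print("sum collides:", sysv_sum(b"ab") == sysv_sum(b"ba"))
    for finding in demo():
        print(finding)
```

Keeping the baseline's string table lets the report show what text appeared in the replaced file, which is the same evidence the "strings" check in the paper relies on, but compared against a known-good copy rather than eyeballed.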






© Copyright 2012, Design by Srikanth Suryadevara. Powered by Blogger.