|Home||Pauline's Pages||Howto Articles||Uniquely NZ||Small Firms||Search|
|Internet Security - Protection against Hackers|
The risks are increasing as people stay longer on-line and hacking tools improve. Conventional wisdom was that your identity changed every time you dialled in to your ISP so the chances of being hacked were remote. That is no longer true and a weak machine can be identified and targeted in minutes. The default Internet/Network configuration on almost every Windows machine leaves it wide open to attack.
The end result is potentially disastrous in that many machines are as accessible over the Internet as from any local Network machine and even when a Network is not required or in use the Network components are loaded by default. The user is unaware and again the default is that there is no password even when the machine is turned on. This leaves only statistics to protect you - each Dial-Up session via an ISP lasts only a finite time and with Dial Up connections and the address on the Internet will be a random selection from the ISPs addresses. The protection has been largely eroded by the longer times spent on-line with cheap access via "free" services and the speed with which scanners can probe Internet addresses looking for vulnerable machines.
To give you a feeling for what can be done, this is a boast alleged to have been made by Greg Hoglund, the author of the"Asmodeus" scanner:
|"Right now, Asmodeus is capable of scanning ranges of TCP ports on subnets. At the time I originally wrote the socket engine, it was the fastest scanner on the Net. Since that time, a few other scanners have been released which are pretty darned fast. Most of these are commercial and very expensive at that. Asmodeus can keep up. I have scanned entire class C's in less than a minute. You can scan some small countries in one night ;) I believe Asmodeus can stream along at a modest 30,000 sockets per minute under optimum conditions. All of the data that is gleaned from the scan is passed through a user-supplied script. This script allows you to define what security holes will be checked for........"|
I have now looked at several other machines which have the default Network Settings, both as configured on delivery or when a Network adapter had been installed - every one would have been wide open if used on the Internet. A further disturbing feature is that the Window Plug and Play has also detected and installed and or reconfigured the Networking settings invisibly in several cases. This seems to have occurred when completely different devices have been installed such as a printer - the Network Settings were then different to those I had initially set up and in one case I found a duplicate adapter had been installed with different settings to the original. I have had the same problem with a duplicate Modem being installed with a new printer.
The second solution is to install a Firewall, again this may not be simple to configure but should be taken seriously if you have a Local Network sharing files. It is a must if family/staff economise on passwords on a Networked machine.
Regardless of the solution you adopt you should also consider having all your sensitive and important information encrypted using PGP or similar. This also covers you against theft or local investigation of your business or personal data.
In order to reach its destination, whether it's another computer two meters or two continents away every Internet Packet must clearly contain a destination address and, so that the receiving computer knows who sent the packet, every packet also contain the address of the originating machine. The address is made up of two parts, the IP address which always identifies a single machine on the Internet (you often see these as blocks of numbers like 123.456.789.012 in your Browser status line) and a port which is associated with a particular service or conversation happening on the machine. Think of an IP address as a computer's switchboard number and a port as an individual phone extension. Software on your PC creates ports to allow specific networking functions. Web access, for example, generally uses port 80, while FTP runs through port 21. To get in, the hacker must find an open port on your machine.
Firewall software inspects each and every packet of data before it's seen by any other software running within your computer. A Firewall therefore has total veto power over your computer's receipt of anything from the Internet. A TCP/IP port is only "open" on your computer if the first arriving packet, which requests the establishment of a connection, is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet.
The real power of a Firewall is derived from it's ability to be selective about what it lets through and what it blocks. Since every arriving packet must contain the correct IP address of the sender's machine, (in order for the receiver to send back a receipt acknowledgment) the Firewall can be very selective about which packets are admitted and which are dropped. A Firewall can be designed to "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port. So, for example, if you were running a web server and needed to allow remote machines to connect to your machine on port 80 (http), the Firewall could inspect every arriving packet and only permit connection initiation on your port 80. New connections would be denied on all other ports. The Firewall allows - in the telephone analogy - you to select, depending on who calls and which extension whether you answer, allow the phone to ring or give an unobtainable note.
Firewall technology makes it possible for your home and office computers to safely share their files without any danger of unauthorized intrusion. You simply instruct the Firewall running on your office computer to permit connections on the NetBIOS file sharing ports 137-139 only from the IP address of your home computer. The Firewall running on your home machine would similarly be instructed to permit connections on ports 137-139 only from your office machine's IP address. Thus, either machine can "see" the other's ports, but no one else on the Internet can see them.
This sounds great but what about outgoing calls where you expect information back. It is slightly more complex than the telephone analogy because we are using packets. For example, when you surf the web you need to connect to web servers that might have any IP address (how the http://www.xyz.com is converted to an IP address for you is another story). You wouldn't want all those to be blocked just because you want to block everyone from getting into your machine. It turns out that this is easy for a Firewall too. Since each computer involved in an Internet connection is usually acknowledging the other's data, most packets that flows between the two machines have a bit set in it as a "flag" to denote that it as an acknoledgement. Only the first packet which initiates a new connection would not be acknowledging any previous data from the other machine. In other words, a Firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection can be allowed to pass through the Firewall, but packets representing new connection attempts can be discarded. Thus, a Firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside.
There is one more thing that one might want to do and that is to restrict the programs that can access the Internet from within the Firewall and initial connections just in case a virus, hacker, disgruntled employee or industrial spy has left a piece of code on your machine which sends your passwords or data out. The Firewall has no way of knowing what data is being sent but it can filter based on the basis of the application generating the data. In the telephone analogy it is like checking that nobody connects a Fax machine that you do not know about and sends without approval.
The difficulty is not in writing a Firewall program but but in making it user friendly. It must be easy to configure so that it stops everything you do not want to get in whilst allowing you to carry on your normal activities without you having to know the IP address and port number for every connection and details of every program. It should also tell you what it is doing - you do not want to find things stop working without any idea why yet not swamp you with so many warnings etc so you grind to a halt.
Installation is very easy - you download and run a single 1.6 Mbyte file and fill in some registration information and that is it. The next time you reboot the machine it is running and protecting you - there is a new "icon" in the tooltray allowing quick access. The first time it runs it also brings up a screen showing you how to also get a little control panel on the toolbar which is useful whilst you get to know the program. At this point it knows nothing about you programs but it will have already found your local Network. When you first try to connect a program to the Internet such as your browser it will detect and ask if you want to continue and also give you the option to always allow such connections in the future. Each program it detects is added to a list and you can set up any options at a latter stage but if you have allowed it to connect in the future that is usually all you need to do and it will be invisible from then on. I have about 10 programs that it has found including email, FTP and browsers.
Whilst you have been doing this you will probably find that every ten minutes or so you will find an Alert screen saying attempts to connect have been made from outside, some are benign, some are hackers - eventually I turned on the option of sending them to a log file and not popping up on the screen. The Firewall has different Security levels and in the default high security mode there is no response to external "probes" which is what you would normally want although sometimes you will need a lower level as sometimes places you are connected to do some checks for security and to make sure you are still connected. This will be obvious if you turn the Alerts back on and see if there are Alerts coming from a somewhere you are connected with.
Configuration of Zone Alarm with "problem" programs: I have only discovered one "problem" so far on my system with Zone Alarm. When I use FTP to upload to Freeserve's web space the server seems to run checks on my existence and will not work if you work in the highest security "Stealth" mode which does not acknowledge my existence to packets from their web server. All the other web servers I use are quite happy. The first thing to try is lowering the security level to Medium if you have such problems - that still gives good protection and can be raised after your program has run - FTP to Freeserve worked as usual with Medium security. It is then possible to also add such sites to the "local" list which runs by default at medium security to avoid reducing your security whilst using FTP - in the case of Freeserve's FTP there were two addresses which came up as alerts and I added a range covering them in case there were more I had missed. Similar problems have been reported with "chat" programs such as ICQ, MSN Messenger and Netmeeting but judging from my experience with Freeserve it should not be too difficult to configure Zone Alarm to protect you whilst they are in use. I should note that these are not problems with Zone Alarm - it is doing exactly what it should, it is problems with the way programs have been implemented without regard to the increasing use of Firewalls.
Peter and Pauline Curtis
Most recent significant revision: 7th October, 2000