Not exactly aviation, but computer and Internet security is something all of us should know about. Who is stealing your digital secrets...
Internet security
by Venik
However, being a fellow web surfer, I am sure you are interested in Internet security as much as I am. I receive hundreds of e-mails every week, and this prompted me to write a short review of some of the most common security threats on the Internet. Even experienced web surfers are often unaware of the many dangers of sending private information over the Net. I work in the field of computer security and perhaps you will find some of my thoughts on the subject useful.
Passwords and Encryption
So, you want to know how secure your "secure" information really is? Let's consider one very common situation: you have Microsoft Office 97 / 2000. This product allows you to encrypt a document using a password and a fairly advanced encryption algorithm. The encryption technique used by Office 97 / 2000 is a fairly sophisticated one. However, it is artificially limited in its capabilities because of US government regulations. This, and the general tendency of users to select simple passwords, is what makes such encryption vulnerable.
If your password is a
common word (in any language), a name, a technical or scientific term, etc., then your
file can be opened using a simple program available on the Internet for free in a matter
of minutes. Common words and names are frequently used by people as passwords because they
are easy to remember. If you chose a numeric password or if your password incorporates
various extended ASCII characters, your password can still be cracked by an average PC in
a matter of days, if it's about 7 digits long.
Let's say you have a long
and complex password (which you will probably have to write down somewhere, reducing its
advantage to nothing). Your file is quite secure, right? No, it is not secure because of
the government regulations, which limit the power of commercially-available encryption
programs. Any Office 97 / 2000-encrypted file can be cracked by a single PC in about two
months using a freeware program that's very easy to use.
There are several ways to reduce the two-month decryption period to days, hours, or even minutes. Two months is for a Pentium II @ 333 MHz. A supercomputer (available to government agencies, corporations, and people with useful connections) can do the job in minutes. A network of several PCs can decrypt a file in days or minutes, depending on the number of computers available. Imagine a situation: a college dorm or a corporate office with 20 PCs connected into a LAN (local area network). A small decryption program is installed on all of the computers and the workload is evenly distributed (or distributed according to the processing power of individual computers in the LAN). Now divide the two-month waiting period by twenty.
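The arithmetic behind "divide the two-month waiting period by twenty" is worth seeing in code. The example below is an added illustration, not code from the original article: it computes the worst-case time for an exhaustive password search from the alphabet size and length, and shows how evenly splitting the work across several PCs shortens it. The character-set sizes, the one-million-guesses-per-second rate and the machine counts are assumptions chosen for illustration, not measurements from the article.

```python
# Added example (not part of the original article): rough worst-case timing for an
# exhaustive password search, and how splitting the work across several PCs shortens it.
# The guess rates and machine counts are constructed assumptions, not measurements.

# Alphabet sizes for the password styles the article mentions (assumed values).
CHARSETS = {
    "digits": 10,       # numeric-only password
    "lowercase": 26,    # single-case letters
    "alnum": 62,        # upper- and lower-case letters plus digits
    "printable": 95,    # printable ASCII, including ~!@#$%^&*
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must try in the worst case."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       guesses_per_second: float, machines: int = 1) -> float:
    """Worst-case seconds to try every candidate.

    `machines` identical computers sharing the work evenly cut the time by that
    factor: this is the article's 'divide the two-month waiting period by twenty'.
    """
    if machines < 1 or guesses_per_second <= 0:
        raise ValueError("need at least one machine and a positive guess rate")
    return keyspace(charset_size, length) / (guesses_per_second * machines)


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, with one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare_styles(length: int, guesses_per_second: float, machines: int = 1) -> dict:
    """Worst-case time for each password style at a fixed length, as readable strings."""
    return {name: humanize(seconds_to_exhaust(size, length, guesses_per_second, machines))
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    RATE = 1_000_000.0  # assumed guesses per second for a single PC of the period
    print("7-character password, one PC:")
    for style, t in compare_styles(7, RATE).items():
        print(f"  {style:>9}: {t}")
    print("7-character password, 20 PCs on a LAN:")
    for style, t in compare_styles(7, RATE, machines=20).items():
        print(f"  {style:>9}: {t}")
```

Two things the table makes obvious: a 7-digit numeric password is gone in seconds at any plausible rate, while each extra character drawn from the full printable set multiplies the work by 95; and adding machines only divides the time linearly, so the attacker's twenty PCs are no match for two or three extra characters chosen from a large alphabet.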
Many other popular programs, like Word 95 or WordPerfect, use encryption algorithms that can be cracked instantly by any computer.
The best way to keep your
secrets is not to have any :-)
Decryption and Password Cracking
Here's a real-life
illustration of how your digital secrets may be obtained by hackers.
The "wrl1287 - encrypted" file is a password-protected Word 97 document. If you try to open it in MS Word, the program will ask you for a password, as you can see in the illustration above.
A program called Advanced
Office 97 Password Recovery (widely available on the Internet for free) will find the
password in up to several hours if the password is under 8 digits long.
However, if the password is 8 digits or longer, you will need to use something else. Something like the GuaWorD program - another free, simple, and widely available program. This program will not get you the password, but it will decrypt the Word file in under 10 days on a single PC (or much faster on multiple PCs).
That's what I used to decrypt the interesting "wrl1287 - encrypted" file, which turned out to be a Kosovo Liberation Army document. I decrypted this file myself, and just a few days earlier I had known almost nothing about cracking encrypted Word files. This should give you some idea of how easy it is to decrypt some information.
What is safe...
"All my confidential
files are kept on my home computer and only I have access to it, so everything's safe even
without the fancy encryption." That's what many people believe and they are correct
to a certain extent: as long as you can control access to your computer, your files will
be safe. The real question here, as you probably already know, is whether or not you can
control access to your computer. And locking the door to your bedroom may not always be
the answer.
As always, here's a
real-life example from my personal experience. My computer is connected to the Internet
through a TV cable connection. In other words, whenever my computer is working, it is
online and hackers can see it (and not just hackers). Cable connection is quite fast,
which is good for me. Unfortunately, it is also good for a hacker, who can quickly
transfer large amounts of data from my machine, once he gets access to it. And, since my
computer is on and online most of the time, chances are that I may not be near my computer
at the time such a transfer takes place. So I won't even know if something was stolen.
Here's how it works:
During your voyages through the Internet you pick up a special kind of computer "virus" called a "Trojan horse." You probably know the legend, so I won't go into ancient mythology and will stick to modern-day "Trojans." By itself, this program is quite harmless - it will not go on a wild rampage through your machine, destroying all your porn photos and other important stuff you may have. The "Trojan" will install itself in a very stealthy manner and make sure that it is loaded into memory every time you start your machine. It will also make sure that it does not show up when you give your Windows the three-finger salute (pressing CTRL-ALT-DEL to bring up the list of running processes). In other words, the "Trojan" will hide itself quite well and, chances are, it will not be picked up by any popular anti-virus programs.

The rest is simple. A hacker would scan a range of IP addresses (Internet Protocol address - a unique Internet "name" of your computer when it's connected to the Net) and, if the "Trojan" is installed on any computers in the given range of IPs, it will respond. The hacker will now have absolute control of your machine (sometimes even more control than you have). The hacker can now read your files and do anything he wants with your information. And the worst thing is that you won't suspect a thing, if you are dealing with an experienced hacker. Sometimes (although rarely) you may be specifically targeted by a hacker. This means that the hacker knows something about you and knows that you may have some important information on your computer. This is a very dangerous situation.

There are many ways a
"Trojan" can find its way to your machine. It may already be there and neither
you nor your anti-virus software know about it. If you are personally targeted by a
hacker, the latter may find many ingenious ways of getting the "Trojan" to your
machine. It's not all that complicated. Many advanced "Trojans" are very small
in size but exceptionally sophisticated and often can operate on their own even when
your computer is offline! They can look for certain files, extract certain strings of
information (such as your bank account and credit card numbers), compress this
information, and wait until the next connection to transmit this info to a specified
location. Such a location may be a public FTP server (file server), which can be freely
accessed by anyone and anyone can retrieve the information deposited by the
"Trojan", so there's no way of identifying the hacker. Naturally, a hacker would
be attracted by any encrypted files you may have on your machine: if they are encrypted,
they must be quite important. And we already discussed the problems with encryption.

There are hundreds of different "Trojans". Some allow general access to your computer and some - more sophisticated - can work autonomously, gathering valuable information and delivering it to the hacker. Many of these "Trojans" will not be detected even by the latest anti-virus software. (You see, the "Trojans" are not really viruses and they don't behave like viruses, so the anti-virus software must know exactly what to look for, otherwise it will miss a "Trojan." And it is relatively simple to modify a "Trojan" so the anti-virus software does not recognize it as a hostile application.) Even when the "Trojan" is located, removing it is not an easy task. In many cases, an anti-virus program may not be able to get rid of the "Trojan" even if it thinks it found one. You need to obtain instructions for removing the specific type of "Trojan" installed on your machine and to follow these instructions to the letter. This often involves modifying the registry and doing other advanced things unfamiliar to most computer users.
Know your enemy
When you are on the
Internet, you must watch your back. Some computer users believe that security does not
concern them, because they do not keep any sensitive information on their machines. They
are wrong. Just one example: a hacker can access your computer to distribute a computer
virus. The FBI will come knocking on your door and their primary goal would be to put you
behind bars, since looking for the real hacker may take too long and chances of catching a
hacker that smart are not very high anyway.
Of course, everyone sees their job differently, but for you these philosophical intricacies along with some bad luck may mean spending twenty years in a state house. You may be a randomly-picked target or the hacker might have targeted you on purpose, which is always more dangerous. My advice: don't have enemies with a degree in computer science and/or too much free time on their hands. (Trust me: I have plenty of enemies that fall precisely into these two categories, and it ain't fun.)
Defending yourself may be
difficult or even hopeless. When you work with computers long enough, you start realizing
that nobody really knows how these devious machines work. Computers are built to use the
twisted logic of the humans who created them. The only problem is that, unlike us,
computers always follow this logic to the end. Quite often computers do things that
perplex even the most experienced computer experts. And if you want to know just how
advanced many computer experts are, just remember all the hype around the "Y2K
bug," remember all the people who spent insane amounts of money in 1999 to prepare
for a nuclear holocaust, that was supposed to be caused by a problem that never
materialized in any significant way (and not because we did such a good job preparing for
it, but because there are so few computer specialists who really understand their job).
Some more scary stories
Here's something that happened to me just a few days ago. After installing a high-speed Internet connection, I figured that it would be a good idea to spend a hundred bucks and get some personal firewall software. This type of application controls what's going through that cable connecting your computer to the wall :-) The firewall software I have is a widely-available commercial package that was modified by me to eliminate certain known problems and to address some of my personal requirements. Simply put, the firewall software watches over the incoming and outgoing connections, blocks some suspicious stuff (and also blocks ads, which is always nice), and keeps the unused ports under lock (ports are basically doors into your computer, which may be used by a hacker to get in or by special kinds of "Trojans" to transmit info from your machine.)
I knew that many consumer-class firewall applications have plenty of security holes. As an example, the firewall software allows the application named iexplorer.exe (your MS Internet Explorer browser) full access to the Net. That's OK, since you use the browser to access the Web and other places. However, it may be enough to rename, say, the SubSeven "Trojan" to iexplorer.exe for this dangerous program to get full access to the Internet right through your firewall. The firewall asks the SubSeven virus when it tries to access the Web: "Who are you?" And the virus replies "I am the Internet Explorer." And the firewall says: "Oh, sure, go ahead, have full access to the Net any time you want." Pretty stupid, but true nevertheless.
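The weakness described above is that the rule is keyed on a file name, which anyone can choose. The following is an added example, not code from the article or from any firewall product: it models the name-based rule beside a content-based one that allows only a binary whose hash was enrolled when the rule was created. The Windows paths, the file contents and the tiny "disk" dictionary are constructed stand-ins; the file name iexplorer.exe is the one the article uses.

```python
# Added example (not part of the original article): why an outbound-access rule keyed on
# the program's file name is weak, and the same rule keyed on the file's contents instead.
# The paths and file contents below are constructed stand-ins for files on disk.
import hashlib

REAL_PATH = r"C:\Program Files\Internet Explorer\iexplorer.exe"   # constructed path
FAKE_PATH = r"C:\Windows\Temp\iexplorer.exe"                      # constructed path

# Constructed "disk": path -> bytes. The second file has the browser's name but not its code.
FILES = {
    REAL_PATH: b"genuine browser image (constructed)",
    FAKE_PATH: b"unrelated program renamed to look like the browser (constructed)",
}

ALLOWED_NAMES = {"iexplorer.exe"}   # the name-based rule the article describes


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def fingerprint(data: bytes) -> str:
    """SHA-256 of the program image; changes whenever the file's contents change."""
    return hashlib.sha256(data).hexdigest()


# Content-based rule: the genuine binary is enrolled once, when the rule is created.
TRUSTED_HASHES = {fingerprint(FILES[REAL_PATH])}


def allow_by_name(path: str) -> bool:
    """Name-based rule: any file called iexplorer.exe gets out."""
    return basename(path) in ALLOWED_NAMES


def allow_by_hash(path: str, files=FILES, trusted=TRUSTED_HASHES) -> bool:
    """Content-based rule: only the enrolled image gets out, whatever it is called."""
    return fingerprint(files[path]) in trusted


def decisions(path: str, files=FILES, trusted=TRUSTED_HASHES) -> dict:
    """Both verdicts side by side for one program trying to open a connection."""
    return {"by_name": allow_by_name(path),
            "by_hash": allow_by_hash(path, files, trusted)}


if __name__ == "__main__":
    for path in (REAL_PATH, FAKE_PATH):
        print(path, "->", decisions(path))
```

The content-based rule has a second property worth noting: if the genuine browser binary is later replaced or patched, its hash no longer matches and the firewall must ask again, which is exactly the moment a user should be consulted.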
Generally, designers of
consumer-level firewalls are lazy SOBs who are more concerned with making a quick buck by
giving you a false sense of security. And don't let "respectable" names of
firewall applications like Norton or McAfee confuse you - they have some of the biggest
security holes. These firewalls are getting better, but not fast enough. If you go to the
store today and buy a commercially-available firewall software, you'll just be trying to
cover one security hole with another. But it's better than nothing. Such firewall programs
will not protect you from advanced hackers, but they will keep all kinds of teenagers away
from your machine.
So, back to my story. I
installed firewall software and tweaked it until I got rid of some known problems. The
very next day the firewall intercepted a break-in attempt by some smartass using the
SubSeven "Trojan." My software is configured to record the hacker's IP address
and to automatically run a trace to obtain the hacker's physical location and any other
available network information. After this operation is completed, my firewall program
e-mails all the info to my Palm computer. Here's what I got in the e-mail while I was
stuffing my face with a sandwich at work:
Rule "Default Block
Backdoor/SubSeven Trojan" blocked
(cn611423-a,Backdoor-g-1). Details:
Inbound TCP connection
Remote address,service is (65.0.199.139,3010)
c1178902-a.provo1.ut.home.com
Latitude: 20.910000
Longitude: 55.390000
Saint Denis, Mascarene Islands (Fr.)
@Home Network
As you can see, the hacker
was trying to use the Backdoor/SubSeven Trojan to gain access to my machine. If some of
you have problems with geography, the Saint Denis island, from where the hacker was
operating, is located between Madagascar and Mauritania and it belongs to France. And,
obviously, they do have cable Internet over there. After the initial e-mail, I received 50
more (!) e-mails from my firewall. The hacker was quite persistent and tried to test my
system for presence of several different "Trojans," including the Black Orifice
and even the newest Russian Salamander "Trojan." This told me that the hacker
was not an amateur and that I had to do something to stop this, because sooner or later
this dude would have gained access to my machine.
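The fifty follow-up e-mails are the interesting part: one address probing several different backdoor ports is a pattern, not an accident. The following is an added example, not code from the article or from the firewall product it describes: it parses alert text laid out like the e-mail quoted above, then flags any remote address that produced several blocked attempts and lists the ports it tried. The alert blocks, host names, rule names, IP addresses (from the documentation ranges) and ports are all constructed.

```python
# Added example (not part of the original article): parsing alerts laid out like the
# firewall e-mail in the article, then flagging a remote address that keeps probing
# different backdoor ports. Alert text, host names, IPs and ports are constructed.
import re
from collections import defaultdict

SAMPLE_ALERTS = """\
Rule "Default Block Backdoor/SubSeven Trojan" blocked (host-a,Backdoor-g-1). Details:
Inbound TCP connection
Remote address,service is (192.0.2.10,3010)

Rule "Default Block Backdoor/Constructed-A" blocked (host-a,Backdoor-x-1). Details:
Inbound TCP connection
Remote address,service is (192.0.2.10,3011)

Rule "Default Block Backdoor/Constructed-B" blocked (host-a,Backdoor-y-1). Details:
Inbound TCP connection
Remote address,service is (192.0.2.10,3012)

Rule "Default Block Backdoor/SubSeven Trojan" blocked (host-a,Backdoor-g-1). Details:
Inbound TCP connection
Remote address,service is (198.51.100.7,3010)
"""

RULE_RE = re.compile(r'Rule "([^"]+)" blocked')
REMOTE_RE = re.compile(r"Remote address,service is \(([\d.]+),(\d+)\)")


def parse_alerts(text: str) -> list:
    """Split the e-mail text into alerts and pull out rule name, remote IP and port."""
    alerts = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rule = RULE_RE.search(chunk)
        remote = REMOTE_RE.search(chunk)
        if not (rule and remote):
            continue          # malformed block: skip rather than guess
        alerts.append({"rule": rule.group(1),
                       "ip": remote.group(1),
                       "port": int(remote.group(2))})
    return alerts


def persistent_sources(alerts: list, min_alerts: int = 3) -> dict:
    """IPs with at least `min_alerts` blocked attempts, each mapped to the sorted
    list of distinct ports it tried. Several different backdoor ports from one
    address is the 'not an amateur' pattern the article describes."""
    ports = defaultdict(set)
    counts = defaultdict(int)
    for a in alerts:
        ports[a["ip"]].add(a["port"])
        counts[a["ip"]] += 1
    return {ip: sorted(ports[ip]) for ip, n in counts.items() if n >= min_alerts}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print(f"{len(parsed)} alerts parsed")
    for ip, tried in persistent_sources(parsed).items():
        print(f"persistent source {ip}: probed ports {tried}")
```

The output of persistent_sources() is what you would attach to a complaint to the source's ISP: the address, the number of blocked attempts and the ports, which together show intent far better than a single alert does.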
From the hacker's IP
address I could see that he was using the @Home network for his Internet access. Since I
was using the same ISP, I sent the complaint to the @Home and they closed the hacker down.
Now this dude must be pretty angry, since there's no other high-speed ISP on his island,
so it's back to dial-up for him, he-he... :-)
This is just one incident
and it was resolved fairly quickly. One thing still bothers me about this situation: the
hacker was targeting specifically my IP address, which means that he wanted to get
into my computer and not just any computer. I got my IP address just a few days earlier
and the hacker already knew it and knew that I was the owner of the address. You have to
agree that this is quite disturbing.
What is also interesting is
that the hacker was using the same ISP as I was - the @Home network. This suggests some
sort of a security leak in the @Home's confidential customer databases. Even though I did
not register with the @Home using my real name or address (it did require some creative
lying, which involved a certain friendly neighbor and a dead dog, but I will not bore you
with the details :-), my e-mail address is still "Venik," and that's the only
trail the hacker could have followed. The hacker probably didn't know that I work as a
server system administrator and also know some of the hacking tricks, so he got burned.
But it does not mean that he will stop trying :-( You never know what's worse: to see the
hacker try to get into your system, or to see the "everything's OK" status of
your firewall software...
¡No Pasaran!
Finally we got to the most interesting and useful part of this short guide to Internet security - how to protect your digital secrets. For the sake of simplicity, let's break this complex task down into the following sections:
general computer security measures
matters of encryption
controlling your Internet connection
securing electronic transmissions
General computer security
Any particularly sensitive information (and I'll leave the definition of this broad term up to you) should not be kept on a networked computer. It is as simple as that. Buy yourself a second cheap PC for the sole purpose of storing sensitive information. Get yourself good encryption software (PGP is quite good and it's free) and use it to encrypt files on the non-networked computer. Get some general security software for Windows (or your particular OS) that would control overall access to your machine (just in case anyone manages to get physical access to your computer.) All these measures together will provide your sensitive information with a very high level of security.
Choose long and complex passwords and commit them to memory. I just ran a password cracking program on a shadow file (a file on UNIX servers that contains encrypted passwords): out of about 2000 users, 20 had apple1 as their password, and about 200 passwords were cracked in under 6 minutes on a Pentium III 933MHz PC. Don't be that naive. Don't use dictionary words or names (even in combination with numbers). Don't use passwords shorter than 8 characters. Don't use a password that in any way resembles your user name. Always incorporate extended ASCII characters into your password (i.e. some of this stuff: ~!@#$%^&*). Change your passwords at least every three months.
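The rules just listed are easy to turn into an automated check, which is how a sysadmin would find the twenty apple1 accounts before a cracker does. The following is an added example, not code from the article: it applies the article's rules (no dictionary word or name, even with digits tacked on; at least 8 characters; nothing resembling the user name; at least one of ~!@#$%^&*) to candidate passwords and audits a constructed set of accounts. The word list, the leet-substitution table and the accounts are constructed for illustration; a real audit would use a full dictionary and the site's own name lists.

```python
# Added example (not part of the original article): a checker for the password rules
# the article lists, plus a small audit over a constructed set of accounts.
# The word list and the accounts are constructed for illustration.
import re

SPECIALS = set("~!@#$%^&*")          # the characters the article asks for
MIN_LENGTH = 8

# Tiny stand-in for a real dictionary and name list (constructed).
WORDLIST = {"apple", "password", "summer", "dragon", "john", "maria"}

# Substitutions people use to "disguise" a word; undone before the lookup so that
# p@ssw0rd is recognised as password, just as a cracking program would.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "@": "a", "$": "s"})


def base_word(password: str) -> str:
    """Reduce 'Apple1', 'apple2000' or 'p@ssw0rd' to the plain word an attacker would try."""
    core = re.sub(r"^\d+|\d+$", "", password.lower())   # drop leading/trailing digits
    return core.translate(_LEET)


def check_password(password: str, username: str, wordlist=WORDLIST) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if base_word(password) in wordlist:
        problems.append("based on a dictionary word or name")
    u, p = username.lower(), password.lower()
    if u and (u in p or p in u or u[::-1] in p):
        problems.append("resembles the user name")
    if not SPECIALS & set(password):
        problems.append("no special characters (~!@#$%^&*)")
    return problems


def audit(accounts: dict) -> dict:
    """Map each user whose password breaks a rule to that user's list of violations."""
    report = {}
    for user, password in accounts.items():
        problems = check_password(password, user)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # Constructed accounts, in the spirit of the shadow-file audit in the article.
    SAMPLE_ACCOUNTS = {
        "jsmith": "apple1",
        "bob": "P@ssw0rd",
        "alice": "Tr4il~mix#Kite9",
    }
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: " + "; ".join(problems))
```

Note what the checker does not do: it never stores or prints the passwords themselves, only the verdicts, which is the right shape for anything that runs against a real shadow file.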
These are the basics. If
you don't follow these simple rules, you either don't have any secrets or you are asking
for trouble. Most computer users would fall into these two categories, so don't be
offended.
Encrypting files
High-quality encryption software is available for free. One of the more popular freeware packages is Pretty Good Privacy, or PGP. US export restrictions forbid American companies from exporting high-quality encryption software. So if you are getting an encryption program, get the one designed for internal use in the U.S. (if you live in the States, of course), or buy something made in your own country. Never buy exported encryption software. Countries that have good encryption programs include Russia, the US, and France. Use at least 128-bit encryption, although 256-bit is preferred (standard in Russia since 1989 - currently the highest government-standard encryption level in the world. Just some standard Russian paranoia :-)
Do not assume that your data is 100% safe
even if you encrypted it with the best algorithm, the longest key or the most complex
password. Security is a relative term. Everything depends on how important your
information is. If it's your credit card number or your personal financial documents - you
would be OK in most cases. However, if we are talking about industrial or military secrets
- no encryption is good enough. Ask yourself this question: who may be interested in your
sensitive information. If the answer is - maybe some hacker somewhere, a roommate, a
family member, a co-worker - encryption will provide you with a high level of
security.
However, if the answer is - KGB, CIA, some
large corporation, your long-time personal enemy - encryption alone won't suffice. Even a
person who normally does not have access to powerful computing equipment or even who is
not a computer expert, given enough persistence, time and money, will decrypt your files.
For example: anybody with no computer experience can have a Word 97-2000 file decrypted in
a matter of 2-3 days for about $45 using one of the many professional services widely
available on the Internet.
Secure Internet connection
There's no such thing. But this should not
stop you from trying to make your Internet experience as safe as possible. This is a
contest between you and all the hackers out there. Whoever gives up first - loses. Put a
few dollars together and buy yourself a firewall program. But before doing that, research
the topic for a few days and select the most recommended software. Install it and use it.
This is the most important part: many people who install firewall software, soon disable
it because it keeps on nagging them with various questions ("should I allow this or
that connection?") Don't be upset by this, in a week or two your firewall learns
about your Internet habits and won't bother you with too many questions.
Most firewall creators provide regular
updates for their programs. Downloading and installing these upgrades is essential. This
should be done regularly and not just whenever you remember to do it. Put it in your
schedule and do it at least once every month. If you are not an experienced Internet user
and the firewall software gives you some strange warning, don't hesitate to call technical
support or to post a question online to a computer security forum. If you suspect that
someone is trying to break into your computer while you surf the Net, get all the info you
can from the firewall program and contact your Internet service provider.
System administrators hate hackers (although sysadmins often do some hacking themselves). So, if you ask your sysadmin for help, chances are that he will go out of his way to squash the hacker. It's a matter of professional pride for most good sysadmins. From your end, you also should take some measures to stop the hacker. If you see that someone is being quite persistent in his attempts to get into your machine, first secure your sensitive information (encrypt it, transfer it to a non-networked computer or external storage media) and then try to find out who the hacker's ISP is and contact them.
Securing e-mail
Many people put sensitive information in their e-mails. That's not a problem. The problem is that very few of them use encryption. Those who use encryption will attract the attention of various government agencies involved in electronic espionage. These agencies have all the resources and expertise required to rapidly decrypt insane amounts of information and then search for specific keywords or phrases, such as "my uncle, Osama bin Laden, comes to visit me next week." :-) An example of such a snooping government-sponsored system would be Echelon, used by the US National Security Agency to spy mainly against the European Union. If you are targeted by a monster like this, obviously you have some serious secrets and require the services of a professional computer security expert.
There is one way of using encryption over
e-mail without attracting too much attention. The technique is called steganography.
This is somewhat similar to digital watermarks added to images, say, by Photoshop (I know,
some steganography enthusiasts will bite my head off for this comparison, but I am doing
my best here). Steganography applications can embed encrypted data into digital photo
images. Considering the volume of porn traveling on the Net, it becomes evident that
checking every shot of Busty Dusty for encrypted secrets would require some serious
processing power and time. Steganography applications are available for free and there are
versions for most operating systems. You should research this subject if you send
encrypted files over e-mail.
Software
Personal Firewall