Analysis of Internet and Security
By Magesh Parthasarathy
The modern internet has become very popular with regular residential customers, ranging from students and youngsters to adults and senior citizens. People browse with their favorite browsers for various purposes such as e-commerce, watching online movies, games, email, voice and text chat applications, web-based video conferencing, webcam applications and file sharing of digital media content using NAS or SAN, often without any awareness of hackers and security issues. This paper analyses those security issues and the different means by which hackers get into end users' personal computers and cause security havoc. It also discusses issues with enterprise customers, where products such as proxy appliances, dedicated firewalls, application load balancers and VPN devices sit between the data centre and the end user, whose traffic traverses the different network access points across the internet.
Personal computers generally come with the Windows operating system or one flavor of the UNIX operating system. Whenever a client opens a browser and types in an HTTP URL, various things happen behind the scenes without the knowledge of the user. A DNS resolution takes place with the DNS server for that particular website domain, which yields the IP address. A route lookup for the destination is made and the packet is pushed out on the preferred interface where the route exists. The packet leaves the machine through a wired Ethernet connection or a wireless connection. Home users generally install firewall and antivirus software on their machines. In addition, an external firewall that supports NAT generally sits between the personal computer and the ISP-supplied cable modem or DSL router. The main purpose of such a setup is to ensure that the customers' personal computers are protected from viruses, denial of service attacks, buffer overrun attacks, SYN attacks, memory leaks causing system crashes, phishing, identity theft, rootkits, spyware, key loggers, botnets, and the theft of user names and passwords, credit card details and other valuable information stored on the customers' personal computers or their local network.
2. Different security vulnerabilities and attacks
2.1. Operating system Vulnerabilities
The operating system itself may contain vulnerabilities which a hacker can exploit to attack the personal computer and take control of it.
2.2. Browser Vulnerabilities
Hackers also try to exploit vulnerabilities in the browser and can remotely connect to the system through them. In browser hijacking, the user thinks he is going to a particular website, but the hijacker forces the browser to a site of his choosing with the help of code that got installed on the machine through pop-ups or browser holes; such code can also store cookies in the browser's address space by exploiting the shared library concept. The browsers concerned can be regular web content browsers as well as streaming media players and stream rippers.
2.3. External Firewall
The external firewall generally provides stateful inspection. This means it allows request packets originating from the personal computer to the internet and the corresponding response packets from the internet, while it blocks any packets originating from the internet that try to connect to the personal computer. The firewall also does NAT, where the single public IP address or range of public IP addresses learnt from the internet is translated to a range of private IP addresses. Some firewalls support DHCP release and renewal so that a new public IP address is learnt from the ISP. The firewalls also support wireless configuration and security configuration. They support configuring rules and access control lists at the port level, IP address level, protocol level, MAC address level and URL level, URL rewriting, as well as content-level matching of expressions for various applications. Rigid firewalls support inside local, inside global, outside local and outside global IP addresses and port address translation (PAT). Firewalls protect from IP spoofing through packet filtering.
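The stateful inspection and anti-spoofing filtering described above, modelled as an added example (not code from the paper): outbound flows from the LAN are recorded, inbound packets pass only when they answer a recorded flow, and WAN-side packets claiming a LAN source address are dropped. The addresses and the `lan`/`wan` interface names are constructed.

```python
"""Simplified model of stateful inspection plus anti-spoofing filtering.
Added example, not from the original paper; all addresses are constructed."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str   # "lan" (arrived from the home network) or "wan" (arrived from the ISP)
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """Allows LAN-originated flows and their replies; drops everything else inbound."""

    def __init__(self, lan_prefix: str = "192.168.1.") -> None:
        self.lan_prefix = lan_prefix
        self.state: Set[FlowKey] = set()   # flows initiated from the inside

    def _is_lan(self, ip: str) -> bool:
        return ip.startswith(self.lan_prefix)

    def filter(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Anti-spoofing: a packet arriving from the WAN must not claim a LAN source.
        if pkt.iface == "wan" and self._is_lan(pkt.src):
            return "DROP spoofed"
        # Outbound request from a LAN host: remember the flow and let it through.
        if pkt.iface == "lan" and self._is_lan(pkt.src) and not self._is_lan(pkt.dst):
            self.state.add(key)
            return "ALLOW outbound"
        # Inbound packet: allowed only if it answers a flow we recorded.
        if pkt.iface == "wan" and reverse in self.state:
            return "ALLOW reply"
        return "DROP unsolicited"


def run_demo() -> List[str]:
    fw = StatefulFirewall()
    pc, web, attacker = "192.168.1.10", "203.0.113.5", "198.51.100.7"
    packets = [
        Packet("lan", "tcp", pc, 50000, web, 80),          # browser opens a connection
        Packet("wan", "tcp", web, 80, pc, 50000),          # server reply matches the state
        Packet("wan", "tcp", attacker, 4444, pc, 445),     # unsolicited inbound probe
        Packet("wan", "tcp", web, 80, pc, 50001),          # "reply" to a flow that never existed
        Packet("wan", "udp", "192.168.1.99", 53, pc, 53),  # WAN packet with a LAN source
    ]
    return [fw.filter(p) for p in packets]
```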
2.4. Internal Firewall
The internal firewall is the software firewall installed on the customer's personal computer. It provides the same functionality as the external firewall, but localized to that particular machine, whereas the external firewall applies to a group of personal computers connected on a local area network.
2.5. Port Scanning
The customer's personal computer can be scanned for open ports, and if any unused ports are open, they are vulnerable to attacks by an intruder.
2.6. TCP SYN/RST and Land attack
Open ports can be bombarded with SYN packets alone, without the final ACK ever being sent, leaving several half-open connections that deplete memory and crash the system. A TCP RST attack causes route flapping in the case of the BGP application; the behavior varies from application to application.
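Half-open connections appear as SYN_RECV entries in the host's connection table, so one simple detection is to count them per remote address. This added example (not from the paper) parses constructed netstat-style lines; the threshold of three is an assumption.

```python
"""Count half-open (SYN_RECV) connections per remote address from netstat-style lines.
Added example, not from the original paper; the sample lines are constructed."""
from collections import Counter
from typing import Dict, List

# Constructed sample in the column layout of `netstat -tn` on a host under a SYN flood.
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.1.10:80        198.51.100.7:40001      SYN_RECV
tcp        0      0 192.168.1.10:80        198.51.100.7:40002      SYN_RECV
tcp        0      0 192.168.1.10:80        198.51.100.7:40003      SYN_RECV
tcp        0      0 192.168.1.10:80        198.51.100.7:40004      SYN_RECV
tcp        0      0 192.168.1.10:80        203.0.113.20:51234      ESTABLISHED
tcp        0      0 192.168.1.10:22        203.0.113.21:60000      SYN_RECV
"""


def half_open_by_source(netstat_output: str) -> Dict[str, int]:
    """Return {remote_ip: number of SYN_RECV entries} parsed from netstat output."""
    counts: Counter = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Columns: proto recv-q send-q local-address foreign-address state
        if len(fields) < 6 or fields[0] != "tcp" or fields[5] != "SYN_RECV":
            continue
        remote_ip = fields[4].rsplit(":", 1)[0]   # strip the ephemeral port
        counts[remote_ip] += 1
    return dict(counts)


def syn_flood_sources(netstat_output: str, threshold: int = 3) -> List[str]:
    """Remote addresses holding at least `threshold` half-open connections at once."""
    return sorted(ip for ip, n in half_open_by_source(netstat_output).items() if n >= threshold)
```

A flood that spoofs many different source addresses will not cross a per-source threshold; the total SYN_RECV count, and SYN cookies on the listening host, are the controls for that case.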
2.7. Weak passwords/Dictionary attack
Hackers can very easily figure out weak passwords and so retrieve the login credentials. A dictionary attack is one kind of attack that generates a series of candidate passwords for cracking a password.
2.8. HTTP Cookie information
Whenever an end user starts browsing, the server stores a cookie for that user on the client's machine for tracking the session. This cookie information, along with other temporary files stored by the client browser during browsing, yields valuable information to a hacker, who can steal them once he gains control of the machine and uses a backdoor to enter it.
2.9. Virtual or temporary ipaddress of sender
Sometimes hackers send advertisements as email. The full header information supported by most email clients reveals the sender's IP address, which might be a fake, non-existent temporary IP address. When users click on the link, their system gets infected with malicious code.
2.10. Botnet attack
The hacker gets into the system using backdoors and executes code on the system in such a way that the system opens random connections to the outside world under the control of the attacker. The affected system is called a bot. Spammers use this method as one of their techniques to send email spam.
2.11. Virus
Viruses are special programs that damage the file system and hardware such as the hard disk, slow down system performance, cause abnormal system behavior, etc.
2.12. Spyware
Spyware programs are written to track or monitor the user's actions, such as keyboard typing, the websites visited, how many times a user logged in and the timestamps of those logins. Spyware causes identity theft and invasion of privacy for the user.
2.13. JavaScript and ActiveX controls
Most browsers support JavaScript and ActiveX controls. Hackers utilize these to connect to the end user's machine when the user begins browsing the internet and run the culprit code in the form of scripts whose functionality is to monitor, track and perform key logging, and to transmit the collected information to the remote intruder, causing identity theft of the affected end user.
2.14. Wireless vulnerabilities
Hackers can intrude into the system through wireless means whenever the wireless system, be it the external firewall or the host personal computer, broadcasts its SSID. The hacker can attach his system through the SSID. Since most private networks use private IP address space, the hacker uses those addresses to easily intrude onto a system.
2.15. Raw text chat messages
Chat messages generally remain unencrypted. That leads to another security issue.
2.16. Phishing websites
Whenever a user tries to access a website by typing a URL into his browser, he may sometimes be led to a fake website, called a phishing website, whose primary purpose is to gather all the user's details without his knowledge.
2.17. Device drivers, capture cards, TV tuner cards (graphics and multimedia), kernel-based rootkits, browser-based rootkits, hypervisors and memory-resident programs
The intruder can install his hacking code in the device drivers without the knowledge of the user browsing the internet. The malicious code can also be installed as a rootkit or a memory-resident program that persists across reboots. Rootkits can also be hidden in the browser (a user-mode rootkit) in addition to kernel-mode rootkits. Similarly, there are audio and video capture cards and TV tuner cards (for watching TV on a computer with the utility xawtv) for capturing streaming content on a personal computer. The intruder can also attack a video capture utility like nvtv, a program designed to talk directly to NVIDIA video cards on a personal computer to enable their TV-out modes; it doesn't require any special video drivers or kernel support.
Once malicious code running on the host machine initiates a connection to the outside world, there is no way for the firewall to detect whether the connection was opened by the actual user or by the malicious code. The malicious code could also change the operating system's characteristics to permit an intruder to control the affected system and work with it remotely. Both the internal and the external firewall are easily fooled in such a scenario.
2.18. Login process and firewall functionality
Much commercial firewall software becomes operational only after the user login process. There is a time gap between the moment the user logs in and the moment the firewall software becomes operational. If a hacker is continuously bombarding a host with various attack scripts or test suites, it is possible for the hacker to invade the system on reboot, during the window between the user logging in and the firewall software becoming operational.
2.19. VoIP-H.323/SIP and VLC (video streaming server) and open source telephony server hacking
RTP is the most popular communication protocol for VoIP networks. Whether it is used with SIP or H.323, it is responsible for the audio communication once a call has been set up.
While SIP and H.323 have their own security issues, the use of RTP introduces many more. RTP assumes that a significant amount of security is provided from elsewhere during a VoIP call, which leaves it without many basic security protections such as authentication, authorization, and encryption.
The primary items used to control RTP packets between any two entities are the session information, the timestamp, and the SSRC. All of these items are easily spoofable by attackers or unauthorized internal users, allowing malicious personnel to perform several types of attacks directly on RTP, including eavesdropping, voice injection, and denial of service.
Eavesdropping, voice injection, and Denial of Service attacks are basically the worst-case scenario for any voice conversation, for the following reasons:
The ability of attackers to listen to phone calls between two trusted entities removes any guarantee of confidentiality on a VoIP call.
The ability of an attacker to inject audio during existing conversations eliminates the integrity of a VoIP call.
The ability of attackers to end a call forcibly eliminates the reliability of the VoIP call.
Without confidentiality, integrity, and reliability, RTP sessions are left sorely lacking in security.
2.19. Service Provider vulnerabilities
Some service providers do not support encryption; it is left to the end user's application to take care of it. As a result, a man in the middle can sniff the unencrypted data, learn the sender's and receiver's IP addresses and cause trouble for the end users.
2.20. Port Mirroring
Some of the routers and switches at the service provider and enterprise end support port mirroring to monitor the content going across the port.
2.21. SQL Injection
SQL injection is the entering of SQL code into web forms such as login fields or an address bar in the browser. The purpose behind this attack is to manipulate the database serving the application, system or site. This exploit is quite sophisticated and capable of inflicting severe damage.
Backdoor injection is a variation of this exploit that has become quite common. Hackers do not stop at manipulating a site via the login screen or address bar. That innocent search box on your website is also associated with a critical database, making it a potential target for an attack. The insertion of SQL commands in a search box can cause a wide range of damage such as retrieving usernames and passwords, illicitly searching the database field set and amending other sensitive data. Without the proper security implementations, a knowledgeable intruder can easily explore a database and obtain field names and insert various commands to retrieve information. From there they may have the ability to change account details, product prices, and client info. Once a hacker gets that deep, there’s almost no limit to what they can do.
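The login-field injection described above, as an added example (not code from the paper): the same user lookup built by string concatenation and with bound parameters, run against a constructed in-memory SQLite table with one constructed account.

```python
"""Login-form SQL injection: concatenated query beside its parameterized form.
Added example, not from the original paper; the table and account are constructed."""
import hashlib
import sqlite3
from typing import Dict, Optional


def hash_pw(password: str) -> str:
    # Plain SHA-256 keeps the example short; a real system would use a salted KDF.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', ?)", (hash_pw("correct horse"),))
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Vulnerable: the form fields are pasted straight into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, hash_pw(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Hardened: placeholders make the driver treat the fields as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(sql, (username, hash_pw(password))).fetchone()
    return row[0] if row else None


def run_demo() -> Dict[str, Optional[str]]:
    conn = make_db()
    # Typed into the user-ID field, this closes the quoted string and comments out the
    # rest of the WHERE clause, so the unsafe query degenerates to
    #   ... WHERE username = 'admin' --' AND pw_hash = '...'
    crafted = "admin' --"
    return {
        "unsafe_with_crafted_input": login_unsafe(conn, crafted, "anything"),
        "safe_with_crafted_input": login_safe(conn, crafted, "anything"),
        "safe_with_real_password": login_safe(conn, "admin", "correct horse"),
    }
```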
2.22. Cross-site scripting
Cross-site scripting, or XSS, is another popular technique capable of causing many problems for website owners. XSS is now practiced more than SQL injection and is actually more difficult to prevent.
2.23. DNS cache poisoning attack
Normally, an Internet-connected computer uses a DNS server provided by the computer owner’s Internet service provider (ISP). This DNS server generally serves the ISP’s own customers only and contains a small amount of DNS information cached by previous users of the server. A poisoning attack on a single ISP DNS server can affect the users serviced directly by the compromised server or indirectly by its downstream server(s) if applicable.
To perform a cache poisoning attack, the attacker exploits a flaw in the DNS (Domain Name System) software that can make it accept incorrect information. If the server does not correctly validate DNS responses to ensure that they have come from an authoritative source, the server will end up caching the incorrect entries locally and serving them to users that make the same request.
This technique can be used to replace arbitrary content for a set of victims with content of an attacker's choosing. For example, an attacker poisons the IP address DNS entries for a target website on a given DNS server, replacing them with the IP address of a server he controls. He then creates fake entries for files on the server he controls with names matching those on the target server. These files could contain malicious content, such as a worm or a virus. A user whose computer has referenced the poisoned DNS server would be tricked into thinking that the content comes from the target server and would unknowingly download the malicious content.
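The response validation the text says a resolver must perform, as an added example (not code from the paper): a reply is accepted only if it matches an outstanding query, and even then only in-bailiwick records reach the cache. The names, addresses and the parent-zone bailiwick rule are constructed simplifications.

```python
"""Resolver-side checks that keep a forged DNS reply out of the cache (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Record:
    name: str
    rtype: str
    value: str

@dataclass
class Query:
    txid: int      # random 16-bit transaction ID
    sport: int     # randomized UDP source port
    server: str    # upstream server the query was sent to
    qname: str
    qtype: str

@dataclass
class Response:
    txid: int
    to_port: int
    from_ip: str
    qname: str
    qtype: str
    answers: List[Record]
    additional: List[Record]

class ValidatingCache:
    def __init__(self) -> None:
        self.pending: Dict[int, Query] = {}
        self.cache: Dict[Tuple[str, str], str] = {}

    def send(self, q: Query) -> None:
        self.pending[q.txid] = q

    def receive(self, r: Response) -> str:
        q = self.pending.get(r.txid)
        # 1. Match an outstanding query on txid, our source port, the server asked and the
        #    question itself; a blind forger must guess all of these before the genuine reply.
        if (q is None or r.to_port != q.sport or r.from_ip != q.server
                or (r.qname, r.qtype) != (q.qname, q.qtype)):
            return "rejected: no matching query"
        # 2. Bailiwick (simplified): cache only records for the queried name or its parent
        #    zone; extra records for unrelated zones are dropped, not believed.
        zone = q.qname.split(".", 1)[-1]
        cached = 0
        for rec in r.answers + r.additional:
            if rec.name == q.qname or rec.name.endswith("." + zone):
                self.cache[(rec.name, rec.rtype)] = rec.value
                cached += 1
        del self.pending[r.txid]
        return f"accepted: cached {cached} record(s)"

def run_demo() -> Tuple[List[str], Dict[Tuple[str, str], str]]:
    res = ValidatingCache()
    res.send(Query(0x1A2B, 40123, "203.0.113.53", "www.example.com", "A"))
    # Forged reply with a guessed txid, pointing the name at an attacker's address.
    forged = Response(0x0001, 40123, "203.0.113.53", "www.example.com", "A",
                      [Record("www.example.com", "A", "198.51.100.66")], [])
    # Genuine reply padded with an unrelated zone's record in the additional section.
    padded = Response(0x1A2B, 40123, "203.0.113.53", "www.example.com", "A",
                      [Record("www.example.com", "A", "203.0.113.10")],
                      [Record("login.bank.example", "A", "198.51.100.66")])
    return [res.receive(forged), res.receive(padded)], res.cache
```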
2.24. Rogue DHCP server
If a malicious person plants a “rogue” DHCP server, it is possible that this device could respond to client requests and supply them with spurious configuration information. This could be used to make clients unusable on the network, or worse, set them up for further abuse later on. For example, a hacker could exploit a bogus DHCP server to direct a DHCP client to use a router under the hacker’s control, rather than the one the client is supposed to use.
2.24. Web Application attack – Account harvesting
Using this technique, an attacker can determine legitimate user IDs and even passwords of a vulnerable application. Account harvesting is really a simple concept, targeting the authentication process when an application requests a user ID and password. The technique works against applications that have a different error message for users who type in an incorrect user ID than for users who type a correct user ID with an incorrect password.
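The error-message oracle described above beside a hardened login, as an added example (not code from the paper): the hardened version returns one message and performs the same password derivation whether or not the user ID exists, so neither the text nor the timing of the reply tells valid IDs apart. The user table and the PBKDF2 parameters are constructed.

```python
"""Account-harvesting oracle beside a login that answers uniformly.
Added example, not from the original paper; users and KDF parameters are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 50_000   # constructed; tune to the deployment's hardware budget
Users = Dict[str, Tuple[bytes, bytes]]   # username -> (salt, derived key)


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_users() -> Users:
    salt = os.urandom(16)
    return {"alice": (salt, derive("s3cret-pass", salt))}


# Used on a lookup miss so that an unknown user ID still costs one full derivation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = derive("dummy", _DUMMY_SALT)


def login_leaky(users: Users, username: str, password: str) -> str:
    """Vulnerable: two different messages reveal which user IDs exist."""
    if username not in users:
        return "unknown user"
    salt, stored = users[username]
    if derive(password, salt) != stored:
        return "wrong password"
    return "ok"


def login_uniform(users: Users, username: str, password: str) -> str:
    """Hardened: one message, one derivation either way, constant-time comparison."""
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    candidate = derive(password, salt)
    if username in users and hmac.compare_digest(candidate, stored):
        return "ok"
    return "invalid username or password"
```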
2.25. IP Address spoofing
Three different flavors of IP address spoofing are used in a variety of attack scenarios: simply changing the IP address, guessing TCP sequence numbers, and spoofing with source routing.
2.26. Session Hijacking
When a user has an established interactive login session with a machine, using telnet, rlogin, FTP, SSH, and so on, an attacker can use a session hijacking tool to steal the session from the user. When most hijack victims notice that their login session has disappeared, they often just assume that it is network trouble. The users will likely just try to log in again, unaware that their session wasn't dropped; it was stolen. SSL users can also be exploited by attackers using proxy software that makes use of the session ID.
2.27. Denial of service attacks
DoS attacks generally fall into two categories: stopping a service and resource exhaustion. Stopping a service means crashing or shutting off a specific program or machine that users want to access. With resource exhaustion attacks, the service itself is still running, but the attacker consumes computer or network resources to prevent legitimate users from reaching the service.
2.28. SMTP gateway attack
Email spoofing is used by spammers for junk email attacks against individuals, corporations and web hosting services.
3. Intrusion Detection and Prevention
3.1. Antivirus and Antispyware Utilities
Different free and commercial software packages are available that can detect the presence of viruses and spyware that have infected the machine. Each utility works by comparing against its own signature database. End users, primarily residential customers, have to install such utilities to protect their systems from intruders and regularly update them. Some viruses store themselves in compressed format on the file system so that they are not detected during a scan. The ELF header of the file happens to be helpful under certain circumstances.
3.2. User accounts and rights permissions
There must be one administrator account with multiple standard user accounts configured on the machine. When the customer is browsing, it is advisable to avoid browsing from the administrator account and to do so from one of the standard user accounts. This restricts the downloaded content, preventing it from executing or modifying critical system files and folders, which could very easily happen under the administrator account. An intruder could also modify the system registry at the operating system level and change the behavior of the operating system at his wish, all of which can be prevented this way.
3.3. Policy and Browser configurations
The policies on the host machine, as well as on both the external and internal firewall, have to be configured rigidly, at the granularity of the application level as well as with trusted and banned user boundaries.
The browser has to be configured so that all security features are enabled: protection against phishing, prompting on redirected URLs, prompting before third-party cookies are installed, and deletion at regular intervals of the temporary files and folders that store cookies.
3.4. Firewall support
The firewall should permit the end user to configure filtering for both inbound and outbound traffic. At a basic level, the firewall should provide security for different applications like email, video/voice conferencing using messengers, NetMeeting and similar applications; in general, for voice, video and data transfer through various protocols and technologies such as IMAP, POP, SMTP, SIP, H.323, GPON, PacketCable and DOCSIS.
3.5. Backup and Restore support
Backup and restore is one of the essential features: it backs up working content and provides the ability to retrieve and restore that content when the system gets corrupted.
3.6. POST, shutdown and restart
The system should support powering up with the POST (power-on self-test) diagnostic procedure, as well as without it, through operations like shutdown and restart.
3.7. Monitoring and logging
The system should support monitoring services and system loggers, which aid in identifying intruders or malicious programs.
3.8. Startup programs and startup services
Monitor the startup programs and services that are supposed to start after the system boots.
4. VPN solution
In order to protect all end user applications, the tunnel has to originate from the end user's personal computer and should support encryption and privacy, safeguarding against identity theft and intrusion for all applications. In order to protect against the loss of user name and password details, there are mechanisms like RADIUS, AAA and LDAP servers which maintain the user details in a database on a dedicated server, so that users are authenticated against these dedicated hacker-proof servers. On the assumption that the operating system and browsers are free from vulnerabilities, SSL VPN is one of the ideal solutions: it protects all end user applications in a secure way, is simple to configure, and is additionally backed by the service provider's security. IPsec VPN is another one which tries to protect all end users, but it is complex from a configuration perspective. MPLS VPN is another solution that exists, but in the case of MPLS VPN the tunnel protection is guaranteed only between the service provider's NAPs (Network Access Points) or PNAPs, or from the CPE alone, and does not cover the end user's applications. Secure DNS support takes care of vulnerabilities in DNS.