Wednesday, August 30, 2006

Stay Secure!

This is definitely not good. During last one week two of my friends lost their yahoo accounts, possibly got hacked. Amit was on SANS security training in Singapore, with 65 other potential hackers security professionals. After the last day in his training when he came back home he realized that his Yahoo! Account password wasn’t working anymore. My other colleague, Sudhakar, accessed his yahoo mail on his roommate’s laptop and next thing he knew the following day was, his yahoo password wasn’t working anymore.

I can’t stress enough how risky it is to access your email/e-banks/e-commerce transactions over public networks or on some others’ machine. It is not a matter of having complete trust on someone you know well enough, even if that person happens to be your family member/close friend/colleague, because you can never be sure if his own machine is secure enough. You cannot rule out the possibility that his machine might already be hacked, and all it takes is just one attempt for you to enter your secret credentials on that hacked machine (or if he hasn’t intentionally been running malicious programs).

An end-user never bothers to secure his own machine apart from following regular recommendations – things like, keep the anti-virus definitions updated, install anti-spywares like Spybot & Windows Defender and keep the definitions updated, regularly scan your system with anti-virus/anti-spywares, blah-blah. But the important aspect we don’t usually realize is that there are other channels to hack into system and keep it infected in a manner that regular anti-virus/anti-spywares cannot detect. The biggest limitation with these scanning tools is that these are all definition based and not behavioral/pattern based. What this means is that unless the loophole/vulnerability/threat becomes visible in public domain and a patch/definition is released, these scanning tools will not be able to detect them. For example, anyone with a decent programming knowledge can develop a quick key-logger/virus/Trojan and release it within limited scope, may be within among his contact circle. Behavioral based scanning tool, on the other hand, keep monitoring the system at lower layers (of OS architecture) and are better able to detect system modifications that key-logger tries to make to activate itself.

The other aspect most people ignore is that they do not change the default system configuration. For example, after a typical Windows installation, quite a few system services get active which might not really be required for user, but which can act as potential security holes. Network services like ‘client for Microsoft networks’ and ‘file and print sharing’ are always active on all the network interfaces – physical network interface as well as wireless interface. Unless a good firewall is installed on the system, it is not very difficult to hack into the system using just these two services and activate some Trojan/key logger on that system. Rootkit is another new category of tools which are even harder to detect with traditional scanning tools.

Here are some quick recommendations. This is not an exhaustive and polished list, but just few quick ones on the top of my head. Of course, it goes without saying that if you use same laptop at both office and home, you should check with your system administrator before making these modifications. 

  • Always ensure that your system is completely patched with up to date hot-fixes. You can use Microsoft’s Baseline Security Analyzer to do the gap analysis and install all the required patches.
  • Never trust any system other that your own (secure) system for entering your credentials (email/banking/credit card/etc). Remember, all it takes is just one attempt, even if that system belongs to your closest friend/family member/colleague. I personally confess of having captured password details of my friends, though I have never (mis)used those details!
  • Disable Remote Registry service. An example where this can be exploited is, lot of instant messengers store user passwords in encrypted form inside registry. All it takes is extracting the relevant registry keys remotely and attacking it offline. Again, anyone who knows me, when I say to them that they haven’t changed their passwords for a long time, I really mean it (sometimes)! J
  • Even when using your own system over public wireless network, do not enter confidential details. The risk with these public hotspots is that you can never know that the person sitting next to you can possibly be running some network capturing tool to sniff your data packets to crack it offline later. There are tools available which can capture your network interface’s MAC address and inject those same MAC address in their own machine’s network packets to trick the wireless switch to send the returning packets to their system. If you really have to use public wireless hotspots for entering confidential details, do that only over VPN connection.
  • Disable ‘Client for Microsoft Networks’ & ‘File and Print Sharing’ on wireless network interface unless you use open wireless access in your office/home for logon authentication and/or sharing files/print attached to your own system. At home if you connect your DSL directly to your system, you should either install a good firewall or disable these two services on the interface where DSL connects (physical LAN port or wireless), because when DSL is directly connected to your system, it is your system which gets the public IP address and gets exposed to Internet. Do yourself a big favor and get a switched-router instead of connecting your system directly to public interface.
  • Avoid installing any third-party softwares without first testing it on some dummy machine. Use VMWare Workstation (paid) or Virtual PC (free) for testing softwares in isolated environments.
  • Regularly run Autoruns and Process Explorer on your system to monitor what all processes are configured to autostart and currently running. If all the entires in these tools scare you first, start getting yourself familiar with it. 

Here are some quick directions on what you should have on your system: 

Don't believe me? Read this:


jtroyer at vmware said...

Just a small correction: VMware Player and VMware Server are both free as well.

Smith said...

Hey Thanks a lot for sharing such a nice and informative article.
it is very helpful.
By the way check out the Professional Training and Certification for Network Security Administrator from EC-Council here