Who's That Knocking At My Door? Go Away!

More than once per second, someone tries to hack into Vince's systems. Fortunately, amateurs make most attempts

One of the nagging problems in information security is finding out how many security incidents actually occur. Unfortunately, that information is very hard to obtain.

THIS WEEK'S GLOSSARY

Freedom of Information Act: This law makes information more accessible to the public. That's great if you want to find out what the FBI had on Elvis (http://foia.fbi.gov/presley.htm) but not so great if you call in the FBI for help: Anyone can get the details of your security setup and how you were attacked.

SubSeven: A Trojan horse program that masquerades as a seemingly innocuous executable e-mail attachment. Once launched, SubSeven allows complete remote control of a computer. An attacker can access or destroy files, steal account information and generate denial-of-service attacks — all without the user's knowledge.

Information Sharing and Analysis Centers (ISAC): These centers were set up by President Clinton to promote sharing of threat and incident data within industry sectors. For example, the ISAC for financial services is at www.fsisac.com.

LINKS:

www.attrition.org: This security Web site keeps mirror images of Web site defacements. For an example, see this Department of Justice hack: www.attrition.org/mirror/attrition/1996/08/18/www.doj.gov. Many military sites have been replaced by tags like this one: www.attrition.org/mirror/attrition/2001/03/31/mailserver.tci.navy.mil/.


www.dshield.org: Need to see if a given IP address is attacking just you? Look at what other people are seeing at this Web site.

Companies fear the public relations and share-value impact of disclosing a security breach. Perversely, revealing even an unsuccessful attack can be a public relations disaster. And once an organization announces that it has been attacked, it may suffer further attacks as a result of the news coverage.


For other crimes, we can use police statistics or insurance claims data to measure the change in risk over time. Currently, however, there isn't much of a market for cyberinsurance, so insurance data isn't available. Police data isn't much better because companies are hesitant to report computer crimes. Some distrust the police, believing them to have a low level of awareness of computer security issues. Laws like the Freedom of Information Act and the low rate of successful prosecutions add to this distrust.


But companies can't hide everything. The highest-profile attacks in the current environment are Web site defacements. A useful resource in this area is Attrition.org's Web site. Hackers notify this group when they deface a site, and Attrition.org makes a mirror copy of it as a record. This means it has accurate data reflecting trends in this area. And the current trend isn't good. Attrition.org's Web site is seeing about 30 defacements per day, an increase from 13 per day a year ago and two per day two years ago. And it doesn't look like this will improve anytime soon.


To supplement this data from the outside world, we also regularly examine data from our systems to ensure that our defense is properly focused. We have an intrusion-detection sensor outside the firewall that logs many attacks, and we also log a great deal at our firewalls. As an exercise, we recently analyzed a week's worth of data down to the last packet and noticed some remarkable trends. I hadn't looked at this data in detail for some time, and I was startled by what we found.


My company was an early adopter of the Internet, so we have a large address range. This means that if an attacker picks an address at random, we have a 1 in 65,000 chance that we'll be the target. We are a major financial organization, making us a possible target of choice for directed attacks.


So, given all that, how many attacks and probes do you think we detect? One per month? One per day? I thought the result would be something in the range of once per hour. My research uncovered a much higher figure: We detected 1.5 attacks every second.

Of the non-Web connections (such as Domain Name System, File Transfer Protocol or e-mail), 85% were unauthorized, consisting of attempts to gather information or compromise our systems. Our firewall or our intrusion-detection system blocked these unauthorized connections—no doubt a few of them were errors caused by people mistyping IP addresses. It's also possible that some much more competent attacks penetrated our outer shell.


The most popular attacks are those that use scanning tools to target known vulnerabilities. The top attacks in our sample week were DNS BIND buffer overflow probes (379,273), Back Orifice probes (64,932), WU-FTP buffer overflow probes (64,824) and NetBIOS share name probes (38,285).
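As an added illustration (not the column's own tooling), here is a small Python classifier that produces the kind of per-type tally described above from firewall deny-log lines and turns the total into a per-second rate. The log format and the sample entries are constructed, and the port-to-category mapping uses the probed services' well-known default ports (for example Back Orifice on UDP 31337 and SubSeven on TCP 27374), which the column itself does not list.

```python
# Added example: tally firewall deny-log lines by probe type and compute rate.
from collections import Counter
import re

# Constructed format: "<epoch> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(?P<ts>\d+) DENY (?P<proto>TCP|UDP) [\d.]+:\d+ -> "
                     r"[\d.]+:(?P<dport>\d+)$")

# Well-known default ports of the probed services/tools (assumption: the
# column does not list ports). Everything else lands in "Other".
CATEGORIES = {
    ("TCP", 53): "DNS Probes",        # DNS over TCP, e.g. Lion worm scans
    ("UDP", 31337): "Back Orifice",   # Back Orifice default UDP port
    ("TCP", 21): "WU-FTP",
    ("UDP", 137): "NetBIOS Share Name",
    ("TCP", 139): "NetBIOS Share Name",
    ("TCP", 119): "Usenet",           # NNTP
    ("TCP", 113): "Ident",
}

def classify(line):
    """Category for one deny line, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return CATEGORIES.get((m["proto"], int(m["dport"])), "Other")

def summarize(lines, window_seconds):
    """Per-category counts, total, and denied connections per second."""
    counts = Counter(c for c in map(classify, lines) if c is not None)
    total = sum(counts.values())
    rate = total / window_seconds if window_seconds > 0 else 0.0
    return {"counts": dict(counts), "total": total, "per_second": rate}

# Constructed sample covering three seconds; not real traffic.
SAMPLE_LOG = """\
1000 DENY TCP 198.51.100.7:4321 -> 203.0.113.10:53
1000 DENY UDP 198.51.100.8:1024 -> 203.0.113.11:31337
1001 DENY TCP 198.51.100.9:3333 -> 203.0.113.12:21
1001 DENY TCP 198.51.100.7:4322 -> 203.0.113.13:53
1002 DENY UDP 198.51.100.10:137 -> 203.0.113.14:137
1002 DENY TCP 198.51.100.11:2000 -> 203.0.113.15:27374
not a firewall line; skipped by classify()
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, window_seconds=3)
    for cat, n in sorted(report["counts"].items(), key=lambda kv: -kv[1]):
        print(f"{cat}: {n}")
    print(f"total {report['total']}, {report['per_second']:.2f} per second")
```

The SubSeven probe on TCP 27374 deliberately falls into "Other", matching how the column's breakdown groups it.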


From the perspective of an attacker, the DNS and FTP attacks make a certain amount of sense. Recent high-profile, easy-to-exploit problems have been discovered in these servers that some companies haven't yet patched. Exploiting these problems can give the attacker root access to critical servers.


But the next two? These include some foolish attacks by obviously unskilled individuals. To run a scripted attack doesn't take very much skill, but at least you're trying to break into a system on your own behalf. Those that scan for Back Orifice and SubSeven Trojan horse programs are bottom feeders.


These are script kiddies who are too lazy to break into systems themselves and instead look for systems that other people have already broken into and left back doors in. Does this ever work? Anyone with even the simplest firewall will have blocked attacks to these ports, and all antivirus software detects and protects against these tools.

The volume of these probes for prebroken systems is worrying—surely, these kids must sometimes succeed, meaning that there must be many machines with Back Orifice or SubSeven running, leaving them open to the least competent hackers. If someone were to try the real-world equivalent of these four scanning attacks—checking each car in a lot to see if it is unlocked by trying every door—someone would surely notice, and the perpetrator would almost certainly be warned off. The brazenness and sheer mass of these attempts show that these attacks aren't being noticed or that when they're reported, no effective action is being taken.


This doesn't bode well for the future of the Net. More and more people are coming online, often without sufficient security protection. Within a second after a Web site goes online, strangers are trying to break into the systems. Users may expect that law enforcement will protect them from malicious strangers, but no such protection exists at present. Indeed, once a machine has been hacked, even if users become aware of the intrusion, they may find fumigating their machines difficult.


What can we as security professionals do to deter this behavior? I welcome your thoughts in the Security Manager's Journal forum.



Site Attacks/Probes by Type

Site attacks and probes against Security Manager's Journal author Vince Tuesday's Web site, broken down by type of attack, over a one-week period in April. The total number of attacks for this period was an astounding 707,389.






DNS Probes: 379,273

Attempts to access the Domain Name Servers over TCP, commonly originating from Linux machines compromised by the Lion worm.



Back Orifice: 64,932

Probes for machines already infected with the Back Orifice remote-control Trojan horse so that the hacker can exploit it.



WU-FTP: 64,824

Attempts to access FTP servers. Most attackers are looking for unpatched WU-FTP servers in order to exploit that weakness.



NetBIOS Share Name: 38,285

Attempts to find accidentally shared network drives on Windows systems using the NetBIOS Name Service and other NetBIOS services on their TCP and UDP ports.



Usenet: 8,044

Attempts to find unprotected Usenet News servers for reading and posting news anonymously.



Ident: 6,836

Mail servers and other systems trying to collect information about a user who is currently logged in to our systems.



Other: 145,195

SubSeven probes and other denied traffic.

Copyright © 2001 IDG Communications, Inc.