As a Risk Consulting Company based in Mumbai, we are often called upon to asses the risk to a company’s network security from hackers and suggest solutions to prevent intruders from accessing a company’s communications systems. When we talk about the communications and internet security of a company we are basically talking about Network Security.
Network security goes hand in hand with Computer Security
These days it is hard to separate the two. Everything, from electronic hotel door locks to cellular telephones to desktop computers, is attached to networks. As difficult as it is to build a secure stand-alone computer, it is much more difficult to build a computer that is secure when attached to a network. And networked computers are even more pregnable; instead of an attacker needing to be in front of the computer he is attacking, he can be halfway across the planet and attack the computer using the network. A networked world may be more convenient, but it is also much more insecure.
These days it’s pretty much impossible to talk about computer security without talking about network security. Even something as specialized as the credit card clearing system works using computer networks. So do cellular telephones and burglar alarm systems. Slot machines in casinos are networked, as are some vending machines. The computers in your kitchen appliances such as the smart refrigerators will soon be networked, as will the ones in your car. All computers a and home entertainment and utility gadgets and devices will eventually be networked.
Lots of different types of networks are out there, but I’m going to be talking about the Internet protocol: TCP/IP. Networking protocols seem to be converging on the Internet, so it makes the most sense to talk about the Internet. This is not to imply that the Internet protocols are more insecure than others — although certainly they were never designed with security in mind — only that there are more good examples. Later, I talk about the fundamental dilemma of choosing a common protocol that is widely attacked by hackers, and hence whose security is constantly improving, or one that is obscure and little-known, and is possibly even less secure.
HOW COMPUTER NETWORKS WORK
Computer networks are bunches of computers connected to each other. That is, either physical wires run between computers — wires in an office LAN, dedicated phone lines (possibly ISDN or DSL), dial-up connections, fiber optic, or whatever — or there is an electromagnetic connection: radio links, microwaves, and so forth.
Simply, when one computer wants to talk to another, it creates a message, called a packet, with the destination computer’s name on it and sends it to the computer over this network. This is fundamentally unlike telephone conversations. When Alisha wants to call Sunil, she tells the phone company’s computer network Bob’s network name (commonly known as his telephone number) and the network hooks up different communications circuits — copper wire, satellite, cellular, fiber, whatever — to make an unbroken connection. Alisha and Sunil talk through this circuit until one of them hangs up. Then, the telephone network disassembles this connection and lets other people use the same pieces for other phone calls. The next time Alisha calls Sunil, they will be connected through a completely different set of links. (Well, mostly different; the line between the telephones and the first switches will be the same.)
Computers don’t use circuits to talk to each other. They don’t have conversations like people do — they send short data packets back and forth. These packets are broken-up pieces of anything: e-mail messages, GIF’s of naked ladies, streaming audio or video, Internet telephone calls. Computers divide large files into packets for easier transmission. (Think of a ten-page letter being divided up and mailed in ten different envelopes. At the recipient’s end, someone opens all the envelopes and reassembles the letter in its proper order. The packets don’t have to arrive in order, and they don’t have to travel along the same route to their destination.)
These packets are sent through the network by routers. There are bunches of protocols — Ethernet, TCP, whatever — but they all work basically (for large values of “basically”) the same way. Routers look at the addresses on packets, and then send them toward their destination. They may not know where the destination is, but they know something about where it should go. It’s sort of like the postal system. A letter carrier visits your house, takes all of your outgoing mail, and brings it to the local post office. The post office might not know where 173 Sea Wind Heights, Ashutosh Lane, Bandra is, but it knows that it should put the envelope on the truck to the airport. The airport postal workers don’t know either, but they know to put the letter on a plane to Mumbai. The Mumbai post office knows to put the letter on a truck to Bandra. The Bandra post office knows to put the letter to Carter Road. And finally, the local Carter Road post office knows where the address is, and a letter carrier delivers it.
What You Need To Know About IP Security
It’s not hard to see that any network built on this model is terribly insecure. Consider the Internet. As those packets pass from router to router, their data, sometimes called their payload, is open to anyone who wants to read it. The routers are only supposed to look at the destination address in the packet header, but there’s nothing to stop them from peeking at the contents. Most IP packets in the world go over just a handful of high-speed connections between lightning-fast routers, known as the Internet backbone. All packets between distant points, the United States and Japan, for example, go through only a few routers.
It’s hard for an individual hacker to monitor the entire Internet, but it’s easy for him to monitor a small piece of it. All he has to do is to gain access to some computer on the network. Then he can watch all the packets going through, looking for interesting ones. If he gets access to a machine close to Company A, he will probably be able to monitor all the traffic in and out of that company. (Of course, by “close to” I mean “near on the network,” and not necessarily physically near.) If he gets a machine nowhere near Company A, he might see little (or none) of that company’s traffic. If he’s a quintessential hacker and doesn’t care what company he eavesdrops on, then it doesn’t really matter.
Packets with passwords in them are particularly interesting. Password sniffing is easy, and a common Internet attack. An attacker installs a packet sniffer designed to steal usernames and passwords. All the program does is collect the first two dozen (or so) characters of every session that requires a login and save them for the attacker. These characters almost certainly contain the username and password (usually the unencrypted password). Then the attacker runs a password cracker on the encrypted passwords, and uses those passwords to break into other computers. It’s difficult to spot because password sniffers are small and in conspicuous. And it can snowball. Once you have broken into one machine, you can install a password sniffer on it and get even more passwords. Maybe you can use those passwords to break into other machines. And so on.
Not only is eavesdropping possible, but active attacks are also possible . . . easier, actually. In most communications systems, it is far easier to passively eavesdrop on a network than it is to actively insert and delete messages. On the Internet, it is reversed. It’s difficult to eavesdrop. However, it’s easy to send messages; any self-respecting hacker can do that. Because communications are packet-based, and they travel along many different paths and are reassembled at the destination, it’s easy to slip another packet in with the rest of them. Many, many attacks are based on blindly inserting packets into existing communications channels.
What is IP Spoofing
It’s called IP spoofing, and it’s easy. Packets have source and destination information, but an attacker can modify them at will. An attacker can create packets that seem to come from one site, but don’t really. Computers on the Internet assume that the “from” and “to” information is accurate, so if a computer sees a packet from a computer it trusts, it assumes that the packet is trusted. An attacker can take advantage of this trusting relationship to break into a machine: He sends a packet purporting to come from a trusted computer in the hope that the target computer will trust the packet.
There are routing attacks, where an attacker tells two points on the Internet that the shortest route between them goes through his computers. This makes eavesdropping on a particular node easier. This section could go on and on; whole books have been written about attacks against the Internet.
The solutions to these problems are obvious in theory, but harder in practice. If you encrypt packets, no one can read them in transit. If you authenticate packets, no one can insert packets that pretend to come from somewhere else, and deleted packets will be noticed and reacted to.
In fact, several solutions encrypt packets on the Internet. Programs like SSH encrypt and authenticate shell connections from a user on one machine to a computer across the network. Protocols like SSL can encrypt and authenticate Web traffic across the Internet. Protocols like IPsec promise to be able to encrypt and authenticate everything.
What is DNS Security
The Domain Name Service (DNS) is basically a large distributed database. Most computers on the Internet — nodes, routers, and hosts — have a domain name like “brokenmouse.com” or “anon.penet.fi”. These names are designed to be remembered by people, and are used to build things like URLs and e-mail addresses. Computers don’t understand domain names; they understand IP addresses like 184.108.40.206. IP addresses are then used to route packets around the network.
Among other things, the DNS converts domain names to IP addresses. When a computer is handed a domain name, it queries a DNS server to translate that domain name into an IP address. Then it knows where to send the packet.
The problem with this system is that there’s no security in the DNS system. So when a computer sends a query to a DNS server and gets a reply, it assumes that the reply is accurate and that the DNS server is honest. In fact, the DNS server does not have to be honest;it could have been hacked. And the reply that the computer gets from the DNS server might not have even come from the DNS server; it could have been a faked reply from somewhere else. If an attacker makes changes in the DNS tables (the actual data that translates domains to IP addresses and vice versa), computers will implicitly trust the modified tables.
It’s not hard to imagine the kinds of attacks that could result. An attacker can convince a computer that he is coming from a trusted computer (change the DNS tables to make it look like the attacker’s computer is a trusted IP address). An attacker can hijack a network connection (change the DNS tables so that someone wanting to connect to legitimate. company.com actually makes a connection with evil.hacker.com). An attacker can do all sorts of things. And DNS servers have a viral update procedure; if one DNS server records a change, it tells the other DNS servers and they believe it. So if an attacker can make a change at a few certain points, that change can propagate across the Internet.
In one attack in 1999, someone hacked the DNS system so that traffic to Network Solutions — they’re one of the companies that register domain names — was redirected to other domain-name registration companies. A similar attack, from 1997, was a publicity attack. This was before domain registration was opened up for competition. Eugene Kashpureff, owner of the alternative AlterNIC, redirected Network Solutions traffic to his site as a protest. He was arrested and convicted, and received two years’ probation.
In 2000, RSA Security’s homepage was hijacked by spoofing the DNS tables. This is not the same as breaking into the Web site and defacing the page. The attacker created a fake home page, and then redirected legitimate traffic to that faked page by manipulating the DNS records. The hacker did this not by cracking RSA’s DNS server, but the DNS server upstream in the network. Clever, and very easy. DNS record spoofing is a trivial way to spoof a real Web site crack. And to make matters worse for the hijacked site, the hijacking misleads people into thinking intruders cracked the Web site at Company A, when intruders actually cracked the DNS server at Company B.
These problems are serious, and cannot easily be fixed. Cryptographic authentication will eventually solve this problem, because no longer will computers implicitly trust messages that claim to come from a DNS server. Currently people are working on a secure version of the DNS system that will deal with these issues, but it’s going to be a long wait. I will talk about Cryptographic authentication in the next post.
You can keep track of our daily blog posts by entering your email id below. Whenever a new post is published on our blog, you will receive a snippet of it in your email inbox and you can choose to click on a link in your email inbox to read more.
If you would like us to assess the safety and security of your computer’s network from external as well as internal attackers, feel free to give me a call us for a consultation on this number – +91 98206 07875
Amit Sen, a commercial pilot by training, has over 15 years experience in the space of corporate investigations, handling Copyright & Trademark infringement cases, Pre – employment verification Industrial Espionage investigations, Asset & Net – Worth assessment assignments and vendor / supplier verification cases, among others. Co-founder of Alliance One Detectives – which is the best home security consultants in Mumbai. Apart from specializing in home security, Amit has also successfully completed assignments in a wide range of sectors, including the machine tools industry, pharmaceutical industry, hospitality sector, specialized equipment (Oil & natural gas sector, aviation industry etc.), telecom industry & the IT & ITes sectors. These cases have all involved both offline and online investigations.