Theoretical Hacking for IT Managers

When it comes to network security, yes, balance between paranoia and apathy is possible.

Not everyone has "l33t skilz" or mass amounts of hardened TCP/IP stack programming experience. When I'm at work, I don't look at logs all day long, nor do I run security audits every five minutes. I do my job, which takes all of my time. This is the situation for most small to medium sized companies that have only a few IT guys. So how does an everyday IT guy handle the constant threat of impending attack?

Keeping up with the latest security threats in a mixed OS environment is virtually impossible. You have to choose where to put your defenses. I choose my defenses based on my own paranoid view of the world, with my procrastination and laziness factored in for good measure. The term I use for this is "theoretical hacking", in which no actual computers, programs or animals are harmed.

The first question in theoretical hacking is, "Where do I start?". You have two options here, inside out or outside in. That is, you can consider attacks from the point of view of someone outside your office trying to break in. Or, you can consider scenarios in which someone inside your office is trying to cause damage or steal data. For now, let's take the standpoint of some random dude on the outside trying to break into your network.

First, though, let me make one thing clear: if someone really wants to cause you harm or wants to break into your network--and I mean really wants to do it--you can't do much about it. Anyone with enough time and resources can do just about anything. In response, you can hope that you set enough tripwires to give you warning if something bad is going on. Or, you can hope to be far enough off the grid as to be invisible. I say "off the grid" because not everyone is a Google, Microsoft, IBM or Apple. The only Web presence my company has is a Web site not hosted by us and e-mail, which we do host. So, only one real link exists between my company and the outside world, giving us only SMTP/POP to deal with--more on this later.

I like to compare network security to a glass house. In a glass house, you can have a great deal of security on all of the doors and windows. You can have armed guards. You can have cameras, lasers, alligators, a catapult and a sith lord. But, that doesn't change the fact that everyone walking by can see what is going on inside your glass house. If someone stands outside and looks in long enough, he will know everything about the place. You also can't stop people from walking up and knocking on the door or looking in the mail box. And the really bad part is you can't stop some kid from throwing a rock at your glass house. The best you can do is watch and hope your glass house doesn't break. Network security is passive in this same way. We have to wait and watch for something to happen.

When you're considering a network security design, there are two extremes. One is the delusional paranoid design, which consists of a standalone computer with no peripherals, no Internet, no USB, no Bluetooth, no CD-ROM, no floppy, no external hookups at all. The standalone uses biometric authentication with 128-character alphanumeric passwords to access each application as it is needed. You have to memorize whatever work you do and retype it at another location. The other extreme is a more common situation, in which a bunch of computers are set up in a public place with free Internet access and without passwords. The reality for most people lies between these two extremes but leans more toward the latter.

Let's start with the basics. Think about the actual connections leaving the network; think about what is leaving. A big part of security ends up concerning who is on the network, not what is on the network. So, think about the employees. Who is doing what? Are employees surfing the Web or actually performing tasks for which Internet access is a critical tool? In most cases, minus e-mail, the latter isn't true. So what is the real concern with employee Web surfing? Viruses. I use the term "viruses" to refer to trojans, spyware and any type of application not intended to be installed as a job function application. A lot of tricky apps are out there that get users to install them under the guise of other apps. Users on your network never should be allowed to install anything.

Thus, in a company where employees are Web surfing and using e-mail, the first order of business is to stop any and all viruses. This actually is fairly simple to do if you are running Linux, but most companies have a large allotment of Windows desktops. Therefore, I suggest using desktop antivirus software with hourly updates. This is a simple yet highly effective method of stopping almost any type of attack. If your company has no services running--FTP, SQL, etc.--the only real threat is viruses. How else can some random dude gain access to a system?

So here we are with a bunch of users on the Internet, and the only defense is antivirus/trojan software. Simple scenario? Yes. Realistic? Yes. So, how would you break into a network with no services running and no exploits on the desktops? You scan the network. How do you scan the network? You start by figuring out what subnet or IP address the computers are on. There are only three ways of finding out that information. First, you can do a general scan of IP addresses and hope you run across the company's network. But, if there aren't any services running, how would that network show up? Keeping with the no services example above, your network is pretty safe on that front. The second way to find subnets or IP addresses is to track them from a Web site. If one of your users goes to someone's Web site, blog, list or anything of that sort, the IP address can be logged and used later. The third method of finding subnets and IP addresses is through e-mail messages, which keep them in the headers.

So, it really boils down to hiding your network's IP addresses from the world when users are Web surfing and e-mailing. One way to hide them while surfing is to use an application such as Tor. Here is a quote from the Tor Web site about what it does:

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features. Tor aims to defend against traffic analysis, a form of network surveillance that threatens personal anonymity and privacy, confidential business activities and relationships, and state security. Communications are bounced around a distributed network of servers called onion routers, protecting you from websites that build profiles of your interests, local eavesdroppers that read your data or learn what sites you visit, and even the onion routers themselves.

With something like Tor in place, we're left to deal with e-mail headers. There isn't a universal easy solution to this one, although it can be easy to fix--it really depends on the situation. If you outsource your company's e-mail, that protects your network. But, now you have to worry about some third party looking over your e-mail. If that is not a concern and outsourcing e-mail is cost effective, then with a few minor tweaks you should be good to go. The tweaks themselves are simple, too: secure POP and SMTP and do not send POP/SMTP passwords over the Internet without some type of encryption.

If your company hosts its own mail server, however, you have a whole other set of problems. Hosting your own mail server brings to the table a lot of overhead, and you need to consider many more potential problems. For the purposes of this article, I lightly cover some basic considerations.

When handling e-mail yourself, two basic components are needed, a firewall and a mail server. The firewall performs two functions, network address translation (NAT) and IP/port forwarding. NATing a network is a huge security plus that is simple and effective. It essentially creates a buffer for your network. In that buffer, you can do anything you can dream up to prevent anything you can think up. You also need to IP or port forward the incoming mail to the mail server. I think it's always a good idea to separate exposed servers from the rest of the network, DMZ-style.

Next, you need to introduce antivirus software strictly for the mail server. You can choose from several, so spend some researching which one is best for your company's needs. The main thing here is to let the mail antivirus server take the brunt of the traffic and have it forward the clean mail to the mail server on a different port. I'm not going to get into how to secure the mail antivirus server in this article, but it does need to be done.

At this point, we still need to worry about the IPs in e-mail headers. This is a catch-22 situation, however. You can remove the outgoing headers on e-mail, but doing so can cause difficulties when you are troubleshooting e-mail problems. If you really don't want people to see IP addresses in your company's e-mail headers, you can strip them out at the firewall as the messages leave the network. This step isn't easy to do, but it is possible. In reality, whether you should implement this step depends on how much time you can spend on it.

Still, stripping out the IP address from the header is only part of the solution. You also should add the extra layer of protection offered by hosting an off-site relay for mail. This relay could be a mail server that forwards your company's e-mail to the network. Or, it simply could be the use of secure POP/IMAP to access e-mail. The reason for this relay is DNS MX records. Anyone can look up the host of your domain and get your IP address from your MX record. Having a relay prevents this from happening.

Essentially, the point of this article is to get you thinking about what is happening on your network and about what you can do to be safe without going crazy from all the talk about security breeches and all the security applications on the market. The main idea is to set things up so you don't have to check on them every day. Ideally, you want to have a general sense that your network is secure to the point that someone has to throw a lot of rocks at your glass house before something breaks. At that point, one of your alerts goes off, and you can tell that stupid kid to stop throwing rocks by blocking his IP from connecting to your network.

In conclusion, we are trying to hide our networks from the world. If the world doesn't know where we are, it can't do any damage to us. We are relatively safe simply because we sat down and thought about how some random dude could break into our network.

Aaron Steimle is a partially functional paranoid human with an addiction to Linux and a degree in Electrical Engineering. He vigorously enjoys not being dead. He can be reached at aaronsteimle@gmail.com.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Identity Theft and Stolen Passwords

biometric01's picture

Much has been discussed about Identity Theft, user ID's and Passwords stolen or hacked, credit cards being used without the owners knowledge and so on. Now there is a safe way of protecting your passwords and identity online from being copied, stolen and hacked by keyboard trojans, using your biometric fingerprint and face recognition, and even voice, to log on to web sites. By simply scanning your finger or face or voice you can log on to a web site, log on to your computer, and even encrypt files and folders. No more worrying about who might hack into your online accounts or even your email. No more remembering passwords or using the same passwords on many sites. This is an exciting new innovation from myBiodentity and they have about fourteen products that are enabled with biometrics including email encryption, password manager, virtual disk, and many more. You can read more at http://www.mybiodentity.com

article errors.

mboz62's picture

I must say there are a number of areas I don't agree with about this article, but I will limit things to the two most glaring.

I'm not entirely sure I understand where you're coming from in your glass house analogy. If you have any sort of firewall, even a relatively mediocre one. A passing hacker will need to specifically look at what services your publishing. in your case, I'm guessing you've got SMTP and POP3 published. So if you've got a firewall, then this is more a relatively secure house, with a small crack in the curtains. depending on how cleverly you've published your SMTP / POP3 servers an attacker might be able to discover your OS from these feeds and make inferences from that knowledge. If that hacker realises a flaw in that software that will put a crack in a wall that he might be able to get a crowbar into to open things up a little more. From that, I would say a firewalled network surely isn't a glass house that anyone can peek into.

secondly the part of about stripping out the IP address from email headers in completely wrong. the IP address of the sending MTA is inserted by the receiving MTA after it has left your network, when it is completely out of your control. as for Sendmail Masquerade this is purely a domain name masquerade, not an IP Address masquerade. (just to reply to the comment!)

I am very Glad to see

Gnuru's picture

A VERY GOOD ARTICLE

I am very Glad to see someone is still in to securing optimation
This is a very good example of it....

How to deal whit IP-Addresses in E-mail is a question fore the wise
man to handle but many time it is to handle every thing on the net
you do with care.. and secure "here its a good idea to find out how to bring those scamming people to the court-room SOA..."
Beeware of the untrusty guy out there...In a house of glass we live..

But it isent always all guys how now that they live in sucha place
do they surf to promiscuse places on the net whitout thinking ones ore twice,,

Thats all fore now
Rock on Linux
Gnuru

finding subnets

Anonymous's picture

> The third method of finding subnets and IP addresses is through e-mail messages, which keep them in the headers.

two words: sendmail masquerade

Good read.

iGeek's picture

I think a series of articles like this would be great. Starting with an article like this one which is more abstract, then proceeding to more detailed, step-by-step type articles, would be awesome. Thanks!

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix