This is True
Randy Cassingham

Randy Cassingham's Blog

Historical Details and Author's Notes from This is True® - the First For-Profit E-mail Publication (and Still Going Strong).

Internet Security: Have You Checked Your System Lately?

Last week I was chatting with a friend about online security. Not just dealing with spam, but basic online security: can your computer be hacked? Is there really anyone interested in hacking your computer? The answer might surprise you.

My friend said there was nothing really to worry about. I said he was naive. As he was sitting here behind me, I pulled up my overnight server security report. I certainly won't say I've got a bulletproof server: it was hacked last year, in fact (that's why I no longer have a forum -- the forum page briefly tells that story). But we've since instituted some fairly tight controls, prompted by what the overnight security report was showing me. It tells me who successfully logged in, as well as who tried to log in and failed.

So I pulled up that day's report for my friend showing a random day's worth of access attempts. I pointed out where I had logged in, where my admin had logged in, and then page upon page upon page of failed attempts. Each attempt shows the IP address of the computer trying to access secure areas, as well as how many times it tried to get in. Your computer has an IP (Internet Protocol) address too; even if you're on dial-up, when you log in to your Internet Service Provider so you can surf or get your mail, part of the process is to get an IP address -- you can't surf without one. (If you're connected full time by cable or DSL, getting an IP address is part of your computer's boot-up routine.)

So here's what I found from my report on Friday: my firewall software blocked 944 different IP addresses trying to crack my server. One of those tried 3,395 times to gain access. Several others tried several hundred times. So was that a freakish day? Maybe the weekend would be a way different story? Not really: there were "only" 880 IP addresses in today's report, covering Sunday. None tried 3,000+ times, but one tried 1,026 times. On average, on this "slow" day each of those 880 systems tried to crack mine a tad over 12 times -- 10,725 attempts in total. In one day. That's seven-and-a-half attempts per minute.

It's all done by software -- software running on improperly secured computers that have themselves been cracked. Maybe the cracking programs try my server more because it is a server, with a nice, big, fat Internet connection? Maybe... but I doubt it. If they were using "smart" searches to find vulnerable systems, they would have given up on mine, since when they knock on the door they find it's bolted tighter than most. My guess: they're just probing IP addresses one after another after another, trying to find a way in.

So what does this imply for you? As I noted above, your computer, like my server, has an IP address. Doesn't that mean random probes for vulnerable systems can land on the IP address your computer has been assigned, and that these automated probes for unsecured systems might be trying to get into your computer?

Yes. That's exactly what that means.

So why do the people behind these probes want to crack computers? First, they want to steal your computer's resources, and the Internet connection you pay for, to send their spam. That's one of the reasons spam is now 80-90 percent of all e-mail -- you can't just find "the senders" and shut them down, because spam is now literally coming from hundreds of thousands of computers -- cracked, unsecured computers that were taken over by such probes. And as noted above, that's what happened to me. Can't such probes be blocked? You bet: my server now blocks them. If you have a firewall, such as the one built into most routers, you're mostly safe. But what's the weakest part of a computer? Its operator: people may have firewalls, but that doesn't do much good if you get a virus-laden program by e-mail and run it wondering what it is -- and it takes over your computer. That's why you need to run anti-virus software: it helps in case you're foolish enough to run unknown programs.

What other reasons? "DOS" attacks -- denial of service. You're mad at someone and want to take down their web site? If you can line up a few hundred or thousand computers to incessantly ping that server, it will get overloaded and crash, no matter how good its security is. Yes, it happens: a Google search for "dos attack" brings over 2 million hits, which means over 2 million web pages describing what a DOS attack is, or what happened to a site that was attacked. And of course there's the holy grail: identity theft. If you store your account numbers, passwords and more for your bank or brokerage accounts, they are vulnerable.

These attempts on my server are just a symptom of a fact: there are lots of people out there actively looking for weaknesses to exploit. Your job is to make sure your computer isn't exploitable.

The point is not to panic you. The point is to make sure you are not as naive as my friend. Have you secured your computer? Have you checked that it really is secure? Are you part of the spam problem because your computer has been compromised to send spam? Are you sure? And when is the last time you checked? If it hasn't been anytime recently, check now. Here are some resources I've talked about in the past:

  • My own Spam Primer has more on schemes spammers and others try to pull on you
  • One of my Bonzer Site write-ups has info on detecting spyware on your computer
  • Another Bonzer Site write-up has plenty of more information
  • My buddy Leo Notenboom has a great article on his "Ask Leo" site, How do I keep my computer safe on the Internet? -- search for other articles while you're there if you have questions.
  • And online security guru Steve Gibson has some great tools -- run his "Shields Up!" to see how secure your computer is. Takes just a couple of minutes.

The bottom line: It is naive to think you're safe online just because you can't see the "bad guys". They're there, and they depend on people with poor security to make their jobs easier. You can be a part of their schemes, or you can take action to thwart them. I definitely opened my friend's eyes. I hope I also opened yours.

Most Recent Comments

I agree with both of Hugh's recommendations.

I also add that a hardware firewall is not complete. Hardware firewalls prevent break-INs to your computer. They don't keep your computer from giving away secrets in the OUTbound direction. If (and it's a very likely 'if') your computer has ever been compromised by a worm or spyware, you may have an open door that your hardware firewall 'thinks' is okay.

For Windows computers, both XP and Vista have a software firewall, but how much can you trust it when you see XP continuously updating newly discovered security flaws? Still, it's free and better than nothing. Use it.

And then there's spyware (malware). If you surf, you WILL hit a site that tries to install spyware and you won't know it. Ask 5 people about the best anti-spyware program and you'll get 10 answers, many of them contradictory. All I can say is use the free ones, even 2 or 3 of them as each works a little differently. Those that cost haven't proven themselves to be any better.

Three comments.

First, I'd like to also second the earlier suggestion to use a router hooked to your DSL or Cable modem. That DOES keep people from getting INTO your systems, unless you open up a DMZ port to host a Dynamic DNS channel -- most folks don't.

Second, I think that anti-virus companies and vendors who load AV software onto modern computers should be sued for fraud. Originally, viruses were little snippets of code that hooked into your system's interrupt vectors and did nasty stuff with your hard drive. They are virtually non-existent today, and have been for several years. Rather, most threats today come from Trojans that are embedded in emails (esp. attachments) that target widely-known vulnerabilities in Outlook Express, which Microsoft actually prevents you from deleting completely from Windows. Estimates show that up to 80% of all Windows users WORLDWIDE use Outlook Express as their email client. And the vast majority of them NEVER CHANGE THEIR DEFAULT SETTINGS. It's no wonder that people target it.

Finally, I've had a little server on a co-lo with a hosting place for 4 years now. When we put it in, it was getting hammered with pings from Windows-based hosts sitting on the same sub-net constantly searching for NETBIOS ports and other crap that unsecured Windows boxes do (especially those not cleared of CODE-RED viruses). We installed a small firewall and that cut down on 98% of this "noise" traffic.

I added a small script into my server that runs every few hours and tallies up the number of attempts to login to the system from specific IPs. On a typical day, it gets a half-dozen attempts, and sometimes 1000-3000 tries by individual IPs. Analysis of the logs indicates a pattern; these are obviously being run by "script kiddies", just running scripts that cycle through a long litany of known exploits. And the lists keep growing.

The IPs originate all over the world. However, the largest number seem to originate in northern Europe, like Norway. Maybe they're using proxy servers; I can't tell. It's annoying, but I regard it like the weather -- some days are clear (few attempts), some cloudy (more light attempts), and some are quite stormy (multiple attempts with thousands of tries each). It's just life on the internet!
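The author's overnight report and the commenter's tally script both come down to the same thing: counting login attempts per source IP and separating the successes from the noise. The script below is an added example written for this page, not code from either of them; it parses constructed sshd auth-log lines (RFC 5737 documentation addresses, not real hosts), counts failures per IP, and flags the two things a human should look at: sources that hammer the box, and a successful login from an IP that had also been failing.

```python
import re
from collections import Counter

# Constructed sshd auth.log lines (not from the author's server); the IPs
# are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Mar  3 02:11:09 host sshd[4121]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 02:11:11 host sshd[4121]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar  3 02:11:14 host sshd[4123]: Failed password for invalid user admin from 203.0.113.5 port 50130 ssh2
Mar  3 02:12:40 host sshd[4130]: Failed password for invalid user oracle from 198.51.100.23 port 41077 ssh2
Mar  3 07:45:02 host sshd[5002]: Accepted publickey for randy from 192.0.2.10 port 52211 ssh2
Mar  3 09:03:40 host sshd[5119]: Failed password for admin from 192.0.2.11 port 52388 ssh2
Mar  3 09:03:51 host sshd[5120]: Accepted password for admin from 192.0.2.11 port 52390 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+(?:\.\d+){3})")
ACCEPTED = re.compile(r"Accepted (\S+) for (\S+) from (\d+(?:\.\d+){3})")

def tally(log_text):
    """Count failed logins per source IP, record the usernames each IP
    tried, and list every successful login as (user, ip, method)."""
    failed, users, accepted = Counter(), {}, []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failed[ip] += 1
            users.setdefault(ip, set()).add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((user, ip, method))
    return failed, users, accepted

def findings(log_text, threshold=3):
    """What the overnight report should surface: sources with at least
    `threshold` failures (busiest first), and any success from an IP that
    also failed, which is what a password guess that finally worked looks like."""
    failed, _, accepted = tally(log_text)
    noisy = [(ip, n) for ip, n in failed.most_common() if n >= threshold]
    success_after_failure = [(u, ip, m) for u, ip, m in accepted if failed[ip]]
    return noisy, success_after_failure

if __name__ == "__main__":
    noisy, suspect = findings(SAMPLE_LOG)
    print("busiest sources:", noisy)
    print("successes after failures:", suspect)
```

Point `tally` at a real auth log and run it from cron to get the kind of daily report the post describes; raise `threshold` to match the hundreds-to-thousands counts seen in practice.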

I am well aware of the need for security but understand my computer so little I don't know if I am secure. Tried the ShieldsUp program, which tells me I am VERY secure. That relieves a bit of my paranoia re the internet, but I will continue to turn everything off when I am finished. I will be checking out some of the resources suggested and will pass info on ShieldsUp to friends & family. Thanks.

---

If you're not sure, ask a knowledgeable friend to help. That's the only way to be responsible and not allow your machine to be a zombie for spammers or other criminals. -rc
