Internet Security: Have you Checked Your System Lately?
Last week I was chatting with a friend about online security. Not just dealing with spam, but just basic online security: can your computer be hacked? Is there really anyone interested in hacking your computer? The answer might surprise you.

My friend said there was nothing really to worry about. I said he was naive. As he was sitting here behind me, I pulled up my overnight server security report. I certainly won't say I've got a bulletproof server: it was hacked last year, in fact (that's why I no longer have a forum -- the forum page briefly tells that story). But we've since instituted some fairly tight controls because of the overnight security report I was getting. It tells me who successfully logged in, as well as who tried to log in.

So I pulled up that day's report for my friend showing a random day's worth of access attempts. I pointed out where I had logged in, where my admin had logged in, and then page upon page upon page of failed attempts. Each attempt shows the IP address of the computer trying to access secure areas, as well as how many times it tried to get in.

Your computer has an IP (Internet Protocol) address too; even if you're on dial-up, when you log in to your Internet Service Provider so you can surf or get your mail, part of the process is to get an IP address -- you can't surf without one. (If you're connected full time by cable or DSL, getting an IP address is part of your computer's boot-up routine.)

So here's what I found from my report on Friday: my firewall software blocked 944 different IP addresses trying to crack my server. One of those tried 3,395 times to gain access. Several others tried several hundred times. So was that a freakish day? Maybe the weekend would be a way different story? Not really: there were "only" 880 IP addresses in today's report, covering Sunday. None tried 3,000+ times, but one tried 1,026 times.
On average, on this "slow" day each of those 880 systems tried to crack mine a tad over 12 times -- 10,725 attempts in total. In one day. That's seven-and-a-half attempts per minute. It's all done by software -- software running on improperly secured computers that have been cracked. Maybe the cracking programs try my server more because it is a server, with a nice, big, fat Internet connection? Maybe ...but I doubt it. If they were using "smart" searches to find vulnerable systems, they would have given up on mine, since when they knock on the door they find it's bolted tighter than most. My guess: they're just probing IP addresses one after another after another, trying to find a way in.

So what does this imply for you? As I noted above, like my server, your computer also has an IP address. Does that mean that random probes for vulnerable systems land on the IP address your computer has been assigned, and that these software-based probes looking for unsecured systems might be trying to get into your computer? Yes. That's exactly what that means.

So why do the people behind these probes want to crack computers? First, they want to steal your computer's resources, and the Internet connection you pay for, to send their spam. That's one of the reasons spam is now 80-90 percent of all e-mail -- you can't just find "the senders" and shut them down because spam is now literally coming from hundreds of thousands of computers -- cracked, unsecured computers that were taken over by such probes. And as noted above, that's what happened to me.

Can't such probes be blocked? You bet: my server now blocks them. If you have a firewall, such as what's built in to most routers, you're mostly safe. But what's the weakest part of a computer? Its operator: people may have firewalls, but that doesn't do much good if you get a virus-laden program by e-mail, and run the program wondering what it is -- and it takes over your computer.
That's why you need to run anti-virus software: it helps in case you're foolish enough to run unknown programs.

What other reasons? "DOS" attacks -- denial of service. You're mad at someone and want to take down their web site? If you can line up a few hundred or thousand computers to incessantly ping that server, it will get overloaded and crash, no matter how good its security is. Yes, it happens: a Google search for "dos attack" brings over 2 million hits, which means over 2 million web pages describing what a DOS attack is, or what happened to a site that was attacked.

And of course there's the holy grail: identity theft. If you store your account numbers, passwords and more for your bank or brokerage accounts, they are vulnerable.

These attempts on my server are just a symptom of a fact: there are lots of people out there actively looking for weaknesses to exploit. Your job is to make sure your computer isn't exploitable.

The point is not to panic you. The point is to make sure you are not as naive as my friend. Have you secured your computer? Have you checked that it really is secure? Are you part of the spam problem because your computer has been compromised to send spam? Are you sure? And when is the last time you checked? If it hasn't been anytime recently, check now. Here are some resources I've talked about in the past:
The bottom line: It is naive to think you're safe online just because you can't see the "bad guys". They're there, and they depend on people with poor security to make their jobs easier. You can be a part of their schemes, or you can take action to thwart them. I definitely opened my friend's eyes. I hope I also opened yours.
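The kind of per-address tally the overnight report above produces can be built from the server's own authentication log. The following is an added example, not the script behind the blog's report: it parses OpenSSH-style auth.log lines (constructed here, with made-up user names and addresses from the documentation ranges), lists successful logins, counts failed attempts per source address along with the user names tried, and flags addresses over an assumed threshold as candidates for the kind of blocking the article describes.

```python
"""Tally login attempts per source IP from sshd-style auth log lines.

Added example (not the blog's own report script). The log lines below are
constructed in OpenSSH's auth.log format; host, user names and addresses
are made up. The 20-failure block threshold is an assumption.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample of an overnight auth log. Addresses come from the
# RFC 5737 documentation ranges, so none of them is a real host.
SAMPLE_LOG = """\
Apr 27 00:01:12 web sshd[4102]: Accepted publickey for owner from 198.51.100.7 port 52110 ssh2
Apr 27 00:03:44 web sshd[4110]: Failed password for root from 203.0.113.5 port 41022 ssh2
Apr 27 00:03:46 web sshd[4110]: Failed password for root from 203.0.113.5 port 41023 ssh2
Apr 27 00:03:48 web sshd[4110]: Failed password for invalid user admin from 203.0.113.5 port 41024 ssh2
Apr 27 00:05:01 web sshd[4121]: Failed password for invalid user test from 192.0.2.44 port 60001 ssh2
Apr 27 00:05:02 web sshd[4121]: Failed password for invalid user oracle from 192.0.2.44 port 60002 ssh2
Apr 27 00:07:30 web sshd[4130]: Accepted publickey for admin from 198.51.100.8 port 40111 ssh2
Apr 27 00:09:15 web sshd[4133]: Invalid user guest from 203.0.113.5
Apr 27 00:09:15 web sshd[4133]: Failed password for invalid user guest from 203.0.113.5 port 41030 ssh2
"""

# "invalid user" is optional: sshd omits it when the account exists.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+")


@dataclass
class Report:
    accepted: list = field(default_factory=list)            # (user, ip, method)
    failures: Counter = field(default_factory=Counter)      # ip -> failed attempts
    usernames: defaultdict = field(default_factory=lambda: defaultdict(set))  # ip -> names tried


def parse_log(text: str) -> Report:
    """Classify each line as a success, a failure, or noise to ignore."""
    report = Report()
    for line in text.splitlines():
        if m := ACCEPTED_RE.search(line):
            report.accepted.append((m["user"], m["ip"], m["method"]))
        elif m := FAILED_RE.search(line):
            report.failures[m["ip"]] += 1
            report.usernames[m["ip"]].add(m["user"])
        # The separate "Invalid user X from IP" line that precedes a failure
        # matches neither pattern, so each attempt is counted exactly once.
    return report


def summarize(report: Report, minutes: float = 24 * 60) -> dict:
    """Aggregate the way the article does: addresses, total, per-address, per-minute."""
    total = sum(report.failures.values())
    ips = len(report.failures)
    return {
        "distinct_ips": ips,
        "total_attempts": total,
        "per_ip_avg": round(total / ips, 2) if ips else 0.0,
        "worst_ip": report.failures.most_common(1)[0] if ips else None,
        "per_minute": round(total / minutes, 2),
    }


def block_candidates(report: Report, threshold: int = 20) -> list:
    """Addresses whose failure count reached the (assumed) block threshold."""
    return sorted(ip for ip, n in report.failures.items() if n >= threshold)


def format_report(report: Report, threshold: int = 20) -> str:
    """Render the report in the who-logged-in / who-tried style of the article."""
    lines = ["Successful logins:"]
    for user, ip, method in report.accepted:
        lines.append(f"  {user:<10} from {ip:<15} ({method})")
    lines.append("Failed attempts by source address:")
    for ip, n in report.failures.most_common():
        names = ", ".join(sorted(report.usernames[ip]))
        flag = "  <- block" if n >= threshold else ""
        lines.append(f"  {ip:<15} {n:>5} attempts  users tried: {names}{flag}")
    s = summarize(report)
    lines.append(f"{s['distinct_ips']} addresses, {s['total_attempts']} attempts, "
                 f"{s['per_ip_avg']} per address")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_log(SAMPLE_LOG), threshold=3))
```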
21 Comments on This Entry
All comments in this blog are reviewed prior to being published. Spammers: don't waste your time. The posting criteria are simple: if a comment is worth visitors' time to read, it's approved. If not, it's not.
Posted by Bob, Long Island, NY on April 30, 2007:
You're counting access attempts on various ports, not actual attempts to log onto your server, right? Before I started using a router which is also a hardware firewall, my software firewall logged thousands of access attempts per day as well. I submitted them to a service that analyzed and totaled the records. What I found was that most were not malicious but could be considered "background noise". There were maybe 2% (at that time) which were attempts from infected machines to find other infected machines by accessing one specific port that the infected machines open. Blocking those ports from being opened is the rationale behind outbound firewalls.
While I don't have current figures, my past experience indicates that very few attempts to actually hack into another machine are being made. However there are certainly enough that a "naked" system should never be connected to the Internet.
---
They're not necessarily login attempts, but they are probing for vulnerabilities. My admin says:
"[The access attempts] are random probes of all types, not just login attempts. Random viruses attempting to spread, other crap. The kind of thing that a firewall stops, and the kinds of stuff that Windows users do need to be aware of."
Finding an unsecured login (such as a default password) is just one way to crack a system. It is foolish to think that by (say) changing passwords, you're safe. That is just one of many, many vulnerabilities, but it only takes one unlocked door for your system to be compromised. -rc
Posted by Pat, North Carolina on April 30, 2007:
You may be interested in this article posted by Sophos, regarding how the website of the Miami Dolphins was breached just prior to Superbowl.
The one item that needs adding to your article is that users of Windows must keep up to date with Microsoft patches -- there are holes that are patched each week as they are discovered and used by hackers to get into computers.
Security is getting to be more and more of an issue, but much could be prevented if everyone did the basic maintenance of removing spyware, keeping virus protection up to date, and keeping patches up to date.
---
I couldn't cover it all, but indeed your conclusion is great advice. -rc
Posted by Jarred, Olympia WA on April 30, 2007:
I have to say, the one piece of advice you give may not be necessary: anti-virus software. I haven't used it in years. Why? Because it slowed down my PCs (yes, even my super-powerful state-of-the-art setups), caused periodic glitches, and honestly didn't do much good. It's far more important to have a trained user than to have anti-virus software.
Part of the reason is that such software is reactive: "Hey, there's a new virus that just caused all sorts of trouble. We've addressed it and now you're safe." Except, if you were one of the first hit, you're still screwed.
The reality is that viruses are extremely rare these days. Trojan horses are all over the place, but if you can just get over using Outlook/Outlook Express (I use Thunderbird) and can then control your urge to open every damn attachment, you've foiled about 99% of "virus" attacks.
My other advice: use Firefox or something other than Internet Explorer (something you've mentioned before); update Windows - whatever version - on a weekly basis, or turn on the automatic update feature; and use a hardware router on broadband connections - mine cost a measly $35 and works fine as a basic firewall.
The key is to train yourself (and others) to not be idiots. Unfortunately, the more user-friendly OSes out there aren't helping. For example, Windows by default hides file extensions. Turn that off in Explorer by going to Tools->Folder Options->View->Uncheck hide extensions for known file types. (The process is a bit harder under Windows Vista - go figure. New OS, and now it tries even harder to make sure people don't know what files really are.)
---
I agree with pretty much everything here, including that you don't need antivirus software (note: I lump trojan horse attacks under that label) if you don't have e-mail software that automatically runs attachments for you (some older ones did!), and you're religious about not running attached programs yourself, EVEN IF it apparently comes from someone you know. Because odds are, it really didn't. -rc
Posted by Stefan, Germany on May 1, 2007:
My servers show much less impressive statistics.
Why? Because I completely block IP addresses for a few minutes after they try and fail login. Only very few are fast enough to get a second try before the lockout occurs.
---
It's ridiculous to have to go to such measures, but it sounds pretty smart to me. -rc
Posted by Nathan, Florida on May 1, 2007:
I myself run a small private FTP server for friends and family to use as they need it. When I was setting the server up I had not yet turned on any security for it before I went to bed for the night, planning on finishing the next day. In the morning I had found that not only had the server been accessed already but it had been "tagged", which is where the hacker makes a directory on the drive claiming the hard drive as their own. After trying to clear the directory and the files on it unsuccessfully I ended up having to fully format the drive and start over, as it was faster than spending any more time removing everything that was added.
This slip in security set me back a day in personal time. Had this been a live server with data on it already, the hack could have been much more damaging. Now that I have the server up and running I am consistently seeing IP addresses trying to login to it using a host of names and trying password after password. As the server admin I have the power to block IP addresses, which I do, but so far after 3 years of the server being in service, blocking IP addresses has done nothing to slow down those trying to gain unauthorized access.
---
Indeed it won't, since there are literally hundreds of thousands of systems all over the world that have been turned into robot cracking and spamming machines. If one gets blocked, no worries -- before long they'll have another one to set against you.
The key thing to notice here, by the way, is why that is: Nathan's system was cracked in less than 24 hours after it went online. That's not amazing, it's typical! -rc
Posted by Ken, New York on May 1, 2007:
I consider myself pretty net-savvy. I've been programming computers for over 35 years, and I've been on the 'net since Windows 3.1 was still "shiny". Yet my system's firewall was broken into. (I hate the term "hacked", since I consider myself a "hacker" in the original sense of the word.)
We had recently gotten broadband, and I set up one system on our network to be the router/firewall. Unfortunately, I had set it up in such a way that the Winsock proxy was available from the outside as well as from our LAN. One day, I noticed unusual outgoing SMTP connections on the router's status window. It took me a while to realize just what was happening -- someone "out there" had connected to our Winsock proxy to send spam, and it would appear to the outside world as if it were someone on our LAN sending them. Of course, by then the damage had been done. I don't know how many spams were sent from our router, but our IP did get on at least a few blacklists for it. Fortunately, SpamCop's list (which is what we use) is run by intelligent people, and after explaining what happened, they ran a quick test, saw it was fixed, and removed our IP.
Then there was the time I upgraded the router/firewall from WinMe to Win2000. (The router/firewall software was off at the time, as I was doing the upgrade in order to run the latest software, which no longer supported WinMe.) While downloading the latest service pack, I got a popup telling me I needed to download some security patches. I almost clicked on the link, which of course was really Messenger Popup spam, and would have infected my system. Had I not been downloading the updates at the time (the window of opportunity was only a few minutes, but they found it), I wouldn't have even given it a second thought, and recognized it for what it was immediately.
About 90% of my wife's consulting services lately has been cleaning up the mess people have made of their computers with all of the spyware that's installed on them.
Posted by Adam, Baton Rouge on May 2, 2007:
As someone involved in computer security at work, I can assure anyone that the problem is only getting worse. At the last SANS security conference that I attended they announced that their tests showed unpatched and unprotected computers attached to the internet were compromised in less than 20 minutes. Which, unfortunately, means that you often don't have time to fully patch and protect those systems before they are infected! The solution, of course, is other protection such as a firewall.
Also of note is that, as a general trend, there seem to be a greater variety of infection attempts against home-based PCs, but more robust / complete attempts against servers. So although you may not see 3,000 attempts to infect your home PC from one IP, you very well might see that many different IP attempts! Of course, this is just a very generic/general statement - exceptions ALWAYS apply.
I'm happy to see you passing the word along, Randy!
Posted by Michael, Portland, OR on May 2, 2007:
After reading your comments on security, I visited all of the listed sites and, as I expected, not word one about Macintosh weaknesses, and how to prevent crackers, spyware, etc. from coming in. I knew that, of course, Macs are inherently secure, and have never been taken over, in spite of the challenge they represent.
The $10,000 hacker contest that located a QuickTime vulnerability has already been patched by Apple, even though it was never exploitable in the way a Microsoft victim is exploitable.
Bottom line: If you want to lose your fear of the Internet, trash your Windows box (or at least get it off the Net) and get a Mac. Then keep a copy of ClamXAV around for the day someone finally, actually does come up with a self-propagating virus, which doesn't seem very likely considering how long it's been. Hell, back in the '80s, we had MORE viruses than Microsoft, all of which died with the OSX changeover.
You need only beware of phishing posts, which are, of course, platform-agnostic.
---
I have been around computers long enough to remember when only Macs were virus targets. Should they become a large enough segment of the market, they will be targeted again. -rc
Posted by Eli, Jerusalem on May 3, 2007:
"I have been around computers long enough to remember when only Macs were virus targets. Should they become a large enough segment of the market, they will be targeted again. -rc"
Microsoft claims that it has sold 20 million copies of Windows Vista in the last 4 months and it already has at least 6 known viruses/worms/malware in the wild. Mac OS X has about 22 million installations worldwide and has been on the market for SIX years and has yet to have one virus detected in the wild. The Mac OS is inherently more secure and no increase in market share will change that. It's not impossible, but apparently it's pretty hard (the first hacker to propagate a virus on the Mac will be world famous -- don't you think they're trying all the time to be the first?). Just a thought...
---
My statement stands. -rc
Posted by Ryan from Edmonton, Alberta ~ Canada on May 5, 2007:
I must chime in on the Mac side. There was one successful attempt on the Mac side about 2 years ago. It required users to download and install a "picture", and well, 10 minutes later and no big explosion, it died. The hacking event saw all "elite" hackers fail their intended mission, but one succeeded by a modified set of rules that required the user to accept the hack. Apple had the problem fixed permanently within 3 days.
I am a manager for one of Canada's largest independent Mac dealers with 4 stores in different cities and we didn't see a machine brought in with the first "malware". Heck, I haven't seen a virus problem on my machines without antivirus in 3 years. I used to be an MCSE and work for a small mom and pop Windows shop and even 10 years ago there was at least 1 a week. The stats are staggering against Windows vulnerabilities and we could go on for days about them.
It comes down to one simple fact. People want to have a simple to use machine that they don't have to be experts on security, and have extra software to maintain. Do you buy a car to do an engine rebuild every 6 months? A computer shouldn't need one either! This may at this point sound like a Mac ad, but no, it is a Wake Up Windows ad. Pull your socks up and get security up to date and fix all the holes!
---
I didn't say Windows security didn't suck. It does. That's why people need to pay attention. My essay didn't mention Macs at all, but as you point out it's still necessary to be vigilant. -rc
Posted by Russ, NC on May 5, 2007:
Just to second the statistics and from a home based machine. I don't run a full-time server, but do have one running from time to time for getting data to friends. It always surprises me when I look at the attempt logs and see what is going on. While I don't get 3000 attempts from a single IP, I do see 70-100 different IP addresses every day attempting 20-50 times each. The longer the server is running, the more attempts I see.
Periodically, for fun, I research out where the IP addresses are located, thinking I would find them mainly from China or Russia (as the newspapers claim). While I do get them from those locations, I also get them from all over the US, a few from South America, and a bunch from other European countries.
Luckily I can shutdown my server when no longer needed and the problems go away. I'm glad I don't have to worry about keeping a full-time server secure.
Posted by Kim, Havana, FL on May 5, 2007:
Years ago I dealt with classified information on government computers. The single best method of stopping folks from getting in, is to turn the computer/modem OFF. Unplug it. Pull the com wire out of the wall. If you do not absolutely need to be up and running, turn it off. Even today, I simply disconnect from the Internet if I do not need to be working it.
I also have a back up/slave bootable hard drive on my computer that has a separate on/off power switch I installed on the outside of the computer. When not needed the switch is off, so if I get a virus/worm/hack, they cannot affect this drive. If a problem arises with the master, I shut down, swap the master/slave drives, reboot and I can deal with the problem since the corrupted registry did not boot.
---
It's absolutely true that disconnecting or unplugging will make you safe. Just don't think that when you do get online you're still safe, since the moment you connect the cracking attempts will start. -rc
Posted by michelle, ontario canada on May 5, 2007:
I work telephone tech support for a major computer company that many first time computer users buy due to the low prices. These are the people who need the most help. Yes, most of them are surprised to find that I don't run an anti virus program. I usually tell them that I just wait for the inevitable Windows crash and then reformat, but the truth is that I haven't reformatted in a while. New users feel that if they have a security program or two running they'll be safe. Then they call me to ask me why their operating system is slow and not working properly. I've seen someone call with internet connectivity issues that were caused by them accidentally clicking on the lockdown button on their security program. I don't advocate securing your computer unless you're going to actually educate yourself on what you're doing first, because having that anti virus program makes people think they are invincible while they're not realizing that every night when the automatic updates are supposed to run, their computer is turned off and not getting them.
Posted by Marika, Glendale, CA on May 5, 2007:
Since *none* of the links you provide have anything to do with using a Mac I must (ahem) still (but for how long?) be safe using OS X... I do, however, sporadically run ClamXav (a free antivirus program) and MacScan because I have to connect to Windows computers.
---
Look more closely at the links: the Steve Gibson one is great for your system.
I'm not sure what all the Windows vs. Mac comments are about here. My server is definitely Unix, not Windows. This isn't about Windows, it's about systems trying to break in no matter what you run. Windows is simply more vulnerable since most systems are running that OS. -rc
Posted by Sandy in Australia on May 6, 2007:
I, too, thought I had all the security talked about in the article. I have my own newsletter so I have to be extremely careful, if not for my own safety then for the safety of my subscribers. Last week I lost ALL my bookmarks. No problem - I back them up twice a day to, not just my hard drive, but to a cd. Problems arose when I went to put the backed up copy back onto my computer. SOMEhow, both my copies were from 2004 despite my backing up twice every single day and having the current updates to all my security programs.
I have since started another newsletter for which I had added hundreds of bookmarks to use down the track in that newsletter. I started that at the end of 2005 so all of those were and are now lost to me. I had, also, spent days at a couple of hours a day, going through all my bookmarks, clearing out dead links and replacing and updating links that had moved - all lost. I am in the process of redoing the updates of the links but all those new bookmarks added since 2004 are all lost. Thankfully, that was ALL I lost - this time. You just cannot be too careful - I am and STILL got caught.
Posted by Murray, Iowa on May 7, 2007:
I am running a firewall at home and I was so annoyed by all the "attempt to get in" notifications I turned them off. I'm on a dial up line and the phone line is old so I get a 24K connection at best, even though I have a 56K modem, and often times in the short time between the time I dial in and the time I start my e-mail program I'd get a notice that the firewall had already blocked some sort of break-in attempt. So much for the idea of a slow line deterring them. Either a software or hardware firewall is required and, as Randy says, so is anti virus software.
Posted by Carol Corrao - Ann Arbor, Michigan, USA on May 7, 2007:
I may be a little slow on the uptake, but, exactly what is the purpose of SPAM, anyway? I get a few e-mails a day from the UK Lotto, telling me I've won, and a few more from various dying wives of dead diplomats in Africa who want me to take their money and invest in some Christian charity. It's become part of my routine to read these out loud to my coworkers every morning (and I won't even go into the penis enlargement ads I keep getting!) But do people actually take this crap seriously??
---
Believe it or not, yes. Most people roll their eyes over them, but enough bite on the scam to make it profitable. I've even run a couple of such stories in True. -rc
Posted by Hugh K. - Kallen Web Design - S.W. Michigan on May 12, 2007:
For individuals, there is no reason to not be running a current antivirus, particularly with free ones like AVG.
Also I strongly recommend a "router" hooked up between your fast internet modem (cable or dsl) and your computer. The Linksys WRT54G model is very functional, totally easy to set up, and just plain works. Amazon sells it for about $50 shipped free, and usually officemax, office depot, staples, best buy or circuit city will have it on sale for that price as well. Not perfect protection, but does a ton of good with a minimum of hassle.
Posted by Mike from Dallas on May 13, 2007:
I agree with both of Hugh's recommendations.
I also add that a hardware firewall is not complete. Hardware firewalls prevent break-INs to your computer. They don't keep your computer from giving away secrets in the OUTbound direction. If (and it's a very likely 'if') your computer has ever been compromised by a worm or spyware, you may have an open door that your hardware firewall 'thinks' is okay.
For Windows computers, both XP and Vista have a software firewall, but how much can you trust it when you see XP continuously updating newly discovered security flaws? Still, it's free and better than nothing. Use it.
And then there's spyware (malware). If you surf, you WILL hit a site that tries to install spyware and you won't know it. Ask 5 people about the best anti-spyware program and you'll get 10 answers, many of them contradictory. All I can say is use the free ones, even 2 or 3 of them as each works a little differently. Those that cost haven't proven themselves to be any better.
Posted by David in Phoenix on May 14, 2007:
Three comments.
First, I'd like to also second the earlier suggestion to use a router hooked to your DSL or Cable modem. That DOES keep people from getting INTO your systems, unless you open up a DMZ port to host a Dynamic DNS channel -- most folks don't.
Second, I think that anti-virus companies and vendors who load AV software onto modern computers should be sued for fraud. Originally, viruses were little snippets of code that hooked into your system's interrupt vectors and did nasty stuff with your hard drive. They are virtually non-existent today, and have been for several years. Rather, most threats today come from Trojans that are embedded in emails (esp. attachments) that target widely-known vulnerabilities in Outlook Express, which Microsoft actually prevents you from deleting completely from Windows. Estimates show that up to 80% of all Windows users WORLDWIDE use Outlook Express as their email client. And the vast majority of them NEVER CHANGE THEIR DEFAULT SETTINGS. It's no wonder that people target it.
Finally, I've had a little server on a co-lo with a hosting place for 4 years now. When we put it in, it was getting hammered with pings from Windows-based hosts sitting on the same sub-net constantly searching for NETBIOS ports and other crap that unsecured Windows boxes do (especially those not cleared of CODE-RED viruses). We installed a small firewall and that cut down on 98% of this "noise" traffic.
I added a small script into my server that runs every few hours and tallies up the number of attempts to login to the system from specific IPs. On a typical day, it gets a half-dozen attempts, and sometimes 1000-3000 tries by individual IPs. Analysis of the logs indicates a pattern; these are obviously being run by "script kiddies", just running scripts that cycle through a long litany of known exploits. And the lists keep growing.
The IPs originate all over the world. However, the largest number seem to originate in northern Europe, like Norway. Maybe they're using proxy servers; I can't tell. It's annoying, but I regard it like the weather -- some days are clear (few attempts), some cloudy (more light attempts), and some are quite stormy (multiple attempts with thousands of tries each). It's just life on the internet!
Posted by Clara, Portland, OR on May 19, 2007:
I am well aware of the need for security but understand my computer so little I don't know if I am secure. Tried the ShieldsUp program, which tells me I am VERY secure. That relieves a bit of my paranoia re the internet, but I will continue to turn everything off when I am finished. I will be checking out some of the resources suggested and will pass info of ShieldsUp on to friends & family. Thanks.
---
If you're not sure, ask a knowledgeable friend to help. That's the only way to be responsible and not allow your machine to be a zombie for spammers or other criminals. -rc