ITS 4050 - Internet and Web Security


Chapter 4, Mitigating Risk When Connecting to the Internet

This lesson presents some material from chapter 4. Objectives important to this lesson:

  1. Threats from the Internet
  2. Web site hosting
  3. Protecting the connection from LAN to WAN
  4. Best practices
Concepts:
Chapter 4

On page 77, the chapter begins a long section about risks associated with connecting to the Internet. The text makes a good point that even a computer that has no particular secrets on it can become a zombie workstation, controlled by an attacker who simply needs an army of connected devices. The text presents a discussion about malware through page 82. Browse through this material to see if any of it is new to you. It should not be new by the time you are in this course.

Page 82 begins a section about personal attacks. It begins with a list of features that might be indicators that a web site is reputable. Unfortunately, all six features could be copied from another site, or could be created from scratch to look professional. They are no longer a guarantee that the site is legitimate, not even the SSL padlock icon.

Page 83 begins a discussion of more personal attacks:

  • Harassment and cyberstalking - The text lists several examples of harassment, including spam, IM spam, impersonation of friends to gain information, creation of hate sites and groups, and placing fake sex ads. The text recommends that you start by sharing personal information only with known, authenticated contacts, blocking communication from harassers, blocking messages from harassers, and reporting harassment to police.
  • Identity theft - The text mentions several of the ways a thief can obtain personal information to steal an identity: dumpster diving, phishing, searching discarded or stolen data storage, and spyware. The text cautions us not to do business with vendors who don't take care to protect our data, but most consumers will pay no attention to that advice. The other actions by the thief might be countered by destruction of data devices that are no long used, shredding documents or burning them instead of discarding them, and not trusting doubtful software we install or email that asks for our data.

The section about email is more about email system features than about the things we should do to protect ourselves. It mentions blocking identified junk mail sources, and the rest of the page doesn't matter much.

Moving to page 85, there is some hope for better advice. The text lists five vulnerability categories, and some basic actions to take:

  • End-user vulnerabilities - Talk to your users, or better yet, train them to be users who avoid scams and negligence that put the network at risk.
  • Security vulnerabilities - Make sure that defenses are actually defending the network. Configure the firewalls to filter out traffic that has no reason to pass into or out of our network.
  • Port vulnerabilities - The text points out that there are 65,535 possible ports on each computer. Each is a possible door into that computer. Closing all ports that are not expected to be used makes sense, and setting a firewall to enforce that decision makes more sense. Note, from the advice in the previous bullet point, that firewalls do not protect in this way until they are configured to do so.
  • Software vulnerabilities - Most major software applications are regularly patched and updated. This is something we have come to expect and accept. Large applications, and operating systems, contain too much code to be certain there are no security holes. It is a good thing that good people are always looking for holes that need to be patched. You should check for available patches regularly, especially for software from publishers who do not notify you about updates.
  • Malware vulnerabilities - Let's take this to mean both malware and viruses, and make it a point to run and update protective programs against both of them.

On the bottom of page 86, the text begins a list of attacks that various kinds of attackers might stage. Several will be familiar to you.

  • Password attack - This presumes that the attacker has at least a guess about user IDs. Often, the login ID for staff is identical to their email ID, minus the email domain, so once you know one you may be able to guess many more.
  • Cyberstalking - As noted above, this is an attack against an individual, not against a network. To the person being attacked, the difference is not important.
  • Social engineering - The short form is that the attacker solicits help from the victim, either through pity or intimidation. The "help" can be access to any kind of resource.
  • Eavesdropping - This would include the classic conversational eavesdropping, as well as the interception of network signals, whether wired or wireless. The text proposes encrypting all network traffic to combat this.
  • Backdoor attack - Attacking through an intentionally created point of access known to developers, troubleshooters, or perpetrators who executed a program to provide such access.
  • Man-in-the-middle attack - Like eavesdropping, but it involves interception of both sides in a session, and possibly changing the data that is being sent/received.
  • Spoofing - Impersonation of a recognized ID or address to gain unauthorized access or to pass along a file that will become part of an exploit.
  • Dictionary attack - The attacker attempts to log in to a network or device, using one potential password after another from a file of words found in a dictionary. The text says that this can be confounded by using passwords that include numbers, but it is not uncommon for an attacker to use a file that replaces letters with numbers (e.g. 0 for o, 1 for i) as people often do.
  • Brute-force attack - The attacker uses a program that guesses passwords based on an algorithm that tries every possible combination of characters that could be in a password.

If you are not worried about password cracking, I suggest we spend twenty minutes with Dr. Michael Pound who will demonstrate what he can do with some captured password hashes.


The text also mentions four variations on Denial of Service attacks:

  • Ping flood - The idea here is to send a ping request to the broadcast address of the network a target machine is on. This can be a problem if there are a large number of devices on the target network (and they all respond). This is a reasonable argument to segment your network in a way that your important devices are on small subnets. Another approach would be to configure devices to refuse response to broadcasts. Of course, a better equipped attacker would set an army of zombies pinging the actual target device.
  • Fraggle - This is another attack that sends packets to a network's broadcast address, this time UDP packets (pings are ICMP packets).A false address is used in the attacker's packets. This reference tells us that most routers should be immune to this attack, and will not forward them.
  • Smurf - The same thing as a Fraggle attack, except that it uses ICMP packets. The reference I provided in the line above indicates that this is an obsolete attack for the same reason.
  • Distributed Denial of Service - This is a generic term that includes any kind of attack that is staged through multiple computers under the control of the attacker. The text says the army would number in the hundreds or thousands, but I am not aware that an actual number is required to qualify.

The text moves on to discuss web site hosting. It reviews some common features that are provided by most commercial and free hosting services, but pays more attention to features that relate to e-commerce sites:

  • disk space - How much space is included in your plan, and how much do you need?
  • bandwidth - How much traffic will you have on your site, including page reads, uploads, and transactions?
  • flexibility - Can you do what you want on the site, or are you prevented from some activity you want as part of your business?
  • pricing - Can you afford the hosting service you are considering, or the one you already have?
  • uptime guarantees - Is the hosting service up to providing access by your customers when they want it?
  • backups - Things happen, don't they? Does the hosting service keep backups of their clients' data? How often are they made? Can we access copies of our own data?
  • security - The text tells us we must know what security is used by the hosting provider. Sharing details with clients may not be the best idea. What if the next attack comes from a disgruntled client?
  • expectation of new services - Does the provider regularly upgrade services provided? Will upgrades become available for a price, once they are possible on the site?
  • support - What support is possible for frequent problems? How about for rare problems? Is there an administrator or a web master to consult?

Web hosting does not have to be done by a service company, if you have the desire and knowledge to handle all the points above, as well as to provide your own equipment and link to the Internet. The text points out that a small company may not be able to dedicate resources to this option. The text refers to this choice as internal hosting, and the choice to use a hosting company as external hosting.

Setting up a presence on the Internet also requires that there be a URL for a customer to use, which means that you must have space in someone's Internet domain, or you must register a domain name of your own. This is the method most people on the Internet choose, perhaps because it makes them look like they are independent of anyone else. The text discusses doing a Whois search for the domain name you want to register. This is not the only way. You can run a search like that through the interface of most domain registrars, as well.

The text discusses DNS service, how name resolution is passed up and down the branches of the DNS tree (see page 95), and four ways DNS can be attacked on page 96.

  • DoS attacks - Flooding a particular DNS server with requests can prevent it from responding to real requests. This does not seem like big deal at first, but this link takes you to an article about DNS defense that starts with a story about a botnet attack against a DNS service that affected many of its clients.
  • Footprinting - This is tracking down network information about a person or a website. This article discusses the concept more fully, and leads you to tools that you can use to determine what information is available about your sites.
  • Address spoofing - Address spoofing is impersonation, temporarily transmitting and receiving with an IP address that belongs to another device. This is more related to breaking through firewalls than it is to DNS attacks.
  • Redirection - This attack is discussed in the article in the link under DoS attacks. It sends false DNS resolutions to requesters, sending them to web sites that are not the ones they wanted. This can be part of a larger scam, or it may be done to boot hits on a web page.

The text introduces the seven-domains-of-a-network model on page 97. The best thing about the discussion is that the author spends less than a page on it. The author uses the model to explain that our defense of our network regarding the Internet takes place at the point where our network connects to a Wide Area Network, typically our connection to our Internet Service Provider.

The material that follows, through the end of the chapter is just basic advice about running and protecting a network. The summary on page 107 hits the basic ideas, but it is written at a level for end users. Review it

 

Assignments

  1. Continue the reading assignments for the course.
  2. Download the new lab handouts as they become available.
  3. Complete the lab assignments and class discussion in this module.