INTERNET SECURITY FOR INVESTIGATORS
Investigation firm and Investigation department security needs and practices evolve as technology evolves.
Until recently, few Investigation firms and Investigation departments needed to worry about desktop and notebook computer security beyond protection against viruses and E-mail interception. Networks were “local” and Internet access from the desktop was either protected by enterprise firewalls in the larger Investigation firms and corporate Investigation departments or used relatively safe “dial-up” connections. Internet hackers, by and large, focused on large enterprises and Internet servers, ignoring desktop and notebook computers connected to the Internet.
In the last year, the picture has changed. Desktop and notebook computers connected to the Internet are at risk.
The new danger arises from a combination of several factors – first, the availability of high-speed “always on” Internet connections means that desktop and notebook computers are exposed to risk for longer periods of time; second, an increasing number of computers are linked to local networks at work and at home, and networked configurations open additional windows for hackers to exploit; and third, a variety of new and sophisticated tools allow hackers to explore large numbers of computers for security weaknesses in a short period of time.
The bottom line is that hackers are targeting desktop and notebook computers (and the local networks to which they are connected) in increasing numbers, sometimes with disastrous results. Internet security for investigators, Investigation firms and Investigation departments, long a matter of protecting against Internet-borne viruses and protecting confidential E-mail by encryption, has entered a new arena – protecting desktop and notebook computers from hackers. That’s the bad news. The good news is that relatively simple solutions can dramatically reduce the risk.
This white paper discusses risk and solutions from two perspectives – the security needs of a small Investigation firm and the security needs of an investigator from any size Investigation firm or Investigation department who works on the Internet from home or on the road. We present two key strategies to reduce the risk, plus common sense ways to better manage computer security.
HIGH-SPEED CONNECTIONS – A NEW VULNERABILITY
Larger Investigation firms and most Investigation departments within larger corporate enterprises have been protected from hackers by sophisticated “firewalls” for many years. Until recently, Internet security – outside of virus protection and E-mail security – was not much of a concern for small Investigation firms or investigators working from home or on the road because “dial-up modem” connections were relatively secure from “hacking”.
Dial-up connections are relatively “safe” when compared to high-speed, “always on” connections for two reasons. Dial-up connections are hard to hack because dial-up Internet sessions are typically short. In addition, most dial-up connections use “dynamic IP addressing”, which randomly assigns a new Internet address to a computer each time the user signs on to the Internet, frustrating hackers who use “robots” to identify Internet addresses worth exploring and then return to those Internet addresses at a later time to “hack”. But while connected to the Internet, dial-up computers are as vulnerable as any other – “security” lies primarily in the simple fact that less time online means less exposure to hacking.
The ready availability of high-speed Internet connections for small Investigation firms and home users has dramatically changed this picture. Cable modems, ISDN and ADSL lines, and in-building fiber optic networks are “always on” – connected to the Internet 24x7 – and high-speed connections typically use fixed Internet addresses for each computer, ensuring that the computer will be at that address when the hacker returns.
WHY INVESTIGATION FIRM COMPUTERS ARE TARGETS
Hackers are opportunists, looking for valuable information that is easy to get. Desktop and notebook computers are relatively easy to hack because they are not typically well protected against hacking, and Investigation firm computers typically contain files that fit hacker “profiles” – files with “CONFIDENTIAL” headers, client social security numbers and tax identification numbers, tax data and so on. Most of this information is not encrypted.
The combination of opportunity and valuable information is obvious – Investigation firm desktop and notebook computers are more likely to be identified as targets worth investigating than home computers or general business computers. In a word, the nature of the information contained on Investigation firm computers “lights up the radar” on hackers’ automated scanners.
HOW A HACKER HACKS
Hackers use “robots” and “spiders” – automated programs designed to scan the Internet looking for vulnerable computers and to break into them – to locate computers with security holes.
When a computer with a security hole is found, the hackers use that vulnerability to attack the computer, using robots to scan data files looking for sensitive information, such as documents labeled “confidential”, password lists, social security, address information, tax and financial data, and so on. When a hacker gains access to a computer, the hacker typically also gains access to the server and the other computers attached to the same local network. When files that appear to contain sensitive data are found, the hackers download the files for a closer look. The process is often completely automated, with one robot handling the scanning process, and then handing off vulnerable computers to another robot for examination and downloading.
SIDEBAR: WHAT IS A SECURITY HOLE?
When a computer accesses the Internet, the computer uses TCP/IP, a networking language. TCP/IP opens “ports” to the Internet. A “port” is like a pipe or connection to the Internet where communications are directed. For example, when you retrieve information from a web site, that information usually enters your computer through Port 80.
Common ports open to the Internet from a desktop or notebook computer are:
Ports are typically bilateral, both sending and receiving information between the desktop or notebook computer and the remote computer (e.g. the web server) with which it is connected through one of the ports.
Every open port provides a way for a hacker to communicate with a computer that is online. When a hacker finds an open port, the hacker can attempt to connect to the computer using Telnet or other specialized tools. If the hacker can connect to the computer, then the hacker may be able to retrieve files from the computer, send files (including viruses and “Trojan horses”) to the computer or watch Internet communications to and from the computer.
A popular way of automating the hacking process is to send a “Trojan Horse” to a hacked computer. A “Trojan Horse” is a program that operates in the background to permit access to a computer any time that the computer is online. A common Trojan Horse is Back Orifice, originally designed as a maintenance and administration tool for corporate networks, but quickly adopted by hackers for use on the Internet.
Automated hacking has increased the scope of hacker activity geometrically in recent years. A wide variety of automated web scanners is available. Many are capable of scanning 20,000 or more computers per minute under optimum conditions, and can be configured to search for specific vulnerabilities and trigger search and download routines based on defined criteria.
Almost all Internet security experts now believe that sophisticated, automated web scanning has reached a point where virtually every computer connected to the Internet is likely to be scanned for security vulnerability with relative frequency.
WHEN NOTEBOOK AND DESKTOP COMPUTERS ARE VULNERABLE
Before automated scanners became commonplace, few hackers targeted desktop or notebook computers. Because relatively few computers could be hacked, hackers typically targeted academic, corporate and military servers. With the advent of automated scanners, hackers obtained the ability to scan millions of desktop and notebook computers efficiently, and hackers began to search for vulnerabilities in desktop and notebook computers.
Most academic, corporate and military servers use operating systems that are designed to protect sensitive information from outside intrusion, and are additionally protected by sophisticated monitoring software and firewalls. Used properly, monitors and firewalls protect against and keep watch for the automated scanners used by hackers.
Not so with desktop and notebook computers, because the Microsoft Windows 95/98 and Windows NT Workstation default network configurations were optimized for ease of use and sharing information among computers on local networks. As a result, security protections are relatively weak unless special precautions are taken to protect the computers from intrusion.
Desktop and notebook vulnerability arises, for the most part, from: (1) insecure Microsoft networking configurations that enable the computer to operate on both the Internet and a local network without building a “wall” between the two, and (2) applications that open “doors” into the computer independent of network configuration – applications like personal web servers, Internet Relay Chat, Telnet, web browsers, file transfer protocols, electronic mail, remote access and so on.
Far and away, insecure network configuration presents the greatest risk because network configuration errors are so common that hackers typically set automated scanners to probe that single vulnerability efficiently. Scanning for “doors” opened by applications is less common, although security holes in Microsoft Web Server and Microsoft Outlook are targeted with enough frequency to be a realistic concern. Other “doors” are less common and harder to open, and are targeted less frequently.
The vulnerability is greatest when two conditions are met:
(1) the desktop or notebook computer is configured to connect to both the Internet and a local network using “Client for Microsoft Networks”; and
(2) file and printer sharing is enabled.
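The sidebar above describes open ports as the “doors” a scanner looks for, and the two conditions just listed (Microsoft networking plus file and printer sharing) open the NetBIOS doors in particular. An investigator can see which doors are open on a given computer by running `netstat -an` at a command prompt. The script below, an added example that is not part of this white paper, parses that listing and reports the listening ports that match the services the paper discusses. The `netstat` text embedded in it is constructed to resemble the Windows output, and the table of “risky” ports is this example’s own assumption.

```python
"""Audit which ports a Windows computer is listening on, from `netstat -an` text.

Added example, not part of the white paper. The netstat listing below is
constructed to look like the output Windows prints, and the set of ports
treated as risky is this example's own assumption.
"""
import re

# Well-known ports that correspond to the "doors" the paper describes:
# file and printer sharing (NetBIOS), Telnet, FTP and a personal web server.
RISKY_PORTS = {
    21: "FTP",
    23: "Telnet",
    80: "HTTP (personal web server)",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service (file and printer sharing)",
}

# Constructed sample, modelled on the columns `netstat -an` prints on Windows.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      192.168.1.1:139        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_text):
    """Return (proto, local_ip, port) for every socket that accepts inbound traffic.

    TCP sockets count only when in LISTENING state; UDP sockets have no state
    and are always reachable, so every UDP line counts.
    """
    listeners = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, local_ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append((proto, local_ip, int(port)))
    return listeners


def exposed_services(netstat_text):
    """Return risky listeners reachable from outside the computer.

    A socket bound to 127.0.0.1 is reachable only from the computer itself;
    one bound to 0.0.0.0 (all adapters) or to an Internet-facing address is an
    open door to anyone who can reach the machine.
    """
    findings = []
    for proto, local_ip, port in parse_listeners(netstat_text):
        if local_ip.startswith("127."):
            continue  # loopback only, not reachable from the network
        if port in RISKY_PORTS:
            findings.append((proto, port, RISKY_PORTS[port]))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, service in exposed_services(SAMPLE_NETSTAT):
        print(f"{proto} port {port} is open to the network: {service}")
```

On the constructed listing the report names TCP 80 and 139 and UDP 137 and 138, the file sharing ports and the personal web server; the socket on 127.0.0.1 is ignored because nothing outside the computer can reach it.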
HOW MICROSOFT NETWORKING CREATES VULNERABILITY
Desktop and notebook computers using Windows 95/98 and Windows NT Workstation “default” to an “open” network configuration.
The reasons for the “open” network configuration are sound – Windows 95/98 and Windows NT Workstation default configurations were designed for ease of use and easy local networking for smaller businesses and SOHO/home users – configured to reduce the need for technical knowledge when installing and maintaining the computers and the networks to which the computers were connected – rather than for tight security. However sound the idea behind the “open” configuration, Windows 95/98 and Windows NT Workstation default networking configurations create an Internet security risk that is now becoming a problem for an increasing number of investigators, Investigation firms and Investigation departments.
The following is a short – and, we hope, clear – technical explanation of the problems created by the “open” default configuration: We offer the technical background because it is necessary to understand the background in order to understand the solutions.
Windows networking organizes networking components in three “layers”, illustrated by the following diagram:
The key to understanding both the problem and the potential solutions created by Microsoft networking is to understand the “Transport Protocol Layer”. A transport protocol is a computer language used by computers on a network to communicate with one another. All of the computers on a network must use the same transport protocol if the network is to function. Microsoft networking offers three alternative transport protocols – “TCP/IP”, developed for UNIX local networks and the Internet, “NetBEUI”, developed by IBM and Microsoft for local networks, and “IPX/SPX”, developed by Novell for local networks.
Internet connections use “TCP/IP” as the “Transport Protocol Layer” and require that TCP/IP be “bound” to (techno-speak for tied together with) dial-up, cable, DSL and other hardware adapters linking the computer to the outside world, as follows:
Local networks use ONE of the protocols in the “Transport Protocol Layer” and “bind” that protocol to “Client for Microsoft Networks” (and, if the computer is set up to share files over the local network, to “Microsoft File and Printer Sharing”) in the “Network Services Layer” as well as to the “Local Network Interface” in the “Hardware Adapter Layer”, as follows (using NetBEUI as the selected transport protocol):
Take a look at the two diagrams together. Note that (1) neither the “Network Services Layer” nor the “Local Network Interface” is needed for normal Internet connections; and (2) neither the “Dial-up Adapter” nor the “Cable/DSL Interface” in the “Hardware Adapter Layer” is needed for local networking operations. It is possible to configure Windows 95/98 and Windows NT Workstation to entirely separate local network and Internet connections.
The default settings in Windows 95/98 and Windows NT Workstation, however, “bind” all active network services, protocols and adapters on one layer together with all active components on the next layer up or down, as follows (building on the diagrams shown above):
Windows networking default settings “bind” all active components on each layer to all active components on the adjacent layers. The default settings bind the active “Network Services Layer” components to the Internet’s TCP/IP “Transport Protocol Layer”, opening the individual desktop and notebook computers connected to the Internet (and by extension, every other desktop and notebook computer on the local network with that computer) to hacking from the Internet.
A desktop or notebook computer configured in “bind everything” mode is vulnerable whenever it is connected to the Internet, even when not attached to a local network. An investigator who takes a notebook computer home from the office and logs on to the Internet, for example, to check personal E-mail is vulnerable if the notebook is not properly configured. Because the vulnerability is in the desktop or notebook computer itself, Investigation firms and Investigation departments cannot depend solely on network firewalls at work for protection – any computer that connects to the Internet when outside the network is “open” to hacking.
MICROSOFT NETWORKING AND NOVELL NETWORKS
The binding problems discussed in this White Paper apply when “Client for Microsoft Networks” is enabled. Setting up Novell networks using Windows 95/98 and Windows NT Workstation configuration defaults for the “Novell Netware Client” usually presents no binding problems.
The reason is that Windows 95/98 and Windows NT Workstation defaults do not typically bind the TCP/IP transport layer to the “Novell NetWare Client” Network Services Layer – instead, Windows 95/98 and Windows NT Workstation typically bind the “Novell NetWare Client” layer only to the “Novell IPX ODI” Transport Protocol Layer, and the Novell IPX ODI protocol only to the Local Network Interface. The TCP/IP protocol, on the other hand, is typically bound only to dial-up adapters and Cable/DSL interfaces.
MICROSOFT NETWORKING AND UNIX NETWORKS
UNIX presents a special case because whenever TCP/IP (the UNIX protocol) is used as the transport protocol for the local network, components of the “Network Services Layer” must be bound to Internet connection components of the “Hardware Adapter Layer”, as shown by the following diagram:
SAFEGUARDING DESKTOP AND NOTEBOOK COMPUTERS
The key to safeguarding desktop and notebook computers using Microsoft networking under Windows 95/98 or Windows NT Workstation is to (1) configure Windows to “unbind” the components needed for the local network from the components needed for Internet access, if feasible, and (2) if that is not possible, use a “personal firewall” on the desktop or notebook computer.
The following is a summary of the two keys to reducing risk:
Key #1: Configure Windows to Reduce Risk
The first alternative – if feasible – is to reconfigure Windows 95/98 and Windows NT Workstation desktop and notebook computers to separate local network components from Internet connection components. While this is not always possible, we believe that it is the simplest and most effective way to achieve a reasonable level of security.
The core idea is to use TCP/IP for Internet connections, on the one hand, and either NetBEUI or IPX/SPX for local network connections, on the other, and to keep the two functions separate.
The following diagram illustrates the concept (combining the two diagrams used above):
The notebook or desktop computer is configured to use TCP/IP for Internet connection and NetBEUI for the local network. Microsoft’s default bindings between the TCP/IP and services and adapters needed to operate the local network have been removed from the default configuration, as have Microsoft’s default bindings between the NetBEUI protocol and the adapters used for Internet connection.
In this configuration, the desktop or notebook computer is connected to two networks (the local network and the Internet) in different ways (TCP/IP for the Internet and NetBEUI for the local network), with no connection at all between the two networks. The diagram illustrates use of NetBEUI for the local network, but IPX/SPX could be used as well.
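The “bind everything” problem and the Key #1 fix can be checked mechanically: a local network service is exposed to the Internet exactly when some transport protocol is bound both to an Internet adapter and to that service. The script below is an added example, not part of this white paper, that models the three layers of the paper’s diagram as binding pairs and applies that test to the default configuration, to the separated configuration described above, and to the TCP/IP-only local network case from the UNIX section, where separation is not possible. The component names follow the diagrams; the binding sets are constructed from the paper’s description.

```python
"""Test whether Windows network bindings expose local network services to the
Internet, by modelling the three layers of the paper's diagram as binding pairs.

Added example, not part of the white paper. Component names follow the
paper's diagrams; the three binding sets are constructed to match its
description of the default, the separated, and the TCP/IP-only configurations.
"""

# Hardware Adapter Layer components that face the outside world.
INTERNET_ADAPTERS = {"Dial-up Adapter", "Cable/DSL Interface"}
# Transport Protocol Layer.
PROTOCOLS = {"TCP/IP", "NetBEUI", "IPX/SPX"}
# Network Services Layer components that should only ever face the local network.
LOCAL_SERVICES = {"Client for Microsoft Networks", "File and Printer Sharing"}

# Default "bind everything" configuration: every active component is bound to
# every active component on the adjacent layer.
DEFAULT_BINDINGS = {
    ("Dial-up Adapter", "TCP/IP"), ("Cable/DSL Interface", "TCP/IP"),
    ("Local Network Interface", "TCP/IP"),
    ("Dial-up Adapter", "NetBEUI"), ("Cable/DSL Interface", "NetBEUI"),
    ("Local Network Interface", "NetBEUI"),
    ("TCP/IP", "Client for Microsoft Networks"), ("TCP/IP", "File and Printer Sharing"),
    ("NetBEUI", "Client for Microsoft Networks"), ("NetBEUI", "File and Printer Sharing"),
}

# Key #1 configuration: TCP/IP bound only to the Internet adapters, NetBEUI
# bound only to the local interface and the local network services.
SEPARATED_BINDINGS = {
    ("Dial-up Adapter", "TCP/IP"), ("Cable/DSL Interface", "TCP/IP"),
    ("Local Network Interface", "NetBEUI"),
    ("NetBEUI", "Client for Microsoft Networks"), ("NetBEUI", "File and Printer Sharing"),
}

# Local network that itself runs on TCP/IP (the UNIX case): the same protocol
# must serve both the Internet adapters and the local services.
TCPIP_LAN_BINDINGS = {
    ("Dial-up Adapter", "TCP/IP"), ("Cable/DSL Interface", "TCP/IP"),
    ("Local Network Interface", "TCP/IP"),
    ("TCP/IP", "Client for Microsoft Networks"), ("TCP/IP", "File and Printer Sharing"),
}


def neighbours(bindings):
    """Map each component to the set of components it is bound to (bindings are symmetric)."""
    bound_to = {}
    for a, b in bindings:
        bound_to.setdefault(a, set()).add(b)
        bound_to.setdefault(b, set()).add(a)
    return bound_to


def exposed_bindings(bindings):
    """Return {(protocol, service)} pairs where one transport protocol is bound
    both to an Internet adapter and to a local network service.

    Each such pair is a path from the Internet into the service: the
    vulnerability the paper describes.
    """
    bound_to = neighbours(bindings)
    exposed = set()
    for protocol in PROTOCOLS:
        peers = bound_to.get(protocol, set())
        if peers & INTERNET_ADAPTERS:
            for service in peers & LOCAL_SERVICES:
                exposed.add((protocol, service))
    return exposed


def binding_report(bindings):
    """One-line verdict for a configuration."""
    exposed = exposed_bindings(bindings)
    if not exposed:
        return "local network services are not reachable from the Internet adapters"
    return "exposed to the Internet: " + ", ".join(
        f"{service} via {protocol}" for protocol, service in sorted(exposed))


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT_BINDINGS),
                      ("separated", SEPARATED_BINDINGS),
                      ("TCP/IP-only LAN", TCPIP_LAN_BINDINGS)]:
        print(f"{name:16} {binding_report(cfg)}")
```

The separated configuration reports nothing exposed, while the TCP/IP-only local network still exposes both services through TCP/IP no matter how the other bindings are arranged, which is why the paper turns to personal firewalls for that case.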
The methods by which this can be accomplished will vary from Investigation firm to Investigation firm, depending on the network operating system used by the Investigation firm and many other factors. At the end of this white paper, we will point you to a number of web sites that discuss the methods in depth, but we caution individual investigators that network reconfiguration falls under the category of “Don’t do this at home!” Unilaterally unbinding the layers on a desktop or notebook computer without taking the firm’s network configuration as a whole into consideration will most likely result in disaster – knocking you off your firm’s network.
Key #2: Use a “Personal Firewall” to Reduce Risk
Separating the two networks is feasible only when the local network can be configured to use NetBEUI or IPX/SPX as the local network transport protocol.
In some cases, NetBEUI or IPX/SPX is not a workable alternative, because TCP/IP is or must be used as the transport protocol. Among the common situations where separating Internet connections from the local network is not feasible are:
In addition, certain applications “open” the computer to access from the Internet, regardless of the transport protocol used for the local network, rendering Internet/local network separation inadequate to protect a notebook or desktop computer. Among the applications that can “open” a desktop or notebook computer are “personal web servers” such as the Microsoft Personal Web Server installed with MS Front Page 2000, and remote access programs such as PC Anywhere, LapLink and Wingate.
In all of these cases, one or more “firewalls” will be needed to protect notebook and desktop computers.
A “firewall” is hardware or software that inspects data flowing to or from an individual computer or a local network to determine whether the data should be blocked or allowed to pass.
SIDEBAR: HOW DO FIREWALLS WORK?
All network communication (including Internet communication) is accomplished by exchanging “packets” of data between two computers connected on the network.
Packets are small snippets of data that flow between the two computers. Each packet contains the address of the sending computer and the address of the computer to which the packet is being sent, the port number used by the sending computer and the port number to which the packet is being sent, and a small amount of data.
When a packet is sent to an open port on a computer, the receiving computer acknowledges receipt of the packet and sends back a message to the sending computer. If the packet is accepted, the receiving computer communicates that to the sending computer. If the packet is not accepted for any reason, the receiving computer replies back as well, reporting that the packet has been rejected. In either case, the two computers communicate with one another.
A firewall is hardware or software that is inserted between an open port and the network. The firewall reads each and every data packet before it arrives at a computer’s open port and accepts or rejects that packet based on criteria programmed into the firewall. If the firewall rejects a packet, the firewall does NOT report back to the sending computer – instead, the firewall “ignores” the packet. Because the sending computer gets no response at all, the firewall has, in effect, made the receiving computer “invisible”, because the receiving computer, sending no response at all, acts as if the computer is offline.
Firewalls create “security zones”, protecting the computers within the zone from intrusion from outside the zone.
A typical “network firewall” creates a security zone at the point of entry to a local network from the outside world. The firewall protects computers on the network from intrusion from outside the network, but the local network typically remains “open” internally – individual desktop and notebook computers connected to the network can, unless other protections are in place, be seen from any computer within the zone using “Network Neighborhood” – and, if a computer has “shared resources” (a drive or a printer), that shared resource can be seen or used. The following diagram illustrates the concept:
Within a Investigation firm’s local network, the fact that individual desktop and notebook computers are not protected is not normally a problem – the computers attached to a local network are usually “trusted”, that is, used for business purposes by reliable partners and support staff.
When a network is not protected by a firewall, or when individual desktop and notebook computers are connected to the Internet through a high-speed connection, none of the desktop and notebook computers are in a security zone, as illustrated by the following diagram:
Worse still, certain kinds of high-speed connections create a “virtual local network” of all computers connected to the “Internet Service Provider” using that connection – cable modems are notorious in this regard. When a “virtual local network” exists, any shared resource (drive or printer) bound to the network by TCP/IP can be seen by all other users connected to the virtual network using “Network Neighborhood”, just as if the users were connected by a local network in an office. When this is the case, you don’t even have to be a hacker to hack!
Firewalls have been used for years to protect local networks from external intrusion, but network firewalls do not protect desktop and notebook computers from two potentially significant risks:
(1) information passing along networks within the firewall boundary; and
(2) information passing to and from the desktop or notebook computer when it is outside the firewall boundary (e.g. when used at home or on the road).
In the last year, well-designed “personal firewalls” – software designed to act as a firewall for individual desktop and notebook computers – have begun to appear on the market. Properly designed personal firewalls create a “security zone” around the individual desktop or notebook computer – effectively protecting the individual computer from intrusion originating anywhere outside the computer – from the Internet, from other users of an office local network or from curious neighbors poking around a “virtual network” created by some kinds of high speed Internet connections, as illustrated by the following diagram:
When a desktop or notebook computer is attached to local network protected by a network firewall, the personal firewall adds a layer of protection – providing a second barrier to hacking from the Internet and protecting the desktop or notebook computer from unauthorized access by co-workers. When the desktop or notebook computer is outside the office – at home or on the road – the personal firewall provides primary protection for the computer – from the Internet, from other computers on a home network and from other users connected to a virtual network using certain types of high-speed Internet connections.
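The sidebar on how firewalls work makes two points that are easy to lose in the diagrams: an unprotected computer always answers a probe (a listening port accepts, a closed port reports the rejection), whereas a firewall that drops a packet answers nothing, so the computer looks offline; and a network firewall and a personal firewall draw their security zones in different places. The simulation below is an added example, not part of this white paper, that plays a probe from the Internet and from the local network against one workstation under each firewall arrangement discussed above. The workstation, the zones and the rule sets are constructed for the example.

```python
"""Simulate what a probing computer sees when it sends a packet to a port,
with and without firewalls in the path.

Added example, not part of the white paper. The workstation, the zones and the
rule sets are constructed; the three outcomes follow the paper's description:
an open port answers, a closed port reports the rejection, and a firewall that
drops the packet says nothing at all.
"""

OPEN, CLOSED, NO_RESPONSE = "open", "closed", "no-response"


class Host:
    """A computer with a set of listening TCP ports and no firewall of its own."""

    def __init__(self, name, listening_ports):
        self.name = name
        self.listening_ports = set(listening_ports)

    def receive(self, port):
        # Without a firewall the computer always answers: it accepts the
        # connection if the port is listening and reports a rejection if not.
        # Either way the prober learns that the computer is online.
        return OPEN if port in self.listening_ports else CLOSED


class Firewall:
    """A packet filter in front of a host. `allow` maps a source zone to the set
    of destination ports it may reach; anything else is dropped silently."""

    def __init__(self, allow):
        self.allow = allow

    def permits(self, src_zone, port):
        return port in self.allow.get(src_zone, set())


def probe(host, src_zone, port, firewalls=()):
    """Outcome a computer in `src_zone` observes when probing `host` on `port`
    through the given firewalls, outermost first."""
    for fw in firewalls:
        if not fw.permits(src_zone, port):
            return NO_RESPONSE  # dropped: the prober sees only a timeout
    return host.receive(port)


# Constructed scenario: a notebook with file sharing on and a personal web server.
workstation = Host("notebook", listening_ports={80, 139})

# Network firewall at the office perimeter: the Internet reaches nothing on
# workstations, while the local network stays "open" internally.
ALL_PORTS = set(range(1, 65536))
network_fw = Firewall(allow={"internet": set(), "lan": ALL_PORTS})

# Personal firewall on the notebook: nobody outside the computer reaches file
# sharing; only the local network may reach the web server.
personal_fw = Firewall(allow={"internet": set(), "lan": {80}})

SETUPS = {
    "no firewall": (),
    "network firewall": (network_fw,),
    "network + personal": (network_fw, personal_fw),
    "personal only (at home)": (personal_fw,),
}


def scenario_table():
    """Outcome of probing ports 139 and 80 from each zone under each setup."""
    results = {}
    for name, chain in SETUPS.items():
        for zone in ("internet", "lan"):
            for port in (139, 80):
                results[(name, zone, port)] = probe(workstation, zone, port, chain)
    return results


if __name__ == "__main__":
    for (setup, zone, port), outcome in scenario_table().items():
        print(f"{setup:24} from {zone:8} port {port:3}: {outcome}")
```

With only the network firewall, a co-worker on the local network still sees the shared drive on port 139; with the personal firewall added, both the Internet and the local network get no response on 139, and at home, where there is no network firewall at all, the personal firewall is the only thing standing between the notebook and the “virtual local network” of the cable segment.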
SIDEBAR: A LOOK AT TWO PERSONAL FIREWALLS
ConSeal PC Firewall
Most personal firewalls – ConSeal PC Firewall is an example – are consumer versions of firewall technology designed for local networks. ConSeal PC Firewall, like others in the class, offers sophisticated firewall protection for an individual computer. Like its network firewall cousin, ConSeal PC Firewall is technically powerful, but requires careful configuration and a reasonable level of technical knowledge to configure properly, a task beyond the skills of most individual investigators and small Investigation firms.
ConSeal PC Firewall is, like most others in its class, a mature product that is free of “Version 1.0” quirks and bugs. The real question is whether an individual can understand configuration options and make appropriate decisions.
BlackICE Defender
BlackICE Defender is a new personal firewall designed for use on desktop and notebook computers. BlackICE Defender uses a different design approach, combining basic traditional firewall techniques with monitoring of connection attempts in a way somewhat akin to virus protection software – watching for patterns that are “signatures” of hacking techniques, and tightening security when hacking attempts are identified. Because BlackICE monitors connection attempts on a continuing basis, adjusting security levels to risk, configuration is very simple – the user selects among four levels of security – “trusting”, “cautious”, “nervous” and “paranoid”. The program defaults to “cautious” but will dynamically increase security to “paranoid” when it detects an attack. Like anti-virus programs, BlackICE depends on a database file to identify hacking patterns, and requires periodic downloading of an updated database file to keep monitoring and detection up to date.
NetICE maintains an online message board for BlackICE users, and our review of the messages shows no serious problems – just the usual “brand new product” bugs and quirks. In our view, BlackICE is, even with the quirks that need to be ironed out in future releases, sufficiently powerful and well-designed to be worth careful evaluation if you need a personal firewall for desktop and notebook computers.
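The monitoring approach described for BlackICE, watching connection attempts for the “signature” of a scan and tightening security when one appears, can be illustrated with a few lines of detection logic. The script below is an added example, not part of this white paper and not BlackICE’s own code: it reads a constructed log of inbound connection attempts, flags a source that touches many distinct ports within a short window (the pattern the automated scanners in this paper produce), and moves the security level from the paper’s default “cautious” to “paranoid”. The log format, the threshold, the window, and the per-level port policy are this example’s assumptions; the four level names are the paper’s.

```python
"""Signature-style detection of a port scan over connection-attempt log lines,
escalating a security level the way the paper describes BlackICE doing.

Added example, not part of the white paper and not BlackICE's own logic. The
log format, the threshold, the window and the per-level policy are this
example's assumptions; the four level names come from the paper.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

LEVELS = ["trusting", "cautious", "nervous", "paranoid"]

# Constructed log: one inbound connection attempt per line,
# "<ISO timestamp> <source IP> <destination port>". 203.0.113.9 sweeps seven
# ports in three seconds; 10.0.0.7 is a co-worker's machine touching two ports.
SAMPLE_LOG = """\
2000-03-01T09:00:01 10.0.0.7 80
2000-03-01T09:00:05 203.0.113.9 21
2000-03-01T09:00:06 203.0.113.9 23
2000-03-01T09:00:06 203.0.113.9 25
2000-03-01T09:00:07 203.0.113.9 80
2000-03-01T09:00:07 203.0.113.9 110
2000-03-01T09:00:08 203.0.113.9 135
2000-03-01T09:00:08 203.0.113.9 139
2000-03-01T09:00:30 10.0.0.7 139
2000-03-01T09:05:00 198.51.100.4 80
"""


def parse_log(text):
    """Yield (timestamp, source_ip, port) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        yield datetime.fromisoformat(ts), src, int(port)


class ScanDetector:
    """Flags a source as scanning when it touches more than `threshold` distinct
    ports within `window`: the signature of an automated probe for open doors."""

    def __init__(self, threshold=5, window=timedelta(seconds=10)):
        self.threshold = threshold
        self.window = window
        self.history = defaultdict(deque)  # source IP -> deque of (timestamp, port)
        self.level = "cautious"  # the paper's default level
        self.alerts = []  # sources flagged, in order of detection

    def observe(self, ts, src, port):
        """Record one attempt; return the security level in force afterwards."""
        hist = self.history[src]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > self.window:
            hist.popleft()  # forget attempts older than the window
        distinct_ports = {p for _, p in hist}
        if len(distinct_ports) > self.threshold and src not in self.alerts:
            self.alerts.append(src)
            self.level = "paranoid"  # tighten security while under attack
        return self.level


def inbound_allowed(level, port):
    """Assumed policy per level (not BlackICE's actual behaviour): which ports
    unsolicited inbound connections may reach."""
    if level == "paranoid":
        return False
    if level == "nervous":
        return port == 80
    if level == "cautious":
        return port not in {135, 137, 138, 139}  # keep file sharing off the Internet
    return True  # trusting


def analyse(text, **kwargs):
    """Run the detector over a whole log and return it for inspection."""
    detector = ScanDetector(**kwargs)
    for ts, src, port in parse_log(text):
        detector.observe(ts, src, port)
    return detector


if __name__ == "__main__":
    d = analyse(SAMPLE_LOG)
    print("flagged sources:", d.alerts)
    print("level now:", d.level, "- port 80 open to unsolicited connections:",
          inbound_allowed(d.level, 80))
```

On the constructed log the sweep from 203.0.113.9 crosses the threshold at its sixth distinct port and the level jumps to “paranoid”, after which even port 80 refuses unsolicited connections; the co-worker touching two ports over half a minute is never flagged. As with the anti-virus analogy in the paper, the value of this kind of monitor depends on how well its patterns match what scanners actually do, which is why the signature database needs updating.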
COMMON SENSE RECOMMENDATIONS
In addition to Internet/local network separation and/or personal firewalls, we recommend that all Investigation firms, Investigation departments and investigators using desktop and notebook computers at home or on the road adopt common sense measures to reduce risk. Our recommendations are suggestions for additional protection when either Internet/local network separation or a personal firewall is in place.
If neither safeguard is in place, then our common sense recommendations are the only source of protection. We do not consider our common sense recommendations adequate to provide even minimal security – the best case is that the common sense protections will slow down or frustrate hackers for a short period of time.
With that background, we recommend:
HOW SECURE IS SECURE?
In general, desktop and notebook computers can be grouped into three levels of Internet security:
[Table: Level of Protection]
Nothing – absolutely nothing at all – will render a desktop or notebook computer 100% secure. Security is an ongoing exercise, a series of technological skirmishes between security experts and hackers, flanking and maneuvering for advantage. What works today may not work three months down the road.
At present, however, our recommended safeguards will provide reasonable levels of protection against hacking. The following is a rough estimate of the level of security that will be afforded by each:
Want to know more? We recommend three web sites for further information concerning Internet security:
Microsoft Security Advisor (http://www.microsoft.com/security/) Microsoft’s Security Advisor site ties together virus and security alerts and patches covering the full range of Microsoft products. The site offers an extensive knowledge base of security bulletins and white papers.
Security and Microsoft Office (http://officeupdate.microsoft.com/focus/Catalog/FocusSecurity.htm) A specialized section of the Microsoft Office Update, this site focuses on security and anti-virus protection available in Office 97 and Office 2000, including Outlook and Outlook Express.
The SANS Institute (http://www.sans.org) The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization. SANS offers a wealth of information concerning Internet and network security issues of all kinds.
Shields Up! (http://grc.com/) Gibson Research Corporation’s “ShieldsUp!” site offers excellent free security testing for desktop and notebook computers that ferrets out Microsoft networking and application vulnerabilities. The site also contains screen-by-screen “hands on” instructions for unbinding Internet and local networks using NetBEUI as the transport protocol in Windows 95/98 and Windows NT. Sign on to the Gibson Research site and follow the “Shields Up” links.