INTERNET SECURITY FOR INVESTIGTORS

SIDEBAR: WHAT IS A SECURITY HOLE?

When a computer accesses the Internet, the computer uses TCP/IP, a networking language.  TCP/IP opens “ports” to the Internet.  A “port” is like pipe or connection to the Internet where communications are directed.  For example, when you retrieve information from a web site, that information usually enters your computer through Port 80. 

Common ports open to the Internet from a desktop or notebook computer are:

Ports are typically bilateral, both sending and receiving information between the desktop or notebook computer and the remote computer (e.g. the web server) with which it is connected through one of the ports.

Every open port provides a way for a hacker to communicate with a computer that is online.  When a hacker finds an open port, the hacker can attempt to connect to the computer using Telnet or other specialized tools.  If the hacker can connect to the computer, then the hacker may be able to retrieve files from the computer, send files (including viruses and “Trojan horses”) to the computer or watch Internet communications to and from the computer.

A popular way of automating the hacking process is to send a “Trojan Horse” to a hacked computer.  A “Trojan Horse” a program that operates in the background to permit access to a computer any time that the computer is online.  A common Trojan Horse is BackOrifice, originally designed as a maintenance and administration tool for corporate networks, but quickly adopted by hackers for use on the Internet.

Automated hacking has increased the scope of hacker activity geometrically in recent years.  A wide variety of automated web scanners is available.  Many are capable of scanning 20,000 or more computers per minute under optimum conditions, and can be configured to search for specific vulnerabilities and trigger search and download routines based on defined criteria. 

Almost all Internet security experts now believe that sophisticated, automated web scanning has reached a point where virtually every computer connected to the Internet is likely to be scanned for security vulnerability with relative frequency. 

WHEN NOTEBOOK AND DESKTOP COMPUTERS ARE VULNERABLE

Before automated scanners became commonplace, few hackers targeted desktop or notebook computers.  Because relatively few computers could be hacked, hackers typically targeted academic, corporate and military servers.  With the advent of automated scanners, hackers obtained the ability to scan millions of desktop and notebook computers efficiently, and hackers began to search for vulnerabilities in desktop and notebook computers.

Most academic, corporate and military servers use operating systems that are designed to protect sensitive information from outside intrusion, and are additionally protected by sophisticated monitoring software and firewalls. Used properly, monitors and firewalls against and monitor the automated scanners used by hackers.

Not so with desktop and notebook computers, because the Microsoft Windows 95/98 and Windows NT Workstation default network configurations were optimized for ease of use and sharing information among computers on local networks.  As a result, security protections are relatively weak unless special precautions are taken to protect the computers from intrusion. 

Desktop and notebook vulnerability arises, for the most part, from: (1) insecure Microsoft networking configurations that enable the computer to operate on both the Internet and a local network without building a “wall” between the two, and (2) applications that open “doors” into the computer independent of network configuration – applications like personal web servers, Internet Relay Chat, Telnet, web browsers, file transfer protocols, electronic mail, remote access and so on. 

Far and away, insecure network configuration presents the greatest risk because network configuration errors are so common that hackers typically set automated scanners to probe that single vulnerability efficiently.  Scanning for “doors” opened by applications is less common, although security holes in Microsoft Web Server and Microsoft Outlook are targeted with enough frequency to be a realistic concern.  Other “doors” are less common and harder to open, and are targeted less frequently.

The vulnerability is greatest with two conditions are met: 

(1)     the desktop or notebook computer is configured to connect to both the Internet and a local network using “Client for Microsoft Networks”; and

(2)     file and printer sharing is enabled. 

HOW MICROSOFT NETWORKING CREATES VULNVERABILITY

Desktop and notebook computers using Windows 95/98 and Windows NT Workstation “default” to an “open” network configuration. 

The reasons for the “open” network configuration are sound – Windows 95/98 and Windows NT Workstation default configurations were designed for ease of use and easy local networking for smaller businesses and SOHO/home users – configured to reduce the need for technical knowledge when installing and maintaining the computers and networks to which the computers were connected – rather than for tight security.  However sound the idea behind the “open” configuration, Windows 95/98 and Windows NT Workstation default networking configurations create an Internet security risk that is now becoming a problem for an increasing number of Investigationyers, Investigation firms and Investigation departments.

The following is a short – and, we hope, clear – technical explanation of the problems created by the “open” default configuration:  We offer the technical background because it is necessary to understand the background in order to understand the solutions.

Windows networking organizes networking components in three “layers”, illustrated by the following diagram:

The key to understanding both the problem and the potential solutions created by Microsoft networking is to understand the “Transport Protocol Layer”.  A transport protocol is a computer language used by computers on a network to communicate with one another.  All of the computers on a network must use the same transport protocol if the network is to function.  Microsoft networking offers three alternative transport protocols – “TCP/IP”, developed for UNIX local networks and the Internet, “NetBEUI”, developed by IBM and Microsoft for local networks, and “IPX/SPX”, developed by Novell for local networks.

Internet connections use “TCP/IP” as the “Transport Protocol Layer” and require that TCP/IP be “bound” to (techno-speak for tied together with) dial-up, cable, DSL and other hardware adapters linking the computer to the outside world, as follows:

Local networks use ONE of the protocols in the “Transport Protocol Layer” and “bind” that protocol to “Client for Microsoft Networks” (and, if the computer is set up to share files over the local network, to “Microsoft File and Printer Sharing”) in the “Network Services Layer” as well as to the “Local Network Interface” in the “Hardware Adapter Layer”, as follows (using NetBEUI as the selected transport protocol):

Take a look at the two diagrams together.  Note that (1) neither the “Network Services Layer” nor the “Local Network Interface” are needed for normal Internet connections; and (2) neither the “Dial-up Adapter” not the “Cable/DSL Interface” in the “Hardware Adapter Layer” are needed for local networking operations.  It is possible to configure Windows 95/98 and Windows NT Workstation to entirely separate local network and Internet connection.

The default settings in Windows 95/98 and Windows NT Workstation, however, “bind” all active network services, protocols and adapters on one layer together with all active components on the next layer up or down, as follows (building on the diagrams shown above):

Windows networking default settings “bind” all active components on each layer to all active services on the other Investigationyers.  The default settings bind active “Network Services Layer” to the Internet’s TCP/IP “Transport Layer Protocol”, opening the individual desktop and notebook computers connected to the Internet (and by extension, every other desktop and notebook computer on the local network with that computer) to hacking from the Internet. 

A desktop or notebook computer configured in “bind everything” mode is vulnerable whenever it is connected to the Internet, even when not attached to a local network.   A Investigationyer who takes a notebook computer home from the office and logs on to the Internet, for example, to check personal E-mail is vulnerable if the notebook is not properly configured.  Because the vulnerability is in the desktop or notebook computer itself, Investigation firms and Investigation departments cannot depend solely on network firewalls at work for protection – any computer that connects to the Internet when outside the network is “open” to hacking. 

MICROSOFT NETWORKING AND NOVELL NETWORKS

The binding problems discussed in this White Paper apply when “Client for Microsoft Networks” is enabled.  Setting up Novell networks using Windows 95/98 and Windows NT Workstation configuration defaults for the “Novell Netware Client” usually presents no binding problems.

The reason is that Windows 95/98 and Windows NT Workstation defaults do not typically bind TCP/IP transport layers to the “Novell NetWare Client” Network Services Layer – instead, Windows 95/98 and Windows NT Workstation typically bind the “Novell Netware Client” layer only to the “Novell IPX ODI” Transport Protocol Layer, and the Novel IPX ODI protocol only to the Local Network Interface.  The TCP/IP protocol, on the other hand, is typically bound only to dial-up adapters and Cable/DSL interfaces.

MICROSOFT NETWORKING AND UNIX NETWORKS

UNIX presents a special case because whenever TCP/IP (the UNIX protocol) is used as the transport protocol for the local network, components of the “Network Services Layer” must be bound to Internet connection components of the “Hardware Adapter Layer”, as shown by the following diagram:

SAFEGUARDING DESKTOP AND NOTEBOOK COMPUTERS

The key to safeguarding desktop and notebook computers using Microsoft networking under Windows 95/98 or Windows NT Workstation is to (1) configure Windows to “unbind” the components needed for the local network from the components needed for Internet access, if feasible, and (2) if that is not possible, use a “personal firewall” on the desktop or notebook computer. 

The following is a summary of the two keys to reducing risk:

Key #1:  Configure Windows to Reduce Risk

The first alternative – if feasible – is to reconfigure Windows 95/98 and Windows NT Workstation desktop and notebook computers to separate local network components from Internet connection components.  While this is not always possible, we believe that it is the simplest and most effective way to achieve a reasonable level of security.

The core idea is to use TCP/IP for Internet connections, on the one hand, and either Net BEUI or IPX/SPX for local network connections, on the other, and to keep the two functions separate.

The following diagram illustrates the concept (combining the two diagrams used above):

The notebook or desktop computer is configured to use TCP/IP for Internet connection and NetBEUI for the local network.  Microsoft’s default bindings between the TCP/IP and services and adapters needed to operate the local network have been removed from the default configuration, as have Microsoft’s default bindings between the NetBEUI protocol and the adapters used for Internet connection.

In this configuration, the desktop or notebook computer is connected to two networks (the local network and the Internet) in different ways (TCP/IP for the Internet and NetBEUI for the local network), with no connection at all between the two networks.  The diagram illustrates use of NetBEUI for the local network, but IPX/SPX could be used as well.

The methods by which this can be accomplished will vary from Investigation firm to Investigation firm, depending on the network operating system used by the Investigation firm and many other factors.  At the end of this white paper, we will point you to a number of web sites that discuss the methods in depth, but we caution individual Investigationyers that network reconfiguration falls under the category of “Don’t do this at home!”  Unilaterally unbinding the layers on a desktop or notebook computer without taking the firm’s network configuration as a whole into consideration will mostly likely result in disaster – knocking you off your firm’s network.

Key #2:  Use a “Personal Firewall” to Reduce Risk

Separating the two networks is feasible only when the local network can be configured to use NetBEUI or IPX/SPX as the local network transport protocol. 

In some cases, NetBEUI or IPX/SPX is not a workable alternative, because TCP/IP is or must be used as the transport protocol.  Among the common situations where separating Internet connections from the local network are not feasible are:

• UNIX Networks.  UNIX local networks require TCP/IP as the transport protocol for communication between notebook and desktop computers and network servers.  Many corporate enterprise networks, optimized for interoffice communications, use UNIX as the network operating system.  And with the increasing popularity of LINUX, a low-cost variety of UNIX, growing numbers of smaller offices are using TCP/IP as the transport protocol.
• ISDN Internet Connections.  ISDN (digital phone lines) use a network router to communicate with the Internet.  Router configuration typically requires TCP/IP as the transport protocol for the local network, precluding the use of NetBEUI or TCP/IP.
• Virtual Private Networks.   A Virtual Private Network (VPN) is a technique of using the Internet to connect remote computers and local networks in various locations securely.  Because VPN is Internet-based, VPN requires TCP/IP as the transport protocol.

In addition, certain applications “open” the computer to access from the Internet, regardless of the transport protocol used for the local network, rendering Internet/local network separation inadequate to protect a notebook or desktop computer.  Among the applications that can “open” a desktop or notebook computer are “personal web servers” such as the Microsoft Personal Web Server installed with MS Front Page 2000, and remote access programs such as PC Anywhere, LapLink and Wingate.

In all of these cases, one or more “firewalls” will be needed to protect notebook and desktop computers. 

A “firewall” is hardware or software that inspects data flowing to or from an individual computer or a local network to determine whether the data should be blocked or allowed to pass. 

SIDEBAR: HOW DO FIREWALLS WORK?

Basic Concepts

A “firewall” is hardware or software that inspects data flowing to or from an individual computer or a local network to determine whether the data should be blocked or allowed to pass. 

All network communication (including Internet communication) is accomplished by exchanging “packets” of data between two computers connected on the network. 

Packets are small snippets of data that flow between the two computers.  Each packet contains the destination address of the sending computer and the computer to which the packet is being sent, the port number used by the sending computer and the port number to which the packet is being sent, and a small amount of data. 

When a packet is sent to an open port on a computer, the receiving computer acknowledges receipt of the packet and sends back a message to the sending computer.  If the packet is accepted, the receiving computer communicates that to the sending computer.  If the packet is not accepted for any reason, the receiving computer replies back as well, reporting that the packet has been rejected.  In either case, the two computers communicate with one another.

A firewall is hardware or software that is inserted between an open port and the network.  The firewall reads each and every data packet before it arrives at a computer’s open port and accepts or rejects that packet based on criteria programmed into the firewall.  If the firewall rejects a packet, the firewall does NOT report back to the sending computer – instead, the firewall “ignores” the packet.  Because the sending computer gets no response at all, the firewall has, in effect, made the receiving computer “invisible”, because the receiving computer, sending no response at all, acts as if the computer is offline.

Firewall Zones

Firewalls create “security zones”, protecting the computers within the zone from intrusion from outside the zone.

A typical “network firewall” creates a security zone at the point of entry to a local network from the outside world.  The firewall protects computers on the network from intrusion from outside the network, but the local network typically remains “open” internally – individual desktop and notebook computers connected to the network can, unless other protections are in place, can be seen from any computer within the zone using “Network Neighborhood” – and, if a computer has “shared resources” (a drive or a printer), that shared resource can be seen or used.  The following diagram illustrates the concept:

Within a Investigation firm’s local network, the fact that individual desktop and notebook computers are not protected is not normally a problem – the computers attached to a local network are usually “trusted”, that is, used for business purposes by reliable partners and support staff. 

When a network is not protected by a firewall, or when individual desktop and notebook computers are connected to the Internet through a high-speed connection, none of the desktop and notebook computers are in a security zone, as illustrated by the following diagram:

Worse still, certain kinds of high-speed connections create a “virtual local network” of all computers connected to the “Internet Service Provider” using that connection – cable modems are notorious in this regard.  When a “virtual local network” exists, any shared resource (drive or printer) bound to the network by TCP/IP can be seen by all other users connected to the virtual network using “Network Neighborhood”, just as if the users where connected by a local network in an office.  When this is the case, you don’t even have to be a hacker to hack!

Firewalls have been used for years to protect local networks from external intrusion, but network firewalls do not protect desktop and notebook computers from two potentially significant risks:

(1)     information passing along networks within the firewall boundary; and

(2)     information passing to and from the desktop or notebook computer when it is outside the firewall boundary (e.g. when used at home or on the road).

In the last year, well-designed “personal firewalls” – software designed to act as a firewall for individual desktop and notebook computers – have begun to appear on the market.  Properly designed personal firewalls create a “security zone” around the individual desktop or notebook computer -- effectively protecting the individual computer from intrusion originating anywhere outside the computer – from the Internet, from other users of an office local network or from curious neighbors poking around a “virtual network” created by some kinds of high speed Internet connections, as illustrated by the following diagram:

When a desktop or notebook computer is attached to local network protected by a network firewall, the personal firewall adds a layer of protection – providing a second barrier to hacking from the Internet and protecting the desktop or notebook computer from unauthorized access by co-workers.  When the desktop or notebook computer is outside the office – at home or on the road – the personal firewall provides primary protection for the computer – from the Internet, from other computers on a home network and from other users connected to a virtual network using certain types of high-speed Internet connections.

SIDEBAR:  A LOOK AT TWO PERSONAL FIREWALLS

ConSeal PC Firewall

Most personal firewalls -- ConSeal PC Firewall is an example -- are consumer versions of firewall technology designed for local networks.  ConSeal PC Firewall, like others in the class, offers sophisticated firewall protection for an individual computer.  Like its network firewall cousin, ConSeal PC Firewall is technically powerful, but requires careful configuration and a reasonable level of technical knowledge to configure properly, a task beyond the skills of most individual Investigationyers and small Investigation firms.

ConSeal PC Firewall is, like most others in its class, a mature product that is free of “Version 1.0” quirks and bugs.  The real question is whether an individual can understand configuration options and make appropriate decisions.

BlackICE Defender

BlackICE Defender is a new personal firewall designed for use on desktop and notebook computers.  BlackICE Defender uses a different design approach, combining basic traditional firewall techniques while monitoring connection attempts in a way somewhat akin to virus protection software – watching for patterns that are “signatures” of hacking techniques, and tightening security when hacking attempts are identified.  Because BlackICE monitors connection attempts on a continuing basis, adjusting security levels to risk, configuration is very simple – the user selects among four levels of security – “trusting”, “cautious”, “nervous” and “paranoid”.  The program defaults to “cautious” but will dynamically increase security to “paranoid” when it detects an attack.  Like anti-virus programs, BlackICE depends on a database file to identify hacking patterns, and requires periodic downloading of an updated database file to keep monitoring and detection up to date.

NetICE maintains an online message board for BlackICE users, and our review of the messages shows no serious problems – just the usual “brand new product” bugs and quirks.  In our view, BlackICE is, even with the quirks that need to be ironed out in future releases, sufficiently powerful and well-designed to be worth careful evaluation if you need a personal firewall for desktop and notebook computers.

COMMON SENSE RECOMMENDATIONS

In addition to Internet/local network separation and/or personal firewalls, we recommend that all Investigation firms, Investigation departments and Investigationyers using desktop and notebook computers at home or on the road adopt common sense measures to reduce risk.  Our recommendations are suggestions for additional protection when either Internet/local network separation or a personal firewall is in place. 

If neither safeguard is in place, then our common sense recommendations are the only source of protection.  We do not consider our common sense recommendations adequate to provide even minimal security – the best case is that the common sense protections will slow down or frustrate hackers for a short period of time. 

With that background, we recommendation:

• Passwords.  Consider protecting shared drives on desktop and notebook computers with passwords.  While the Microsoft networking password protection should not be considered secure because of Windows file share password cracking programs are commonplace on the Internet, well-chosen passwords (e.g. long random strings of letters and numbers) provide a margin of protection.  And don’t forget to change passwords often.
• Use Non-Descriptive “Shared As” Names.  When both “Client for Microsoft Networks” and “Microsoft File and Printer Sharing” are active, the user, machine and workgroup names as well as the names assigned to shared drives and printers are broadcast to anyone with access to the computer.  Consider using non-descriptive file sharing names for shared drives on desktop and notebook computers – NOT “Estate Planning Files”, for example – to minimize the chance that a hacker will focus on the shared drive.
• Hide “Shared As” Names.  Windows does not broadcast “shared as” names ending in a dollar sign (e.g. “Shared$”).  Consider hiding “shared as” names for resources containing sensitive information.  Hiding shared resources comes at a cost, however, because legitimate users on a local network cannot see the “shared as” names, but drive mapping is a workable substitute for local network users in most cases.
• Encrypt Confidential Files.  Consider encrypting files that contain confidential information, such as social security numbers, password lists and so on. 
• Update Security Patches Frequently.   Microsoft regularly issues updates and patches for Windows 95/98 and Windows NT Workstation.  Netscape and Microsoft also regularly update browsers.  Updates patch known security vulnerabilities.  Consider updating the operating system and browsers on a regular basis.
• Clear Browser Cache Frequently.  Browsers store copies of visited web pages on local hard drives for fast refresh.  Hackers download browser caches, and may be able to obtain sensitive information entered into a web site using the cache.  Consider clearing the browser cache on a frequent, regular basis.
• Avoid Hacker Web Sites.  Hacker web sites contain a wealth of valuable information about security vulnerabilities – very useful for hackers and security experts.  Our advice: “Don’t try this at home.”  Avoid hacker sites unless you are using an isolated, carefully protected computer with no data files.  Visiting a hacker site is the best way we know to make sure that you become a target. 

HOW SECURE IS SECURE?

Security Levels

In general, desktop and notebook computers can be grouped into three levels of Internet security:

• Invisible – A desktop or notebook computer is “invisible” when all active Internet ports can be probed without reporting back a reply because the computer is protected by an effective firewall that is blocking all unauthorized external contact with the computer.  When a computer is “invisible” robot and spider scanners will report that the computer is not connected to the Internet.
• Closed – A desktop or notebook computer is “closed” when all active Internet ports refuse connection requests.  A robot or spider scanner will detect the computer, but the computer will refuse connection attempts, and the robot or scanner will not be able to probe further.  A “closed” computer is not 100% secure because hackers can, with effort and luck, often work around closed ports, but the chances of a hacker taking the time are minimal.
• Open – a desktop or notebook computer is “open” when one or more active Internet ports accept connection requests.  A robot or spider scanner will detect the computer and probe the open ports to investigate the computer and, if the information found on the computer meets preset criteria (e.g. documents labeled “confidential”, password lists, social security and address information and so on), usually trigger a download process that copies the files into the hacker’s computer for a closer look.  

Level of Protection

Nothing – absolutely nothing at all – will render a desktop or notebook computer 100% secure.  Security is an ongoing exercise, a series of technological skirmishes between security experts and hackers, flanking and maneuvering for advantage.  What works today may not work three months down the road.

At present, however, our recommended safeguards will provide reasonable levels of protection against hacking.  The following is a rough estimate of the level of security that will be afforded by each:

• Internet/Local Network Separation – If properly configured, Internet/local network separation will result in “closed” status for ports 137-139, the most common point for hacker attacks on the computer.  Internet/local network separation provides effective security unless applications (such as personal web servers and remote access) that open other ports are in place and active.  If such applications are running, ports may remain “open”, providing a point of attack for hackers, unless a firewall is in place.
• Firewalls – an effective firewall will result in “invisible” status for all ports.
• Common Sense Recommendations – the common sense recommendations will not change the level of protection on a desktop or notebook computer.  If the computer is “open” it will remain “open” – the purpose of the recommendations is minimize the chances of an attack and to make the hacker’s job tougher if an attack is made on the computer, but the recommendations will not, of themselves, provide meaningful security.

RESOURCES

Want to know more?  We recommend three web sites for further information concerning Internet security:

Microsoft Security Advisor (http://www.microsoft.com/security/) Microsoft’s Security Advisor site ties together virus and security alerts and patches covering the full range of Microsoft products.  The site offers an extensive knowledge base of security bulletins and white papers.

Security and Microsoft Office (http://officeupdate.microsoft.com/focus/Catalog/FocusSecurity.htm) A specialized section of the Microsoft Office Update, this site focuses on security and anti-virus protection available in Office 97 and Office 2000, including Outlook and Outlook Express.

The SANS Institute (http://www.sans.org) The SANS (System Administration, Networking, and Security) Institute is a cooperative research and education organization.  SANS offers a wealth of information concerning Internet and network security issues of all kinds.

Shields Up! (http://grc.com/) Gibson Research Corporation’s “ShieldsUp!” site offers excellent free security testing for desktop and notebook computers that ferrets out Microsoft networking and application vulnerability.  The site also contains screen-by-screen “hands on” instructions for unbinding Internet and local/networks using NetBEUI as the transport protocol in Windows 95/98 and Windows NT.  Sign on to the Gibson Research site and follow the “Shields Up” links.