It is important for investigators to understand the difference between an intrusion and an attack because whether there was an actual unauthorized entry to the network or system can be an important factor in proving the elements of a criminal offense. Attacks can be committed without gaining entry to the network or system, as in the case of DoS attacks. These attacks overload network resources to make the network unavailable to legitimate users, but the attacker never gains access to any computer on the network.

If investigators and prosecutors don't understand this difference (which they can do only by understanding the technical aspects of how the attack works), they could file charges that won't stand up in court or bring the wrong charges against a cybercriminal. This would be similar to a situation in which no one on the law enforcement team understood the difference between the offenses of robbery and burglary. Robbery requires that a physical assault or threat of serious bodily injury takes place during the commission or attempted commission of a theft. Burglary requires that the offender unlawfully enters the premises of another person to commit a theft. If law enforcement officers arrest a suspect for breaking into a home and stealing a television set while the residents are gone, and they charge the suspect with robbery (and if the prosecutor brings such a case to trial), the suspect will almost certainly be found not guilty, because the state doesn't have proof of the elements of the offense of robbery. This situation would never happen, because law enforcement officers are drilled in the technical differences between robbery and burglary from the time they attend the police academy, and all prosecuting attorneys are well versed in these differences. However, it's entirely plausible to imagine the wrong charges being filed in a computer crime case simply because no one involved understands the technical aspects of these types of crimes.

It's important, then, to be precise when we refer to specific computer crimes. DoS attackers should not be referred to as intruders when no intrusion occurs. Likewise, not all intruders can accurately be classified as attackers—although those who gain access and then destroy data or plant viruses are properly called by both names.

Attackers can launch their attacks against a system or network in two different ways. A direct attack is launched from a computer used by the attacker (often after preintrusion/attack tools, such as port scanners, are used to find potential victims).

A distributed attack is more complex. Distributed attacks use someone else's system(s), rather than the attacker's, to perform the tasks that directly launch the attack. In this type of attack, there are multiple victims, which include not only the target of the attack but also intermediary remote systems from which the attack is launched that are controlled by the attacker. The intermediaries are referred to as agents or zombies. Software robots called botnets or bots are installed on the zombie computers, and can run autonomously and automatically. The bots can be configured to attack at a specific time, or take commands from the attacker on a remote computer. This type of attack, of course, makes it more difficult to track down the perpetrator, because the attack packets that reach the victim have multiple source addresses, and none of these is the address of the attack's originator. Commands from attacker to intermediary are often encrypted to further thwart tracing. Encrypted transmissions can't be read by a packet sniffer (a protocol analyzer).

A distributed attack works a little like the practical joke in which the jokester calls numerous pizza parlors, pretending to be a customer, and requests that pizzas be delivered to someone else's address. The primary victim is the resident at the target address who ends up with a flood of unwanted pizzas, but the pizza vendors are victims as well because their resources are used, without their prior knowledge or consent, to carry out the attack.

Attackers using the distributed method can launch their attacks simultaneously from dozens, hundreds, or even thousands of Internet hosts all over the world. This means that far more traffic can be generated than is possible with standard one-source attacks. A typical distributed attack model using UNIX-based computers, according to the CERT Distributed Systems Intruder Tools Workshop, has the attacker controlling several systems called masters. Each master controls a larger number of agents running daemons—the software that is used to launch the attack. The daemons are installed on the agent machines by exploiting operating system or protocol vulnerabilities. This entire process can be automated so that potential agents are discovered and penetrated and the daemon is installed on all of them, then steps are taken to hide the fact that an intrusion occurred, using batch scripts. (We discuss attack automation in more detail in the next section.) Table 10.1 outlines the distributed attack process (after installation of the daemons).

Because this model's components are arranged in a pyramid form, with one attacker controlling several masters, which in turn control numerous agents/daemons, it is easier to disable the attack system closer to the top, where there are fewer systems to deal with. If the masters are disabled, the agents and their daemon software will not be able to function. Of course, the most efficient disabling technique is to find the attacker, thus disabling the entire attack sequence.

An automated attack is one that's performed by a computer program rather than the attacker manually performing the steps in the attack sequence. For quite some time, hackers have distributed attack tools that make it easier to launch network attacks. However, prior to 2000, most of these tools would initiate only one attack sequence; launching additional attack sequences required the intervention of the human attacker. However, newer tools are able to continually initiate new attack cycles on their own. This was the case with worms such as Nimda and Code Red, which we'll discuss later in this chapter. This increasing level of automation makes these attacks more dangerous and more widespread. According to CERT, the increasing automation and sophistication of attack tools is one of the most significant trends in the “Black Hat” hacking community.

Today's attack tools can perform the entire attack process. Instead of a hacker being required to perform a port scan with one tool to identify vulnerable systems, then using a different tool to penetrate the victim network and yet another tool to propagate the attack, now one tool can do it all. This speeds up the process as well as makes it easier for hackers who lack technical skills to mount a successful attack. Some attack tools are executed at the command line, but many of them have user-friendly graphical interfaces as well as detailed help files to instruct attackers in their use. Configuration files might also allow users to customize the attack.

To avoid detection by intrusion detection system (IDS) software that relies on pattern recognition, modern tools can employ different techniques—such as random selection—to interrupt patterns that would trigger detection by the IDS. In addition, many of the tools use common protocols such as Hypertext Transfer Protocol (HTTP) and Internet Relay Chat (IRC), which disguise their packets by making them look like normal Internet traffic. These tools are widely available through anonymous File Transfer Protocol (FTP) sites and hacker newsgroups on the Internet. Hackers can also modify legitimate network analysis tools if they have the source code, turning them into attack tools by adding code to exploit the vulnerabilities that they find.

Some intrusions and “attacks” might actually be unintentional. Server or network crashes can be caused by users experimenting, visiting Web sites that run malicious code, or unknowingly downloading and introducing a virus into the system. In fact, a large number of virus attacks are initiated accidentally or unknowingly. The user who appears to have sent the virus via e-mail is often a victim of the attack him- or herself, because many viruses and worms are written to spread themselves by accessing the victim's address book and sending infected mail to all the addresses found there.

Accidental attacks can be just as destructive as deliberate ones, and network security personnel must be just as vigilant in protecting against them. However, from the law enforcement perspective, the perpetrator's intent matters very much. Most criminal offenses require that an act be committed intentionally or at least knowingly, so the elements of the offense might not be present if an employee causes an intrusion or attack without intending to—even if his or her actions were careless. On the other hand, some acts are still considered criminal when a lower state of culpability (recklessness or negligence) is present. It is very important for investigators to be aware of the culpable mental state that is specified as an element of each offense to be charged. If no level of culpability is specified, the criminal code usually defines a “default” level of culpability that applies.

Users inside the network are in the best position to gain access to information or sabotage the network's integrity. According to most computer security studies, as documented in Request for Comments (RFC) 2196, actual loss (in terms of money, productivity, computer reputation, and other tangible and intangible harm) is greater for internal security breaches than for those from the outside. Internal attackers are more dangerous for several reasons:

Preventing such problems begins with the same methods used to prevent unintentional security compromises, but it goes a step further. To a large extent, unintended breaches can be prevented through education. This obviously will not have the same effect on network users who intend to breach security. The best way to prevent such breaches depends, in part, on the motivations of the employee(s) concerned.

Implementing auditing helps detect internal breaches of security by recording specified security events. Administrators are then able to track when objects such as files or folders are accessed, the user account used to access them, when users exercise user rights, and when users log on or off the computer or network. Modern network operating systems include built-in auditing functionality. We discuss methods of auditing security events in Chapter 13. We discuss interpreting and using security audit log files in Chapter 14.

Firewalls are helpful in keeping basically compliant employees from accidentally (or out of ignorance of security considerations) visiting dangerous Web sites or sending specific types of packets outside the local network. However, firewalls are of more limited use in preventing intentional internal security breaches. Simply limiting users’ access to the external network cannot thwart insiders who are determined to destroy, modify, or copy data. Because they have physical access, insiders can copy data to removable media or to a portable computer, or perhaps even print it to paper and remove it from the premises. They can change the format of the data to disguise it, or they can even employ steganography to hide it inside seemingly innocent files and then upload the files to Web-based data storage services.

In a high-security environment, measures should be taken to prevent this sort of theft. For example:

Intentional internal breaches of security constitute a serious problem, and company policies should treat them as such. We discuss this topic in more detail in Chapter 12, in the section “Designing and Implementing Security Policies.”

External intrusions and attacks are the major concerns of many companies when it comes to network security issues. In a number of high-profile cases in recent years, the Web servers of prominent organizations have been hacked. Attempts to penetrate sensitive government networks, such as the Pentagon's systems, occur on a regular basis. Distributed denial-of-service (DDoS) attacks make front-page news when they crash servers and prevent Internet users from accessing popular sites.

The good news about external intrusions is that the area(s) that must be controlled are much more focused than with internal attacks. There are usually only a limited number of points of entry to the network from the outside. This is where a properly configured firewall can be invaluable, allowing authorized traffic into the network while keeping unauthorized traffic out. On the other hand, the popularity of firewalls ensures that dedicated hackers know how they work and spend a great deal of time and effort devising ways to defeat them.

If preventive measures don't work (and it's likely that sometimes they won't), the next step for network administrators is to shift into reactive mode and attempt to minimize the damage. Before they can do that, they must have a way to recognize that an attack is taking place.

IDSes use two methods to identify that an attack is occurring:

It's easy to program an IDS to recognize specific patterns, but attackers can defeat it by making small changes to the pattern or by fragmenting the attack packets—that is, dividing the attack messages or code into fragmented packets. A number of TCP/IP exploits use fragmented packets; these exploits are called frag attacks. Effect recognition is more difficult because the “effects” often resemble normal network traffic or problems caused by hardware or software faults.

The problem with any IDS—indeed, with all computer software—is that it does only exactly what it is told to do. Thus far, true artificial intelligence (programs that can “think”) hasn't been achieved. Law enforcement officers know that the human factor—intuition and the ability to make great leaps of logic—can be very important in detecting and solving crimes. Unfortunately, no device or program is able to observe the behavior of computer systems and network components and intuitively recognize that there's something wrong. Very specific criteria must be set and met before an IDS will recognize an attack. This explains why human administrators will always remain an important ingredient in creating a proper security posture in any organization and why eternal vigilance is more than just a watchword for people with security responsibilities.

The attack type refers to how an intruder gains entry to your computer or network (if, indeed, entry is actually gained at all) and what the attacker does once he or she has gained entry (or without gaining entry). Some of the more common types of hack attacks include social engineering attacks, DoS attacks, scanning and spoofing, “nuke” attacks, and dissemination of malicious code. When you have a basic understanding of how each type of attack works, you will be better armed to guard against them.

It is useful for us to sort these different intrusions and attacks into categories such as the following:

The following sections discuss specific types of attacks that fit into each category.

A port is, in its simplest meaning, a point where information enters or leaves a computer. Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) use port numbers to provide separate “subaddresses” to identify what service or application incoming information is destined for, or from which outgoing information originates.

The term port scanner, in the context of network security, refers to a software program that hackers use to remotely determine what TCP/UDP ports are open on a given system and thus are vulnerable to attack. Scanners are also used by administrators to detect vulnerabilities in their own systems, to correct them before an intruder finds them.

Scanning is used for several purposes prior to penetration and/or attack:

A good scanning program can locate a target computer on the Internet (one that is vulnerable to attack), determine what TCP/IP services are running on the machine, and probe those services for security weaknesses. Many scanning programs are available as freeware on the Internet, but numerous security tools are also available for purchase with greater reliability and functions.

Port scanning refers to a means of locating “listening” TCP or UDP ports on a computer or router and obtaining as much information as possible about the device from the listening ports. TCP and UDP services and applications use a number of well-known ports (see the “Who's Listening?” sidebar in this section), which are widely published. The hacker uses his or her knowledge of these commonly used ports to extrapolate information.

For example, Telnet normally uses port 23. If the hacker finds that port open and listening, he or she knows that Telnet is probably enabled on the machine. The hacker can then try to infiltrate the system by, for example, guessing the appropriate password in a brute force attack.

A total of 65,535 TCP ports (and the same number of UDP ports) are used for various services and applications. If a port is open, it responds when another computer attempts to contact it over the network. Port-scanning programs such as Nmap are used to determine which ports are open on a particular machine. The program sends packets for a wide variety of protocols, and by examining which messages receive responses and which don't it creates a map of the computer's listening ports.

Port scanning does no harm to a network or system, but it provides hackers with information they can use to penetrate the network. Because people conducting port scans are often up to no good, they frequently forge the source IP address to hide their identity.

Half scans (also called half open scans or FIN scans) attempt to avoid detection by sending only initial or final packets rather than establishing a connection. A half scan starts the SYN/ACK process with a targeted computer but does not complete it. (See the description of this process in the following section on TCP/IP exploits.) Software that conducts half scans, such as Jakal, is called a stealth scanner. Many port-scanning detectors are unable to detect half scans.

The Merriam-Webster Online Dictionary (www.merriam-webster.com) defines a spoof as a “light humorous parody” or hoax, but also defines it as being synonymous with a less benign action of deception. Hackers use spoofed addresses to deceive other computers and fool them into thinking a message originated from a different machine. Although IP spoofing is probably the most popular, it is not the only spoofing method used by hackers. Others include ARP spoofing, Web spoofing (which we'll discuss in Chapter 11), and DNS spoofing. Let's take a quick look at how each of these works.

Trojans, or Trojan horse software, are programs that appear to be legitimate or innocent but actually do something else in addition to or instead of their ostensible purposes. We discuss Trojans in general later in this chapter, in the section “Attacking with Trojans, Viruses, and Worms.” As part of the preattack phase, a hacker can plant on the victim's computer a Trojan program that installs keystroke-logging programs to gather information for the main attack or that sets up the means by which the attacker will later get into the system. An infamous case of the latter was the Back Orifice Trojan, which could be disguised as a component of some other innocuous software program and, once installed, created a “back door” for attackers to take over control of the victim PC. For more information about the updated Back Orifice 2000 (BO2K), you can visit www.bo2k.com.

If an attacker has on-site access to the victim system, one way to collect passwords and other information prior to an attack is to place a physical tracking device (a keystroke logger) on the system. This is a very small device, about 2 inches long and a half-inch in diameter, which you can install in less than a minute; you simply unplug the keyboard from the PC and plug the keyboard into the logger, and then plug the logger into the PC's keyboard port. It is not noticeable to most users.

Inside the logger are a microchip and a nonvolatile memory chip (similar to a CompactFlash card or memory stick). Depending on the amount of memory in the device, it can record anywhere from a few to dozens of pages of keystrokes; for example, 64 KB of memory will store about 32 pages. No software needs to be installed on the computer for the loggers to work, and they are compatible with a variety of PC operating systems. No battery or outside power source is required; the device draws power from the computer. Once the strokes have been captured, the attacker removes the device and attaches it to a different PC. The captured data can be password-protected; once the correct password is entered, it can be read in Notepad or another text editor. Afterward, the data can be saved to a file and the memory in the device can be erased. An example of a keystroke-logging device is the KeyGhost (see www.keyghost.com).

Software programs can also perform keystroke logging, but the attacker needs to be able to log on to the system to install the software; the advantage of the physical device is that it can capture the passwords necessary to log on. Software-based loggers capture only the keystrokes made after booting into the operating system, whereas the hardware device can capture keystrokes made before the OS loads—for example, changes made to the Basic Input Output System (BIOS).

Other spyware programs can do much more than just log keystrokes. Many of these programs allow the person who installs and configures the software to specify criteria that will trigger the capture of screenshots. Some of the programs can even rename themselves and change their locations on the disk to avoid detection. One such example of these monitoring programs is Spector Pro (www.spectorsoft.com).

Network monitors, also called protocol analyzers, allow administrators to capture and analyze the traffic on their networks for troubleshooting purposes or to monitor network activity. Hackers can use these same tools to capture packets surreptitiously and read the information in those packets. Analyzers that allow for placing the network adapter in promiscuous mode are especially useful to hackers. In this mode, the adapter can capture traffic sent to or from any computer on the network segment. Some analyzers, such as the Network Monitor built into Microsoft Windows 2000 Server and Windows Server 2003, limit capture to packets sent to or from the machine that is running the analyzer software. However, a version of Microsoft's NetMon comes with the company's Systems Management Server product and permits the use of promiscuous mode.

These programs are network sniffers. Any person with Administrative privileges can install the Network Monitor on a Windows Server and start “listening” to activity on the wire. Administrators—or hackers who have compromised an administrative account—can use the tool to collect network data and analyze it on the spot, or they can save the recorded activities to review at a later time. It is possible to set triggers for when certain events or data cross the wire, so the tool can be used, for example, when certain keywords in e-mail communications move through the network. The Network Monitor program allows its users to capture only those frames that they are interested in based on protocol or the source or destination computer. Even more detailed and exacting filters can be applied to data that has been collected, allowing the monitoring person to pinpoint the precise elements that he or she is looking for in the captured data.

Figure 10.1 shows the contents of a captured packet. You can see the text message (“Windows 2003 is great!”) that was sent across the network.

Some commercial products provide greater functionality than the Network Monitor tool for Windows servers. You can use network information-gathering tools to obtain network data for forensic analysis and identify network issues; of course, malicious users also can use these tools for hacking purposes. These tools generally offer the functionality of a sniffer and an IDS combined. As we mentioned, sniffers are powerful programs that work by placing the host system's network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it. Switches segment traffic and know which particular port to send traffic to and block it from all the rest. Although this feature adds much needed performance gains, it does raise a barrier when attempting to sniff all potential switched ports. Forensic analysis will usually require the switch to be configured to mirror a port. Some common network monitoring tools include:

There is no way to prevent port scanning—but IT professionals can control whether the scanner finds open doors to their networks. An important security step for administrators is to use port-scanning software themselves to learn about their own networks’ vulnerabilities and then plug the openings so that others will be unable to use them to gain access. Most firewalls log port-scanning attempts, and freeware or shareware such as Lockdown2000 or NukeNabber can be downloaded and installed to notify the administrator that ports are being scanned and provide the IP address from which the scan originates.

You can prevent IP spoofing using source address verification on the router, if it supports this function. Other steps you can take to protect against spoofing include:

Administrators can prevent ARP spoofing using static ARP tables. A static table is manually configured by the administrator, so broadcast responses don't result in an automatic update of the cache. The problem with this solution is that it doesn't work well with large networks; the burden on the administrator to keep the tables current would be overwhelming. Another solution is MAC binding. This method is enabled on the network switches and allows automatic updating, but when a particular IP address has been associated with a MAC address, that association can't be changed except by an administrative action. Furthermore, some tools monitor changes to the cache, with automatic notification to administrators so that they will be aware of any attempts to use ARP spoofing.

Administrators can prevent DNS spoofing by securing the DNS servers on the Internet and by using the latest version of the DNS software. As vulnerabilities are identified, they are generally addressed in the next version.

Properly configured firewalls can help keep Trojans out of the network, and software such as Trojan Remover claims to be able to eliminate Trojan programs even when antivirus (AV) software cannot detect them. The usual virus protection guidelines (don't open unsolicited attachments, download files only from reputable sites, apply security patches diligently) can also help protect against Trojans.

Keystroke logging devices are impossible to detect via software. Physical examination of the cable connecting the keyboard to the computer reveals the presence of such devices. Antikeystroke logger programs can scan for keystroke logging activity and detect software-based loggers. An example is Anti-Keylogger, which is available from www.anti-keyloggers.com.

Protective measures against sniffers include limiting physical access to the network (because the sniffer software must be installed on a computer on the local subnet), using switches instead of hubs to prevent all packets from going to all the systems on the network, and using encryption. This last solution won't prevent sniffers from capturing network packets, but it will prevent the hacker from being able to read the data inside them. “Antisniffing” software can be used to scan the network for sniffers or for computers whose network adapters are running in promiscuous mode.

Protocol exploits use the characteristics of a protocol, such as the “handshake” method that TCP uses to establish a communications session, to obtain a result that was never intended—for example, overwhelming the targeted system to the point where it is unable to communicate with legitimate users. There are many ways that the normal behavior of network protocols can be manipulated to congest the network or server to the point where no legitimate communications can get through. In this section, we discuss in detail what a DoS attack is and the many ways that the characteristics of TCP/IP can be used to launch DoS attacks. We also discuss source routing attacks and other protocol exploits.

Many hackers now target routers instead of computers for their attacks. The popularity of DSL and cable Internet connectivity has brought routers to home networks as well as business networks. This, in turn, has created a new point of vulnerability.

Many of the new, relatively inexpensive routers designed for broadband connections come with default administrator passwords that can be used on any of the vendor's devices if the administrator does not change the password. This means a hacker with knowledge of the default password could log on and make changes to the routing table or router configuration. This differs from most operating systems that do not come with a default password but require the user to create one during installation. In addition to the administrator password, some router vendors have created special so-called “back door” passwords for their systems, intended to be used by the vendor's tech support personnel so that if an administrator forgot the admin password, the vendor could help the administrator get back in. Of course, this system could also be exploited by hackers with knowledge of the secret “master” password.

Hackers can also obtain router passwords the same way they get the passwords for computers: using sniffer or spyware software, brute force attacks, or social engineering tactics. Whichever method the hacker uses to access the router, he or she can then create DoS attacks by changing routing table entries to send all messages to the same destination. In fact, if the router uses Routing Information Protocol (RIP) to dynamically update its routing tables, the attacker can send spoofed RIP messages to make the changes to the routing table without even needing to access the router directly.

Administrators can take a number of steps to help prevent exploits, including the following:

The name Trojan is short for Trojan horse and refers to a software program that appears to perform a useful function but in fact performs actions that the program's user does not intend or is not aware of. Trojan horses are often written by hackers to circumvent a system's security. Once the Trojan is installed, the hacker can exploit the security holes it creates to gain unauthorized access, or the Trojan program may perform some action such as:

Basically, the Trojan can perform any action that the user has privileges and permissions to do on the system. This means that a Trojan is especially dangerous if the unsuspecting user who installs it is an administrator and has access to the system files.

Trojans can be very cleverly disguised as innocuous programs, utilities, or screensavers. A Trojan can also be installed by an executable script (JavaScript, a Java applet, ActiveX control, or the like) on a Web site. Accessing the site can initiate the program's installation if the Web browser is configured to allow scripts to run automatically. Trojans can use the default behavior of Windows to disguise their true nature. Because the file extension (the characters that appear after the last dot in a filename) are hidden by default, a hacker can name a file something such as vacation.jpg.exe and it will be shown in Windows Explorer as vacation.jpg, seeming to be an innocent graphics file when it is really an executable program. Of course, double-clicking it to open the “picture” will run the program. Trojans that are designed to allow a hacker unauthorized access across the network (such as Back Orifice) are sometimes called remote access Trojans, or RATs.

Viruses are programs that are usually installed without the user's awareness and perform undesired actions that are often harmful, although sometimes merely annoying. Viruses can also replicate themselves, infecting other systems by writing themselves to any diskette that is used in the computer or sending themselves across the network. Viruses are often distributed as attachments to e-mail or as macros in word processing documents. Some activate immediately on installation, and others lie dormant until a specific date or time or a particular system event triggers them. For more information, see the article “How Computer Viruses Work” at www.howstuffworks.com/virus.htm.

Viruses come in thousands of varieties. They can do anything from popping up a message that says “Hi!” to erasing the entire contents of a computer's hard disk. The proliferation of computer viruses has also led to the phenomenon of the virus hoax, which is a warning—generally circulated via e-mail or Web sites—about a virus that does not exist or that does not do what the warning claims it will do.

Real viruses, however, present a real threat to your network. Companies such as Symantec and other AV software vendors design their products to detect and remove virus programs. Because new viruses are created daily, it is important to download new virus definition files, which contain information required to detect each virus type, on a regular basis to ensure that your virus protection stays up-to-date.

The types of viruses include:

Viruses that are programmed to “go off” (activate and destroy data or files) on a certain date are called time bombs or logic bombs. One of the first of this type to gain worldwide attention was the Michelangelo virus in the early 1990s, which attempted to erase the hard disks of infected PCs on March 6, the birthday of the famous painter. A few years later, a disgruntled ex-employee of Omega Engineering planted a time-bomb virus on the company's network that resulted in approximately $10 million in loss and damage. He was convicted of the crime and sentenced to 41 months in prison.

A worm is a program that can travel across a network from one computer to another. Sometimes different parts of a worm run on different computers. Worms make multiple copies of themselves and spread throughout a network. The distinction between viruses and worms has become blurred. Originally the term worm was used to describe code that attacked multiuser systems (networks), whereas virus described programs that replicated on individual computers.

The primary purpose of the worm is to replicate. These programs were initially used for legitimate purposes in performing network management duties, but their ability to multiply quickly has been exploited by hackers who create malicious worms that replicate wildly and can also exploit operating system weaknesses and perform other harmful actions.

Protecting systems and networks from the damage caused by Trojans, viruses, and worms is mostly a matter of common sense. Practices that can help prevent infection include the following:

Recognizing the presence of malicious code is the first-response step if the system does get infected. Administrators and users need to be on the alert for common indications that a virus might be present, such as missing files or programs; unexplained changes to the system's configuration; unexpected and unexplained displays, messages, or sounds; new files or programs that suddenly appear with no explanation; memory “leaks” (less available system memory than normal) or unexplained use of disk space; and any other odd behavior of programs or the operating system. If a virus is suspected, a good AV program should be installed and run to scan the system for viruses and attempt to remove or quarantine any that are found. Finally, all mission-critical or irreplaceable data should be backed up on a regular basis in case all these measures fail.

Some virus writers create “proof of concept” viruses that do not cause damage and are designed merely to demonstrate that a particular type of virus can be written. For example, it was once thought that viruses could not be spread by simply reading e-mail; users were told that as long as they didn't open attachments, they were safe. The first viruses exploiting Hypertext Markup Language (HTML) e-mail to run and infect systems when a user opened the e-mail message (not an attachment) proved that the concept of a virus that could spread via e-mail alone. In June 2002, researchers at McAfee received a proof-of-concept virus called Perrun that is embedded in a JPEG image file. Although limited, this was the first known case of a virus embedded in a picture file that runs automatically when the graphic is viewed. That same month, Symantec reported the first cross-platform virus; it could infect both Linux and Windows systems.

The moral of the story is that virus writers are a creative and persistent bunch and will continue to come up with new ways to do the “impossible,” so computer users should never assume that any particular file type or operating system is immune to malicious code. The only sure way to protect against viruses is to power down the computer and to leave it turned off.

You'll find a dozen definitions of script kiddie, depending on the source you consult. Webopedia (www.webopedia.com) defines the term as someone who “randomly seeks out a specific weakness over the Internet in order to gain root access to a system without really understanding what it is s/he is exploiting because the weakness was discovered by someone else.” The Jargon Lexicon at www.faqs.org/docs/jargon/index.html is a bit more judgmental: “The lowest form of cracker … People who cannot program but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages.”

Regardless of the precise definition, most agree on one thing: Script kiddies don't have much technical expertise themselves, but they use code written by others to wreak havoc. In the hacker culture, they are generally regarded with contempt or at least with a lack of respect. Nonetheless, hackers who do understand the technology continue to distribute scripts and programs that the script kiddies use to do their dirty work.

The number of people who write their own code to hack systems is relatively low in comparison to those who have marginal skills and use the scripts and tools of others. Script kiddies and their cousins, packet monkeys (people who launch DoS attacks against Web sites for “no apparent reason”), have been around for many years, and have caused considerable damage to systems throughout the world. An example is the large-scale DDoS attack that brought down Yahoo!, eBay, ZDNet, and CNN. The Yahoo! attack was launched by a Canadian teenager called “Mafiaboy” who used a utility called Stacheldraht that was written by a German hacker.

The “real” hackers spend years playing with computer systems and learning the intricacies of complex operating systems, often preferring to work with UNIX. They take pride in their knowledge and in the “elegance” of their attacks. They regard script kiddies, who rely on scripts written by others and even stoop to using hacking tools with graphical interfaces, in much the way a master jewel thief regards a street thug. Because script kiddies are unskilled (and thus are less able to cover their tracks) and because they tend to crave attention (whereas most skilled hackers take pride in being able to stealthily invade a system and get out without anyone knowing), script kiddies make up a large proportion of the network intruders and attackers who are caught and prosecuted.

Despite their disrespectful nickname and the low level of regard they're given in the hacker community, script kiddies can do a lot of damage, and the randomness of their attacks makes them especially dangerous. As with drive-by shootings that target random victims, script kiddies’ actions are impossible to predict and they place everyone at risk.

As unsophisticated as script kiddies are, another variety of “wannabe” hacker is even less technically savvy. At least the average script kiddie knows enough to type a few commands to launch the script he or she got from somebody else. The newest incarnation of “do it the easy way” attackers is too unknowledgeable—or too lazy—to do even that. Instead, this new breed uses “point and click” utilities with pretty graphical interfaces or “fill in the blank” Web sites that serve as front ends to launch the chosen attack(s) against specified targets without the so-called hacker even needing to know how to download a file.

David Rhoades of Maven Security came up with the term click kiddies to describe these “rebels without a clue.” Rhoades travels to computer security conferences around the world with his presentation, called “Hacking for the Masses.” In his talk, he outlines just how easy it is for literally anyone to commit online breaking and entering—and much worse—with readily available tools that, to paraphrase Rhoades, are so user-friendly even your grandmother can bring down several servers before dinner.

Use of the Web-based attack tools favored by click kiddies also makes it more difficult to trace the origin of the attack, because the attack is coming from an intermediary (the Web site that provides the tool) instead of directly from the attacker.

The same preventive measures that we've already discussed apply to protecting a network from nontechie hackers. In addition, script kiddies can sometimes be lured in and caught by setting up a honeypot, which is a system designed specifically for the purpose of trapping attackers. The honeypot is a system or network that acts as an “open invitation” to hackers. It is connected to the Internet with minimal protection, running unpatched operating systems and application software that can be easily exploited. The systems are constantly monitored so that the attacker can be identified and traced before he or she has a chance to destroy evidence. We discuss honeypots in more detail in Chapter 14.

A wireless access point connects the traditional wired network to wireless clients by transmitting network data through the air. The wireless access point acts as a relay between the wired network and wireless clients. Many companies implement many wireless access points that can hand off the wireless signal to ensure that the client does not get disconnected. These access points range from home or home office devices that cost less than $100 to enterprise access points that implement complex security features and allow for specialized configuration and management.

The wireless access points themselves simply provide a means for the data to travel from the wired network to the client. The network infrastructure services must still be provided to the client. Although most access points today have these features built into the device, you can also use your traditional servers to provide services such as Dynamic Host Configuration Protocol (DHCP) and routing.

For a client to connect wirelessly to a LAN, it must have a wireless network card compatible with the wireless standard used by the target network. With the majority of laptops today including built-in network devices, wireless networks are becoming a standard with most home and corporate networks. Although wireless LANs have traditionally been used for mobile devices, the ease and cost-effectiveness of extending the network has some companies implementing wireless cards on their desktop machines.

Even with all the advancements in recent years, installing a wireless network on your LAN is not something you should do without careful planning. Before adding wireless connectivity to your network, you should understand the major advantages and disadvantages of introducing wireless connectivity.

Wireless networks offer users the following advantages:

Wireless networks also have some disadvantages as well:

To transmit and receive data through a wireless connection, the client must be associated with the access point. This association connects the two devices and allows the client to obtain an IP address and communication on the network. Signal power and security settings can interfere with the association process.

On Windows XP and Windows Server operating systems, Microsoft provides the Windows Wireless Zero Configuration (WZC) utility to assist the user with connecting to wireless networks. Although it does make the association process easier, it also introduces some security concerns you should be aware of.

If a preferred network is not available, WZC will probe for networks that are already connected. This information can be viewed by anyone using a wireless analyzer and can be used to set up fake access points to lure clients to connect. WZC will also attempt to connect to the wireless network with the strongest signal. Knowing this, an attacker can create fake wireless networks with high-power antennas and cause computers to associate with their access point rather than the legitimate one. When possible, it is recommended that you use the vendor-provided wireless management tool.

If you are using a wireless card from Linksys, Dell, or Netgear, you will likely have installed management software from the vendor that can control the association of the wireless device. This software has been designed by the manufacturer to work with the corresponding hardware and is typically more secure.

All wireless management software will require you to select the wireless network to which you would like to connect. You will select the service set identifier (SSID). The SSID is the public name of the wireless network. If the network has security enabled, you will be prompted to enter the passphrase or encryption key. If you do not know the key, you will not be allowed access to the network. If the network is open or you enter the correct security key, your computer will attempt to establish the connection.

Wireless penetration testing involves using the same techniques that hackers use to attack wireless networks. A negative stigma is often associated with the use of hacker tools and methodologies. Network administrators and management frequently consider the use of these tools as the legitimization of hacker-based tactics and strategies. This attitude can lead to an insecure wireless network that has not been tested to determine the ability to prevent a true attack from succeeding.

Conducting penetration tests to determine the security of your wireless infrastructure is essential. Through the practice of learning, understanding, and implementing the same methods of attack the intruder will use, one can better assess vulnerabilities, overcome weaknesses, and fortify defenses. During a wireless penetration test, it is important to gather as much information about the network as possible. Most networks are discovered during wardriving (the process of scanning for insecure networks), so the attack may be targeted more toward a wireless vulnerability than a specific corporate network.

When conducting a penetration test you should conduct both are an internal and an external attack. The internal approach allows you to use information you already know about the network, such as encryption keys, network design, and signal ranges. This type of test validates the security of the network from an internal employee's point of view. External testing is done without using any knowledge of the network infrastructure. The tester uses tools an intruder would use and simulates an actual attack. It is important that a skilled security professional perform this test to ensure that these tools do not negatively impact network and server systems.

The key thing to remember during a wireless penetration test is that the goal is to assess the security of the wireless network. Management approval in writing of what tests are expected and the potential impact to the network is a good way to ensure no surprises for either side. Those performing the test should also do the following:

Users that are persistent in their desire to connect to an unauthorized access point will keep an eye out for security professionals completing wireless audits and simply unplug the access point until the scan is complete. The amount of effort required for physical wireless scans can often result in less frequent scans. Detecting wireless access points from your wired network has many advantages. You can set automated scripts that search your network on a continuous basis, saving you time and money. By using tools such as Nmap and Nessus, you can scan sections of your network not easily accessible to wireless scanning.

To perform wired network scans for access points, you must be connected to the internal network and have the ability to connect to all the subnets you want to scan.

Before initiating an attack, a hacker will want to know as much about the target network as possible, using various wireless tools to perform information gathering. Once the hacker feels comfortable with the information gathered, he or she may use injection techniques to force information across the wireless network that can be used to crack encryption schemes. Once this data has been captured, it is matter of time before the encryption key is discovered and the hacker is connected to the internal network via the wireless access point.

The tools used to perform these attacks are freely available on the Internet and are included in live security distributions. Some of these tools include:

Most wireless access points have the ability to log traffic and connections. It is important to consider logging requirements before an incident occurs. Being able to go back to a specific time when an event is thought to have occurred gives the investigator the ability to analyze and determine whether there was indeed a wireless attack on the network.

The logging on most access points does not provide the kind of granularity required for effective logging. You can set up a wireless IDS/IPS to monitor and log any suspicious wireless activity using wireless sensors. These sensors detect malformed wireless packets and log the data for forensic analysis later.

Investigating wireless attacks is difficult due to the nature of the technology. This is exactly the reason attackers like to use this method to gain access to corporate networks. The best solution is to configure your wireless network securely to ensure that hackers will not be able to gain access easily. If a wireless incident does occur, an investigator can use the same tools the attacker used to determine how the attack was done and decide how much information may have been exposed. Proactively reviewing event logs on servers and network devices is always a good step toward identifying attacks early and handling them appropriately.