Computer threat - continued

Another threat to the computer and network as follows:

Denial of Service (DoS)

This type entangling the hacker and or a certain party to send a number of ICMP echo request to the broadcast address. Remember that the address of sender request have been disguised so difficult to tracks.

Protection to the network can be done by selection to the reciprocation of ICMP echo, another way is do not activate the directed broadcast at the router. Permit out package only and the sender address same with internal network address. This is important to the network security

The other level of Denial of Service(DoS) is Distributed Denial of Service (DDoS).
This type will increase the traffic and combine the bandwidth from some of host to one target host or network.

Spoofing

Is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.

Broadcast Amplification

By using broadcast amplification, an attacker can direct machines at one site to flood another site with network packets. If huge amounts of packets are sent to a site, it goes down under the load, causing denial of service. To prevent this technique from being used, the document's authors suggest that companies turn off the capability to forward directed broadcast or multicast traffic.

TCP SYN attack

is an attack based on bogus TCP connection requests, created with a spoofed source IP address, sent to the attacked system. Connections are not completed, thus soon it will fill up the connection request table of the attacked system, preventing it from accepting any further valid connection request.

The source host for the attack sends a SYN packet to the target host. The target hosts replies with a SYN/ACK back to the legitimate user of the forged IP source address.

Since the spoofed source IP address is unreachable, the attacked system will never receive the corresponding ACK packets in return, and the connection request table on the

Attacked system will soon be filled up.The attack works if the spoofed source IP address is not reachable by the attacked system. If the spoofed source IP address where reachable by the attacked system, then the legitimate owner of the source IP address would respond with a RST packet back to the target host, closing the connection and defeating the attack.

TCP SYN flood is a denial of service attack that sends a host more TCP SYN packets than the protocol implementation can handle.

This is a resource starvation DoS attack because once the connection table is full, the server is unable to service legitimate requests.

Computer threat - Network Security

Every TCP package have 'flag bit’ defining content and intention of each package.

Example:

A package with flag bit contain "SYN or SYNCHRONIZE" will undertake to conduct initiation connection from sender to recipient. A package with flag bit contain "ACK" will undertake to inform receiver about sender information.
While a TCP package with beet flag contain "FIN" or "FINISH" undertaking to stop connection from sender to recipient.

To build a TCP connection, need data transfer package between two host, transfer of this data recognized by the name of "TCP Three-Way Handshake" as below picture.

Computer Network Threat

Threat is very harmful to the entire system and also by application at internal and external network.

The threat as follows:

Remote Login - this matter happened when someone capable to connect to a computer and have ability to control to several things related to resource found on the host or computer.

Application Backdoors - some program have special ability to access with long distance (remote access). Some bug program, exactly contain a backdoor or hidden access providing level control the computer and program.

SMTP session hijacking - SMTP is most commonly method used to deliver E-mail. By getting E-mail mailing-list, someone can deliver undesirable E-mail to thousands of or more users. This matter is called unsolicited junk mail or spam.

Spamming conducted with joining SMTP server which not suspect, then deliver thousands of E-mail called redirecting process, so that complicate to detect who is the real sender of the Mail Spam.

Operating system bugs – In application, some operation system have conducive security gap to be exploited illegally.

E-mail bombs - is an Individual attack, someone send hundreds or thousands of E-mail to one address so the victim E-mail cannot accept E-mail anymore.

Macro - To make simple or facilitate procedure an application, many application program permit us to make command which can be run by the program (script). By exploiting ability of script or macro, attacker can cause damage of data at computer.

Virus – Most known to make trouble at computer. The growth of virus from method, way of, making, effectiveness, damage storey, and also speed of spreading is different each other.

Redirect bombs – Hacker or Cracker can use ICMP to change direction of information and attack to other router.

Source routing - At many case, a data package which work through one or some network determined by router pass to route information by the router, but sometime hacker used the package as the real sender.

Another type of computer attack are from (next posted about this) :

Denial of Service (DoS)
Spoofing
Broadcast Amplification
TCP SYN

The method to run the threat above, can be conducted variously including using virus.

Network security - protecting PC

Tapping by hacker is an annoying problem when we are on surfing internet.

We have to learn how to hack but shall be used for protection from attack.

Following is tips and some software assisting to protect PC from online tapping.

Often we forget to protect our PC “attacking” from online tapping when we surf the internet.

Many civil people feel enough in protecting its PC with a program a kind of firewall desktop and anti spy firewall.

In fact, still many gap at firewall which you used, can be exploited by online watcher hacking on your PC

Below is a tips to protect PC from internet tapping in a LAN party, W-LAN or home connection as my experience.

Activated your Firewall:

In course of online tapping or infection, usually the first step do by hacker is collect information and data concerning victim to be tapped. Usually hacker use information compiler tools like “ Nmap” ( http://www.insecure.org/nmap), hereinafter hacker will check open port at victim PC and also TCP/IP package sent from PC into Network. This matter to get specific information is called print finger from victim PC.

The others way, hacker usually try to get deeper information by delivering an E-mail bait to victim (victim will open the e-mail through Microsoft Outlook program which integrated in its Windows). From bait E-mail answered, hence hacker directly can check what kind of E-mail software and server client install in victim PC.

A lot of “software bug” site, discuss about weak of E-mail software and server client according to each version, but I’m not talking about that weak at this post.

So how to avoid that attack ?

The way of which you can use as protection early is firewall desktop. If you do not wish to use special firewall or commercial, hence you enough activate personal firewall that found on Windows XP service pack 2. Comprehend firewall application path and activity which you use in order not to harm you.

Ascertaining your pc clear of Virus and Trojan, before install the firewall.
Configure your firewall with carefully in each application requiring to access online and also access sharing file in existing network.

Encrypt the Important Folder and WebMail connection.

After getting information about victim PC, usually hacker can start tapping, it is of course with two important tools that is " Ethereal" and "ARP-Spoofer". With ARP-Spoofer, hacker can take information which pass by victim PC with Gateway Internet access and that information package can be opened with “Ethereal (http://www.ethereal.com)”.

To overcome matter above, we have to encrypt our Webmail connection through https band. Do not use http band, better avoid to use ftp band and telnet, because can be sabotaged by hacker. You can use SSH connection to replace ftp band or the telnet. The existing constraint is there is very rare web server providing https service and the SSH.

One of the common Mail which use HTTPS is GMail. Whereas for the important and confidential folder in the PC better do Encrypt. Its data content with right click on folder that you want to Encrypt, its way open part: Properties – Advanced – Encrypt content to protect data. But this matter can be done if your XP windows system file is use NTFS type. By use NTFS system file, we also can block out to access rights access certain consumer.

Use Good Firewall.

With DNS spoofing, hacker can do deflection instructing PC victim to spurious website. This deflection is easy to do because DNS protocol is not have any security mechanism. This matter can be prevented by using good firewall application.

At firewall nowadays, usually DNS cache keep with elegantly, so when we ever visit to previous website, hence DNS spoofing we can prevent.

Recognize to access autoexec at registry

If hacker have succeeded tap your pc, usually they always prepare backdoor to facilitate hacking access in other opportunity. One of the effort draw up backdoor is by altering victim pc system file. But this matter can be easy to detect to through antivirus program.

The way of more realistic to all hacker by placing Trojan in our PC, then run through one of the "Autoexec" what running with autoexec in other Windows system. In anticipating this matter, which we do with install additional tools “Autorun” from Sysinternalsi (http://www.systernals.com).

With this tool can display lot of autoexec exist in our system. Autoruns also can show signature from autoexec exist in our pc system. If found autoexec entry which unknown and identify as trigger Trojan, hence Autoruns can turn off it. With this tool, we assisted in eliminating against backdoor which is possible left by hacker in our pc.

Besides trick above, to avoid tapping, suggested do not use User Administrator when surf in internet, then arrange your explorer internet security setting to High Level Security setting.

And don't forget to always Update your Windows, especially when newest update improve many Security system on your PC.

Callback connection setting

The callback feature instructs your remote access server to disconnect, and then to call you back, after you dial in.

What does it mean and what for ?
Call the server from your home, then immediately hanging up by the server and then server dialing you back.
Required callback enhances network security by ensuring that only users from specific locations can access the server. By dropping the call, and then calling back a moment later to the preassigned callback number, most impersonators can be thwarted.

How it work ?



You call the server to the server via modem, once your server modem response, your connection automatically disconnected then your server call you back.

What for ?
For example, you need some file from your network server while you are at home or you are out of office, and this is reduce your phone charge and the others one, you can used internet trough your server network as a gateway.

How to Setting ?

Office/Server Setting:
step 1: Incoming Connection

Open Network Connection -> Create a new connection -> Next -> Select Set up an Advance Connection -> Next -> Accept incoming connection -> Select your modem device -> Do not allow virtual private connection -> select User Permission -> Next -> Finish.

step 2:
Set Remote Access Server (RAS)
Of course this part must configured by your administrator (if you want to know how to configure RAS, ask me). If you are as a user, put the modem to your computer as your network client, then do the only step1, and of course you have to let your computer on when you leave.

Your Home Computer setting:
step 1:

Open Network Connection -> Create a new connection -> Next -> Connect to the Internet -> Next -> Setup my connection manually -> Connect using a dial-up modem -> Type connection name -> Next -> Type the Phone Number -> Type User Name and password that you has been permission to connect as above (server configuration) -> Next -> Finish.

step 2:
Open Network Connections.
On the Advanced menu, click Dial-up Preferences.
On the Callback tab, do one of the following:
1. If you do not want to use callback, click No callback.

2. If you want to decide whether to use callback at the time you connect, click Ask me during dialing when the server offers.

3.If you want to use callback consistently, click Always call me back at the number(s) below, and select the modem or device on which you want to be called back.

4.If Phone number is blank for the device you have selected, click Edit, and then type the number.

5.If you want to remove a modem or device from the list of possible callback devices, click the modem or device, and then click Delete.

(see the final setting screen)


Now try connect to your computer office.
The surprised is,
1. The phone cost become to your office computer phone line. Your cost only on the first called.
2. If your office computer able to connect the internet via you server connection, you can used internet too from your home (must check your office computer firewall setting).

Network security - Firewall setting

You probably know that you need firewall security; in fact, you may even already have a firewall management program in place. But what exactly is firewall security, and what does firewall management entail?

The word firewall originally referred literally to a wall, which was constructed to halt the spread of a fire. In the world of computer firewall protection, a firewall refers to a network device which blocks certain kinds of network traffic, forming a barrier between a trusted and an untrusted network. It is analogous to a physical firewall in the sense that firewall security attempts to block the spread of computer attacks.

How Does Firewall Management Work?

A firewall management program can be configured one of two basic ways:

* A default-deny policy. The firewall administrator lists the allowed network services, and everything else is denied.
* A default-allow policy. The firewall administrator lists network services which are not allowed, and everything else is accepted.

A default-deny approach to firewall security is by far the more secure, but due to the difficulty in configuring and managing a network in that fashion, many networks instead use the default-allow approach. Let's assume for the moment that your firewall management program utilizes a default-deny policy, and you only have certain services enabled that you want people to be able to use from the Internet. For example, you have a web server which you want the general public to be able to access. What happens next depends on what kind of firewall security you have.

Below is a firewall security script, has been tested with Kerio Personal Firewall, may this rule can accepted to others firewall:

LSA Shell (lsass.exe) -> Ask - Permit - Ask - Ask
Windows NT Logon Application (winlogon.exe) -> Ask - Permit - Ask - Ask (log)
Userinit Logon Application (userinit.exe) -> Ask - Permit - Ask - Ask
Generic Host Process (svchost.exe) -> Ask - Permit - Ask - Ask (log)
Microsoft File & Printer Sharing -> Deny All (For LAN can be: Ask - Permit - Ask - Ask)
Any Other Application -> Deny - Ask - Deny - Ask (log & alert). invisible mode
Internet Browser Application -> ask - deny - deny - permit (log)
Kaspersky AntiVirus/ Kaspersky Internet Security -> ask - deny - deny - permit (log)
FTP Manager Application -> permit - permit - permit - permit (log & alert)
Yahoo Messenger -> deny - ask - deny - permit (log & alert)


Below is the rule script for Filter packet in Ferio Firewall or Tiny firewall and may can accepted to others firewall:

RULE 1
Description: ISP Domain Name Server Any App UDP
Protocol: UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: IP number (Your ISP DNS server)
Port type: Single
Port number: 53
Action PERMIT

RULE 2
Description: Other DNS
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Single
Port number: 53
Action DENY

RULE 3
Description: Back Orifice Block (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 54320,54321,31337
Remote Address Type: Any
Port type: Any
Action DENY

RULE 4
Description: Netbus Block (Logged)
Protocol: TCP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports: 12456,12345,12346,20034
Remote Address Type: Any
Port type: Any
Action DENY

RULE 5
Description: RPCSS (Logged)
Protocol: UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 135
Remote Address Type: Any
Port type: Any
Action DENY

RULE 6
Description: Block Low Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 1
Last port number: 79
Remote Address Type: Any
Port type: Any
Action DENY

RULE 7
Description: Block High Trojan Ports TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Both
Port type: Port/range
Local App.: Any
First port number: 5000
Last port number: 65535
Remote Address Type: Any
Port type: Any
Action DENY

RULE 8
Description: Block Outbound Unauthorized Apps TCP UDP
(Notify)
Protocol: TCP and UDP
Direction: Outgoing
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY
Nb: Kaspersky Antivirus 6 & Kaspersky Internet Security 6 usage, the remote port address choose Any)

RULE 9
Description: Block Inbound Unknown Apps TCP UDP
(Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Any
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

RULE 10
Description: Block ICMP (Logged)
Protocol: ICMP
Direction: Both
ICMP Type: Echo Reply, Destination Unreachable, Source
Quench, Redirect,
Echo, Time Exceeded, Parameter Prob, Time Stamp, Time
StampReply, Info
Request, Info Reply, Address, Address Reply, Router
Advertisement, Router
Solicitation (ALL)
Remote Endpoint: Any
Action DENY

RULE 11
Description: In Block Ping and TraceRoute ICMP
(Notify)
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo
Remote Endpoint: Any
Action DENY

RULE 12
Description: Out Block Ping and Trace Route ICMP
(Notify)
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo Reply, Destination Unreachable, Time
Exceeded
Remote Endpoint: Any
Action DENY

RULE 13
Description: Block Common Ports (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: List of Ports
Local App.: Any
List of Ports:
113,79,21,80,443,8080,143,110,25,23,22,42,53,98
Remote Address Type: Any
Port type: Any
Action DENY

RULE 14
Description: Loopback
Protocol: TCP and UDP
Direction: Both
Local Port: Any
Local App.: Any
Remote Address Type: Single
Host address: 127.0.0.1
Port type: Any
Action PERMIT

RULE 15
Description: Block Inbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Any
Port type: Any
Action DENY

RULE 16
Description: Block Outbound NetBIOS TCP UDP (Notify)
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Any
Port type: Port/Range
First Port: 137
Last Port: 139
Action DENY

RULE 17
Description: Bootpc (Logged)
Protocol: TCP and UDP
Direction: Incoming
Port type: Single port
Local App.: Any
Port number: 68
Remote Address Type: Any
Port type: Any
Action DENY

RULE 18
Description: Out Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Outgoing
ICMP Type: Echo
Remote Endpoint: Any
Action PERMIT

RULE 19
Description: In Needed To Ping And TraceRoute Others
Protocol: ICMP
Direction: Incoming
ICMP Type: Echo Reply, Destination Unreachable, Time
Exceeded
Remote Endpoint: Any
Action PERMIT

RULE 20
Description: Internet Explorer-Web browsing (logged)
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => iexplore.exe
Remote Address Type: Any
Port type: Any
List of ports: Any
Action PERMIT

RULE 21
Description: Outlook Express
Protocol: TCP
Direction: Outgoing
Port type: Any
Local App.: Only selected below => msimn.exe
Remote Address Type: Any
Port type: List of ports
List of ports: 25,110,119,143
Action PERMIT

RULE 22
Description: Yahoo Messenger
Protocol: TCP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => yahoomessenger.exe
Remote Address Type: Any
Port Type: List of ports
List of ports: 443,80,5050
Action PERMIT

RULE 23
Description: Yahoo Messenger
Protocol: UDP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => yahoomessenger.exe
Remote Address Type: Any
Port Type: single
List of ports: 3478
Action PERMIT

RULE 24
Description: Download Manager (logged)
Protocol: TCP
Direction: Outgoing
Port Type: Any
Local App.: Only selected below => (your download manager file)
Remote Address Type: Any
Port Type: List of ports
List of ports: 80,21
Action PERMIT


For filter packet setting on Local Area Network (LAN) can added with below rule script to allow NetBIOS access at specific port:

RULE 15a
Description: Trusted Inbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Incoming
Port type: Port/Range
First Port: 137
Last Port: 139
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Any
Action PERMIT

RULE 16b
Description: Trusted Outbound NetBIOS TCP UDP
Protocol: TCP and UDP
Direction: Outgoing
Local Port: Any
Local App.: Any
Remote Address Type: Trusted Address Group
Port type: Port/Range
First Port: 137
Last Port: 139
Action PERMIT