Been hacked lately? Or are you worried that an attack on your system is just a matter of time? Want to find and fix your security holes? Who doesn’t? Securing your company from cyber-evils isn’t as impossible as it sounds. You just need to find an expert to point you in the right direction, which is why we’ve found Alan Bishoff. In this interview, security guru Bishoff provides some detailed answers on how to protect your network from the lurking menace of a hacker attack.
Alan Bishoff is senior network security consultant and Web content manager of Packet Storm, a public service provided by Securify. Packet Storm is a Web site that provides free Internet security resources for companies wishing to protect their networks, or that have recently been hacked.
TR: There’s been a debate recently among TechRepublic members about hiring hackers. Would you hire one?
Bishoff: Yes. You’d have to, to stay on top of everything.
TR: Would you be able to trust them?
Bishoff: If you hired a hacker and the relationship turned sour, that could be a bad thing. You’d almost have to have someone who knew more than the hacker did to [keep your system safe], I suppose. But, I’ve never heard of anything like that happening, and I’ve known lots of people who’ve switched over from the “dark side.” They seem to make good employees.
TR: What is your definition of a cracker as opposed to a hacker?
Bishoff: I’ve never met anyone who actually broke into a computer and called themselves a cracker. It’s used by people who really hate hackers, but that’s about the only kind of people who use it. Hacker is a better term to use to describe someone who breaks into computers.
TR: How can you really know if your network is protected from hackers?
Bishoff: Well, you do different things to protect different kinds of computers. Basically, if you are running a computer that has old services on it that are able to be connected over the network, then you would be at risk. Say you installed a UNIX machine three years ago and never upgraded it, and it’s not behind a firewall, and you can connect through all the ports; then that would really be a risk.
A Windows machine installed three years ago—maybe with a mail server on it, like a mail gateway, and with a Web service on it that’s three years old and never upgraded—would get taken over. From there they could take over the rest of the secure network. Once they’re in a little bit, there’s really no turning back. They’ve got you. For most companies, that’s the way they’re usually set up.
TR: Assuming everything is behind a firewall, what else might they still look for?
Bishoff: Well, the firewall has to let something through. So let’s say you run a Web server and you only let Web traffic through the firewall, which would be a good way to set it up. Some Web servers are old and they have vulnerable CGI scripts on them. So someone could actually send commands through port 80 (the web port), which would go through the firewall, and then execute some kind of back door on the machine on the other side of the firewall.
If they can run code on the other side of the firewall, then they can have the machine connect backwards out of the firewall, effectively making it useless. So if you’re letting something in through the firewall and it’s not secure, people could subvert the whole thing.
CGI scripts are the most common example. I’m sure you’ve heard of all of the government defacements with the RDS bug. RDS is a bug that came out in Microsoft Windows NT about six months ago, which allows you to execute code remotely on a Windows NT machine. That’s how most of these government sites are getting hacked, because they have not been upgraded. But you could have a machine like that running behind the firewall, and all of the attacks can be executed over port 80, so the firewall won’t help you.
TR: How do you secure your Web server?
Bishoff: Well, most Web servers have a lot of different ports open and that’s a real bad thing. You want to set it up so the only port you have open is port 80. If you have a secure Web server that does the credit card number stuff, you need port 443 open as well. Otherwise, you only want port 80 open.
Also do a CGI scan. There’s an excellent freeware program called Whisker that you run against your Web server. If Whisker doesn’t come up with anything and the only port open is port 80, then you have a darn secure Web server, and no one is going to be able to break in unless they break into other computers on your network and then work their way over to your Web server.
TR: What else might you do to make sure you are totally secure?
Bishoff: What you want to do is run the least number of services that you can, because network services give hackers an attack point in your network. The number of network services that you have open to an attacker is the number of machines you have publicly addressable on the Internet (the number of machines that have external Internet addresses), multiplied by the number of services running in each machine.
Say you have a firewall and you have 100 people behind the firewall, then they all have fake IPs [Internet protocols], so they’re all relatively safe from people directly attacking them. What you need to do is find out how many real IPs you have on the Internet and how many services those real IPs are running.
Each IP address has a lot of different ports and different services running different ports. I was talking about port 80 being the Web port, but machines typically have a Web server running on port 80 and they have other kinds of servers running on different ports.
They take mail in through port 25, but if they’re running an old mail server—maybe something three years old that they have never upgraded—someone is going to be able to subvert them through port 25 and gain access to that machine. From there they can take over the whole network.
Most places hackers can break into can be tightened down by turning off the service. Check what services you have and turn off all of the ones you don’t need. Then, for the services you do need, decide how you can provide them in the most secure manner possible.
Continuation of an Interview with Alan Bishoff
TR: What are some examples of services that are vulnerable?
Bishoff: Finger is a largely unused service. Finger will allow other people on the network to see who is logged into the machine and how long they’ve been idle, but that’s real good information for hackers.
For e-mail, there’s lots of different mail programs. Some of them are really secure. Some of them aren’t. If you decide you need mail, you need to only run one mail program on one of the servers and have all of the mail go through there. Then run a really secure [server inside the firewall] and then no one is going to be able to break in.
Subverting a network through an old IMAP or POP server is a really common thing that happens hundreds of times a day. When your Internet browser goes out to get the mail, it connects to an IMAP or a POP server. So companies need IMAP and POP servers so people can read their mail through the browsers. However, they don’t need everyone on the whole Internet to be able to connect to their IMAP and POP servers. So what a company would want to do is first upgrade to the newest version and second, make them only accessible to users within their network.
TR: If you have few services running, and they’re secure, what else can you do to protect your network?
Bishoff: You can’t have people coming in from other sites and logging in remotely, because the other site could get taken over. Let’s say someone has an account on their home ISP and they come from their home ISP to your computer. A hacker who hacked over the home ISP would now own the company too, because they would have the password to the remote login. You can use programs to keep the password from being sniffed, but you need to use encryption if you connect to your network from another network.
[Let’s say] you go to a different company’s site, and you check your e-mail at your company. If the other company is taken over by a hacker, then all of a sudden both companies will be, because the password will get sent. Most employees don’t know this. A lot of user training is needed. And, if you can’t provide user training, you have to take away the power of the users to log in remotely unless they understand the implications.
TR: What other software is available to help protect our networks?
Bishoff: There are so many thousands of threats to the network. Running some of the scanners out there will pick up most of them. There are a lot of free ones and there are a lot of them that you have to pay to use. At Packet Storm Security, we have a lot of free software that people can use to check the network for that kind of thing. That’s actually what we do here: We give out free security tools to help protect networks from hackers. On the site here, we actually have all of the hacker tools and we have all of the tools to defend against them.
Packet Storm is currently the world’s largest Internet security repository. The Web site contains security tools and daily alerts about security developments and hacker threats. The site is popular with security experts because it collects detailed technical information about how intruders exploit network security holes, and provides information about fixes. It is created by contributions from Packet Storm staff and other IT security experts, including some hackers.Located in Palo Alto, CA, Packet Storm’s provider, Securify, is currently held by Kroll-O'Gara. Its security consultants are experienced in network assessment, cryptography, secure systems and software, Public Key Infrastructure (PKI) digital certificates, and computer system defense.
Tell us your hacker stories
Have you been hacked? If so, what were your first steps to remedy the situation? We’d love to hear your stories. Feel free to post them below along with comments about this interview. Also, send us a note if you have a CIO you’d like to see interviewed.