- Your Users: People with Whom You Share Your Computer
- The Bad Guys: People Who Would Do Your System Harm
- Everybody Else
The Bad Guys: People Who Would Do Your System Harm
We'll call them bad guys, nefarious individuals, malicious persons, or crackersyou can call them whatever makes you happy. Regardless of what they're called, the vast majority of people who intend to compromise your system security are nothing more than minimally computer-literate jerks. The romantic notion of the Robin-Hood-like computer cracker who breaks into a government computer to expose the evil military experiments that the government is doing, or the well-meaning geek who infiltrates a corporate network for amusement, leaving behind an explanation of how he did it and how to plug holes, is a myth that's based in too little reality. The media has done us a disservice by portraying characters "hacking" computer security in such a positive light, and the fact that so many computer users have successfully eschewed responsibility for the actions of their machines is not helping the climate, either. Regardless of the causes, however, most threats to your computer will be caused by the actions of relatively unsophisticated computing "punks," who are using tools they don't really understand to try to take your computer for a joyride. Most of these attacks will actually be carried out by "innocent victims," whose computers have already been compromised and programmed to carry out further attacks on behalf of the cracker actually pulling the strings. It's not at all uncommon for the person who's directly responsible for initiating the attacks to have no ability to control it, and no in-depth understanding of the attack mechanism. Usually they're no more than poorly supervised children with too much time on their hands, and a program for "l33t kR4k1n6" that they downloaded from the Internet. The next most prevalent threat will probably be from nonusers of your system who have acquired access through an error in judgment on the part of one of your users, such as loaning his password to a "close" friend. Unless there's a reason for one of the few actually sophisticated crackers to single you out, it's highly unlikely that your system will ever be touched by someone who specifically wants to enter it, for purposes of theft or mayhem.
Regardless of your situation, you can better protect your machine if you can make educated guesses regarding the type of security threats you're most likely to encounter. A targeted defense plan won't be universal, but it will protect you from the vast majority of the likely attacks, with a minimum of ongoing effort on your part.
Troublemakers and Bad Guys by Type
In "Psychology of Hackers: Steps Toward a New Taxonomy," (previously hosted at InfoWarCon, a cyber-terrorism topics conference, under http://www.infowar.com/hacker/99/HackerTaxonomy.html, and currently available from http://psyber.letifer.org/downloads/priv/hacker_doc.pdf), Marc Rogers, M.A., Graduate Studies, Dept. of Psychology, University of Manitoba, categorizes hackers into seven distinct (although not mutually exclusive) groups: tool kit/newbies, cyber-punks, internals, coders, old guard hackers, professional criminals, and cyber-terrorists. These categories are seen as comprising a continuum from lowest technical ability (tool kit/newbies) to highest (members of the old-guard, professional criminal, or cyber-terrorist persuasions). This breakdown is largely predicated on differing psychological profiles, and is limited to categorizing persons who create security problems or breach security intentionally. Because the psychological categories are less useful for understanding the types of threats than the patterns of attack will be, and because you're also interested in protection from unintentional or undirected threats, we've expanded on this list slightly, and used a few more conventional names.
Script Kiddies. Roger's "Tool Kit/Newbie," to whom we refer as the script kiddie, is a relatively computer illiterate individual who is seeking self- and external affirmation through the act of displaying his (or her) computer prowess. Script kiddies appear to usually be children with too much time on their hands and no respect or regard for other's personal property. Typical script kiddies seek to "own" (that is, take over and control) as many remote computers as possible, which are then used as evidence to support their claims to "elite hacker" status among their peers. Because they lack computing sophistication, script kiddies are limited to using tools that others have written and made available for download from a myriad of sites around the Internet. It is not at all unusual for script kiddies to have no knowledge of the mechanism of an attack that they're using, or ability to tweak the instrument of that attack to avoid even the simplest of countermeasures. This in general places script kiddies fairly low on the list of threats about which one must be concerned. However, a frighteningly large number of these misguided little twits are wandering the ether, and there are a distastefully large number of computer owners who haven't bothered to install the simple countermeasures necessary to thwart the attacks.
Thug, subspecies group. A subset of Roger's "Cyber-punk," the group-loving thug is a sort of script kiddie on steroids. These individuals are not satisfied with simply "owning" your machine, but seem somewhat more anger addicted than simple script kiddies and are bent on malicious damage to your machinenot just evidence that they've broken into it. Thugs may display slightly more sophistication in their computer skills than do script kiddies, but quite thuggish attacks can be carried out by script-kiddie methods, and the majority of thugs do not progress beyond these means. Their attacks are occasionally directed against specific targets with intent, but are more frequently along the lines of untargeted vandalism, directed at whatever machines appear most vulnerable or convenient.
Because it helps to have an adequate mental picture of the people against which you're trying to defend, it may be useful to understand that both script kiddies and thugs are tremendously dependent on the fantasy "cult of personality" that they accrue around their (often made up) legendary exploits. They also fall almost exclusively into the peculiar group of people who want so badly to be "different" that they must form little clubs in which to do it. Choosing names for themselves such as "Dark Lord" and "Mafiaboy," they gather together in clannish groups such as the "Cult of the Dead Cow," or "The Noid." The communal exploits of these groups are then held as bragging rights in a pathetically testosterone-deprived variant of pack-animals competing for the position of alpha-male. Perversely, they don't even seem satisfied to live within their own rules defining their pecking order, as it's not at all unusual for members of one group to claim membership in another, with more "impressive" credentials.
These aren't the daring and creative "hackers" of movie fame, or the overly enthusiastic "computer geeks" from the sitcoms. They're latent bullies who can't hold their own on a physical playground, so they take to the Internet where their blows can be struck from the anonymity of a keyboard. It's a pity corporal punishment has become so politically incorrect these days, because what these people need most is a good swift kick in their not-so-virtual pants.
If your computer is connected to the network, script kiddies and group-loving thugs will account for better than 99% of all attempted attacks against it. Thankfully, defending against them, at least to the point of preventing intrusion, is relatively easy. If you follow the recommendations of this book, and keep up with your security precautions in the future, you should be able to block 100% of their attacks.
Thug, subspecies loner. These individuals make up the remainder of Roger's cyber-punk grouping, and are the minimally skilled malcontents who prefer the mystique of the loner to the pack mentality of the group-loving thug. The loner thug accounts for fewer security problems, partly because they appear to be a more rare breed, and partly because they've no need to accrue a "body count" as they've no peer group to parade it in front of. Unfortunately this means that these attackers tend to be somewhat more targeted in their attacks than the group-loving thugs, who typically move on to easier prey if your system puts up the slightest resistance. Loner thugs tend to function most often in "retribution" mode, attacking systems against which they feel they've some grievance (or whose owners or users they simply don't like for one reason or another). They can also be quite single-minded and may iterate through all known attacks against a single host, rather than the more typical pattern of the group thugs, who usually iterate a single attack through all known hosts.
- Opportunistic Tourist. These people are the computer equivalent of
the folks who check all of the pay-phone coin-returns as they walk by, or the
manufacturing plant visitor who decides to grab an unofficial souvenir when
nobody's looking. Not (typically) out looking to cause trouble, the
opportunistic tourist takes advantage of a noticeable security flaw, but
won't actively work to create one. Usually, they're more prone to
causing accidental damage than to intentional thievery or harm. However, if a
hole in your security is large enough to be noticed by casual bystanders,
it's certainly large enough for someone who's out searching for
Occasionally, you may find an accidental tourist who has wandered through security with absolutely no intention of doing anything wrong. This happens (or at least is observed to happen) most frequently, it seems, to the most completely naive computer users. The people who can sit down in front of a machine and start fiddling, with no idea what they're doing, are the most likely to invoke collections of events that a better-trained user would know to avoid as disallowed. This isn't likely to happen frequently, and it tends to freak system administrators out when it does, but do realize that it can happen. If it does, the guy whose neck you're about to wring for goofing around in a root shell isn't even going to know what root means.
Users. Not specifically a "bad guy", but as noted previously, a user can cause a considerable amount of damage, even just accidentally.
Admin Kiddies. The equivalent of script kiddies wearing cheap
white hats, these are the inexperienced and incompetent people who have landed
in positions of computing security responsibility. It's not a frequently
acknowledged fact in the computing security industry, but although the majority
of computing security violations aren't directly caused by unprofessional
computing security professionals, the violations are often directly enabled by
the negligence of these poseurs. It's sometimes difficult to tell whether
these people should be considered to be "bad guys" or not. They
don't often intend to do your security harm, but they are quite frequently
willing to risk the security of your information to their inexperienced
administration, and to charge you quite handsomely for the privilege.
Make no mistake, there are fantastically talented computing security professionals out there, and a great many more who are thoroughly competent and consummately professional in their concern for executing their jobs. There are also, however, a large number of people who claim to be security experts, who are much less concerned with your computer security than they are with their job and/or paycheck security. Beware any security expert who poses firewalls, or any other buzzword security solution, as the answer to any and all security ills. Especially distrust those who promote the use of known-vulnerable software as a corporate standard, and then construct complicated and expensive methods to protect against that software's inherent flaws.
Admin kiddies prey upon users' ignorance of computing security topics to sell themselves as experienced professionals, and to sell Cracker Jack-box security solutions as effective defensive measures. To protect yourself, you need to stay abreast of security topics well enough to intelligently evaluate the performance of, and remedies proposed by, your computing security staff. If you don't take responsibility for providing educated supervision, you'll be lucky if your security staff is really taking responsibility for securing your computers.
User Malcontents. Roger's "Internals," these are
disgruntled employees, former or current students who didn't make the
grade, or any number of other legitimate users of a system who can attack
security from the inside. Legitimate access to your system allows for all manner
of illegitimate activity, from one end of the threat spectrum to the other. A
legitimate user can export sensitive data, tie up resources, or do anything that
an external illegitimate attacker canonly much, much more easily. If you
have any reason to expect that one of your users is likely to take action
against your system, remove that user as quickly as you can.
To illustrate the simplicity with which a user can wreak havoc, you might want to try the following shell script on a machine that you don't mind sacrificing and then watch it grind to a halt almost instantly. Enter the following into a shell script named bar.csh, make it executable, and run it:
#!/bin/csh while(1) ./bar.csh & end
Don't be surprised when your shell shortly refuses to execute any more commands. It may not even come back to life after you kill and restart Terminal.app, and the behavior of GUI applications will be unpredictable. Restart your machine to make certain that all running copies are dead.
Explorer/Adventurer. Falling either into Roger's
"Coders" or "Old Guard Hackers," the explorer/adventurer is
closest to the "hackers" of the movies and media. These are typically
hackers in the true sense of the word, often obsessively curious about the
workings of computers and networks with which they aren't familiar.
Alternatively they may find the logic and complexity of computer security
systems to be a stimulating mental challenge and may approach trying to outthink
the security system designer as a high-adrenaline sport. Unless they've a
reason to want to damage your system, creating real problems for you is
probably very far from these people's minds because it's directly
against the code of ethics to which real hackers frequently subscribe
They don't, however, have much regard for the privacy of your information,
and display what can only be described to an outsider as a distain for any
security that you might have put in place. (It's actually much more
complicated than that, but unless you can get inside the way a hacker thinks,
there isn't a good word for it.)
Hacker culture makes a semantic distinction between "white hat" and "black hat" hacking and cracking. The former group religiously believes that if they violate your security, but do no harm (and potentially even then inform you of the hole, so that you can fix it), that they've definitely done nothing wrong, and probably done something right. The latter believeswell, it's difficult to say, exactly, not being in their heads, but something along the lines of "if you're dumb enough to put your machine online, you deserve what happens to it" is probably close enough. Hackerdom takes these concepts of good and evil to the farthest definable extreme, and loosely organized groups of people who act on the principles of "dark side hackers" and "samurai." These terms describe the fundamentally opposed forces of malicious hacker-turned-cracker, and the freelance white hats who see it as their mission to stop the dark-side hackers.
Interdicted Real Programmer. Not someone you want to get in the
way of, he's usually the best programmer on a project, and he's
usually annoyed because management has stuck yet another stupid wall between him
and getting his job done. The interdicted real programmer isn't actually a
bad guy, but if your security system is getting in the way of him working on his
programming project, he'll make it look like Swiss cheese in short order.
the story of Mel might be enlightening as well
are typically professional hackers of the wizard variety
and they usually consider the current coding project to be the single highest
priority in their computing world. Work on the project takes precedence over
anything else, which frequently means that things such as firewalls, security or
access policies, and other "trivial annoyances" that inhibit coding
progress are ignored, subverted, or eliminated, whichever is most expedient.
If you're managing one of these people, it's little use to tell him "security is part of your job." If he's working on a security product, it's part of his job. If he's worried about whether his development platform is secure, it's part of his job. If you had the network guy change the rules in the firewall because you didn't want the sales staff downloading MP3s, and your real programmer now can't get to a site he needs for some source code, eviscerating your security is now his job.
This isn't to say that you should never hire real programmers if you want to have your system remain secure. There's abundant evidence that almost all real, significant computing work that can't be done by a pack of trained monkeys is done by highly skilled individuals, and that one highly skilled programmer is almost impossible to replace, no matter how many lesser programmers you add to the project. In The Mythical Man-Month (Addison-Wesley, 1975, ISBN 0-201-00650-2) Fred Brooks postulates Brooks's Law (http://www.catb.org/jargon/html/entry/Brooks's-Law.html), which states that adding manpower to a late programming project makes it later, and this has been proven time and time again. Your highly skilled programmers are therefore not replaceable by less skilled and more docile ones. Instead, you're much better off learning to let them work in the environment that they require, and allowing them to do the programming you require while impeding them as little as possible. If security for their development environment or product is an unavoidable concern, you might be better off letting them handle as much of it as possible themselves. They'll typically find security measures put in place by a lesser programmer a passing amusement, but would consider a breach of security that they had implemented to be a personal insult and a black mark against their reputation, so they're not likely to take the responsibility lightly.
Spooks and Spies. Yes, Virginia, there really are professional
industrial espionage experts. It's little use worrying much about them,
however, because if you've got someone with a professional interest in
getting at your computer's secrets, what you can learn from this, or a
dozen more books, is going to be of only passing utility. You're going to
need professional help if you want to stop a professional. Certainly, the
techniques you'll learn in this book will make a pro's life more
difficult, and you can go a long way toward making your machine invulnerable to
network attacks by following some relatively simple precautions. However, if
pros are getting paid to steal your data and they can't do it over the
network, they'll have little compunction about breaking in and simply
stealing your computers. Because it seems most pros look at such physical
methods as relatively low class, they might be more likely to have forged some
company letterhead for Apple, or some other major software vendor, and then send
you a free software upgrade to OS X 10.3 (or whatever), complete with the
backdoor they require to access your machine. Or maybe they'll just set up
a fake company, and solicit your employees with the hopes of a new,
higher-paying job, or even hire them to pick their brains and debrief them of
the very information you've worked so hard to keep private.
If there's little or no money to be made by stealing your information, you've probably little concern about the professional cracker. Unless they've decided to use your machine as a stepping-stone to cover their tracks into some more important target, they've more important things to do than to crack into machines that can't pay the bills. On the other hand, if there's an economic incentive to someone else having your data, there's probably someone else willing to pay at least that much to steal it from you. People get murdered for a few hundred thousand dollars. If you're a college researcher working with a pharmaceutical company and your research could make them millions, how much do you think their competition is willing to pay, and how far would someone go to get it?
Terrorist. Finally, there are cyber-terrorists, who operate for no
reason other than to wreak havoc upon some target. These people are something
like super-thugs, though they're probably much more selective about their
targets. The world to this point (thankfully) hasn't seen much activity
from cyber-terrorists. Most things that the media ascribes to cyber-terrorism
seem more likely to come from thuggish sorts with above average abilities. For
example, the recent attacks on the root nameservers that kept DNS traffic fouled
up for long periods during late 2002 could easily have been intended to be
terrorism. It seems more probable, though, that it was nothing more than the
work of some thuggish crackers tackling a more-serious-than-usual target. The
attacks have been neither well enough organized nor effective enough to suit a
terrorist. The attacks could have done considerably more damage, and wreaked
considerably more havoc, with only a little more effort and a bit better
planning. Given what we've seen the non-cyber version of terrorists do, it
seems unlikely that they'd be satisfied with making Web pages fail to load
one out of three mouse-clicks. (And frankly, given that a certain OS vendor
sells products that through stubbornly poor design cause more damage than these
attacks have, what self-respecting terrorist is going to formulate an attack
that's less effective than simply selling crappy software?)
Occasionally what appear to be honest cyber-terrorists do pop up, mostly (to this point) acting against small segments of the population by doing things such as defacing government or public service Web sites, or disabling utility company computer systems. Larger-scale, and/or more damaging types of attacks can be effected, however, and as it appears that we are moving into a period of history with heightened terrorist activity, it's reasonable to assume that the terrorists will make use of the Internet to the best of their abilities. Most likely, your major concern will be against such automated attacks as the script kiddies and lower-ability thugs produce. Unless your machine has some unique reason to be singled out for attack, a terrorist is probably not going to address it personally. If you are maintaining a machine with sensitive government information, the government is probably going to give you rather specific instructions on how to protect it from expected attacks. On the other hand, you don't need to be a government entity to be a likely target of terrorism. If you're maintaining a machine that, if compromised, would negatively affect your local or national economy, it's probably something that a terrorist would consider trying to knock down. Only you can decide the degree to which you think you could be a likely target, so only you can determine whether the precautions we cover in this book will be sufficient, or whether your machine really needs professional help.
Of course, people don't necessarily fit these distinctions perfectly, so there will always be people causing mischief who fit some blend of these types. They are, however, reasonably representative of the types of troublemakers that we've heard of, noticed, had run-ins with, or chased out of our systems over the years. If you're interested in a semi-real-time picture of the current crop of malcontents roaming the Net, and the security issues they are causing, we highly recommend staying abreast of a number of security-related resources, such as the comp.security.* newsgroups and mailing lists such Bugtraq from securityfocus.com (http://www.securityfocus.com/popups/forums/bugtraq/intro.shtml), and even keeping a finger on the pulse of the troublemakers themselves by watching traffic on the IRC channels where they congregate to trade stories and software. (Ircle, or any number of other IRC clients findable through http://www.versiontracker.com/ will get you online. We'll cover a brief introduction to using this tool to look for the troublemakers in Chapter 9.) You'll find many more resources to watch listed by these sites, as well as more that we've listed in Appendix B.
Even if you're not interested in observing the beasts in the wild, keeping an eye on some of these will give you advance warning of trouble brewing, and possibly the information you need to protect your system.
Which Ones, and What to Worry About
What variety of troublemakers you're most likely to find trying to break in to or damage your machine will, as you've hopefully gathered by considering the profiles already described, depend entirely on the intent of your machine and the sensitivity and value of your data. The likely suspects, of course, aren't the only ones that might hammer your hardware, so you do need to consider implications of even the unlikely attacks, but if you eliminate the likely ones first, you'll be covered against the vast majority of attacks.
You're in a much better position to judge the likely attacks against your system than we are, but do please take the motives and mindsets of the attackers seriously. Almost everyone I've ever known who has had the thought "Oh, that'll never happen to me, why would they bother my machine?" with respect to security has had their security cracked, and their machines damagedsometimes more than once. Several of these people are computer management professionals who should have known better. They've been cracked by script kiddies and thugs purely because of laziness in keeping up with software patches. Others are average home users who've suffered similar attacks via their dial-in or cable modems. The closest I've come to a cyber-terrorist was someone who mailed a death-threat to the U.S. President's cat from one of OSU's public-access terminal rooms. Although it seems silly in retrospect, the Secret Service agents who showed up didn't think it was amusing. And although I never did get the complete story from the FBI, my desktop machine at the company where I worked in the early 1990s was cracked, and used in what was probably an incident of industrial espionage. The incompetence of the company's IT staff cost several people their jobs, but I don't believe that the perpetrators were ever found. These things happen, they happen frequently, and to everybodythere's nothing about the fact that you don't want to be cracked, or don't think that you'll be cracked, that will protect you. Seriously considering the possibilities, and working to protect your machine from those that are likely to happen, will do much better.
If you're a home user, you probably won't be beat upon by professional corporate spies, but you will be subject to attacks by script kiddies and thugs. Probably daily. Or, if trends in security proceed as they have recently, within a year or so you will likely find attacks hitting your machine several times an hour when you're online. Opportunistic tourists aren't likely to find their way onto your machineunless, of course, you let your houseguests fiddle with your computer. You also will have all the problems natively inherent to having users on machines. Even if your machine is otherwise secure, data that you or your users allow out through careless network transmissions will be picked off the network by the kiddies who have successfully broken other machines around you that are less well managed.
If you're managing a public access computing cluster, you will probably encounter the opportunistic tourist more frequently than most because you'll have a never-ending stream of users whose curiosity about just what they can get away with will override their better sense.
If your data is valuable, you need to consider how valuable it is, and what someone would be willing to do for that value. Money is a motivator. You've still got all the problems of those who have nothing to motivate anyone to crack their systemsand they have enough to worry aboutas well as the fact that people actually will benefit if your security fails.