OS Security Weaknesses
Last updated May 23, 2003.
Now that you have had a brief overview of what an operating system should provide for a user with regard to functionality, let's take a look at the security aspects of some favorite operating systems. In this section, we discuss the two most common operating system families and the security features they include. We also examine methods by which these security features can be attacked and/or bypassed, and how to protect against these types of attacks.
For this section, we drew heavily on key security books that every Windows/UNIX administrator should have in his or her library: Maximum Windows 2000 Security (Sams, 2001, ISBN 0672319659), and Maximum Linux Security (Sams, 1999, ISBN 0672316706), both by Anonymous et al. These books provide a wealth of useful insights into the security strengths and weaknesses of Windows and Linux.
Microsoft Windows has long maintained a reputation for having inadequate security, but many security experts believe that Windows is not inherently weak. Instead, they place the blame squarely on the shoulders of the administrators who are responsible for the system. In other words, with proper maintenance and configuration, a Windows OS can be made relatively secure.
There are several areas in which Windows is known to be vulnerable:
Uneducated users. Windows is an operating system for the masses. Many users don't understand or care about the security risks of an improperly configured system. On top of this rather large group, many businesses rely on part-time administrators, chosen from existing staff simply because they know the most about computers. Unfortunately, this strategy often ends in disaster the first time an attacker probes the gates looking for an easy target.
Commercial system. Windows has always been about providing the user with a simple and easy operating system. The early versions didn't do much in the way of security. Like other software companies, Microsoft is always looking to add features to their product to encourage existing customers to upgrade. In addition, their commercial nature requires backward compatibility with older, less secure versions. And with each new feature and service, a whole new set of security issues arises.
Poor auditing. When people think of Windows server-logging capabilities, the first thought is usually the Event Viewer. While this integral part of Windows does provide some useful information, the Event Viewer has long been considered a less-than-adequate logging tool with cryptic messages and missing information.
Size/complexity. Microsoft has its foot in every software door (and even some hardware doors). This is nice for integration; however, it makes it very difficult for the average administrator to keep up with the software in terms of understanding how to properly use and configure it.
Insecure installation. One of the most common reasons that Windows servers fall prey to attackers is that they're installed and forgotten. Unfortunately, Windows is infamous for having little to no security by default. This includes the administrative shares (C$, ADMIN$, IPC$) that every installation creates, blank or trivial passwords, and no protection against already-known vulnerabilities until the patches are applied. In other words, a default installation of Windows may as well put a sign on its front doorstep saying, "Own me, please."
From this short look into Windows security issues, you can see that it takes a diligent administrator to keep the OS secure. Applying patches, following a proper installation procedure, and auditing the system's files and services are all essential if your Windows machine is to stay secure.
Alternate Data Streams
When an attacker gains access to an information system, she often wants to leave a few programs behind to create a backdoor into the system. In addition, she may also want to leave a few files behind for the next time she connects to reduce the amount of setup time. But how does the attacker do this without being detected? Is it possible to make data invisible to the average user? Unfortunately, through the use of a feature of the NTFS system, this is not only possible, but is also extremely easy to do.
Alternate Data Stream
An Alternate Data Stream (ADS) is a feature of NTFS (the Windows NT File System), the file system used by Windows NT, 2000, and later Microsoft operating systems. In short, NTFS allows a single file name to be associated with more than one data stream: besides the unnamed stream that every tool treats as "the file", any number of named streams can exist behind the same front file. The feature has legitimate uses (Explorer, for example, stores the Summary tab properties of a file in a named stream), but it creates a serious security risk, because data placed in a named stream is invisible to all but the dedicated searcher. Unfortunately, ADS is well known in the hacker community.
The following is a short example of how the ADS can be used (see figure 1):
Figure 1: ADS example.
At this point, you should be viewing a simple text document containing the words 'Normal File', as illustrated in figure 2. Where is the 'Hidden file' text that was written behind the same file name? Notepad, Explorer, and dir show no trace of it, and that is why ADS is such a handy tool for hackers.
Figure 2: innocent.txt
Hackers are not the only group that finds ADS useful. Any computer-savvy user with sensitive data to hide can combine ADS with other measures (e.g., encryption) to make that data all but invisible. This could include child pornography, illegal financial records, the secret conversations of a cheating spouse, and more. In other words, anyone wanting to squirrel away potentially damaging files on a computer may employ ADS.
In addition to hiding information, it is possible to hide an executable in a named stream with a command similar to the following:
type c:\bo2k.exe > boot.ini:bo2k.exe
This command copies the infamous BackOrifice 2000 server into a named stream of boot.ini, a system file in the root of the boot volume that nobody thinks to inspect and whose reported size does not change. To run the hidden program, a registry entry such as the one in figure 3 could be added to the target system.
Figure 3: bo2k.exe hidden behind boot.ini file
As you can see, ADS offers many advantages to those with less than honorable intentions. Back doors, hidden data, and even virus payloads can be tucked into a corner of the file system that few will ever examine.
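The following is an added example, not code from the original article, that reproduces the innocent.txt and boot.ini tricks described above in PowerShell and shows what an ordinary user sees versus what is really on disk. It assumes Windows PowerShell 3.0 or later and an NTFS volume; the directory, file, and stream names (and calc.exe standing in for bo2k.exe) are assumptions chosen for the demonstration.

```powershell
# Added example, not from the original article: hide text and a binary behind an
# innocent-looking file using NTFS alternate data streams, then compare what ordinary
# tools report with what is really there. Needs Windows PowerShell 3.0+ on NTFS.
# The directory, file, and stream names below are assumptions for this demo.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$file = Join-Path $demoDir 'innocent.txt'

# The unnamed stream (listed as ':$DATA') is the "file" every ordinary tool reads.
Set-Content -Path $file -Value 'Normal File'

# A named stream rides behind the same file name; Explorer, dir, and Notepad never show it.
Set-Content -Path $file -Stream 'hidden.txt' -Value 'Hidden file'

# The article's redirection trick (type bo2k.exe > boot.ini:bo2k.exe), with calc.exe as
# the stand-in payload. cmd's '>' accepts the file:stream syntax directly.
$payload = Join-Path $env:SystemRoot 'System32\calc.exe'
cmd /c type "$payload" ">" "${file}:payload.exe"

# What a user sees: only the unnamed stream's content and size (11 characters plus a
# line ending), no matter how large the payload behind it is.
Get-Content -Path $file
'{0} bytes reported by Explorer and dir' -f (Get-Item -Path $file).Length

# What is really there: one entry per stream, with the payload's true length.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Reading a named stream is trivial once you know its name; that is the whole problem.
Get-Content -Path $file -Stream 'hidden.txt'

# Named streams can be removed individually; deleting the file removes them all.
Remove-Item -Path $file -Stream 'payload.exe'
Remove-Item -Path $demoDir -Recurse -Force
```

Note that copying the file to a FAT volume, a network share that is not NTFS, or an e-mail attachment drops the named streams silently, which is one reason attackers favor files that never leave the local disk, such as boot.ini.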
Detecting an ADS is difficult with the search-and-discover methods most users know. Even in the virtual world of the computer, people base their judgment on what they can see: if Explorer says a file holds 10k of data, the computer can't be lying. But Explorer, dir, and the file's Size property report only the unnamed stream; a file that "holds 10k" may have megabytes tucked behind it. People have to 'see it to believe it', and that is what makes ADS so dangerous.
Unfortunately, at the time of writing there is no obvious way to detect an ADS with just the tools that ship with Windows. You would have to know that a stream was there and also know its name; without both, the data is as good as invisible. (Later Windows versions added dir /R and the PowerShell -Stream parameter, both of which list named streams, and the Sysinternals streams tool does the same.) There are, however, a few useful third-party tools that quickly and easily spot ADSs.
One of the most popular is lads.exe, available at http://www.heysoft.de. This command-line tool searches an NTFS volume for all named streams and reports them. As figure 3 illustrates, the example files used earlier carry several hidden streams: hidden, hidden.txt, seth, and bo2k.exe. LADS gives the name and location of the front file along with the names of its hidden streams.
If a GUI-based tool is preferred, several programs available online do the same job. One of them, CrucialADS, is illustrated in figure 4 and shows the same results as LADS; it is available for download at www.crucialsecurity.com.
Figure 4: CrucialADS in action
The other option is an ADS-aware IDS or AV system. Unfortunately, this requires considerable processing and management overhead and still may not fully protect a computer. The AV software will only alert the user if the stream contains known malicious code, and the IDS will only complain if it has been set up to monitor for ADS changes, and then only if the administrator understands what those changes mean. For administrators who prefer the IDS approach, Tripwire does detect ADS changes.
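The following is an added example, not code from the original article, that does the job LADS and CrucialADS did in 2003 with nothing but PowerShell: walk a directory tree, list every named stream, and peek at a hit without executing it. It assumes Windows PowerShell 3.0 or later; the function name Find-AlternateDataStream, its defaults, and the choice of $env:SystemRoot as the tree to scan are assumptions made for this example.

```powershell
# Added example, not from the original article: enumerate every named stream under a
# directory tree, the way lads.exe and CrucialADS do. Needs Windows PowerShell 3.0+.
# The function name and its defaults are assumptions made for this example.
function Find-AlternateDataStream {
    param(
        [string]$Root = 'C:\',
        # Streams that are normal on a modern system and would drown the signal:
        # Zone.Identifier is the mark-of-the-web that browsers attach to downloads.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # One object per stream; the unnamed data stream shows up as ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object @{ Name = 'File'; Expression = { $_.FileName } }, Stream, Length
}

# Largest streams first: a few bytes is probably metadata, a few hundred KB may be a
# backdoor. $env:SystemRoot keeps the demo short; audit a whole volume with -Root 'C:\'.
$found = @(Find-AlternateDataStream -Root $env:SystemRoot | Sort-Object Length -Descending)
$found | Format-Table -AutoSize

# Triage the top hit without running it: the first line of an executable starts with 'MZ'.
if ($found.Count -gt 0) {
    $hit = $found[0]
    Get-Content -LiteralPath $hit.File -Stream $hit.Stream -TotalCount 1
    # Once confirmed malicious, the stream can be removed without touching the front file:
    # Remove-Item -LiteralPath $hit.File -Stream $hit.Stream
}
```

Two caveats for real use: directories can carry named streams as well, and this scan only examines files; and a clean baseline matters, because a modern system has thousands of legitimate Zone.Identifier streams and a handful of others from Explorer and Office, so compare a new scan against a previous one rather than eyeballing the full list.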
From this short look at alternate data streams, you can see why they are a real security risk. For this reason, it is recommended that you add an ADS detection program to your collection of security tools and run it regularly. Unfortunately, many administrators are not aware of ADS at all, which compounds the threat. If you are looking for more information about ADS, please review the reference section.
Securing Windows NT/2000 Servers for the Internet, By Stefan Norberg offers the busy administrator a quick but informational book that covers most every security subject relating to NT/2K and the Internet. For the reader who wants an overview, and even some details, this book is a good read.
Linux is considered by many to be an operating system for the computer geek. While this was true at one time, for all practical purposes Linux OSes have evolved to the point where they're starting to attract the average user. From the Wal-Mart Lindows machines to the implementation of Red Hat File Server, Linux is making some major headway into the mainstream market. Unfortunately, this means that the number of inexperienced Linux users is also growing.
One of the most common blanket statements made with regard to Linux is that it's more secure than Windows. Unfortunately, this isn't exactly correct, and has misled more than one person into believing they're safe from hackers if they only use Linux. While it may be true that Linux can be made more secure than other OSes, Linux users face many of the same problems as owners of other OSes. These are the major security issues for Linux:
Complexity. By far the most threatening issue Linux users face is the complex set of commands, concepts, and programs that must be understood to implement security properly. This is easy to see when a new user installs Linux for the first time. While some Linux distributions (versions) have started making decisions for the user, many still require the installer to choose between cryptically named programs, or simply to install the entire OS. Unfortunately, a list of several hundred programs is overwhelming, so the user installs everything, including the HTTP daemon, FTP daemon, mail daemons, and more, none of which is secure by default.
Networking OS. As Maximum Linux Security states, "Although Linux is well suited to personal use (even in non-networked environments), it is still inherently a network operating system. Default Linux installations run many Internet services, and unless you take proper precautions, attackers can target these services remotely throughout the duration of your online session."
Root account. If there's one rule in Linux that many people ignore, it's "Don't use the root account unless you absolutely need it." The reason lies in the power that root access gives. Like the Administrator account in Windows NT, root is the highest-privileged interactive login in Linux. The danger is that an exploited program runs with the privileges of the user who launched it. In other words, if a user is surfing the Internet as root and a web page exploits the browser, the attacker's code runs as root and can read any file or even wipe the entire file system. Nevertheless, the root account is often used as the primary account in Linux. In fact, some distributions (such as Lindows) require the root account during installation and normal operation.
Open source updates. Much of the software written for Linux comes from students, research groups, or companies trying to find a way to make Linux software profitable. Combine this with the fact that Linux is open source, so all of the software is open to examination by the world, and you have a potential security nightmare. The problem is not that open source software is any less secure than proprietary software; in fact, Linux vendors are known for having updates or patches out within hours of a reported vulnerability. The problem is that administrators often never hear about these updates. For example, Red Hat releases as many as five security bulletins a day, each of which an administrator must review to see whether it applies. While many of these alerts will be irrelevant, it takes only one missed warning to leave a system open to attack.
The previous pages should have enlightened you about some of the security issues surrounding Windows and Linux operating systems. While these are not the only issues, most security experts would agree that these represent the more serious concerns. Now that you have a general idea of where to look for security risks, let's take a closer look at each of these OSes and examine some specific security threats.