
BlackICE Guide to Computer Security


BlackICE Guide to Computer Security, Version 2.5
Copyright © 2001, Network ICE Corporation
All Rights Reserved
Authors: Susanna Breiling, Andrew Plato, Kimi Winters
The use and copying of this product is subject to a license agreement. Any other use is
strictly prohibited. No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system or translated into any language, in any form, by
any means without the prior written consent of Network ICE Corporation. Information
in this document is subject to change without notice and does not constitute any
commitment on the part of Network ICE Corporation.
Network ICE Corporation may have patents or pending patent applications, trademarks,
copyrights, and other intellectual property rights covering the subject matter of this
document. Furnishing of this document does not in any way grant you license to these
patents, trademarks, copyrights, or any other intellectual property of the Network ICE
Corporation.
BlackICE™, ICEcap®, ICEpac™, InstallPac™, Network ICE™, and the Network ICE
logo are all trademarks of the Network ICE Corporation.
Windows® and Microsoft® are registered trademarks, and Windows NT™, Windows
2000™, Windows 95™, Windows 98™, Windows Me™, and Internet Explorer™ are all
trademarks of the Microsoft Corporation.
Netscape is a trademark of Netscape Communications Corporation.

Conventions Used in this Manual


Bold: The names of screen objects, such as menu choices, field names, and items in lists.
Italics: Italics are used for emphasis or to highlight an important word or concept.
Monospaced: Pathnames, filenames, and code are shown in monospaced font.
Monospaced Bold: Values you must type in are shown in monospaced, bold font.
Monospaced Italics: Variables, such as a server name, are shown in monospaced, italic font. These are usually enclosed in angled brackets, <servername>, as well.
[Inside Brackets]: Keyboard keys, such as [ENTER] or [Page Up], are shown inside brackets.
NOTE: Notes include important information about the operation or use of the product.
WARNING: Warnings contain critical information that may cause harm to your computer or the proper operation of the product.
TIP: Helpful information about optimizing or using the software.

Copyright • i
TABLE OF CONTENTS

SECTION 1: INTRODUCTION ............................................ 1
  The Hacker Threat ................................................ 2
    How Hackers Exploit the Internet ............................... 2
    Who Are Hackers? ............................................... 2
    Home Computers – The New Target for Hackers .................... 3
    The Proliferation of Always-On Connections ..................... 3
    It Will Not Happen To Me ....................................... 3
  Introduction to Computer Networking .............................. 4
    Connecting to the Internet ..................................... 4
    Computer Addresses ............................................. 5
    Packet Switching ............................................... 5
    Protocols ...................................................... 7
    Ports .......................................................... 7
  Hacker Attacks ................................................... 9
  Intrusion Defense ................................................ 11
    Detection ...................................................... 11
    Monitoring ..................................................... 12
    Protection ..................................................... 12

SECTION 2: HANDLING INTRUSIONS ..................................... 13
  How to Respond to an Attack ...................................... 13
    Step One – Determine the Severity .............................. 13
    Step Two – Respond ............................................. 14
  Reporting Hackers ................................................ 16
    How to Report a Hacker ......................................... 16
  Retaliation Hacking .............................................. 17

SECTION 3: COMPUTER SECURITY ....................................... 18
  Good Security Practices .......................................... 18
  Computer Hardening ............................................... 19
    Install the latest Security Patches and Service Packs .......... 20
    Harden Passwords ............................................... 20
    Use the NTFS Hard Drive Partition Format ....................... 21
    Do Not Multi-Boot .............................................. 21
    Secure All Shares with Passwords ............................... 21
    Disable All Unnecessary Accounts ............................... 21
    Explicitly Select Users with Network Access .................... 22
    Disable Telnet ................................................. 22
    Do Not Install a Web Server .................................... 23
    Disable NetBIOS (WINS) ......................................... 23
    Secure the Registry ............................................ 24
    Never Cache Passwords .......................................... 25
    Disable Userdata Persistence ................................... 25
  Protecting Home/Office Networks .................................. 26
    Solution One – Install NetBEUI Protocol ........................ 26
    Solution Two – Install a Hardware Router ....................... 26
    Solution Three – Build a Dual-Interface Proxy Server ........... 27

Contents • ii

APPENDIX A: FOR MORE HELP .......................................... 28
  Need More advICE? ................................................ 28
  Product Documentation ............................................ 29
  Technical Support ................................................ 29

APPENDIX B: GLOSSARY ............................................... 30

INTRODUCTION

With high-speed Internet access becoming a standard feature for many home and office
computers, there is a growing need for smarter, faster computer security. Hackers are
now targeting home and small business users because these systems are rarely well
defended.
This guide is intended for BlackICE users who want to know more about computer
security and hacking in general. This guide is ideal if you are new to computers and/or
the Internet.
For more information about using BlackICE products refer to the following related
documents:

BlackICE Defender User’s Guide: This guide describes how to use and configure BlackICE Defender.

BlackICE Advanced User’s Guide: This guide is intended for advanced users who wish to customize BlackICE.

Intrusions Reference Guide: Detailed information about all the intrusions BlackICE can detect and block. Includes information about stopping attacks as well.

These documents are available free of charge on the Network ICE web site at:
http://www.networkice.com/support/documentation.html.

Section 1 • Introduction • 1
THE HACKER THREAT
In September 2000, a large financial services company had their computer systems
hacked. Credit card numbers for over 20,000 people were stolen.[1] A similar event
happened in 1999, when hackers hijacked nearly 500,000 credit card numbers and
stored them on United States government computers.[2]
In 1997 a hacker broke into the NASA network and gained access to the space shuttle
control computers. The hacker overloaded some computers causing brief
communication outages while the shuttle Atlantis docked with the damaged Mir space
station. Fortunately, NASA was able to switch over to an alternate system and finished
the mission successfully. However, the intrusion put the space shuttle at risk and
prompted numerous changes in security protocols at NASA.[3]
If hackers can get into NASA and global financial firms, what is stopping them from
getting your credit card number off your home computer?

How Hackers Exploit the Internet


The Internet is a decentralized collection of computers implementing well-known
technology standards. The decentralized nature of the Internet ensures that no single
body, corporation, or government can control it. However, it also means that the
technical details of how the Internet works are freely available to all – including
hackers.
Hackers exploit this freedom. They use their knowledge of networking and computers
to break into systems. While most hackers are computer hobbyists looking for a
complex intellectual challenge, some hackers are dedicated criminals and pose a very
real threat to the Internet.

Who Are Hackers?


There are a lot of myths surrounding hackers. Hollywood and popular culture often
portray hackers as intelligent outsiders like Neo in the movie The Matrix. In reality,
most hackers are not brilliant computer experts, but inexperienced hobbyists using
popular hacking tools they barely understand.
Nevertheless, those hobbyists can still do serious damage. Some of the most prevalent
attacks on the Internet today, Denial of Service (DoS) attacks, are the result of simple
tools in the hands of inexperienced high-school students. These hacks have knocked
out telephone systems and web sites for large companies such as AT&T and Nike,
costing unknown millions in lost revenue and labor to stop the attacks.
Regardless of who hacks, the danger is real and growing – and not just for big
corporations.

[1] Associated Press, September 11, 2000, www.associatedpress.com.
[2] Brunker, Mike, MSNBC, March 17, 2000, www.msnbc.com.
[3] Associated Press, July 4, 2000, www.associatedpress.com.

Home Computers – The New Target for Hackers
In the past, hackers were not much of a threat to home users. Internet connections were
slow, and the information on most home computers was not worth hacking.
Today, the average home computer is a virtual gold mine of information. Everything
from passwords to financial records offers hackers all sorts of ways to cause trouble.
While encryption technologies have made most on-line transactions very safe, they are
never 100% safe. Hackers can break into your computer, steal those encrypted files,
and then use freely available cracking tools to break the encryption and get the data.
Some hackers also enjoy using their skills as a way to exact revenge. The
anonymity of the Internet often makes people behave differently. An innocuous
message posted to a public forum might incite the ire of hackers who single you out as
their next victim.

The Proliferation of Always-On Connections


One of the prime reasons home computers are becoming targets is the proliferation of
always-on connections such as cable modems or DSL lines. Whenever your computer
is turned on, these connections are “live” on the Internet. While you are sleeping, at
work, or at the grocery store, hackers could be probing your Internet connection
looking for weaknesses.
Hackers need time to do their work. Hacking can be a very slow and methodical
process of locating, testing, and then exploiting vulnerabilities on a computer. The
more time a computer is connected to the Internet, the greater the chance that a hacker
will locate your computer and have time to hack it.

It Will Not Happen To Me


Just innocent web surfing and sending e-mail cannot be dangerous, right?
Most hackers use automated scans that can examine millions of computers in hours.
From these scans they get a “hit list” of computers with weak security or easily
exploited vulnerabilities. While you sleep or are at work, a hacker located anywhere
around the world can be breaking into your computer. Without any warning, your
personal files can be ripped off, and a “backdoor” or virus planted on your computer.
At the hacker’s discretion he can wipe out your hard drive or use your accounts to
cause serious trouble.
Ever had your computer crash while on-line? Ever wonder why a program or access to
your e-mail suddenly stops working? Sometimes it is not faulty software but hackers
purposefully causing these problems.
If you use chat rooms or play on-line games you are especially vulnerable to attacks.
Also, hackers enjoy targeting inexperienced computer users.
Along with all the great services and information on the Internet, there are also a lot of
mischievous people who want nothing more than to cause problems.

INTRODUCTION TO COMPUTER NETWORKING
To truly understand how to stop hackers, it is important to know how computers
communicate with each other. Computer networking is not a new technology.
Engineers were networking computers together as early as the 1950s. However,
hacking did not become a significant problem until computers became freely accessible
over national and global networks.
This section describes how modern computer systems are networked together. This
section is ideal for readers who are new to the Internet and network security.

Connecting to the Internet


The first part of networking is the connection. There are basically three ways to
connect a computer to the Internet.
• Dial-up modem: This is the most common way to connect. A modem uses a
regular telephone line to dial up to your Internet Service Provider (ISP). The ISP
authenticates your logon and connects you to the Internet. Modems have only one
significant benefit over other connections in that they are only connected while in
use. This significantly decreases the amount of time the computer is exposed to the
Internet. However, because modem communications must travel over telephone
lines that use older, analog technology, they are significantly slower than
broadband connections. Some DSL connections require dialing up to a server;
however, their fast speed and persistent connection really place them in the
second category of connections.
• Broadband: This category includes cable, DSL, ISDN, wireless, and satellite
connections. While there are technical differences between each of these types,
they share one common feature: persistent connections. Broadband connections are
“always-on” to the Internet while the connection device has power.
Although some DSL and ISDN connections do require “dialing up”, typically users
leave these connections open indefinitely since the communications links do not
automatically disconnect.
• Corporate network: This category includes all computers that use a Network
Interface Card (NIC) connected to a corporate network to access the Internet.
Many corporations do not connect each computer individually to the Internet.
Instead, they install powerful networking devices such as routers and switches to
connect all the computers on the corporate network to the Internet. Properly
designed corporate networks also use firewalls to protect their internal network
from hackers.
Whether your computer uses a dial-up modem or a high-speed cable modem, all
networked systems run a high risk of being attacked. While connected, your computer
becomes a part of the Internet and as such can be attacked from other computers.

Computer Addresses
Once connected, a computer must have an address, so other computers can locate it on
the Internet. Just like a house or apartment has an address, computers on a network
must also identify themselves. Most computers use a combination of the following
address types:
• IP Address: An IP address is the basic “street” address for a computer. These
addresses have 4 numbers, such as 192.168.10.15. Most Internet Service
Providers (ISPs) assign an address to your computer when you log on to the
Internet. Other computers locate your computer by using that address.
Unfortunately, hackers can forge IP addresses (called spoofing) and make the
hacker’s transmissions appear to be originating from your computer.
• DNS Address: Domain Name System (DNS) is an address translation system that
forms the basis of many Internet sites. Rather than using strings of numbers, DNS
allows computers to locate each other with familiar names. DNS addresses are in
the familiar name.domain.com format. For example, to reach the Network ICE web
site, you only need to remember www.networkice.com. This is a DNS address for
the web server at Network ICE. The master DNS databases are propagated
throughout the Internet so your local Internet Service Provider (ISP) has the correct
IP address for the DNS name.
• NetBIOS Address: NetBIOS allows corporate networks to select single words to
identify computers. For example, a computer on the network could be named
MYCOMPUTER, and other users would see this name in the Network Neighborhood
lookup. Although NetBIOS cannot be used across the Internet, the use of NetBIOS
names can present some security vulnerabilities to hackers.
• MAC Address: These addresses are specific and unique to each network hardware
device. Network cards, modems, routers, even network printers have MAC
addresses. MAC addresses help network administrators inventory systems.
However, they can also be useful in tracking down hackers or proving that a hacker
used a particular computer.

Packet Switching
The basis for most network and Internet communications is packet switching. Your
computer communicates with other computers on the Internet by using a stream of
packets. All communication is broken up into digital packages that are sent out, one at
a time, through the network connection.
Each packet contains a tiny fragment of the data you are sending. The computer on the
other end puts all the fragments back together.

Figure 1 – Packets example.
For example, you send a digital photo of your new car to a friend. Before sending the
picture, your computer breaks up the image file into thousands (possibly millions) of
tiny data fragments. Those fragments are then “packaged” into packets. The packets
are transmitted to your friend’s computer, which then extracts the data fragments from
the packets and reassembles the image.
When your computer transmits a packet, it sends it to a router (usually at your ISP).
Routers are the digital equivalent of postal carriers. They look at the address on each
packet and then forward it to the correct place.

Figure 2 – Routers on the Internet can direct packets to the correct computer(s).
For example, the picture of your car first went to a local router at your ISP. Then your
ISP’s router forwarded it to another router. That other router forwarded the packets to
another, and possibly another router. Sometimes a transmission can “hop” through 30
or more routers before it gets to its final destination.

Routers handle enormous quantities of packets and can sometimes get clogged up.
Therefore, if one router is too busy, it can pass off the transmissions to another router
that is available. Likewise, if one router does not know exactly where to send a packet,
it can forward it to a different router that does know. This is why transmissions “hop”
through many routers.
Since each packet is individually addressed, different routers can handle different
packets in the same transmission. This allows the routers to get your transmission to
its destination regardless of the path it has taken. Theoretically, your packets could
bounce all over the country, just to get to your friend next door.
The concept of packets and packet switching is important because hackers can capture
and manipulate packets to carry out certain kinds of attacks.

Protocols
When computers transmit information, they have to encode that information into a
“language” that other computers can understand. There are two main protocols used on
the Internet: Transmission Control Protocol (TCP) and User Datagram Protocol
(UDP).
• TCP is used for everything from accessing web sites to sending email. TCP
communications form connections with remote computers to send and receive
packets. For example, when you want to download your email, your computer
opens up a TCP connection with your mail server and downloads the mail.
• UDP is virtually identical to TCP except that it lacks the error correcting features
of TCP. UDP is used for interactive, streaming, and otherwise time-sensitive
transmissions. Because there are no error correction procedures with UDP, the
transmissions are a little faster. For example, if you play a multi-player Internet
game like Quake, your computer sends and receives UDP packets to coordinate
your on-screen movements with those of other players on the Internet.
However, protocols are only half the picture. When computers send and transmit
information they also open and close special connection points, or “ports”, as described
in the next section.

Ports
When computer applications “talk” to the Internet, they open and close special
communication channels or “ports”. For example, web servers transmit all web site
information over TCP port 80. When you access a web server, your computer makes a
request to TCP port 80 on the remote web server. If the server is listening on that port,
it responds to your request and sends the proper web pages back to your computer.
Ports allow for categorization and modularization of network communications.
Applications such as web servers, chat programs, and computer games isolate their
transmission to specific connection ports ensuring their communications do not
interfere with other applications. There are 65535 TCP and 65535 UDP ports available.
When computers communicate, they do not just pick ports at random. International
standards established over the past 30 years assign and manage which ports are used for
which programs. In general, ports are broken down into three categories: system,
application, and private.
• System ports comprise all TCP and UDP ports from 1 to 1023. System ports are
tightly regulated and used for very specific computer functions. For example, port
110 is only for POP3 e-mail communication. Some of the most common system
ports are listed in the table below.

Common System Ports

Port # Description
21 FTP, File Transfer Protocol
23 Telnet
25 SMTP, Simple Mail Transport Protocol
37 Time, for time servers
53 DNS, Domain Name Services
67-68 Bootstrap, for booting systems over a network
80 HTTP, world wide web
82 XFER
110 POP3, e-mail servers
118 SQL Server
119 NNTP, Internet News Servers
137-139 NetBIOS
161-162 SNMP, Simple Network Management Protocol
194 IRC, Internet Relay Chat
389 LDAP, Lightweight Directory Access Protocol
443 HTTPS, secure HTTP communications

• Application ports comprise all TCP and UDP ports from 1024 to 49151. These
ports are registered with international standards committees for use with network
applications. For example, the Yahoo messenger program uses TCP port 5050.
Many computer applications that are not considered vital system applications use
ports in this range.
• Private ports comprise all the ports from 49152 upward. These ports are used for
private or dynamic use, and are unregistered and freely available to any application.
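As an added illustration (this is not code from the guide or from the BlackICE product), the Python below classifies port numbers into the three ranges just described, names well-known ports using the table above, and audits constructed `netstat -an` style output for listening services that Section 3 of this guide says a home computer should not offer (Telnet, a web server, NetBIOS). The sample netstat lines, the `UNWANTED_ON_HOME_SYSTEM` set and all function names are assumptions made for the example.

```python
import re
from typing import Dict, List, NamedTuple

# The well-known ports from the guide's "Common System Ports" table.
COMMON_SYSTEM_PORTS: Dict[int, str] = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 37: "Time", 53: "DNS",
    67: "Bootstrap", 68: "Bootstrap", 80: "HTTP", 82: "XFER",
    110: "POP3", 118: "SQL Server", 119: "NNTP",
    137: "NetBIOS", 138: "NetBIOS", 139: "NetBIOS",
    161: "SNMP", 162: "SNMP", 194: "IRC", 389: "LDAP", 443: "HTTPS",
}

# Services that Section 3 of the guide says a home computer should not offer
# (Disable Telnet, Do Not Install a Web Server, Disable NetBIOS). Assumption for this example.
UNWANTED_ON_HOME_SYSTEM = {23, 80, 137, 138, 139}

# Constructed sample in the layout of Windows `netstat -an` output (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49160          0.0.0.0:0              LISTENING
  TCP    192.168.10.15:1054     10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


def port_category(port: int) -> str:
    """Classify a port number using the three ranges described in the guide."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a port number: {port}")
    if port <= 1023:
        return "system"
    if port <= 49151:
        return "application"
    return "private"


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Return the sockets that accept inbound traffic."""
    listeners = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or a layout we do not understand
        proto, address, port, state = m.groups()
        # A TCP socket only accepts connections in the LISTENING state;
        # a bound UDP socket has no state and always receives datagrams.
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.append(Listener(proto, address, int(port)))
    return listeners


class Finding(NamedTuple):
    proto: str
    port: int
    category: str
    service: str
    exposed: bool   # reachable from other machines (not bound to loopback only)
    unwanted: bool  # exposed *and* a service the guide says to turn off


def audit(netstat_output: str) -> List[Finding]:
    findings = []
    for lst in parse_listeners(netstat_output):
        exposed = not lst.address.startswith("127.")
        findings.append(Finding(
            lst.proto, lst.port, port_category(lst.port),
            COMMON_SYSTEM_PORTS.get(lst.port, "unknown"),
            exposed, exposed and lst.port in UNWANTED_ON_HOME_SYSTEM))
    return findings


def unwanted_ports(netstat_output: str) -> List[int]:
    """Ports that are open to the network and that the guide recommends closing."""
    return sorted(f.port for f in audit(netstat_output) if f.unwanted)


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f.proto:3} {f.port:5} {f.category:12} {f.service:10} "
              f"exposed={f.exposed} unwanted={f.unwanted}")
```

On the constructed sample the loopback-only socket on port 1025 is not counted as exposed, the private-range port 49160 is exposed but not flagged, and Telnet, HTTP and the two NetBIOS ports are reported as services to shut down.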

HACKER ATTACKS
Hackers have a wide variety of attacks they can carry out. However, these attacks are
easily categorized into seven kinds. This section summarizes the kinds of attacks
hackers most commonly attempt.

Automated Scans

Description: Automatic scans search for open ports or resource shares on your
computer.

Method: These scans blindly monitor large areas of a network or the Internet for
computers. When a computer is located, another automated scanner can
examine the target system for open communication ports that the hacker
can exploit.

Danger: By itself, a port or resource scan is not very dangerous. Most hackers
never follow up on such scans. However, if a hacker is searching for a
vulnerable system, port and resource scans are almost always a prelude to
something more severe.
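The scan described above is also one of the easiest intrusions to spot in a log, because a single source touches many ports in a short time. The following added example (not code from the guide or from BlackICE) shows the idea: it reads constructed firewall-style log lines in an invented "date time action proto src dst dport" layout and raises an alert when one source probes a threshold of distinct ports on one host inside a sliding time window. The log format, addresses, thresholds and function names are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Optional, Tuple

# Constructed sample log; the layout is invented for this example, not BlackICE's own format.
SAMPLE_LOG = """\
2001-03-05 02:14:07 DROP TCP 10.20.30.40 192.168.10.15 21
2001-03-05 02:14:07 DROP TCP 10.20.30.40 192.168.10.15 23
2001-03-05 02:14:08 DROP TCP 10.20.30.40 192.168.10.15 25
2001-03-05 02:14:08 DROP TCP 10.20.30.40 192.168.10.15 80
2001-03-05 02:14:09 DROP TCP 10.20.30.40 192.168.10.15 110
2001-03-05 02:14:09 DROP TCP 10.20.30.40 192.168.10.15 139
2001-03-05 02:14:10 DROP TCP 10.20.30.40 192.168.10.15 443
2001-03-05 02:14:10 DROP TCP 10.20.30.40 192.168.10.15 1433
2001-03-05 02:15:31 ALLOW TCP 192.168.10.15 10.0.0.7 80
2001-03-05 02:20:12 DROP UDP 172.16.5.9 192.168.10.15 137
2001-03-05 03:05:44 DROP TCP 172.16.5.9 192.168.10.15 139
"""


class Event(NamedTuple):
    ts: datetime
    action: str
    proto: str
    src: str
    dst: str
    dport: int


class ScanAlert(NamedTuple):
    src: str
    dst: str
    first_seen: datetime
    last_seen: datetime
    ports: List[int]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, action, proto, src, dst, dport = parts
    try:
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        return Event(ts, action, proto, src, dst, int(dport))
    except ValueError:
        return None


class ScanDetector:
    """Flag a source that probes `threshold` distinct ports on one host within the window.

    A legitimate client usually talks to one or two ports on your machine;
    a port scan touches many of them in quick succession.
    """

    def __init__(self, threshold: int = 6, window_seconds: int = 60) -> None:
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        # (src, dst) -> recent (timestamp, port) events, oldest first
        self.recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
        self.alerted: set = set()

    def observe(self, ev: Event) -> Optional[ScanAlert]:
        key = (ev.src, ev.dst)
        q = self.recent[key]
        q.append((ev.ts, ev.dport))
        # forget events that have fallen out of the sliding window
        while q and ev.ts - q[0][0] > self.window:
            q.popleft()
        distinct = sorted({port for _, port in q})
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)  # one alert per source/target pair
            return ScanAlert(ev.src, ev.dst, q[0][0], ev.ts, distinct)
        return None


def detect_scans(log_text: str, threshold: int = 6, window_seconds: int = 60) -> List[ScanAlert]:
    detector = ScanDetector(threshold, window_seconds)
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        alert = detector.observe(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        span = (a.last_seen - a.first_seen).seconds
        print(f"possible port scan from {a.src} against {a.dst}: "
              f"{len(a.ports)} ports in {span}s -> {a.ports}")
```

Two probes from 172.16.5.9 forty-five minutes apart stay below the threshold, while 10.20.30.40 hitting eight ports in three seconds is reported once, as soon as the sixth distinct port is seen. The window and threshold are the knobs to tune: too low and a busy legitimate peer looks like a scanner, too high and a slow "low and slow" probe slips through.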
Trojan Horse Attacks

Description: Like the fabled gift to the residents of Troy, a Trojan Horse is a computer
program or application that appears to do one thing while hiding
something much more sinister within it. Trojans are dangerous
applications planted on your computer that open up vulnerabilities on
your system.

Method: A hacker plants an agent or Trojan Horse virus on your computer.
Trojans are planted on computers in a number of ways. One common
method is to send the victim an executable (.exe) file that appears
innocuous. While the victim enjoys a movie, cartoon, or other
distraction, the program installs a Trojan on the computer.
The Trojan either opens up communication ports, or surreptitiously sends
information about your system to the hacker’s computer. The hacker then
exploits your computer using the information he acquired from the Trojan
Horse program.
The most common hacking agents are Back Orifice and SubSeven. These
agents, if properly planted, make a computer completely exposed to
hackers.

Danger: Trojan Horse hacks are the most common and dangerous attacks because
they provide hackers a “back door” into your computer. There are two
ways to stop these attacks: First, block any communications between the
Trojan agent and the hacker, which BlackICE can do. Second, remove
the agent application, which most virus scanning utilities can do.

Corrupt Packet Attacks

Description: A hacker sends packets to your computer that cause the system to slow
down or crash.

Method: There are numerous ways hackers can forge packets with incorrect
addresses or information. Some of these methods merely slow the system
down briefly. Others can cause a system to crash or become seriously
unstable.

Danger: Most new operating systems have defenses for corrupt packet attacks.
BlackICE can also stop such attacks.

Password Grinding

Description: A hacker uses an automated password generation program to “grind”
away on a password until it is guessed.

Method: There are numerous, freely available tools on the Internet that a hacker
can use to crack passwords. Since most operating systems lock out users
if they enter the wrong password too many times, most hackers download
password files and grind them “off-line”. Most modern computers can
crack encryption systems rather quickly provided the hacker uses the tool
properly.

Danger: Password grinding can be very dangerous. Once a hacker has your
passwords, he can literally do whatever he wants. It is a good idea to
change your passwords frequently and use secure passwords. See Harden
Passwords on page 20 for more information.

Denial of Service (DoS) Attacks

Description: A hacker overloads a network connection with billions of packets.

Method: DoS attacks are crude, but effective. Quite simply, a hacker with a very
fast Internet connection bombards another system with packets until the
other system collapses. DoS attacks are commonplace for large web
sites.

Danger: DoS attacks are hard to stop once they get going. Fortunately, most
intrusion defense systems, like BlackICE, can stop them from
overloading an Internet connection.

Known Vulnerability Attacks

Description: A hacker exploits a known weakness in an operating system or Internet-
enabled application.

Method: Computer operating systems are very complex. As such, there are always
some holes in the system that hackers can figure out. Once a hole is
discovered, the information spreads rapidly via hacker web sites to other
hackers.

Danger: Some system vulnerabilities are very serious and can completely expose
your system to attacks. Updating the operating system with the latest
service packs and security patches stops these attacks.

Social Intrusions

Description: A hacker poses as a system administrator or other authority figure and
attempts to coerce you to reveal confidential information.

Method: Social intrusions are by far one of the most common ways to get into
systems. They are also the easiest to stop.
The scam is pretty simple. A hacker telephones or sends an e-mail
posing as a police officer, network administrator, or other person of
authority. Usually they say there is some problem and they need your
password to update their files. An unsuspecting user may willingly give
out the information assuming the person is trustworthy. The hacker then
uses the legitimate password to get into the system.
In a 1999 study, a security consulting firm reported that over 80% of the
computer users they contacted willingly revealed confidential
information about themselves or their computer to a person posing as a
system administrator. In many cases, the consultants merely asked for it,
without showing any credentials or explaining the situation.

Danger: Social intrusions are extremely dangerous because nothing can stop a
hacker armed with legitimate information.

INTRUSION DEFENSE
The task of stopping hackers falls upon a class of computer software and hardware
products called Intrusion Detection Systems (IDS), such as BlackICE. IDS products
have three responsibilities: detection, monitoring, and protection. This section
describes how IDSs detect and stop hackers.

Detection
The most difficult aspect of stopping hackers is merely identifying that an intrusion is
actually occurring. Hackers are clever and know how to disguise their activities inside
the normal traffic of a network. What constitutes an attack versus legitimate use of the
Internet is often very hard to determine. With millions of packets racing by on the
Internet link, locating the 10 packets that are from a hacker is not easy.
Many current firewall systems use a technology called “pattern matching” to locate
intrusions. Pattern matching is similar to how virus detection software works. As
packets are received, the IDS compares information in the packets to a database of
known “signatures” or “patterns” that hackers typically use.
Many pattern-matching firewalls have trouble keeping pace with modern, high-speed
connections. Comparing a billion packets to a database of 2500 patterns is an enormous
processing task, even for modern computers. This makes many pattern-matching
systems prone to overloading and missing intrusions.
Hackers know this and use methods to purposefully evade pattern-matching firewalls.
One method is to fragment transmissions into numerous small packets. Pattern
matching systems need to examine an entire attack to determine if it is dangerous. If
the attack is fragmented into thousands of little packets, the firewall never “sees” the
complete attack and therefore cannot detect it.

BlackICE is not a pattern matching firewall. BlackICE uses a patent-pending seven-
layer protocol analysis engine. This engine dynamically analyzes network
transmissions for hacking activities. The BlackICE technology is significantly faster
than pattern-matching systems and many times more reliable. Additionally, BlackICE
can handle badly fragmented attacks.
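The fragmentation evasion described above, shown as an added example that is not BlackICE code: a naive matcher compares each packet on its own to a small constructed signature database and misses any pattern split across fragments, while a matcher that reassembles the transmission first (fragments carried with their byte offsets and delivered out of order) still finds it. The signature names, the sample transmission and the fragment layout are all constructed for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed signature database (placeholders, not real IDS signatures):
# a directory-traversal sequence and a long run of one byte, the kind of
# content a pattern matcher looks for inside a packet.
SIGNATURES: Dict[str, re.Pattern] = {
    "traversal": re.compile(rb"\.\./\.\./"),
    "long-run": re.compile(rb"A{40,}"),
}

# A fragment is (byte offset within the transmission, data) so that arrival
# order can be shuffled the way fragments are on a real link.
Fragment = Tuple[int, bytes]


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split a transmission into fixed-size fragments (constructed traffic)."""
    if size <= 0:
        raise ValueError("fragment size must be positive")
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def match_per_packet(frags: List[Fragment]) -> Set[str]:
    """Naive matcher: each fragment is compared to the database on its own.

    A signature that straddles a fragment boundary is never seen whole,
    which is exactly what fragmentation evasion relies on.
    """
    hits: Set[str] = set()
    for _offset, data in frags:
        for name, rx in SIGNATURES.items():
            if rx.search(data):
                hits.add(name)
    return hits


def reassemble(frags: List[Fragment]) -> bytes:
    """Rebuild the transmission from fragments, whatever order they arrived in.

    Gaps or overlaps are refused rather than guessed at: an overlapping
    fragment stream deserves an alert of its own, not a silent repair.
    """
    stream = bytearray()
    for offset, data in sorted(frags):
        if offset != len(stream):
            raise ValueError(f"gap or overlap at offset {offset}")
        stream += data
    return bytes(stream)


def match_reassembled(frags: List[Fragment]) -> Set[str]:
    """Stream-aware matcher: reassemble first, then compare to the database."""
    stream = reassemble(frags)
    return {name for name, rx in SIGNATURES.items() if rx.search(stream)}


# Constructed transmission carrying both patterns.
SAMPLE_PAYLOAD = b"GET /x/../../cfg?v=" + b"A" * 60 + b" HTTP/1.0\r\n"


def demo(fragment_size: int = 4) -> Tuple[Set[str], Set[str]]:
    """Return (per-packet hits, reassembled hits) for the sample transmission."""
    frags = fragment(SAMPLE_PAYLOAD, fragment_size)
    frags.reverse()  # deliver out of order; a stream-aware matcher must cope
    return match_per_packet(frags), match_reassembled(frags)


if __name__ == "__main__":
    naive, stream_aware = demo()
    print("per-packet hits:", sorted(naive))
    print("reassembled hits:", sorted(stream_aware))
```

With 4-byte fragments neither signature can fit inside a single packet, so the per-packet matcher reports nothing; with a fragment size larger than the transmission both matchers agree, which is the only case the naive approach handles.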

Monitoring
Once a hacker’s transmissions are identified, capturing those packets and logging all
contents is a rather easy procedure. Yet many IDS solutions fail to implement even
basic evidence file capturing or logging mechanisms.
Evidence file gathering is crucial to reconstruct what the hacker did. Such evidence
files can also be very useful to law enforcement should it become necessary to pursue a
hacker for criminal activity.
BlackICE includes a powerful network logging and capture function that can collect
information a hacker sends to your computer. This information is logged into specially
coded trace or evidence files, which can then be analyzed using a trace-file decoding
program to determine exactly what the hacker did (or tried to do).

Protection
The last aspect of an IDS is to protect the computer from the hacker. Blocking hackers
requires layers of defense systems that ensure all traffic from the hacker is rejected
before it can interact with the computer operating system.
Dynamic Address Protection
The first layer is a dynamic firewall. When an intrusion is detected, all transmissions
from the hacker’s network (IP) address are blocked. Since hackers can forge addresses
of legitimate systems, the firewall must only block the transmissions long enough for
the hacker to give up.
Standard Packet Protection
One way hackers circumvent firewalls is to break up their transactions into many
“fragmented” packets. Most firewalls are not able to analyze all these fragmented
packets and allow transmissions to pass right through.
The standard packet protection firewall blocks such fragmented packets as well as other
packet manipulation techniques.
Port Blocking
The last layer of defense is to block transmissions on specific network ports. Hackers
often search for open ports to exploit.
BlackICE can be configured to block ports that hackers typically exploit such as
NetBIOS share ports.

HANDLING INTRUSIONS

Getting hacked is a pretty common problem on the Internet. When you install
BlackICE, you may be surprised at the number of attacks that are logged. Fortunately,
most attacks are pretty innocuous. However, some are not. This section describes how
to handle attacks and secure your computer from hackers.

HOW TO RESPOND TO AN ATTACK


BlackICE automatically protects computers from any dangerous network intrusions.
Use the BlackICE Summary Application to monitor who is attempting to attack your
system, and you will likely notice that most of the hacks are really only port scans from
your ISP.
However, if you are experiencing a lot of serious attacks, you have some options for
responding to them.

TIP: See the BlackICE Summary Application Guide for more information about
blocking intruders and configuring BlackICE.

Step One – Determine the Severity


The first step in dealing with attacks is to consider the relative severity of the attack.
BlackICE events are all ranked on a scale that makes determining severity very easy.

Severity   Icon and description

100–75     Critical event (red exclamation point). These are deliberate attacks
           on your system for the purpose of damaging data, extracting data, or
           crashing the computer. Critical events always trigger protection
           measures.
74–50      Serious event (orange exclamation point). These are deliberate
           attempts to access information on your system without directly
           damaging anything. Some serious events trigger protection measures.
49–25      Suspicious event (yellow question mark). These are network activities
           that are not immediately threatening, but may indicate that someone is
           attempting to locate security vulnerabilities in your system.
           Suspicious events do not trigger protection measures.
24–0       Informational event (green “i”). These indicate that a network event
           occurred that is not threatening but worthy of taking note.
           Informational events do not trigger protection measures.

Informational and suspicious events do not trigger automatic protection measures.


These attacks are not very dangerous. Most are automated port scans that merely
search the computer for vulnerabilities. These attacks do not actually attempt to access
any information on the computer.

However, hackers usually conduct these scans just before they hack into a computer.
Therefore, if a single intruder is carrying out numerous scans against a computer, there
is a good chance that a hacker is preparing to break into your system.

Step Two – Respond


For most attacks, you are not required to do anything. BlackICE takes care of blocking
the intruder. All you need to do is keep an eye on the BlackICE Summary Application.
If a hacker attempts numerous attacks against your computer, there are a few ways to
respond to them.

Option 1 – Manually Block the Attacker


BlackICE only blocks intruders when they are directly threatening the operation of your
system. For non-threatening attacks, like port scans, BlackICE does not block the
intruder; it merely reports that the event happened.
However, some hackers carry out repeated, non-threatening attacks merely to be an
annoyance. Therefore, BlackICE provides a way to manually block attackers. Once an
attacker is blocked, he cannot perform any more scans on your system, threatening or
not.
To manually block an intruder, right click on the Intruder’s name on the Intruders tab,
and then select Block Intruder. From the displayed pop-up menu, select the blocking
duration (For an Hour, For a Day, etc.).
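The severity bands from the table in Step One, the rule that critical events always trigger protection, the observation that repeated scans from one intruder often precede a break-in, and the time-limited blocking used both by the dynamic firewall and by the manual For an Hour / For a Day choices, put together in an added example that is not BlackICE code. The event log, the scan threshold of five and the one-hour automatic block duration are assumptions of this example; which serious events trigger protection in BlackICE is not modelled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def severity_band(score: int) -> str:
    """Map a 0-100 event score to its severity band (bands from the manual's table)."""
    if not 0 <= score <= 100:
        raise ValueError("severity must be between 0 and 100")
    if score >= 75:
        return "critical"
    if score >= 50:
        return "serious"
    if score >= 25:
        return "suspicious"
    return "informational"


@dataclass
class Event:
    """One logged event (constructed; the field names are this example's own)."""
    time: datetime
    intruder_ip: str
    name: str
    severity: int


# Durations matching the manual block choices; the automatic duration is an assumed value.
BLOCK_FOR = {"hour": timedelta(hours=1), "day": timedelta(days=1)}
AUTO_BLOCK_DURATION = BLOCK_FOR["hour"]
SCAN_THRESHOLD = 5  # assumed: suspicious events from one address before it is flagged


@dataclass
class Monitor:
    blocked_until: Dict[str, datetime] = field(default_factory=dict)
    scan_counts: Dict[str, int] = field(default_factory=dict)

    def block(self, ip: str, now: datetime, duration: timedelta) -> None:
        """Block an address for a limited time only: hackers can forge the
        addresses of legitimate systems, so a permanent block could lock out a
        real host."""
        self.blocked_until[ip] = now + duration

    def is_blocked(self, ip: str, now: datetime) -> bool:
        expiry = self.blocked_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blocked_until[ip]  # the block has lapsed
            return False
        return True

    def handle(self, ev: Event) -> str:
        """Return the action taken: dropped, blocked, flagged or logged."""
        if self.is_blocked(ev.intruder_ip, ev.time):
            return "dropped"  # traffic from a blocked address never reaches the OS
        band = severity_band(ev.severity)
        if band == "critical":
            self.block(ev.intruder_ip, ev.time, AUTO_BLOCK_DURATION)
            return "blocked"  # critical events always trigger protection
        if band == "suspicious":
            count = self.scan_counts.get(ev.intruder_ip, 0) + 1
            self.scan_counts[ev.intruder_ip] = count
            if count >= SCAN_THRESHOLD:
                return "flagged"  # repeated scans: candidate for a manual block
        # Which serious events trigger protection is product-specific and not
        # modelled here; serious and informational events are logged only.
        return "logged"


def run_constructed_log() -> List[str]:
    """Feed a small constructed event log through the monitor."""
    t0 = datetime(2001, 3, 15, 14, 0, 0)
    events = [Event(t0 + timedelta(seconds=10 * i), "10.0.0.5", "port probe", 30)
              for i in range(5)]
    events.append(Event(t0 + timedelta(minutes=1), "10.0.0.9", "overflow attempt", 90))
    events.append(Event(t0 + timedelta(minutes=2), "10.0.0.9", "ping", 10))
    events.append(Event(t0 + timedelta(hours=2), "10.0.0.9", "ping", 10))
    monitor = Monitor()
    return [monitor.handle(e) for e in events]


def manual_block_demo() -> Tuple[bool, bool]:
    """Block for a day and report whether the address is still blocked 23 h and 25 h later."""
    t0 = datetime(2001, 3, 15, 14, 0, 0)
    monitor = Monitor()
    monitor.block("10.0.0.1", t0, BLOCK_FOR["day"])
    return (monitor.is_blocked("10.0.0.1", t0 + timedelta(hours=23)),
            monitor.is_blocked("10.0.0.1", t0 + timedelta(hours=25)))


if __name__ == "__main__":
    for action in run_constructed_log():
        print(action)
```

In the constructed log the fifth probe from 10.0.0.5 is flagged for a manual decision, the critical event from 10.0.0.9 triggers an automatic block, the ping two minutes later is dropped, and the ping two hours later is merely logged because the block has expired.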

Figure 3 – The Intruders Tab in the BlackICE Summary Application

WARNING: Do not block systems from your Internet Service Provider (ISP) or internal
network. Most ISPs have automated scans to check the state of users’ connections.
Blocking scans from your ISP may be a violation of your usage agreement and grounds
for terminating your account. Contact your ISP for help identifying the systems it uses
to scan connections. Most ISPs reveal the DNS address of their system. This address
usually contains the domain name of the ISP (e.g. server.isp.com).

Option 2 – Raise the Protection Level
If you are enduring numerous attacks, use the BlackICE security levels to protect your
network ports. Raising the protection level may interfere with some Internet functions,
especially multimedia content; however, this is preferable to having to endure thousands
of attacks.
To raise the protection level, select Edit BlackICE Settings from the Tools menu.
Then select the Protection tab.

Figure 4 – The Protection tab.


Cautious is ideal for most computers. Raising the security level may cause some
interference with interactive programs such as Internet telephones or games like Quake.
Please see the BlackICE Summary Application Guide for complete details.

Option 3 – Upgrade Older Operating Systems


All the major operating systems regularly release updates to their software. The most
current releases and service packs often patch known vulnerabilities. Your operating
system vendor’s web site is a good place to begin looking for updates.

REPORTING HACKERS
Hackers have to get on the Internet somewhere. Many hackers are kids with standard
accounts on ISPs, or employees taking advantage of their company’s high-speed
Internet connection.
The laws regarding hacking and computer security are still in development. However,
in many states it is considered theft to break into a person’s computer and steal
information. Merely attempting to break into computers is often a violation of an ISP’s
terms of usage. ISPs regularly terminate accounts of users who attempt to hack other
computers. Likewise, corporations can terminate employees who improperly abuse
company Internet connections.
One way to stop hackers is to report their activities to their ISP. At a minimum, the
ISP may begin monitoring that user for illegal activity. At best, the ISP may terminate
that user’s account.
Abuse@domainname.com
Most ISPs, corporations, and universities have web sites or email addresses where you
can report hacking activities. Typically the email address is something like
abuse@domainname.com. Keep in mind that these organizations handle hundreds,
possibly thousands of illegal use complaints each day.
Furthermore, reporting every system that scans your computer is probably more trouble
than it is worth. Scans and probes are kicked off all the time on the Internet. Simply
accessing a web site might kick off a scan. These are normal networking events and
not always indicative of an attack. It is best to report only those hackers that have
carried out severe or repeated attacks on your system.
Before you complain to a hacker’s ISP, make sure you have adequate supporting
evidence. This is where the back tracing and evidence logging features of BlackICE
become a real asset.

How to Report a Hacker


If BlackICE was able to get a DNS name from the hacker [4], then use this to locate the
origin of the intruder. For example, if BlackICE reported an attack from
USER1.SAMPLEISP.COM, the hacker was obviously a user on Sample ISP. Use an Internet
search engine to locate the web site for the origin.
If you are unsure who owns the domain, use the Network Solutions WHOIS server at
www.networksolutions.com/cgi-bin/whois/whois/ to lookup a domain name.
Send e-mail to the ISP with your complaint. Please do not call; most ISPs and
corporations do not have the staff to handle individual abuse complaints. When e-
mailing the ISP, make sure to include the following information. You can select the
corresponding attacks from the Attacks tab, or the intruder from the Intruders tab, and
then copy and paste the information into the e-mail.
• Exact time the attack occurred.
• Your time zone.
• The type of attack.
• The Intruder’s IP, DNS, NetBIOS, and MAC addresses, if available.
• Your name, e-mail address, and ISP.
• Attach the following support files to your e-mail. Make sure to explain that the
  evidence file is a “sniffer” type trace file. Most network administrators are familiar
  with this file format.
  ◦ Back Trace File: Attach the BlackICE back trace file for the intruder. These
    files are stored in the Hosts folder, which is located in the directory where
    BlackICE is installed. If you installed BlackICE to the default location, it is
    located at C:\Program Files\Network ICE\BlackICE\Hosts. The file names
    are the IP address and a .txt extension.
  ◦ Evidence File: An evidence file contains network traffic related to the event.
    The file is encoded as a “sniffer” trace file. You will need a trace file decoding
    application to view the contents of this file. Windows NT Server includes the
    Network Monitor service and tools, which can decode such files. Other third
    party vendors also supply such applications. Evidence files are stored in the
    folder where BlackICE was installed; the default location is
    C:\Program Files\Network ICE\BlackICE. By default, the file names are prefixed
    with the word evd and the date.

[4] If you do not have a DNS name for the hacker it is probably best to just block the
attacker and forget about it. Savvy hackers can hijack connections and spoof IP
addresses, which makes it impossible to report them to anybody who could stop them.
To determine which evidence file is correct for a particular attack, you may need to
correlate the time of the attack with the timestamp on the file(s). If there are numerous
files within the same time period, you need to decode the file and locate the IP address
of the attacker. Be careful not to send the wrong evidence file to the hacker’s ISP.
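Correlating an attack with its back trace and evidence files, as an added example that is not BlackICE code. The manual gives the back trace names (the intruder's IP address plus a .txt extension) and says evidence names begin with evd and the date; the exact evdYYYYMMDD-HHMMSS.enc layout, the five-minute window, the folder contents and the attack record are assumptions of this example. Decoding the sniffer trace itself is outside the example: instead it looks for the intruder's address bytes in the raw file, which is only a lead to confirm in a decoder such as Network Monitor before anything is sent to an ISP.

```python
import re
import socket
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed evidence-file layout: the manual says the names start with "evd" and
# the date; the evdYYYYMMDD-HHMMSS.<ext> shape used here is this example's guess.
EVIDENCE_NAME = re.compile(r"^evd(\d{4})(\d{2})(\d{2})-(\d{2})(\d{2})(\d{2})\.\w+$")


def evidence_timestamp(filename: str) -> Optional[datetime]:
    """Parse the timestamp out of an evidence file name, or None if it is not one."""
    m = EVIDENCE_NAME.match(filename)
    return datetime(*map(int, m.groups())) if m else None


def back_trace_name(intruder_ip: str) -> str:
    """Back trace files are named after the intruder's IP address with a .txt extension."""
    socket.inet_aton(intruder_ip)  # raises OSError on a malformed address
    return f"{intruder_ip}.txt"


def candidate_evidence_files(filenames: Iterable[str], attack_time: datetime,
                             window: timedelta) -> List[str]:
    """Evidence files whose timestamp lies within +/- window of the attack, closest first."""
    scored = []
    for name in filenames:
        ts = evidence_timestamp(name)
        if ts is not None and abs(ts - attack_time) <= window:
            scored.append((abs(ts - attack_time), name))
    return [name for _, name in sorted(scored)]


def mentions_address(raw_capture: bytes, intruder_ip: str) -> bool:
    """Heuristic stand-in for decoding the trace: an IPv4 capture carries the
    address in network byte order in every packet header, so look for those four
    bytes. A four-byte sequence can also occur by chance inside payload, so a hit
    is a lead to confirm in a decoder, not proof."""
    return socket.inet_aton(intruder_ip) in raw_capture


def select_evidence(files: Dict[str, bytes], attack_time: datetime, intruder_ip: str,
                    window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Candidate files within the window that also contain the intruder's address."""
    return [name for name in candidate_evidence_files(files, attack_time, window)
            if mentions_address(files[name], intruder_ip)]


def constructed_evidence_folder() -> Dict[str, bytes]:
    """In-memory stand-in for the BlackICE folder (constructed names and contents)."""
    def fake_capture(ip: str) -> bytes:
        # ASCII filler around a header-like run that contains the address bytes.
        return b"CAPTURE " + b"\x45\x00\x00\x3c" + socket.inet_aton(ip) + b" END"
    return {
        "evd20010315-140530.enc": fake_capture("10.0.0.9"),
        "evd20010315-140210.enc": fake_capture("192.0.2.44"),
        "evd20010314-090000.enc": fake_capture("10.0.0.9"),
        "readme.txt": b"not an evidence file",
    }


def demo() -> Dict[str, object]:
    """Pick the evidence and back trace files for a constructed attack record."""
    attack_time = datetime(2001, 3, 15, 14, 5, 22)
    intruder = "10.0.0.9"
    files = constructed_evidence_folder()
    return {
        "back_trace": back_trace_name(intruder),
        "candidates": candidate_evidence_files(files, attack_time, timedelta(minutes=5)),
        "selected": select_evidence(files, attack_time, intruder),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two files fall inside the window, but only the one whose contents carry the intruder's address is selected; the file from the previous day that also mentions the address is excluded by the timestamp, which is the double check the paragraph above asks for.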

RETALIATION HACKING
It is tempting to turn the tables on hackers and hack them back. Network ICE
strongly discourages any attempts at “retaliation hacking.” It might feel good to
attempt such revenge, but ultimately it is counterproductive and could make matters
worse.
There are four very compelling reasons not to attempt any retaliation hacking.
1. Hacking is probably a violation of your ISP’s usage policies. Hacking is one of the
quickest ways to get your Internet account cancelled. This includes corporate
Internet connections.
2. Retaliating against a hacker could merely incite the attacker to do more. Most
sophisticated hackers are diligent enough to protect their own systems. Therefore,
if you attempt to hack them back, this could encourage them. Less experienced
hackers may find your retaliation as grounds to broadcast your account to various
hacker forums. This could summon more experienced hackers to zero in on your
system.
3. Hacking is usually not a constructive activity. BlackICE Defender protects your
systems from hackers. Retaliating only wastes time and will probably not stop the
hacker. In the realm of networking countermeasures, the best offense is a solid
defense.
4. Some hacking tools are actually Trojans themselves. Devious hackers know the
best target for hacking is a person who fancies him/herself a hacker. Therefore,
they may offer you special applications that make hacking easy. In reality, these
programs can contain Trojans that open your computer to hacking from the hacker
who gave you the tool.
Be safe, block the hacker and forget them. BlackICE can take care of the hacker and
protect your computer.

COMPUTER SECURITY

Computer security is no longer something that only worries network engineers. The
hackers of today are highly skilled and ubiquitous. While you surf the Internet, a
hacker from anywhere in the world might be hacking your computer and stealing your
identity.
You have already taken the first step toward stopping hackers with BlackICE.
BlackICE can detect, monitor, and stop hackers before they get into your computer.
For most casual Internet users, BlackICE can protect your computer completely.
However, there are other things you can do to “harden” your computer from hackers.
This section describes how to further protect your computer from the prying eyes of
hackers.

GOOD SECURITY PRACTICES


Most significant hacking problems are easily prevented when users adhere to good
security practices. This section lists some things you can do to make your computer
even more secure.
• Turn computer off when not in use. If you have a DSL or cable modem
  connection, turn your computer off when not using it. These “always on”
  connections are particularly vulnerable because they provide more opportunities for
  hackers to find your computer.
• Protect network addresses. Never reveal your cable modem, DSL, or ISP
  connection’s IP address or other system networking information to anyone. Your
  telephone company and Internet Service Provider should already have this
  information. They will never ask you for this information.
• Protect passwords. Never give out a password or any sensitive information to an
  unsolicited telephone call or e-mail. Get the person’s telephone number and tell
  them you will call them back.
• Be careful what goes out over e-mail. Never e-mail sensitive information such as
  passwords, credit card information, etc. to people unless you have software
  installed that can encrypt your e-mail. There are several good e-mail encryption
  programs on the market.
• Know the web sites you visit. Never submit private or sensitive information via a
  web page unless the web site uses secure connections. You can identify a secure
  connection with a small “key” icon on the bottom of your browser (Internet
  Explorer 3.02 or better) or a closed “lock” (Netscape 3.0 or better). If a web site
  uses a secure connection, it is safe to submit information. Secure web transactions
  are quite difficult to crack.
• Be very careful of files e-mailed to you, even those from people you know. One
  common way of getting viruses on a computer is to embed them into an e-mail
  attachment. While you are laughing at the antics of some dancing baby cartoon,
  hackers are opening up your system and stealing your files.

• Never execute a file sent to you with a *.VBS extension. These are visual basic
  scripts that may contain viruses or worms that could plant remotely controlled
  hacking programs (Trojans) on your computer.
• Change your passwords regularly. Also, use passwords that are not easy to figure
  out. The most difficult passwords to crack are those consisting of non-dictionary
  words, upper and lower case letters, numbers, and symbols such as % or #.
• Upgrade your software and operating system regularly. Many older versions of
  software, especially web browsers, have well known security deficiencies. When
  you upgrade to the latest versions, you get the latest patches and fixes. Check with
  your browser and operating system vendor to locate the latest patches and updates.
• Chat rooms. If you use “chat rooms” or IRC sessions, be careful with any
  information you reveal to strangers. Hackers are notorious for “address harvesting”
  from chat rooms and other interactive areas.
• Games. Avoid hosting interactive games like Quake 3 Arena or Half-Life. This
  exposes your IP address and can summon hackers (especially if you win!).
• Pay attention to odd computer behavior. If your system starts exhibiting odd
  behavior, check the BlackICE summary application for signs of possible attacks.
  Some hackers set off attacks that slowly cause your system to become unstable or
  unusable. If this happens a lot, notify your ISP and reboot your machine. In
  extreme cases, hackers can damage the operating system on your computer, which
  would require re-installing the operating system.
• Beware the Blue Screen of Death. If you are using Windows 2000 or Windows
  NT and your system suddenly displays a blue screen, write down the information at
  the top of the screen. Proceed to check the BlackICE summary application to see if
  any attacks occurred at the time of the problem. If so, contact your ISP. Some
  serious Windows errors are the result of hackers or viruses on a system.
• Always shred confidential information, particularly about your computer, before
  throwing it away. A dedicated hacker will dig through the trash of companies or
  individuals for information that might help them access your system, a practice also
  known as “dumpster diving”.

COMPUTER HARDENING
Hardening refers to configuring a computer to be more resistant to attacks. Hardening
aims to make a computer virtually impenetrable to hackers.
This section describes how to harden Windows-based systems. For additional
information about hardening systems, see the Network ICE advICE web site at
www.networkice.com/advice.
Many of these instructions require some advanced understanding of Windows-based
systems. For help performing any of these tasks, refer to the on-line help included with
your copy of Windows. You may also want to refer to the Microsoft on-line
Knowledge Base at support.microsoft.com.
Options for hardening a computer depend on the operating system you are using.
Windows NT/2000 and Windows 95/98/Me are technically very different systems even
though they look alike. In this section, hardening options indicate the operating
system(s) where they are applicable.

Install the latest Security Patches and Service Packs
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Perhaps the simplest way to make Windows systems safe is to keep up to date on the
latest security fixes. The easiest way to get the latest patches is to use Microsoft’s
Windows Update web site at www.windowsupdate.com. This site can automatically
detect what is installed on your computer and identify which updates you need to
install. For additional information visit the Microsoft web site at www.microsoft.com.

Harden Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

It is best to use passwords that are extremely difficult to guess. The best passwords are
odd combinations of letters, numbers, and symbols, in both lower and upper case.
Names of pets, family members, and favorite cars might be easy to remember but they
are also easy to hack.
The User Manager in Windows NT/2000 can actually go a step further and require users
to create hardened passwords. It can also establish strict password policies that prevent
hackers from running cracking programs on the operating system. It is a good idea to
implement the following hardening policies on Windows NT/2000 machines.
• Enable lockout on all normal accounts. 3 to 5 attempts is a good limit.
• Force long passwords, at least 6 characters.
• Require unique passwords so that when users change a password, they cannot re-use
  an old one.

Figure 5 – Windows 2000 includes a Local Security Settings feature to control password
policies.

• You may also want to install the passfilt.dll file as described at
  msdn.microsoft.com/library/psdk/logauth/pswd_about_9x7w.htm. This special
  add-on allows you to define specific rules for passwords. For regular Windows
  NT/2000 workstations, this is not necessary. Windows 2000 has password filtering
  capabilities built into the operating system. See the documentation included with
  Windows for more information about implementing password filtering.
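The password policies listed above (lockout after 3 to 5 attempts, at least 6 characters, no re-use of old passwords, and non-dictionary words mixing upper and lower case, numbers and symbols) as an added example in Python, not Windows or BlackICE code. The lockout threshold of 5, the history depth of 5, the "three of four character classes" rule, the PBKDF2 work factor and the small word list are assumptions of the example; a real password filter such as passfilt.dll runs inside the operating system, whereas this one only shows the checks.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_LENGTH = 6          # "at least 6 characters"
LOCKOUT_THRESHOLD = 5   # "3 to 5 attempts": the upper end is used here
HISTORY_DEPTH = 5       # assumed: how many old passwords are remembered
PBKDF2_ROUNDS = 20_000  # assumed work factor for the stored hashes

# Constructed word list standing in for a cracking dictionary.
DICTIONARY = {"password", "secret", "welcome", "letmein", "fluffy", "mustang"}


def check_complexity(password: str) -> List[str]:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Strip digits and symbols so "Fluffy99!" is still recognised as a pet name.
    core = "".join(ch for ch in password.lower() if ch.isalpha())
    if core in DICTIONARY:
        problems.append("dictionary word")
    classes = [
        any(ch.islower() for ch in password),
        any(ch.isupper() for ch in password),
        any(ch.isdigit() for ch in password),
        any(ch in string.punctuation for ch in password),
    ]
    if sum(classes) < 3:  # assumed rule: three of the four character classes
        problems.append("needs three of: lower case, upper case, digit, symbol")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so stored passwords are not recoverable at a glance."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    failed_attempts: int = 0
    locked: bool = False

    def set_password(self, new_password: str) -> List[str]:
        """Apply the policy and the no-reuse rule; returns problems, empty on success."""
        problems = check_complexity(new_password)
        for salt, digest in self.history:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                problems.append("reused")
                break
        if problems:
            return problems
        salt = os.urandom(16)
        self.history.append((salt, _digest(new_password, salt)))
        del self.history[:-HISTORY_DEPTH]  # keep only the most recent entries
        return []

    def verify(self, password: str) -> bool:
        """Check a logon attempt; lock the account after too many failures."""
        if self.locked or not self.history:
            return False
        salt, digest = self.history[-1]
        if hmac.compare_digest(_digest(password, salt), digest):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


if __name__ == "__main__":
    acct = Account("alice")
    print(check_complexity("Fluffy99!"))
    print(acct.set_password("Tr4v#lMug"), acct.verify("Tr4v#lMug"))
```

The history check re-hashes the candidate under each stored salt, which is what makes "cannot re-use an old one" enforceable without ever keeping the old passwords themselves.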

Use the NTFS Hard Drive Partition Format


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No

Windows NT/2000 systems can access hard drives that use the NTFS format. NTFS is
much more secure than FAT or FAT32 partitions. Use the convert.exe program
located in the directory where Windows NT/2000 is installed to convert a FAT partition
to NTFS.

Do Not Multi-Boot
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Use only one operating system. Do not dual boot to any other operating system.
Multiple operating systems may allow a hacker to exploit weaknesses in one operating
system while the other is running.

Secure All Shares with Passwords


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

If you create any shared resources, particularly shared hard drives, protect those shares
with passwords. Use passwords that are not easily guessed. The most difficult
passwords to crack are those consisting of non-dictionary words, upper and lower case
letters, numbers, and symbols such as % or #.

Disable All Unnecessary Accounts


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No

Unless your computer requires anonymous access for a web site or database, it is a
good idea to disable all unnecessary accounts, especially the Guest account. If you are
unsure which accounts to disable, at least change the password on these accounts to
something very secure.

Explicitly Select Users with Network Access
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No

Windows NT/2000 allows you to explicitly select which users can access the system
over the network. It is a good idea to restrict this to only those user groups that should
be allowed to access your computer.
For most DSL and home users, you can completely disable all network access for users.
This will not interfere with local access; only remote access from other computers is
blocked.

Figure 6 – Windows NT/2000 allows you to explicitly select the user groups that can access
your computer over the network.

Disable Telnet
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No

Without a doubt, Telnet is the service most abused by hackers. Unless you have a very
specific need for telnet access to your computer, check the computer services and
specifically disable the telnet service.

Do Not Install a Web Server
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Unless you are using your computer as a web server, do not install Internet Information
Server or Personal Web Services. These services open the computer up to numerous
attacks as they enable Internet services.
If you do plan to use the system as a web server, enable only those services needed.
For example, if you do not plan on offering FTP services, disable the FTP services.
You may also want to assign non-standard ports to your web services. For example,
configure FTP services to use port 21111 rather than the default 21. This might keep
inexperienced hackers from attempting to break into your FTP server.

Disable NetBIOS (WINS)


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Windows uses an implementation of NetBIOS called Windows Internet Naming Service
or WINS. NetBIOS allows Windows-based computers to access resource shares (hard
drives, printers, etc.) over the network and use the Network Neighborhood lookup.
Unless your computer is connected to other computers on a network, there is no reason
to leave NetBIOS enabled. BlackICE can block all access to the NetBIOS ports.
Uncheck the Allow Internet File Sharing and Allow NetBIOS Neighborhood options
on the Protection tab of the BlackICE Settings dialog box.

Figure 7 – The Protection tab.

WARNING: If you have your home/office computers connected to a local area network
where you share files with other computers, you should not disable file sharing. See
Protecting Home/Office Networks on page 26 for more information about how to
protect your home/office LAN from hackers while still allowing file sharing.

Secure the Registry


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me No

Windows NT and 2000 support remote access to the registry using the Registry Editor
program and a special Windows interface command (Win32 API call).
The following registry key dictates which users/groups can access the registry
remotely:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg

If this key does not exist, remote access is not restricted, and only the underlying
security on the individual keys controls access.
In a default Windows NT Workstation installation, this key does not exist. In a default
Windows NT Server installation, this key exists and grants administrators full control
for remote registry operations.
Another good idea is to alter the security settings on each main key in the registry to
only allow the system and administrators access to the keys. This can be done using
the regedt32.exe program in the system32 folder where Windows NT is installed.

Figure 8 – Registry Security Settings


For more information about properly securing the registry, refer to the Microsoft web
site.

Never Cache Passwords
This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Windows systems allow you to save passwords for numerous applications. These
passwords are saved in encrypted files or in areas of the registry that a hacker might be
able to access. Once a hacker gets a hold of these files, it is merely a matter of time
before a password grinding utility can extract your passwords from the files.
Therefore, when Windows prompts you to save a password, uncheck the option. It may
be a little inconvenient, but that is better than hackers getting access to your computer.

Disable Userdata Persistence


This option is applicable in:
Windows NT/2000 Yes
Windows 95/98/Me Yes

Internet Explorer 5.0-5.5 can cache passwords and logon information. This information
could allow a hacker to access web sites you visit, including e-mail. It is a good idea to
disable this feature so Internet Explorer does not save this information locally.
This feature is not available in Internet Explorer 3.02 – 4.0 or Netscape Navigator.
1. To disable this feature, select Internet Options from the Tools menu in Internet
Explorer.
2. Select the Security tab. Then click Custom Settings.
3. Scroll down to the Userdata persistence entry and select Disable.
4. Click OK.

Figure 9 – Disable the userdata feature in Internet Explorer 5.0 – 5.5.

PROTECTING HOME/OFFICE NETWORKS
If your computer is connected to an internal network where you share files between
computers, disabling file sharing and Network Neighborhood makes it impossible for
other users to access files on your computer.
BlackICE can handle this blocking for you, but if you have a home network you must
reconfigure the network so that NetBIOS access is blocked for hackers while your
internal network can still use file sharing.
There are a few ways to allow internal file sharing on your home network while still
preventing hackers:

Solution One – Install NetBEUI Protocol


One solution is to install the NetBEUI protocol on all the computers on your network.
NetBEUI is a non-routable protocol for use on internal networks. With NetBEUI and
TCP/IP installed, the network can use NetBEUI for accessing internal shares while still
communicating with the Internet using TCP/IP.
However, NetBEUI is intended for small networks only. If you are installing BlackICE
on a large network, it is not advisable to use NetBEUI, as it cannot be routed across
multiple subnets. This may ultimately slow down your communications with remote
computers on your networks.
To use NetBEUI for internal access:
1. Install NetBEUI on all the computers on your internal network.
2. Keep Internet File Sharing and NetBIOS neighborhood enabled in the Edit
BlackICE Settings Protection tab.
3. In the network properties of Windows, disable NetBIOS over TCP/IP. Since the
computers on the internal network communicate and route over the Internet using
TCP/IP, this prevents your computer from reporting any NetBIOS information over
the Internet.
When you disable NetBIOS over TCP/IP, Windows will use NetBEUI for
NetBIOS resolution. Because NetBEUI is non-routable, Windows cannot expose
shared resources to the Internet.
See the documentation included with your copy of Windows for more information about
how to install NetBEUI.

Solution Two – Install a Hardware Router


Several manufacturers sell DSL/cable modem routers. These routers can isolate your
internal network, providing some protection from hackers while allowing you to keep
NetBIOS enabled.
Additionally, many hardware routers can offer Network Address Translation (NAT)
firewall features. NAT firewalls are quite simple and easy to penetrate, but they stop
many casual or inexperienced hackers from probing your computer for open ports or
vulnerabilities.

SECTION 3 • COMPUTER SECURITY • 26


Solution Three – Build a Dual-Interface Proxy Server
Another way to solve the sharing problem is to build a dual-interface proxy server and
disable the WINS/NetBIOS interface on the external network interface.

Figure 10 – One way to isolate an internal network is to use a dual-interface proxy server
with the WINS/TCP/IP client disabled on the external interface.
Such an arrangement requires some advanced experience with computer networking. It
also requires proxy server software. This solution is ideal for larger networks that
cannot use NetBEUI and need the services of a proxy server.
This arrangement requires two network interface cards in the proxy server computer.
Building a dual-interface proxy server will stop attacks directed at the proxy server
system, but will not protect computers on the internal network. Therefore, make sure to
purchase copies of BlackICE for your internal computers.
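As an added example (not part of the BlackICE guide), the Python script below audits step 3 of Solution One and the external-interface rule of Solution Three: fed the text that `ipconfig /all` prints, it lists adapters that hold a public address and still report NetBIOS over TCP/IP as enabled. The adapter names, descriptions and the sample output are constructed; the public address is the one the glossary uses as an illustration, and the exact "NetBIOS over Tcpip" wording is assumed from current Windows output.

```python
"""Added example, not from the BlackICE guide: find adapters that still
answer NetBIOS over TCP/IP while holding an Internet-reachable address.

Feed it the text of `ipconfig /all` (Windows 2000 and later print a
"NetBIOS over Tcpip" line per adapter; the exact wording is assumed from
current Windows output). Without input it checks the constructed sample.
"""
import ipaddress
import re
import sys

# Constructed sample of `ipconfig /all` output. The internal adapter keeps
# NetBIOS on (needed for file sharing); the Internet-facing adapter still has
# it on, which is what step 3 of Solution One tells you to turn off.
SAMPLE_BEFORE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : homepc

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : internal NIC (constructed)
   IP Address. . . . . . . . . . . . : 192.168.0.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Internet Connection:

   Description . . . . . . . . . . . : DSL modem NIC (constructed)
   IP Address. . . . . . . . . . . . : 38.158.99.13
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
# The same machine after NetBIOS over TCP/IP is disabled on the external NIC.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "38.158.99.13\n   NetBIOS over Tcpip. . . . . . . . : Enabled",
    "38.158.99.13\n   NetBIOS over Tcpip. . . . . . . . : Disabled")

ADAPTER_HEADER = re.compile(r"^\S.*adapter\s+(.+):\s*$")
IP_LINE = re.compile(r"^\s*IP(?:v4)? Address[ .]*:\s*([\d.]+)")
NETBIOS_LINE = re.compile(r"^\s*NetBIOS over Tcpip[ .]*:\s*(\w+)", re.IGNORECASE)


def parse_ipconfig(text):
    """Map adapter name -> {"ip": first IPv4 address, "netbios": Enabled/Disabled}."""
    adapters, current = {}, None
    for line in text.splitlines():
        if m := ADAPTER_HEADER.match(line):
            current = m.group(1).strip()
            adapters[current] = {"ip": None, "netbios": None}
        elif current is None:
            continue                       # lines before the first adapter
        elif (m := IP_LINE.match(line)) and adapters[current]["ip"] is None:
            adapters[current]["ip"] = m.group(1)
        elif m := NETBIOS_LINE.match(line):
            adapters[current]["netbios"] = m.group(1).capitalize()
    return adapters


def exposed_adapters(text):
    """Adapters that would answer NetBIOS queries from the Internet: a public
    (non-private, non-reserved) address and NetBIOS over TCP/IP still enabled.
    Internal adapters on RFC 1918 addresses may legitimately keep it on."""
    found = []
    for name, info in parse_ipconfig(text).items():
        if info["netbios"] != "Enabled" or info["ip"] is None:
            continue
        if not ipaddress.ip_address(info["ip"]).is_private:
            found.append(name)
    return sorted(found)


if __name__ == "__main__":
    text = SAMPLE_BEFORE if sys.stdin.isatty() else sys.stdin.read()
    for name in exposed_adapters(text):
        print(f"NetBIOS over TCP/IP is still enabled on external adapter: {name}")
```

Run it as `ipconfig /all | python check_netbios.py` on the machine itself; an empty result means no Internet-facing adapter is advertising NetBIOS.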



FOR MORE HELP

NEED MORE ADVICE?
For more help with computer security, visit the Network ICE advICE web site at
http://advice.networkice.com/Advice/default.htm. This site provides in-depth articles
and instructions on securing computers and stopping hackers.
Accessing advICE from BlackICE
The BlackICE Summary Application includes a direct link to the advICE web site. Just
click the advICE button located on the Attacks tab.

Figure 11 – BlackICE Summary Application.


To view in-depth information about a particular kind of attack, select the attack in the
attacks list and click advICE. A web browser window is opened to the advICE site
displaying a complete description about the attack.

APPENDIX A • FOR MORE HELP • 28


PRODUCT DOCUMENTATION
The latest product documentation is available from the Network ICE web site at
www.networkice.com/support/documentation.html.

TECHNICAL SUPPORT
Web: www.networkice.com/support/online_resources.html
E-mail: support-l1@networkice.com

For updates and upgrade information, please visit the Network ICE web site at
www.networkice.com. For information on how to download the latest update of
BlackICE Defender please see the BlackICE Summary Application Guide.



GLOSSARY

Agent: A computer program that reports information to another computer or allows
another computer access to the local system. Agent software can be used in good ways,
as in the case of BlackICE software reporting intrusion information to an ICEcap server
for reporting and analysis. Agents can also be dangerous as in the case of hacking
programs like SubSeven or Back Orifice that expose backdoors to the computer.
ARP: Address Resolution Protocol. A TCP/IP protocol used to convert an IP address
into a physical address (called a DLC address), such as an Ethernet address. A host
wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP
network. The host on the network that has the IP address in the request then replies
with its physical hardware address.
Attack: See Event.
Authenticity: Proof that the information came from the person or location that
reportedly sent it. One example of authenticating software is through digital
signatures.
Back Door: A deliberately planned security breach in a program. Back doors allow
special access to a computer or program. Sometimes back doors can be exploited and
allow a cracker unauthorized access to data.
Back Orifice: Back Orifice is a remote administration tool that allows a user to control
a computer across a TCP/IP connection using a simple console or GUI application.
Back Orifice is a potentially disastrous Trojan horse since it can provide the user
unlimited access to a system.
Blue Screen of Death (BSoD): When a Windows NT-based system encounters a
serious error, the entire operating system halts and displays a screen with information
regarding the error. The name comes from the blue color of the error screen.
Brute Force Hacking: A technique used to find passwords or encryption keys. Brute
Force Hacking involves trying every possible combination of letters, numbers, etc. until
the code is broken.
Camping Out: Staying in a "safe" place once a hacker has broken into a system. The
term can be used with a physical location, electronic reference, or an entry point for
future attacks.
Cipher Text: Text that has been scrambled or encrypted so that it cannot be read
without deciphering it. See Encryption.
Cookie: A string of characters saved by a web browser on the user's hard disk. Many
web pages send cookies to track specific user information. Cookies can be used to
retain information as the user browses a web site. For example, cookies are used to
'remember' the items a shopper may have in a shopping cart.
Countermeasures: Techniques, programs, or other tools that can protect your
computer against threats.
Cracker: Another term for hackers. Generally, the term cracker refers specifically to
a person who maliciously attempts to break encryption, software locks, or network
security.

APPENDIX B • GLOSSARY • 30
Cracker Tools: Programs used to break into computers. Cracker tools are widely
distributed on the Internet. They include password crackers, Trojans, viruses, war-
dialers, and worms.
Cracking: The act of breaking into computers or cracking encryptions.
Cryptoanalysis: The act of analyzing secure documents or systems that are protected
with encryption for the purpose of breaking into the systems or exposing weaknesses.
Decryption: The act of restoring an encrypted file to its original, plain text state.
Denial of Service (DoS): Act of preventing customers, users, clients, or other
machines from accessing data on a computer. Denial of service attacks are usually
accomplished by interrupting or overwhelming the computer with bad or excessive
information requests.
Digital Signature: Digital code that authenticates whoever signed the document or
software. E-mail, software, messages, and other electronic documents can be signed
electronically so that they cannot be altered by anyone else. If someone alters a signed
document, the signature is no longer valid. Digital signatures are created when
someone generates a hash from a message, then encrypts and sends both the hash and
the message to the intended recipient. The recipient decrypts the hash and original
message, makes a new hash on the message itself, and compares the new hash with the
old one. If the hashes are the same, the recipient knows that the message has not been
changed. Also see Public-key encryption.
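The sign-and-verify flow described in this entry, as an added example that is not part of the BlackICE guide: the sender hashes the message and transforms the hash with the private key, the recipient reverses that with the public key, rehashes the message and compares. The key pair comes from textbook RSA built on two small constructed primes, so the message and primes are assumptions and the scheme only illustrates the mechanics (real signatures use 2048-bit keys and padding).

```python
"""Added example, not from the BlackICE guide: the sign-and-verify flow the
Digital Signature entry describes, using a textbook RSA key pair built from
small constructed primes. The private key makes the signature; the matching
public key checks it. Real schemes use 2048-bit keys and padding; this toy
shows only the mechanics."""
import hashlib


def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes (constructed, far too small for real use)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # private exponent (modular inverse, Python 3.8+)
    return (e, n), (d, n)          # (public key, private key)


def message_hash(message, n):
    """Hash the message with SHA-256; keep 32 bits so it fits under the toy modulus."""
    digest = hashlib.sha256(message).digest()
    h = int.from_bytes(digest[:4], "big")
    assert h < n, "hash must be smaller than the modulus"
    return h


def sign(message, private_key):
    """Sender: hash the message, then 'encrypt' the hash with the private key.
    The message and this signature are what get sent to the recipient."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)


def verify(message, signature, public_key):
    """Recipient: 'decrypt' the signature with the public key, make a new hash
    of the received message, and compare. Any change to the message or the
    signature breaks the match."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message, n)


# Constructed toy key pair; 1000003 and 1000033 are prime.
PUBLIC_KEY, PRIVATE_KEY = make_keypair(1000003, 1000033)

if __name__ == "__main__":
    message = b"Transfer 100 to account 42"            # constructed message
    sig = sign(message, PRIVATE_KEY)
    print("original verifies:", verify(message, sig, PUBLIC_KEY))           # True
    print("altered verifies: ", verify(message + b"0", sig, PUBLIC_KEY))   # False
```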
DNS: Domain Name System. A database of domain names and their IP addresses.
DNS is the primary naming system for many distributed networks, including the
Internet.
Encryption: The act of substituting numbers and characters in a file so that the file is
unreadable until it is decrypted. Encryption is usually done using a mathematical
formula that determines how the file is decrypted.
Event: BlackICE can detect numerous network activities. Some activities are direct
attacks on your system, while others might be attacks depending on the circumstances.
Therefore, any activity, regardless of severity is called an event. An event may or may
not be a direct attack on your system. BlackICE categorizes all events into four
severity levels:

Severity   Description

100 – 75   Critical Event: This is a deliberate attack on your system for the
           purpose of damaging data, extracting data, or crashing the system.
           Critical events always trigger protection measures.
74 – 50    Serious Event: This is a deliberate attempt to access information on
           your system, yet it does not directly damage anything. These events
           can trigger protection measures, if applicable.
49 – 25    Suspicious Event: This is network activity that is not immediately
           threatening, but may indicate that someone is attempting to locate
           security vulnerabilities in your system. For example, hackers often
           scan the available ports or services on a system before attacking it.
           Suspicious events do not trigger protection measures, and not all
           suspicious events are indicative of a true attack.
24 – 0     Informational Event: This indicates that a network event occurred to
           your computer that is not threatening. Informational events do not
           trigger protection measures.

Firewall: A hardware or software barrier that restricts access in and out of a network.
Firewalls are most often used to separate an internal LAN or WAN from the Internet.
See Gateway.
FTP: File Transfer Protocol. A common protocol used for exchanging files between
two sites across a network. FTP is popular on the Internet because it allows for speedy
transfer of large files between two systems. Like all networking protocols, it too has
some significant vulnerabilities.
Gateway: A gateway is a system that provides access between two or more networks.
Gateways are typically used to connect unalike networks together. A gateway can also
serve as a firewall between two or more networks.
Grinding: See password grinding.
Hacker: Generally, a hacker is anyone who enjoys experimenting with technology,
including computers and networks. Not all hackers are criminals breaking into
systems. Many are legitimate users and hobbyists. Nevertheless, some are dedicated
criminals or vandals. See Cracker.
HTTP: Hyper Text Transfer Protocol. The most common protocol used on the
Internet. HTTP is the primary protocol used for web sites and web browsers. It is also
prone to certain kinds of attacks.
ICMP: Internet Control Message Protocol. ICMP, an extension to the Internet
Protocol (IP), supports packets containing error, control, and informational messages.
The PING command, for example, uses ICMP to test an Internet connection.
IDS: Intrusion Defense System (or Software). A class of networking products devoted
to detecting, monitoring, and blocking attacks from hackers. This often is comprised of
a number of related components such as a firewall and protocol analyzer working
together to stop hackers. BlackICE is an IDS.
Integrity: Proof that the data is the same as originally intended. Unauthorized
software or people have not altered the original information.
Internet Worm: See Worm.
Intruder: Person or software interested in breaking computer security to access,
modify, or damage data. Also see Cracker.
IP: Internet Protocol. Specifies the format of packets, also called datagrams, and the
addressing scheme. Most networks combine IPs with a higher-level protocol called
Transport Control Protocol (TCP), which establishes a virtual connection between a
destination and a source. IP by itself is something like the postal system. It allows you
to address a package and drop it in the system, but there's no direct link between you
and the recipient. TCP/IP, on the other hand, establishes a connection between two
hosts so that they can send messages back and forth for a period of time. Current IP
standards use 4 numbers between 0 and 255 separated by periods to create the 32-bit
numeric IP address. For example, an IP address could be: 38.158.99.13.
IRC: Internet Relay Chat. IRC was developed in the late 1980s as a way for multiple
users on a system to “chat” over the network. Today IRC is a very popular way to
“talk” in real time with other people on the Internet. However, IRC is also one avenue
hackers use to get information from you about your system and your company.
Moreover, IRC sessions are prone to numerous attacks that, while not dangerous, can
cause your system to crash.
LAN: Local-Area Network. A LAN is a computer network that spans a relatively small
area. One LAN connected via telephone lines or radio waves to other LANs over any
distance creates a WAN (a Wide-Area Network).
Linux: A version of the UNIX operating system.
Logic Bomb: A virus that only activates itself when certain conditions are met. Logic
bombs usually damage files or cause other serious problems when they are activated.

MAC Address: Media Access Control Address. A unique identification code used in
all networked devices. The MAC address defines a specific network node at the
hardware level and cannot be altered by any software.
Name Resolution: The allocation of an IP address to a host name. See DNS.
NetBIOS: Network Basic Input / Output System. NetBIOS is an extension of the DOS
BIOS that enables a PC to connect to and communicate with a LAN (Local Area
Network).
NetBEUI: NetBIOS Extended User Interface. A non-routable networking protocol
developed in the 1980s by IBM. NetBEUI is ideal for smaller, non-subnetted networks
for internal communications. Because NetBEUI is not routable, network transmissions
sent via NetBEUI cannot be transmitted over the Internet.
NAT: Network Address Translation. An Internet standard that enables LAN, WAN
(Wide Area Network), and MAN networks to use extended IP addresses for internal use
by adding an extra number to the IP address. This standard translates internal IP
addresses into external IP addresses and vice versa. In doing so, it generates a type of
firewall by hiding internal IP addresses.
Packet Filter: A filter used in firewalls that scans packets and decides whether to let
them through.
Password Cracker: A program that uses a dictionary of words, phrases, names, etc. to
guess a password.
Password Caching: The storage of a user's username and password in a network
administrator database or encrypted file on a computer. Also called password
shadowing.
Password encryption: A system of encrypting electronic files using a single key or
password. Anyone who knows the password can decrypt the file.
Password Grinding: The process of systematically testing all character combinations
on a password until the correct character string is identified. Password grinding is a
very slow, but effective way to crack password files. There are numerous, freely
available computer programs that can grind password files.
Penetration: Gaining access to computers or networks by bypassing security programs
and passwords.
Phreaking: Breaking into phone or other communication systems. Phreaking sites on
the Internet are popular among crackers and other criminals.
Ping: Packet Internet Groper. PING is a utility to determine whether a specific IP
address is accessible. It works by sending a packet to the specified address and waiting
for a reply. PING is used primarily to troubleshoot Internet connections.
Ping Attack: An attack that slows down the network until it is unusable. The attacker
sends a "ping" command to the network repeatedly to slow it down. See also Denial of
Service.
Pirate: Someone who steals or distributes software without paying the legitimate
owner for it. This category of computer criminal includes several different types of
illegal activities:
• Making copies of software for others to use.
• Distributing pirated software over the Internet or a Bulletin Board System.
• Receiving or downloading illegal copies of software in any form.
Pirated Software: Software that has been illegally copied, or that is being used in
violation of the software's licensing agreement. Pirated software is often distributed
through pirate bulletin boards or on the Internet. In the Internet underground it is
known as Warez.

Plain Text: The opposite of Cipher Text, Plain Text is unencrypted text readable to
any system that intercepts network communications.
POP: Post Office Protocol. This is a common protocol used for retrieving mail
messages.
Port: A connection point where a computer communicates with other devices.
Computers have hardware ports such as parallel ports for printers or USB ports for
digital cameras. Networks use virtual ports for assigning a communications channel
that the computer can control. For example, when browsing the web, most HTTP based
communications take place using the TCP port 80. When a computer needs to access a
web site, it opens a channel on TCP port 80, sends the packets through that port and
then receives them back. There are two types of ports, TCP and UDP. UDP is the
same as a TCP port except it lacks the error checking mechanism that TCP uses. There
are over 131,000 ports available for use in a TCP/IP environment (64K TCP, 64K
UDP). Most of these ports are unused, unassigned, or restricted. Some are very
common ports, such as port 80. Others are used exclusively for a brand of software.
For example, Quake games use TCP port 26000 (and others) for network games.
When hackers break into a system they typically exploit ports that are either
accidentally or purposefully opened. For example, one of the easiest ways to see if the
Trojan application Back Orifice is installed on a computer is to scan for activity on
TCP port 54320. This is the TCP port Back Orifice uses when communicating with
other systems.
Promiscuous Packet Capture: Actively capturing packet information from a network.
Most computers only collect packets specifically addressed to them. Promiscuous
packet capture acquires all network traffic it can regardless of where the packets are
addressed.
Protocol: A “language” for communicating on a network. Protocols are sets of
standards or rules used to define, format, and transmit data across a network. There are
many different protocols used on networks. For example, most web pages are
transmitted using the HTTP protocol.
Proxy Server: A server that performs network operations in lieu of other systems on
the network. Proxy Servers are most often used as parts of a firewall to mask the
identity of users inside a corporate network yet still provide access to the Internet.
When a user connects to a proxy server, via a web browser or other networked
application, he submits commands to the proxy server. The server then submits those
same commands to the Internet, yet without revealing any information about the system
that originally requested the information. Proxy servers are an ideal way to also have
all users on a corporate network channel through one point for all external
communications. Proxy servers can be configured to block certain kinds of connections
and stop some hacks.
Public Key Encryption: System of encrypting electronic files using a key pair. The
key pair contains a public key used during encryption, and a corresponding private key
used during decryption.
Reconnaissance: The finding and observation of potential targets for a cracker to
attack.
Router: A device that connects two networks together. Routers monitor, direct, and
filter information that passes between these networks. Because of their location,
routers are a good place to install traffic or mail filters. Routers are also prone to
attacks because they contain a great deal of information about a network.

SATAN: A UNIX program that gathers information on networks and stores it in
databases. It is helpful in finding security flaws such as incorrect settings, software
bugs and poor policy decisions. It shows network services that are running, the
different types of hardware and software on the network, and other information. It was
written to help users find security flaws in their network systems.
Severity Levels: See Event.
Shoulder Surfing: Looking over someone's shoulder to see the numbers they dial on a
phone, or the information they enter into a computer.
SMB: Server Message Block. SMB is a message format used by DOS and Windows to
share files, directories and devices. NetBIOS is based on the SMB format, and many
network products use SMB. These SMB-based networks include LAN Manager,
Windows for Workgroups, Windows NT, and LAN Server. There are also a number of
products that use SMB to enable file sharing among different operating system
platforms. A product called Samba, for example, enables UNIX and Windows
machines to share directories and files.
SMTP: Simple Mail Transfer Protocol. SMTP is a protocol for sending e-mail
messages between servers. Most e-mail systems that send mail over the Internet use
SMTP to send messages from one server to another; the messages can then be retrieved
with an e-mail client. In addition, SMTP is generally used to send messages from a
mail client to a mail server.
SNMP: Simple Network Management Protocol. SNMP is a set of protocols for
managing complex networks. The first versions of SNMP were developed in the early
80s. SNMP works by sending messages, called protocol data units (PDUs), to different
parts of a network. SNMP-compliant devices, called agents, store data about
themselves in Management Information Bases (MIBs) and return this data to the SNMP
requesters.
Sniffer: Sniffer is a registered trademark of Network Associates, Inc., although it has
come to identify a whole class of products that can capture network transmissions and
encode the information in those packets into evidence files. BlackICE uses Sniffer-
style files for evidence capture.
Snooping: Passively watching a network for information that could be used to a
hacker's advantage, such as passwords. Usually done while Camping Out.
SOCKS: A protocol that handles TCP traffic through proxy servers. SOCKS acts like
a simple firewall because it checks incoming and outgoing packets and hides the IP
addresses of client applications.
SPAM: Unwanted e-mail, usually in the form of advertisements or “get rich quick”
schemes.
Spoof: To forge something, such as an IP address. IP Spoofing is a common way for
hackers to hide their location and identity.
SSL (Secure Sockets Layer): Technology that allows you to send information that
only the server can read. SSL allows servers and browsers to encrypt data as they
communicate with each other. This makes it very difficult for third parties to
understand the communications.
TCP: Transmission Control Protocol. TCP is one of the main protocols in TCP/IP
networks. Whereas the IP protocol deals only with packets, TCP enables two hosts to
establish a connection and exchange streams of data. TCP guarantees delivery of data
and also guarantees that packets will be delivered in the same order in which they were
sent.

Telnet: A program that connects a computer to a server on a network. It allows a user
to control some server functions and to communicate with other servers on the network.
Telnet sessions generally require a valid username and password. Hackers commonly
use Telnet to hack into corporate network systems.
Tempest: Illegal interception of data from computers and video signals.
Trojan or Trojan Horse: Like the fabled gift to the residents of Troy, a Trojan Horse
is an application designed to look innocuous. Yet, when you run the program it installs
a virus or memory resident application that can steal passwords, corrupt data, or
provide hackers a back door into your computer. Trojan applications are particularly
dangerous since they can often run exactly as expected without showing any visible
signs of intrusion.
UDP: User Datagram Protocol. UDP is a connectionless protocol that, like TCP, runs
on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery
services, offering instead a direct way to send and receive datagrams (packets) over an
IP network. UDP is used primarily for transmitting time-sensitive information over a
network such as streaming media or interactive games.
UNIX: A widely used operating system in large networks.
VPN: Virtual Private Network. These networks use public connections (such as the
Internet) to transfer information. That information is usually encrypted for security
purposes.
Vulnerability: Point where a system can be attacked.
War Dialer: A program that automatically dials phone numbers looking for computers
on the other end. They catalog numbers so that hackers can call back and try to break
in.
Warez: A term that describes Pirated Software on the Internet. Warez include cracked
games or other programs that software pirates distribute on the Internet.
Wire Tapping: Connecting to a network and monitoring all traffic. Most wire tapping
features can only monitor the traffic on their subnet.
Worm: A program that seeks access into other computers. Once a worm penetrates
another computer it continues seeking access to other areas. Worms are often equipped
with dictionary-based password crackers and other cracker tools that enable them to
penetrate more systems. Worms often steal or vandalize computer data. Many viruses
are actually worms that use e-mail or database systems to propagate themselves to other
victims.

