
Computer Security

 

In the last 6 months, we have seen an increase in the number of computers broken into. This problem has been seen on campus and REC computers alike. Recently, however, the number of computer break-ins at RECs has been climbing rapidly. In the last two weeks we have had a number of new machines broken into.

The result of these break-ins is usually the same. Many times the hacker wishes to use the computer as their own personal file server of sorts. The types of files they share include music, movies, and games. Other uses include scanning other machines and networks as well as attacking them. On some machines we have even found documents placed there by the hacker that listed a number of compromised machines along with administrator logins and passwords. They were apparently sharing this information through their file servers.

 

Software used

When they break into these machines, they will usually install a number of different programs to accomplish their tasks. Some of these programs are:

FTP servers - usually programs such as Serv-U, which is denoted by an icon with a large green "U". Intruders have been known to rename this program; however, the icon remains the same.

Remote administration - DameWare for NT is a common program they use to take over a computer. It is usually installed silently so that it is not noticed. This program allows the intruder to see your desktop as you see it on your monitor.

Service programs - programs such as Fire Daemon allow other programs to run in the background as an NT service. This allows the program to start up and run every time the computer is restarted.

Scanning programs - allow a computer to be used to scan other computers and networks for weaknesses. These weaknesses can later be exploited by the intruder, using the currently hacked machine as a springboard to help hide his/her footsteps.

 

Why are these computers attacked so often?

Fast internet access - these intruders are looking for the fastest access they can find with which to share their files.

Poor (or missing) passwords on computers - This is arguably the most important reason. It is the most common (and most overlooked) security hole found on NDSU computers.

There are many programs on the internet that will allow a person to connect to a Windows 2000/XP machine and discover all the user accounts on that machine, including accounts with administrator access. Once they have these, they will begin to attempt to log in, first trying with no passwords and then by using a dictionary program. In order to prevent this, it is critical that all accounts (servers and desktops) have login passwords and that they are at least 6 - 8 characters in length.

No firewall protection - Because we are an educational institution which is expected to have unrestricted access to the internet, we are placed outside the state's firewall.

A firewall is a barrier between our computers/networks and the internet. It prevents unauthorized access into our systems.

Attacks caused by troublesome software - Believe it or not, sometimes these attacks can be avoided by refusing to download unknown software. Many times, these attacks are started by a Trojan hiding inside some program downloaded off the internet. These Trojans can and will connect to a system out on the internet, alerting people to the fact that your computer has been compromised and can now be accessed.

 

How do you find out what software has been installed and where it is?

To do this we have been using tools known as port monitors. In terms of connecting to the internet, a port is basically a door to the internet that a program may use to send or receive information. A typical Windows machine has roughly 65,000 available ports. Most of these are never in use and are considered closed.

Whenever a program needs to either send or receive information, it will simply open a port and allow data through it.

What we monitor for is unusual activity. Certain programs always use the same ports. For example, ports 135, 139, and 445 are commonly used by Windows for its networking. What we look for are ports associated with programs we have never heard of, or ports in the higher numbers (10,000+).

Port monitors we use to do this are:

Vision by Foundstone Tools
Active Ports (Aports) by Smartline Inc.
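
The same triage can be run over text captured with the built-in Windows commands `netstat -ano` and `tasklist /fo csv /nh`. The Python sketch below is an added example, not a tool used by the authors of this page; the sample output, the process names and the `KNOWN_PROGRAMS` allow-list are constructed assumptions. It flags any open port that is owned by a program not on the allow-list or that falls in the 10,000+ range described above.

```python
import csv

# Constructed sample of `netstat -ano` output (not from a real machine).
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2121           0.0.0.0:0              LISTENING       1720
  TCP    0.0.0.0:15000          0.0.0.0:0              LISTENING       884
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:31500          *:*                                    1488
"""
# Constructed sample of `tasklist /fo csv /nh` output (image names are made up).
TASKLIST = '''\
"System","4","Console","0","212 K"
"svchost.exe","884","Console","0","3,120 K"
"unknownsvc.exe","1720","Console","0","5,004 K"
"helper.exe","1488","Console","0","1,876 K"
'''
KNOWN_PROGRAMS = {"system", "svchost.exe"}  # assumption: programs this site expects
HIGH_PORT = 10000                           # the page's "higher numbers" threshold

def pid_names(tasklist_csv):
    """Map PID -> image name from tasklist CSV output."""
    return {int(r[1]): r[0] for r in csv.reader(tasklist_csv.splitlines()) if len(r) >= 2}

def open_ports(netstat_text):
    """Yield (proto, port, pid) for listening TCP and bound UDP sockets."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield "TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])
        elif len(f) == 4 and f[0] == "UDP":
            yield "UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])

def triage(netstat_text, tasklist_csv):
    """Return (proto, port, program, reasons) for every port worth a closer look."""
    names, findings = pid_names(tasklist_csv), []
    for proto, port, pid in sorted(set(open_ports(netstat_text))):
        program = names.get(pid, "<no process for PID %d>" % pid)
        reasons = []
        if program.lower() not in KNOWN_PROGRAMS:
            reasons.append("unrecognized program")
        if port >= HIGH_PORT:
            reasons.append("high port")
        if reasons:
            findings.append((proto, port, program, reasons))
    return findings
```

Calling `triage(NETSTAT, TASKLIST)` returns three findings for the sample data; a high port owned by a recognized program is still reported so that it can be checked by hand.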

 

Why does it seem like when one computer is compromised, others are discovered shortly after?

When it comes to networks, many people have a false sense of security. Many people tend to believe that hackers only attack their computers from across the internet.

In truth, many times hackers will break into one machine and use that machine to gain access to others on the same network. This is especially true of servers: if a desktop with shared drives or other server access is compromised, the hacker will then have access to the server through that computer's shares. It also works with other users' shared folders, especially if they are not password protected. This is why it is very important to be sure every computer on the network is secured.

 

What can be done to improve the situation?

Use passwords - Make sure Windows 2000/XP is password protected. Try to use upper and lower case letters as well as numbers. We recommend a password at least 6 - 8 characters long.

Update Windows - Microsoft always seems to be releasing a new security patch for Windows. Be sure to run Windows Update (located in the Start menu) at least once a week to keep up on the latest security patches.


VP for Agriculture and University Extension

North Dakota State University, Fargo North Dakota

NDSU is an equal opportunity institution.