ch04.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 4 -- Just Who Can Be Hacked, Anyway?</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch03/ch03.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch05/ch05.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">4</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Just Who Can Be Hacked, Anyway?</FONT></H1>
</CENTER>
<P>The Internet was born in 1969. Almost immediately after the network was established,
researchers were confronted with a disturbing fact: The Internet was not secure and
could easily be cracked. Today, writers try to minimize this fact, reminding you
that the security technologies of the time were primitive. This has little bearing.
Today, security technology is quite complex and the Internet is still easily cracked.</P>
<P>I would like to return to those early days of the Internet. Not only will this
give you a flavor of the time, it will demonstrate an important point: The Internet
is no more secure today than it was twenty years ago.</P>
<P>My evidence begins with a document: a <I>Request for Comments</I>, or <I>RFC</I>.
Before you review the document, let me explain what the RFC system is about. This
is important because I refer to many RFC documents throughout this book.
<H2><FONT COLOR="#000077"><B>The Request For Comments (RFC) System</B></FONT></H2>
<P>Requests for Comments (RFC) documents are special. They are written (and posted
to the Net) by individuals engaged in the development or maintenance of the Internet.
RFC documents serve the important purpose of requesting Internet-wide comments on
new or developing technology. Most often, RFC documents contain proposed standards.</P>
<P>The RFC system is one of evolution. The author of an RFC posts the document to
the Internet, proposing a standard that he or she would like to see adopted network-wide.
The author then waits for feedback from other sources. The document (after more comments/changes
have been made) goes to draft or directly to Internet standard status. Comments and
changes are made by working groups of the Internet Engineering Task Force (IETF).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The Internet Engineering
	Task Force (IETF) is &quot;... a large, open, international community of network
	designers, operators, vendors, and researchers concerned with the evolution of the
	Internet architecture and the smooth operation of the Internet.&quot; To learn more
	about the IETF, go to its home page at <A HREF="http://www.ietf.cnri.reston.va.us/"><B>http://www.ietf.cnri.reston.va.us/</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>RFC documents are numbered sequentially (the higher the number, the more recent
the document) and are distributed at various servers on the Internet.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>One central server from
	which to retrieve RFC documents is at <A HREF="http://ds0.internic.net/ds/dspg0intdoc.html"><B>http://ds0.internic.net/ds/dspg0intdoc.html</B></A>.
	This address (URL) is located at InterNIC, or the <I>Network Information Center</I>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>InterNIC</B></FONT></H3>
<P>InterNIC provides comprehensive databases on networking information. These databases
contain the larger portion of collected knowledge on the design and scope of the
Internet. Some of those databases include

<UL>
	<LI>The WHOIS Database--This database contains all the names and network numbers
	of hosts (or machines) permanently connected to the Internet in the United States
	(except <TT>*.mil</TT> addresses, which must be obtained at <TT>nic.ddn.mil</TT>).<BR>
	<BR>
	
	<LI>The Directory of Directories--This is a massive listing of nearly all resources
	on the Internet, broken into categories.<BR>
	<BR>
	
	<LI>The RFC Index--This is a collection of all RFC documents.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>All these documents are
	centrally available at <A HREF="http://rs.internic.net"><B>http://rs.internic.net</B></A>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>A Holiday Message</B></FONT></H2>
<P>As I mentioned earlier, I refer here to an early RFC. The document in question
is RFC 602: <I>The Stockings Were Hung by the Chimney with Care</I>. RFC 602 was
posted by Bob Metcalfe in December, 1973. The subject matter concerned weak passwords.
In it, Metcalfe writes: The ARPA Computer Network is susceptible to security violations
for at least the three following reasons:

<DL>
	<DD><B>1. </B>Individual sites, used to physical limitations on machine access, have
	not yet taken sufficient precautions toward securing their systems against unauthorized
	remote use. For example, many people still use passwords which are easy to guess:
	their fist [sic] names, their initials, their host name spelled backwards, a string
	of characters which are easy to type in sequence (such as <TT>ZXCVBNM</TT>).<BR>
	<BR>
	<B>2. </B>The TIP allows access to the ARPANET to a much wider audience than is thought
	or intended. TIP phone numbers are posted, like those scribbled hastily on the walls
	of phone booths and men's rooms. The TIP required no user identification before giving
	service. Thus, many people, including those who used to spend their time ripping
	off Ma Bell, get access to our stockings in a most anonymous way.<BR>
	<BR>
	<B>3. </B>There is lingering affection for the challenge of breaking someone's system.
	This affection lingers despite the fact that everyone knows that it's easy to break
	systems, even easier to crash them.
</DL>

<P>All of this would be quite humorous and cause for raucous eye winking and elbow
nudging, if it weren't for the fact that in recent weeks at least two major serving
hosts were crashed under suspicious circumstances by people who knew what they were
risking; on yet a third system, the system wheel password was compromised--by two
high school students in Los Angeles no less. We suspect that the number of dangerous
security violations is larger than any of us know is growing. You are advised not
to sit &quot;in hope that Saint Nicholas would soon be there.&quot; That document
was posted well over 20 years ago. Naturally, this password problem is no longer
an issue. Or is it? Examine this excerpt from a Defense Data Network Security Bulletin,
written in 1993:

<DL>
	<DD>Host Administrators must assure that passwords are kept secret by their users.
	Host Administrators must also assure that passwords are robust enough to thwart exhaustive
	attack by password cracking mechanisms, changed periodically and that password files
	are adequately protected. Passwords should be changed at least annually.
</DL>

<P>Take notice. In the more than 25 years of the Internet's existence, it has never
been secure. That's a fact. Later in this book, I will try to explain why. For now,
however, I confine our inquiry to a narrow question: <I>Just who can be cracked?</I></P>
<P>The short answer is this: As long as a person maintains a connection to the Internet
(permanent or otherwise), he or she can be cracked. Before treating this subject
in depth, however, I want to define <I>cracked</I>.
<H2><FONT COLOR="#000077"><B>What Is Meant by the Term <I>Cracked</I>?</B></FONT></H2>
<P>For our purposes, <I>cracked</I> refers to that condition in which the victim
network has suffered an unauthorized intrusion. There are various degrees of this
condition, each of which is discussed at length within this book. Here, I offer a
few examples of this <I>cracked</I> condition:

<UL>
	<LI>The intruder gains access and nothing more (<I>access</I> being defined as simple
	entry; entry that is unauthorized on a network that requires--at a minimum--a login
	and password).<BR>
	<BR>
	
	<LI>The intruder gains access and destroys, corrupts, or otherwise alters data.<BR>
	<BR>
	
	<LI>The intruder gains access and seizes control of a compartmentalized portion of
	the system or the whole system, perhaps denying access even to privileged users.<BR>
	<BR>
	
	<LI>The intruder does NOT gain access, but instead implements malicious procedures
	that cause that network to fail, reboot, hang, or otherwise manifest an inoperable
	condition, either permanently or temporarily.
</UL>

<P>To be fair, modern security techniques have made cracking more difficult. However,
the gorge between the word <I>difficult</I> and the word <I>impossible</I> is wide
indeed. Today, crackers have access to (and often study religiously) a wealth of
security information, much of which is freely available on the Internet. The balance
of knowledge between these individuals and bona-fide security specialists is not
greatly disproportionate. In fact, that gap is closing each day.</P>
<P>The purpose of this chapter is to show you that cracking is a common activity:
so common that assurances from <I>anyone</I> that the Internet is secure should be
viewed with extreme suspicion. To drive that point home, I will begin with governmental
entities. After all, defense and intelligence agencies form the basis of our national
security infrastructure. They, more than any other group, must be secure.
<H2><FONT COLOR="#000077"><B>Government</B></FONT></H2>
<P>Throughout the Internet's history, government sites have been popular targets
among crackers. This is due primarily to press coverage that follows such an event.
Crackers enjoy any media attention they can get. Hence, their philosophy is generally
this: If you're going to crack a site, crack one that <I>matters</I>.</P>
<P>Are crackers making headway in compromising our nation's most secure networks?
Absolutely. To find evidence that government systems are susceptible to attack, one
needn't look far. A recent report filed by the Government Accounting Office (GAO)
concerning the security of the nation's defense networks concluded that:

<DL>
	<DD>Defense may have been attacked as many as 250,000 times last year...In addition,
	in testing its systems, DISA attacks and successfully penetrates Defense systems
	65 percent of the time. According to Defense officials, attackers have obtained and
	corrupted sensitive information--they have stolen, modified, and destroyed both data
	and software. They have installed unwanted files and &quot;back doors&quot; which
	circumvent normal system protection and allow attackers unauthorized access in the
	future. They have shut down and crashed entire systems and networks, denying service
	to users who depend on automated systems to help meet critical missions. Numerous
	Defense functions have been adversely affected, including weapons and supercomputer
	research, logistics, finance, procurement, personnel management, military health,
	and payroll.<FONT SIZE="2"><SUP>1</SUP></FONT>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT SIZE="2"><SUP>1</SUP></FONT><I>Information Security: Computer Attacks at Department
	of Defense Pose Increasing Risks</I> (Chapter Report, 05/22/96, GAO/AIMD-96-84);
	Chapter 0:3.2, Paragraph 1. 
<HR>


</BLOCKQUOTE>


<DL>
	<DD>
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B><I>Information Security:
	Computer Attacks at Department of Defense Pose Increasing Risks</I> is available
	online at<TT> </TT><A HREF="http://www.securitymanagement.com/library/000215.html"><B>http://www.securitymanagement.com/library/000215.html</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>That same report revealed that although more than one quarter of a million attacks
occur annually, only 1 in 500 attacks are actually detected and reported. (Note that
these sites are defense oriented and therefore implement more stringent security
policies than many commercial sites. Many government sites employ secure operating
systems that also feature advanced, proprietary security utilities.)</P>
<P>Government agencies, mindful of the public confidence, understandably try to minimize
these issues. But some of the incidents are difficult to obscure. For example, in
1994, crackers gained carte-blanche access to a weapons-research laboratory in Rome,
New York. Over a two-day period, the crackers downloaded vital national security
information, including wartime- communication protocols.</P>
<P>Such information is extremely sensitive and, if used improperly, could jeopardize
the lives of American service personnel. If crackers with relatively modest equipment
can access such information, hostile foreign governments (with ample computing power)
could access even more.