ch16.htm

Maximum Security (First Edition) 网络安全 英文版

an algorithm (these variables are used as the keys). The extraordinary thing is that
if, in the creation of a new account, a cracker issues the same username and PID
as the target, the resulting SID will be identical. Why didn't techs at Microsoft
base this process on using the time and as a random number generator? This at least
would create a digital value that would be reasonably unusual. In any event, this
is academic. All legacy databases created in Microsoft Access 1.0 are vulnerable
to another attack that is so simple, I will not print it here. Many businesses rely
on such legacy databases, and I do not see how revealing that method will contribute
to security. The problem has never been fixed by Microsoft and never will be. However,
programmers are well aware of this flaw.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Hints about the flaw: The &quot;unique&quot;
	SID created at setup for the Admins is written to disk 1 of the distribution. Also,
	anyone with another version of <TT>SYSTEM.MDA</TT> can access restricted files. Lastly,
	and perhaps most importantly, the SID of any user can be read and manually altered,
	allowing any user to inherit the privileges of any user. Did you create any databases
	while having Admin rights? If so, anyone can completely seize control of your Access
	database.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>If you are interested
	in this flaw, check out <A HREF="ftp://ftp.zcu.cz/mirrors/winsite/win3/misc/acc-sec.zip"><TT>ftp://ftp.zcu.cz/mirrors/winsite/win3/misc/acc-sec.zip</TT></A>
	for more information.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>It is interesting to note that in
	the retail version of Windows 95, very few instances of the word <I>security</I>
	occur in the help files. Indeed, these references refer to whether the software on
	your machine is legal. Microsoft appears to have little interest in the security
	of 95, except in terms of whether you have stolen it from them. This is in complete
	contrast to Windows NT. 
<HR>


</BLOCKQUOTE>

<P>No doubt about it. Out-of-the-box security for Windows 95 sucks. What can be done
about it? Well, many imaginative software authors have been put to the task. Some
of their innovations are...well...interesting.
<H4><FONT COLOR="#000077"><B>CyberWatch</B></FONT></H4>
<P>CyberWatch is probably the most extreme solution I have encountered yet. This
software operates in conjunction with video cameras attached to the machine. The
software recognizes only those faces that are registered in its face database. The
machine actually looks at you to determine whether you are an authorized user. The
company claims that the technology on which CyberWatch is based is neural net material.</P>
<P>Although it is an interesting proposed solution to the problem, be assured that
given 10 minutes alone with a machine so configured, the talented cracker could bypass
the entire authentication procedure. Thus, this technology is most useful in offices
or other places where such access is unlikely to occur (or where individuals are
forbidden to turn off or reboot machines). CyberWatch can be found here:

<UL>
	<LI><A HREF="http://www.miros.com"><TT>http://www.miros.com</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>WP WinSafe</B></FONT></H4>
<P>WinSafe, a promising utility, allows control of individual drives on the machine
(see Figure 16.6). This allows you to bar unauthorized users from, say, a CD-ROM
drive.</P>
<P><A NAME="06"></A><A HREF="06.htm"><B>FIGURE 16.6.</B> </A><I><BR>
The WinSafe drive protection properties settings.</I></P>
<P>Of particular interest is that WinSafe protects network drives. Users can sample
the application by checking out the available shareware application.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>WARNING:</B></FONT><B> </B>The documentation suggests that
	using the Policy editor to set the REAL Mode DOS settings could potentially conflict
	with WinSafe. 
<HR>


</BLOCKQUOTE>

<P>WinSafe is available here:

<UL>
	<LI><A HREF="http://kite.ois.com.au/~wp/wpws.htm"><TT>http://kite.ois.com.au/~wp/wpws.htm</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Safe Guard</B></FONT></H4>
<P>The Safe Guard line of products (including Safe Guard Easy, Safe Guard Pro, and
PC/DACS for DOS/Windows) offers hard disk drive encryption, protection against booting
from a floppy, password aging, password authentication, and support for 15 users
per machine. The encryption choices are suitable, including both DES and IDEA, as
well as several others. Of special interest is that these products can be installed
over a network (thereby obviating the need to make separate installations). See the
following for more information:

<UL>
	<LI><A HREF="http://www.mergent.com/utimacohome.nsf/lookup/dms"><TT>http://www.mergent.com/utimacohome.nsf/lookup/dms</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Secure Shell</B></FONT></H4>
<P>Secure Shell (SSH) provides safe, encrypted communication over the Internet. SSH
is an excellent replacement for Telnet or rlogin. As of this writing, there is only
a 16-bit version for Windows, but it runs well on any TCP/IP implementation. SSH
is no ordinary utility. It uses IDEA and RSA encryption and is therefore extremely
secure. It is reported that once an hour, the keys are discarded and new keys are
made. SSH completely eliminates the possibility of third parties capturing your communication
(for example, passwords that might otherwise be passed in clear text). SSH sessions
cannot be overtaken or hijacked, nor can they be sniffed. The only real drawback
is that for you to use SSH, the other end must also be using it. While you might
think such encrypted communication would be dreadfully slow, it isn't. Enter the
following URL to visit one of the main distribution sites for SSH:

<UL>
	<LI><A HREF="http://www.datafellows.com/f-secure/"><TT>http://www.datafellows.com/f-secure/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Formlogic Surveillance Agent</B></FONT></H4>
<P>The Surveillance Agent is a simple but powerful tool for monitoring system processes.
It has two modes of operation. In one, evidence of your monitoring is revealed. In
the other, the surveillance occurs without a trace. The program is typically loaded
into memory (this can be done in a variety of ways) and begins logging. Alternatively,
you can specify a <I>trigger</I>, or certain event that will cause the agent to begin
the monitoring process (for example, if someone tries to access your personal diary,
this could trigger the agent to begin monitoring). The authors of this software were
very thorough. For example, you can actually disguise the Agent's process as some
other process (this is in case you have savvy crackers hanging around the workplace).
In all, this very comprehensive tool is tailor-made to catch someone in the act and
is probably suitable for investigating computer-assisted crime in the workplace.
For more information see

<UL>
	<LI><A HREF="ftp://ftp.rge.com/pub/systems/simtelnet/win3/security/spy1116.zip"><TT>ftp://ftp.rge.com/pub/systems/simtelnet/win3/security/spy1116.zip</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Fortres 101</B></FONT></H4>
<P>This product is an excellent tool. As stated on the Fortres home page, the product
can prevent:

<DL>
	<DD>users from interrupting boot process; exiting Windows; accessing a DOS prompt;
	adding, moving, or deleting icons; altering anything about the appearance of Windows;
	installing, copying or downloading software; running any programs not specified by
	administrator; using low level system tools; changing printer configurations; changing
	screen saver configurations; erasing important system files; saving files on the
	hard disk; and even looking at files on the hard disk.
</DL>

<P>The utility is supported under both Windows 3.11 and Windows 95. The price is
probably a deterrent for casual users, but system administrators who have labs or
offices with multiple Windows-based machines would do well to grab this product.
Find out more about it here:

<UL>
	<LI><A HREF="http://www.fortres.com/f101.htm"><TT>http://www.fortres.com/f101.htm</TT></A>
</UL>

<H3><FONT COLOR="#000077"><B>Holes</B></FONT></H3>
<P>Following are some holes and viruses of note. Some relate specifically to Microsoft,
while others are solely the responsibility of third-party vendors. Many of these
holes have been fixed. However, as I have mentioned, not everyone gets the latest
and the greatest. Many people may be running versions of software that have not been
patched.
<H4><FONT COLOR="#000077"><B>The Microsoft Word Macro Viruses</B></FONT></H4>
<P>It is surprising how many Microsoft users are unaware that sophisticated macros
can be written in the Microsoft Word environment. WordBasic, the language in which
such macros are written, is highly functional. In Word documents alone, WordBasic
can save a user many hours of editing. It fully supports <TT>while...if...then...else</TT>
conditional execution of commands. This level of functionality (when coupled with
recording of keystrokes) can automate almost any task performed in Word. For that
reason, WordBasic qualifies as a bona fide scripting language.</P>
<P>As you might expect, pranksters on the Net have found innovative, new uses for
the WordBasic language. One of those uses is to create malicious macros, or <I>macro
viruses</I>. These can be gotten from the Internet. They will infect your <TT>normal.dot</TT>,
thereby altering (and perhaps severely retarding) your default document environment.</P>
<P>The most well known of these macro viruses is called <I>Concept</I>. Concept infects
not only the <TT>normal.dot</TT> file but any DOC file it can access. Reportedly,
after the first infection (the first instance that Word is opened after initial infection),
every document saved thereafter will also be infected. It also reportedly works on
any platform that runs Word and has been found on at least one commercial CD-ROM
distribution, as noted by Graham Cluley in his article &quot;Another Instance of
Concept Macro Virus in Microsoft CD ROM&quot;:

<DL>
	<DD>We have come across another Microsoft CD ROM containing Concept, a MSWord macro
	virus. The CD ROM is called &quot;The Microsoft Office 95 and Windows 95 Business
	Guide.&quot; The infected file is \OFFICE95\EVIDENCE\ HELPDESK.DOC. The document's
	date is July 28th 1995, and the file date itself is August 17 1995.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>There is a reliable military
	site where you can acquire tools to determine whether your machine has been infected.
	That site is located at <A HREF="http://www-yktn.nosc.mil/Desktop_Support/winword/concept_virus.htp"><TT>http://www-yktn.nosc.mil/Desktop_Support/winword/concept_virus.htp</TT></A>.</P>
	<P>The main tool for identifying the virus is a Word document macro. You can get
	it at <A HREF="http://ded-2-nt.nosc.mil/~pub/MSOffice/Winword/virus/WVFIX.DOC"><TT>http://ded-2-nt.nosc.mil/~pub/MSOffice/Winword/virus/WVFIX.DOC</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>At one point, a fix was issued for this. It was called <TT>scanprot.dot</TT>,
and its primary purpose was to scan for the Concept virus. However, this tool was
somehow confused in the public's eyes as a utility that could identify all macro
viruses. Microsoft finally set the record straight. Since that time, many Word macro
viruses have cropped up. Here are just a few:

<UL>
	<LI>zenixos
	<LI>impostor
	<LI>nuclear.b
	<LI>hot
	<LI>wazzu
</UL>

<P>As you might guess, these types of viruses are becoming increasingly popular.
They are small, require almost no memory, and are easily concealed in downloadable
materials. These viruses do not represent a threat to Internet security, but they
can be caught from the Internet. Most of them do little more than corrupt your documents.
However, they are a nuisance, and you should take measures to prevent them from infecting
your machine. One way to do this is to disable automatically executed macro support
in Word.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>It is reported that the Microsoft
	Word Wizard will not operate if you disable automatic macro execution. If you are
	a frequent user of wizards, you may have to make some sacrifices.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find the authoritative
	sources for information on Word macro viruses at these locations:</P>
	<P><A HREF="http://www.datafellows.com/macro/faq.html">http://www.datafellows.com/macro/faq.html</A></P>
	<P><A HREF="http://gasp.berkeley.edu/virus/wordmacro.html">http://gasp.berkeley.edu/virus/wordmacro.html</A>
	
<HR>