Security, the reality…. the facts
Oct 11, 2004 at 08.51 am posted by Veerle Pieters
As promised we’re back with the second part of our security post. A big thanks to Kenneth for providing the background info and tips.
It must be unbelievable what sites like Microsoft.com or Apple.com have to cope with if even a lesser known server like the one hosting this site has to deal with about 20 serious warnings a day. Not so long ago I heard that Microsoft needs 150 servers to keep Microsoft.com running smoothly (I don't know if that's true). So without further delay, here are the real facts from the server farm at Level 3 that we promised on Friday:
Server and firewall
- BXL1 produces 4 GB of web logs a day, which are rotated and kept for 3 days (according to our government you should keep these for 10 years, which would cost a small fortune)
- The firewall generates almost 700 warnings a day, ranging from minor warnings to almost 20 major ones (password hacks, malformed packets, etc.)
- The database server gets 3255079 requests/hour and still has about 92% idle time!
- The server administrator spends about 10 minutes a day examining the logs of 3 web servers and the firewall to get a clearer picture of where the danger lies.
- Patching a Linux or Xserve server takes about an hour a month, which is pretty reasonable.
- Patching a Windows server (the server below ours is Windows) drives this up to a day a month.
- The web server has been running for 126 days without a restart, and that's no record.
- The database server (MySQL) has an uptime of 139 days so far.
- The most common hacks are: trying Windows hacks on an Apache web server running on Unix (this happens A LOT)
- Countless attempts to log in through FTP by guessing a password (FTP is unencrypted, so very vulnerable) and a couple of ssh exploits. ssh exploits are very dangerous because Windows dummies don't know them, so anyone who uses them has both the knowledge and the skills.
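The daily log check described above is where the FTP password guessing and ssh attempts show up. As an added example (not code from the post or from the server's administrator), here is a small Python triage script of the kind that turns ten minutes of reading auth logs into a per-source summary. The log lines are constructed: the host name "bxl1", the process names, and all addresses are made up, and the sshd and vsftpd line formats are simplified stand-ins for the real ones.

```python
import re
from collections import defaultdict

# Constructed sample auth log (hypothetical host, PIDs and addresses; simplified sshd/vsftpd formats).
SAMPLE_LOG = """\
Oct 11 08:40:01 bxl1 sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 4022 ssh2
Oct 11 08:40:03 bxl1 sshd[2102]: Failed password for invalid user test from 198.51.100.7 port 4023 ssh2
Oct 11 08:40:05 bxl1 sshd[2103]: Failed password for root from 198.51.100.7 port 4024 ssh2
Oct 11 08:40:07 bxl1 sshd[2104]: Failed password for root from 198.51.100.7 port 4025 ssh2
Oct 11 08:40:09 bxl1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 4026 ssh2
Oct 11 08:41:10 bxl1 sshd[2110]: Accepted publickey for veerle from 203.0.113.5 port 51022 ssh2
Oct 11 08:41:30 bxl1 CRON[2111]: (root) CMD (run-parts /etc/cron.hourly)
Oct 11 08:42:00 bxl1 vsftpd[2200]: FAIL LOGIN: Client "203.0.113.9"
Oct 11 08:42:01 bxl1 vsftpd[2201]: FAIL LOGIN: Client "203.0.113.9"
Oct 11 08:42:02 bxl1 vsftpd[2202]: FAIL LOGIN: Client "203.0.113.9"
Oct 11 08:50:00 bxl1 sshd[2300]: Failed password for veerle from 203.0.113.5 port 51030 ssh2
Oct 11 09:00:01 bxl1 sshd[2400]: Failed password for bob from 192.0.2.40 port 6001 ssh2
Oct 11 09:00:02 bxl1 sshd[2401]: Failed password for bob from 192.0.2.40 port 6002 ssh2
Oct 11 09:00:03 bxl1 sshd[2402]: Failed password for bob from 192.0.2.40 port 6003 ssh2
Oct 11 09:00:04 bxl1 sshd[2403]: Failed password for bob from 192.0.2.40 port 6004 ssh2
Oct 11 09:00:05 bxl1 sshd[2404]: Failed password for bob from 192.0.2.40 port 6005 ssh2
Oct 11 09:00:09 bxl1 sshd[2405]: Accepted password for bob from 192.0.2.40 port 6006 ssh2
"""

FAILED_SSH = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_SSH = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
FAILED_FTP = re.compile(r'ftpd\[\d+\]: FAIL LOGIN: Client "(?P<ip>[\d.]+)"')


def parse_line(line):
    """Classify one log line as ssh_fail / ssh_ok / ftp_fail with its fields, or None for noise."""
    m = FAILED_SSH.search(line)
    if m:
        return "ssh_fail", {"user": m["user"], "ip": m["ip"], "invalid_user": m["invalid"] is not None}
    m = ACCEPTED_SSH.search(line)
    if m:
        return "ssh_ok", {"user": m["user"], "ip": m["ip"], "method": m["method"]}
    m = FAILED_FTP.search(line)
    if m:
        return "ftp_fail", {"ip": m["ip"]}
    return None


def triage(log_text, fail_threshold=5):
    """Summarise login failures per source address and flag the patterns worth a closer look."""
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "invalid_users": 0, "accepted": []})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                      # cron and other noise is skipped, not counted
        kind, f = parsed
        entry = per_ip[f["ip"]]
        if kind == "ssh_ok":
            entry["accepted"].append((f["user"], f["method"]))
        else:
            entry["fails"] += 1
            if kind == "ssh_fail":
                entry["users"].add(f["user"])
                if f["invalid_user"]:
                    entry["invalid_users"] += 1   # guessing account names, not just passwords
    report = {}
    for ip, e in per_ip.items():
        flags = []
        if e["fails"] >= fail_threshold:
            flags.append("brute-force")
        if e["invalid_users"] >= 2:
            flags.append("user-enumeration")
        if e["fails"] >= fail_threshold and e["accepted"]:
            flags.append("SUCCESS-AFTER-FAILURES")  # a burst of failures followed by a login: investigate
        report[ip] = {"fails": e["fails"], "users_tried": sorted(e["users"]),
                      "accepted": e["accepted"], "flags": flags}
    return report


if __name__ == "__main__":
    for ip, r in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["fails"]):
        print(f"{ip:15} fails={r['fails']:2} users={r['users_tried']} accepted={r['accepted']} {r['flags']}")
```

The threshold of five failures is an arbitrary constructed value; the point is the third flag: a source that fails repeatedly and then gets an "Accepted password" is the one case in this sample that needs a human the same day, while the three FTP failures from one address are just the background noise the post describes.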
Spam
About 3000 spam mails a day: 93% of the mails delivered to a mailbox on the mail server get the tag 'spam' by SpamAssassin.
Security something new?
If you think that security is something recent I have to disappoint you; here is a Short History of Computer Viruses and Attacks. Another good read is the article Hacking: A history published by BBC Online.
Also interesting are some facts from "Maximum Security: A Hacker's Guide" from Sams Publishing. This book is written for system administrators who need to know how to keep their systems secure from unauthorized use. The anonymous author takes a hacker's view of various systems, focusing on how the system can be cracked and how you can secure the vulnerable areas.
- Between 1992 and 1995 an organization attacked 38,000 computers of the Defense Department; they succeeded on 65% of them, and 96% hadn't even noticed it after a few days.
- The American Defense Department has to cope with 250,000 cyber attacks a year.
- A country or organization that wants to start a cyber war needs roughly 120 programs and a budget (hardware included) of 1 million dollars.
- In February 1998 a teenager from Israel succeeded in penetrating the central network of the Pentagon (after getting through 3 outer layers). Before they knew it was a teenager they called it one of the most organized and systematic attacks of all time.
- In January 2000 thieves stole 300,000 credit cards from CD Universe. At that time it was the biggest theft of credit cards ever made public.
As you can see, security is not something to take lightly. It all begins with which password you are using. It is amazing how many people use a password that gets cracked in seconds, like john01. We once ran a test with "John the Ripper" on a password list of our users, and it only took our 2 GHz Xserve about 15 seconds to get 8 results. After 30 min. more than 30 passwords were available to us.
So what do you have to do to get a very secure password?
For starters, don't use a password that is the same as your user name, anybody's name (real or imaginary), any phone number, anybody's birth date, or any word in any dictionary. Hackers have dictionaries for languages like Klingon, Urdu, Hindi, etc.
Most password crackers work with what is called a dictionary attack: they take a list of known bad passwords, hash them, and compare the hashes to those in the target machine's password file.
A few tips to improve security:
- The best known way to get a very secure password is to use a password generator, but usually the results are hard to remember.
- Update your PC to Windows XP Service Pack 2
- Don't leave the firewall in its default settings, since most people use those. Modifying those defaults just a little can already save you from becoming a target.
- Never set up shares that don't require a password, because even after TCP/IP routing they are accessible.
- Don't ever double-click an attachment, even from people you know (always scan attachments).
In 2003 all viruses combined cost the economy 55 billion dollars! Money that could be spent on creating a better world for us all. As we saw in the comments on the first part of this security post, keeping your PC safe requires a big effort, sometimes even a daily check for security updates. The conclusion is that it is possible to keep your PC safe, but it comes with a whole baggage of knowledge and a big change in attitude. For me personally that's too much; I like that I don't have to worry about viruses and attachments, etc. That's why I am thankful that all those things don't require that much effort on a Mac.
1
Good info. Really puts all this into perspective.
You might want to include that adding a number to your password somewhere in the middle improves the security a lot, as it makes sure you’re not on any lists. (Partially converting your password to 1337 speak is a good way to make it safe while keeping it easy for you to remember.)
PS. One nitpick: “the tag of ‘spam’ from spamassasin” should be “the tag of ‘spam’ by spamassasin”
2
Hi AkaXaka, the error is adjusted for your reading pleasure, thanks ;-) Yes, I’ve heard the same advice too; using some numbers somewhere in the middle is indeed advisable.
3
As IT coordinator and system administrator of one of the biggest schools in Flanders, security is a big concern for me. Not only directly, for our school’s network, but also indirectly: every single day more than one colleague, or student, or friend, ... tries to find me to express his or her concern and frustration. Dozens of times I heard them say: “I’m sick of it: I paid xx for my computer, I pay xx for my internet connection, I paid xx for a serious anti-virus program, and still I can’t work safely. I have to put hours just into trying to be safe, while I’m always afraid to do something wrong or that something will go wrong...”
I made webpages full of tips and tricks, clearly explaining the dangers and how to arm your computer against them. But sometimes it happens that even I can’t help them: heavy problems, ever-returning malware, deeply rooted viruses…
WinXP isn’t that bad at all, but without an active and constant security policy, it turns your computer into a jungle in no time. You’re right: that security policy needs a whole baggage of knowledge and a big change in attitude.
Everyone who dares to say that those security issues are an exaggeration is laughing at our job and at the work of thousands of sysadmins and network managers. The whole thing just eats lots of my free time. It *IS* a problem.
By the way: for the last few months our webserver has been under serious attack, and our forum keeps getting subscriptions from non-existing users (always with password qo9iuTY8), pointing to not so decent commercial sites.
4
Very useful information indeed. You actually had me going all Sunday researching whether or not my Mac is as invulnerable as I like to think. It turns out that it is quite safe as long as common sense is applied, but I did learn a lot anyway. Quite a lot of passwords got changed today.
-m
5
For a normal PC user, would it not suffice to
a - use a decent AV with weekly updates
b - use a decent firewall
c - use a safe browser
d - use a spyware scanner
e - use care with attachments
All of these options are free: AVG, Sygate, Firefox, Adaware ...
I spend hours online every day and apart from spam the above solution keeps all problems out. I haven't had a virus in months.
Or am I missing something?
Veerle, btw I use your CSS PDF daily. You have so many good resources!
Greetings from Brussels.
6
For the record, Microsoft have ‘behind the scenes’ information about their website at a microsite: http://www.microsoft.com/backstage It’s really quite an interesting read.
Those stats on patching a Linux/XServe/Windows box really put the MS “Get the facts on Linux” campaign into perspective! Lower TCO my foot!
You’re absolutely right: security is a big issue and more of us (even casual home PC users) need to start paying attention. We all need to keep our systems patched, run up-to-date AV software and have some kind of firewall. For a broadband connection, I highly recommend a hardware-based firewall, for the simple reason that it’s so cheap and easy. Even in Australia, the cost of a DSL router with firewall features is less than AUD$200 (USD$145, EUR$120)--buy the firewall as part of your modem/router!
If you don’t know why you need to worry about security, read Bruce Schneier’s Secrets and Lies; I consider it essential reading for anyone managing or making decisions on PC or network security.
7
Concerning the passwd advice you guys were talking about. Putting numbers in passwds doesn’t add anything to the security. There are brute force lists available that contain w0rds l1k3 th3s3. Launching a brute force attack using these lists will find them in seconds.
A better alternative is the use of passphrases like: “I like Belgian waffles”. It’s easy to remember and passwd bruteforcers will have a very hard time finding these ones.
Without going into detail, the real strength in a good passwd lies in the randomness.
If you want to read more there is an excellent article recently published on http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
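The post's advice (no user names, no dictionary words) and the point in the comment above (numbers and leet spelling are already in the cracking lists; passphrases fare better) can both be checked mechanically before a password is accepted. The following Python checker is an added example, not code from the post or from any of the commenters: it undoes the substitutions a cracker's rule set would try, rejects user names and single dictionary words however they are decorated, and gives a passphrase credit per word. The tiny word list, the assumed attacker dictionary size of 50,000 words and the 60-bit threshold are constructed assumptions standing in for a real dictionary and a real policy.

```python
import math
import re

# Constructed mini word list; a real check would load a system dictionary plus known-bad password lists.
WORDLIST = {"john", "password", "secret", "belgian", "waffles", "like", "summer", "welcome"}
DICT_SIZE_ASSUMED = 50_000        # assumption: how many words an attacker's list holds
RULE_VARIANT_BITS = 10            # assumption: ~1000 decoration/leet variants tried per word

# Reverse the substitutions crackers apply as rules (the comment's "w0rds l1k3 th3s3").
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw):
    """Lower-case and undo leet substitutions, so 'p4$$w0rd' is judged as 'password'."""
    return pw.lower().translate(LEET_MAP)


def core_word(pw):
    """Strip leading/trailing digits and punctuation first ('john01' -> 'john'), then normalize."""
    return normalize(re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw.lower()))


def charset_size(pw):
    """Size of the alphabet a brute-force attacker has to cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw): size += 26
    if re.search(r"[A-Z]", pw): size += 26
    if re.search(r"\d", pw): size += 10
    if re.search(r"[^A-Za-z0-9]", pw): size += 33
    return size


def brute_force_bits(pw):
    """Upper bound on strength: bits if the password were uniformly random over its charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw, username="", wordlist=WORDLIST, min_bits=60):
    """Return {'ok', 'bits', 'reasons'}; strength is the weakest of the attack models considered."""
    reasons = []
    core = core_word(pw)
    bits = brute_force_bits(pw)
    if username and core_word(username) == core:
        reasons.append("derived from the user name")
    if core in wordlist:
        # One list word plus decorations: the attacker only has to try the list and its rule variants.
        reasons.append(f"dictionary word '{core}' (number and leet variants are in the lists too)")
        bits = min(bits, math.log2(DICT_SIZE_ASSUMED) + RULE_VARIANT_BITS)
    else:
        words = normalize(pw).split()
        if len(words) >= 2 and all(w.isalpha() for w in words):
            # Passphrase model: each word is one dictionary guess, so strength grows per word.
            bits = min(bits, len(words) * math.log2(DICT_SIZE_ASSUMED))
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits, policy needs {min_bits}")
    return {"ok": not reasons, "bits": round(bits, 1), "reasons": reasons}


if __name__ == "__main__":
    for pw, user in [("john01", "john"), ("p4$$w0rd", ""), ("belgian waffles", ""),
                     ("I like Belgian waffles", ""), ("xK9#qLm2$vPz", "")]:
        r = check_password(pw, user)
        print(f"{pw!r:26} ok={r['ok']!s:5} bits={r['bits']:6} {'; '.join(r['reasons'])}")
```

With the constructed numbers, "john01" and "p4$$w0rd" both collapse to a single list word and fail, a two-word phrase is still too short, the four-word "I like Belgian waffles" clears the bar, and a random 12-character string passes on brute-force strength alone. A word list as small as this one cannot catch every concatenated phrase written without spaces; that is why the real check loads a full dictionary and why the comment's last sentence, that randomness is what counts, is the safer rule of thumb.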
8
Mac Home User - keep up to date with security patches, make sure the firewall is tweaked sufficiently, monitor logs once a month for suspicious entries, not one bit of trouble.
Win XP Work User - big company, good security at Lotus Notes and MS patch level, all by SMS. Never had a problem. However, other users have definitely wrecked their machines by sodding off to all sorts of websites and then running to me when their machines have been hi-jacked by spyware. They also are the types who double click that suspicious looking, but oh so tempting, email with the title Re: Hi!.
Just what is so attractive to a human about the word Hi?
Regarding awareness, I used to manage a Mac network and just running a serious firewall and using Etherpeek was enough to scare me into understanding the amount of malicious attempts, not successes, but desire to break and enter.
True, the OS needs to be hardcore in the security department, but that brings trade offs, which the average user does not wish to know about when buying that spanky new PC. Browsers being a particularly good example. Mac’s Safari recently went through a few, hmm, that handy redirecting schema or direct application access from the browser sure is handy but sure is unsafe.
So in the end, like all things in life, the balance must be struck between user awareness and corporate OS responsibility.
I don’t think this will be a problem in 10 years as most 5 year olds know how to program better than I do, so the next generation will be that much more conscious of it all.