Portà Serviceà Application àErrors >> Vulnerabilitiesè Compromise Security:
Have you got any clue on what I am going to write here by seeing the above equation?
From the result of the equation you might be have got the hint that I am going to write about the factors that compromise security.
My previous post focused on breaking in to computers by re-setting passwords or changing the admin/root passwords and also gaining admin privileges from guest accounts. These are breaking in to computers for which you have physical access. Then, what about remote computers? If the computer is connected to internet then there is every chance of it being attacked. It can be your own computer if connected to internet or LAN.
You see, when you are connected to the Internet, then you have millions of other untrusted systems connected to it as well. If somehow someone found out your IP address, then they could do probably anything to your system. They could exploit any vulnerability existing in your system, damage your data, and even use your system to hack into other computers.
What I mean to say by that is that there are a number of Scripts and utilities available which scan all IP addresses between a certain range for predefined common vulnerabilities. For Example, Systems with File Sharing Enabled or a system running an OS which is vulnerable to the Ping of Death attack etc etc As soon as a vulnerable system is found, then they use the IP to carry out the attacks.
Let’s see how one can break in to a computer at remote location connected to internet.
I will also shed light on how to secure your system whether connected to internet / LAN or simply a standalone system.
Before going further, let’s understand the terms port and port numbers.
What is a port?
In computer networking, the term port can refer to either physical or virtual connection points. Physical network ports allow connecting cables to computers, routers, modems and other peripheral devices. Several different types of physical ports available on computer network hardware include: Ethernet ports, USB ports, serial ports.
Virtual ports are part of TCP/IP networking. These ports allow software applications to share hardware resources without interfering with each other. Computers and routers automatically manage network traffic traveling via their virtual ports. Network firewalls additionally provide some control over the flow of traffic on each virtual port for security purposes.
What is a Port number?
A port number is a way to identify a specific process to which an Internet or other network message is to be forwarded when it arrives at a server. For the Transmission Control Protocol and the User Datagram Protocol, a port number is a 16-bit integer that is put in the header appended to a message unit. This port number is passed logically between client and server transport layers and physically between the transport layer and the Internet Protocol layer and forwarded on.
Port numbers are the entry and exit points of your computer. Standard services run on standard port numbers and from the port number, you get to know the service running on your computer, service is used to access an application and, any errors in the application is a vulnerability which makes the job of attacker easy. A software/script/code can be written to take advantage of this vulnerability. So, are the open ports a threat to security? Then, how can I find the open ports on my computer?
We can find out the network statistics using netstat command. In the command prompt, type “netstat –a” without quotes and press enter. The –a option is used to display all open connections on the local machine. It also returns the remote system to which we are connected to, the port numbers of the remote system we are connected to (and the local machine) and also the type and state of connection we have with the remote system.
Here we go,
Let me pick up the last line and explain the output:
Proto Local Address Foreign Address State
TCP prince: 4226 bom01s01-in-f83.1e100.net: https ESTABLISHED
lets see what each term means,
Protocol: TCP (This can be Transmission Control Protocol or TCP, User Datagram Protocol or UDP or sometimes even, IP or Internet Protocol.)
Local System Name: prince (This is the name of the local system that you set during the Windows setup)
Local Port opened and being used by this connection: 4226
Remote System: bom01s01-in-f83.1e100.net (This is the non-numerical form of the system to which we are connected.)
Remote Port: https (This is the port number of the remote system bom01s01-in-f83.1e100.net to which we are connected.)
State of Connection: ESTABLISHED
So from the above what we can see is ‘netstat –a’ shows the open ports on my system and anyone can connect to them.
How do I know if an open port is a threat to my system's security or not? How can I close those ports?
Before going in to that, let us know a bit more about the ports
Ports and their ranges:
Standard well known ports range: 0 to 1023.
The ports in this range are bound to services running on them. Each port has usually has a specific service running on it. You see there is an internationally accepted Port Numbers to Services rule, (refer RFC 1700
Here) which specifies as to on what port number a particular service runs. For Example, By Default or normally FTP runs on Port 21. So if you find that Port 21 is open on a particular system, then it usually means that that particular system uses the FTP Protocol to transfer files.
The Registered Ports range: 1024 to 49151.
This range of port numbers is not bound to any specific service. Actually, networking utilities like your Browser, Email Client, FTP software opens a random port within this range and starts a communication with the remote server. A port number within this range is the reason why you are able to surf the net or check your email etc.
If you find that when you give the netstat -a command, then a number of ports within this range are open, then you should probably not worry. These ports are simply opened so that you can get your software applications to do what you want them to do. These ports are opened temporarily by various applications to perform tasks. They act as a buffer transferring packets (data) received to the application and vice-versa. Once you close the application, then you find that these ports are closed automatically. For Example, when you type www.hotmail.com in your browser, then your browser randomly chooses a Registered Port and uses it as a buffer to communicate with the various remote servers involved.
The Dynamic and/or Private Ports: 49152 to 65535.
This range is rarely used, and is mostly used by Trojans, however some application do tend to use such high range port numbers. For Example, Sun starts their RPC ports at 32768.
What we have to do when the netstat command gives us the couple of open ports?
1. Check the Trojan Port List and check if the open port matches with any of the popular ones. If it does then get a Trojan Removal and remove the Trojan.
2. If it doesn't or if the Trojan Remover says: No Trojan found, then see if the open port lies in the registered Ports range. If yes, then you have nothing to worry, so forget about it.
How can you safeguard your system?
How can you know if some one is trying to enter your system through any of the open ports? The answer is a firewall; most anti virus software are providing inbuilt firewalls these days.
What exactly a Firewall do?
Well, in a non-technical language, a firewall is basically a shield which protects your system from the untrusted non-reliable systems connected to the Internet. It is software which listens to all ports on your system for any attempts to open a connection and when it detects such an attempt, then it reacts according to the predefined set of rules. So basically, a firewall is something that protects the network (or system) from the Internet.
Now, for a better 'according to the bible' definition of a firewall: A firewall is best described as software or hardware or both Hardware and Software packet filter that allows only selected packets to pass through from the Internet to your private internal network.
NOTE: This was a very brief description of what a firewall is! I would not be going into the details of their working.
The term 'Firewalls', (which were generally used by companies for commerical purposes) has evolved into a new term called 'Personal Firewalls'. Now this term is basically used to refer to firewalls installed on a standalone system which may or may not be networked i.e. It usually connects to an ISP. Or in other words a personal firewall is a firewall used for personal use.
Firewalls listen to all ports for any connection requests received (from both legitimate and fake hosts) and sent (by applications like Browser, Email Client etc.) As soon as such an instance is recorded, it pops up a warning asking you what to do or whether to allow the connection to initiate or not. This warning message also contains the IP which is trying to initiate the connection and also the Port Number to which it is trying to connect i.e. the Port to which the packet was sent. It also protects your system from Port Scans, DOS Attacks, Vulnerability attacks etc. So basically it acts as a shield or a buffer which does not allow your system to communicate with the untrusted systems directly.
Most Personal Firewalls have extensive logging facilities which allow you to track down the attackers. Some popular firewalls are:
1. BlackICE Defender: It’s an IDS for PC's. It's available at http://www.networkice.com.
2. ZoneAlarm: The easiest to setup and manage firewall. Get it for free at: www.zonelabs.com
Once you have installed a firewall on your system, you will often get a number of Warnings which might seem to be as if someone is trying to break into your system, however, they are actually bogus messages, which are caused by either your OS itself or due to the process called Allocation of Dynamic IP's. For a detailed description of these two, I will post in my forthcoming posts. This comes to an end of our discussion on breaking in to remote computers and safeguarding our systems from remote attacks. Hope this is useful for you.