===============================================================
T H E   S E C U R I T Y   O U T P O S T   B U L L E T I N
===============================================================
February 18, 2000 | Vol. 1, #03 | http://www.securityoutpost.com

Contents

1. FEATURE: Attack of the Packet Monkeys
2. TIPS: Defense-in-Depth Against DDoS
3. TOOLS: Network Security -- Personal Firewalls
4. TOOLS: Filesystem Security -- Encryption Plus for Folders
5. TOOLS: Physical Security -- Anti-theft Devices

===============================================================
A service of PC Guardian | San Rafael, California
"Protecting Computers & Data Worldwide Since 1984"
===============================================================

--------------------------------------------------------
1. FEATURE: Attack of the Packet Monkeys
--------------------------------------------------------

Imagine your phone rings. No one there. Then it rings again and again, every 30 seconds. No one there each time. Pretty soon you stop picking up the phone. Then a friend tries to call but can't get through. That's a denial-of-service attack, conceptually similar to those that struck major Internet sites last week, including Yahoo!, eBay, Amazon.com, CNN, and Buy.com.

I'm starting this issue right where I left off last time ... musing about Distributed Denial-of-Service (DDoS) attacks. For a high-level description of DDoS, see last month's newsletter.[1] In short: the attacker first compromises a number of Internet servers and plants a Trojan horse program on each. The owners of these "zombie" systems typically don't even know that their computers are now owned by someone else. At the bad guy's behest, the zombies flood the target system with a variety of weird packets and requests (Yahoo apparently received as much as a gigabit of attack traffic per second, bandwidth equivalent to roughly 30,000 dialup modems). This effectively blacks out the victimized systems, denying all legitimate use.
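What does a flood like that look like in a router or firewall log, and how would you notice it? Here is an added example of my own (it is not code from this newsletter, from the attacked sites, or from any DDoS tool). It reads connection-attempt records in a constructed log format, counts TCP SYNs per second per destination, and flags a window that blows past a threshold. Two side measurements are reported to help separate a distributed flood from one noisy client: the number of distinct source addresses, and how many of those addresses fall in ranges that can never legitimately appear as a public source (private, loopback, multicast and reserved space), which is the fingerprint of forged packets. The log format, the 200-SYN threshold and the unroutable-address check are my assumptions, not anything the attacked sites published.

```python
"""Flag SYN floods in per-second log windows (added example, constructed log format)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed log format: "<epoch-seconds> src=<ip> dst=<ip> dport=<port> flags=<tcp flags>"
LOG_RE = re.compile(
    r"^(?P<ts>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>[A-Z]+)$"
)

# Address blocks that never legitimately appear as a source on the public
# Internet (RFC 1918 private space, loopback, link-local, multicast, reserved).
# A flood whose "sources" include these is carrying forged source addresses.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_unroutable(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in UNROUTABLE)


@dataclass
class WindowReport:
    window: int     # start of the one-second window (epoch seconds)
    dst: str        # target address
    syns: int       # TCP SYNs seen (connection attempts)
    sources: int    # distinct source addresses behind those SYNs
    forged: int     # SYNs from addresses that cannot be real sources
    flood: bool     # verdict


def analyze(lines, syn_threshold=200):
    """Group pure SYNs by (second, destination) and flag windows over the threshold.

    The threshold is an assumption standing in for a site's measured baseline.
    """
    syns = defaultdict(int)
    srcs = defaultdict(set)
    forged = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or "S" not in m["flags"] or "A" in m["flags"]:
            continue  # only a pure SYN starts a connection; skip SYN/ACK, ACK, noise
        key = (int(m["ts"]), m["dst"])
        syns[key] += 1
        srcs[key].add(m["src"])
        forged[key] += is_unroutable(m["src"])
    return [
        WindowReport(ts, dst, syns[(ts, dst)], len(srcs[(ts, dst)]),
                     forged[(ts, dst)], syns[(ts, dst)] > syn_threshold)
        for ts, dst in sorted(syns)
    ]


def sample_log():
    """Constructed traffic: a quiet second at t=99, then one second of flood at t=100."""
    lines = []
    # Normal traffic: three clients each open a connection and complete the handshake.
    for client in ("198.51.100.7", "203.0.113.9", "198.51.100.22"):
        lines.append(f"99 src={client} dst=192.0.2.10 dport=80 flags=S")
        lines.append(f"99 src={client} dst=192.0.2.10 dport=80 flags=A")
    # Flood: 1000 SYNs, each from a different forged 32-bit address and none of
    # them ever completing a handshake. Multiplying by an odd constant mod 2**32
    # is a bijection, so every address is distinct; some land in unroutable
    # space just as random forgeries would.
    for i in range(1, 1001):
        src = ipaddress.ip_address((i * 2654435761) % 2**32)
        lines.append(f"100 src={src} dst=192.0.2.10 dport=80 flags=S")
    return lines


if __name__ == "__main__":
    for report in analyze(sample_log()):
        print(report)
```

The quiet second reports three SYNs from three sources and no forgeries; the flood second reports a thousand SYNs from a thousand sources, a good fraction of them from unroutable space, and is flagged. That source-diversity figure is exactly why the logs are so little use for attribution: each "source" is used once and most never existed.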
Before we crack open this topic in depth, I'd like to note a couple of points regarding terminology:

* A DDoS attack is not a "hack". A hack is "an incredibly good, and perhaps very time-consuming, piece of work that produces exactly what is needed."[2] Remember, hackers are good guys who fix things. Reporters love to mangle language by attributing DDoS attacks to "hackers" when they really mean "criminals" or "attackers". I prefer the term "packet monkey" for these bottom-feeders. Denial-of-service attacks represent the lowest form of computer criminal activity, analogous to child molesters in the strata of real-world criminals. While the topology of DDoS attacks is complex, the attackers themselves are using downloaded tools written by others -- no creativity required. As Marcus Ranum points out: "I've always been bemused by the whole denial of service thing. It seems so pointless. It's just vandalism; not even as cool as virus writing, and virus writing is very uncool."[3]

* A DDoS attack is not a "crack" in the sense that the enemy actually breaks in or gains access to the victim systems. It does not violate confidentiality -- so don't worry that the credit card you provided to Amazon.com last week has been stolen. Nor does it violate integrity -- the web sites attacked by the packet monkeys have not had their pages altered or defaced. (The zombie hosts, of course, were broken into; it is the flooded targets whose confidentiality and integrity are intact.)

It's highly unlikely that the culprits behind the latest attacks will ever be caught. Why? Although they're not criminal geniuses, they were smart enough to use stealthy tools. I don't envy the FBI investigators who have to pore over gigabytes of logs only to find millions of spoofed source IP addresses.

The victims of these attacks have NOT been randomly selected. They form a pattern: publicly traded ecommerce companies (Buy.com was attacked the day it went public). Investigators are almost certainly looking at trading activity in these companies' stocks. If they aren't, they should be.

The attacks are likely to continue, given the pattern thus far. Nothing indicates last week's attacks were a one-off. We all need to prepare ourselves for more disruption. As more and more critical systems are made available via the Internet, there's a temptation to phase out traditional systems. No one should ever rely on the availability of any given web site at any given time for anything critical.

--------------------------------------------------------
2. TIPS: Defense-in-Depth Against DDoS
--------------------------------------------------------

How can you protect yourself against Distributed Denial-of-Service attacks? In a strict sense, you can't. DDoS traffic looks just like regular traffic, except there's a lot more of it. Distinguishing between the two is what's known in computer science as a "hard problem". If you're responsible for the security of an Internet Service Provider or an ecommerce site and have a substantial budget and/or corporate commitment to information security, there are steps you can take, but they're neither cheap nor easy.[4]

Most of us aren't network engineers at the type of large site that's been hit by DDoS. The best way for the Internet community to prevent these kinds of attacks is to deprive the attackers of their zombie hosts. What we really need now is an all-out push by businesses and individuals to secure each and every computer on the Internet against the "well-known vulnerabilities" that enabled last week's attacks. We all need to implement defense-in-depth.

Defense-in-depth is an age-old approach to security -- successive rings of defenses discourage attackers and increase their workload. The basic idea is to set up redundant security safeguards. If one fails, another is in place. Think of a medieval castle. If attackers get through the moat, they still must scale the outer walls. Once past the outer walls, they face defenders in the inner ramparts.
Once past the ramparts, they must still reach a keep with only one entry point -- 30 feet above the ground. And the defenders have kicked out the ladder.

The same principles can be applied to computer security. The outermost ring of most systems is composed of network security measures like firewalls. An attacker who gets through this perimeter must still deal with account security, at least on systems that support user accounts and meaningful user authentication. At the core of system security is filesystem security -- files are protected either by user permissions or access control lists, or by filesystem encryption. Finally, there's physical security to consider, since the most thorough way to defeat system security is to steal the machine. The next three sections will consider each of these in turn, with recommendations for tools that can provide deep defense in each area.

--------------------------------------------------------
3. TOOLS: Network Security -- Personal Firewalls
--------------------------------------------------------

In building construction, a firewall keeps a fire from spreading from one building, or part of a building, to another. A classic Internet firewall sits between a Local Area Network and the Internet, or between a trusted network and an untrusted one, and restricts the flow of information between the two. Internet firewalls have been around for close to ten years -- there are dozens of commercial and public domain firewall systems available. For a partial list, see http://www.waterw.com/~manowar/vendor.html

Although traditional firewalls are a linchpin of network security, most of them are problematic in one way or another: they're complex to install and manage; they require separate dedicated hardware; they're expensive. By definition, they provide perimeter defense -- what if the attacker is already inside? What if the attacker is an insider? What about all the soft and defenseless Windows PCs that live on most corporate networks? Or all the home PCs with new high-speed "always on" DSL or cable modem connections?

Enter the personal firewall. This new class of "mini" or "host-based" firewalls typically protects a single Windows-based personal computer against network threats. Most of these programs inspect all incoming and outgoing TCP/IP packets and match them against known attack or intrusion signatures. When an intrusion or attempted attack is discovered, the program logs the attempt and raises an alert. It may also attempt to backtrace the intruder to discover as much as it can about who and where the intruder is. The user usually has the option of blocking all future connection attempts from the offending IP address or subnet. Bear in mind that source addresses can be forged, as the DDoS logs show, so a backtrace or an automatic block may end up pointed at an innocent third party.

BlackICE Defender is one of the pioneering programs in this emerging category of security software. It runs in the background and transparently guards a PC against port scans and break-in attempts. It's a breeze to set up (compared to a traditional corporate firewall). Pay your $40, download it, double-click to install, select one of its four security levels -- Paranoid, Nervous, Cautious, Trusting -- and then go on with your business ("set it and forget it"). For more information about BlackICE, see http://www.networkice.com/Products/BlackICE/blackice%20defender.htm

For every simple and elegant product like BlackICE, there's the inevitable hunk of bloatware cranked out by an industry behemoth. Symantec has just released Norton Internet Security 2000, a massive 50 MB program that has a personal firewall, a cookie-cutting privacy module, a "parental control" unit for censoring categories of sites like "Sex Education/Basic" and "Finance", an ad-blocker, etc. The firewall module is nicely designed. It will protect you even if you don't know a thing about ports and protocols: it observes how you and your applications use the net and then automatically generates appropriate firewall rules.
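Here is how a host-based firewall of this adaptive kind makes its decisions, as an added example of my own rather than code from BlackICE, Symantec or Zone Labs. It models the two zones (local network versus Internet) with separate High/Medium/Low levels, per-application answers that are remembered, one simple intrusion signature (a host probing several distinct ports within a few seconds gets blocked automatically, which is what "port scan" detection amounts to), a screensaver lock that drops Internet traffic, and a STOP button that drops everything. The level semantics, the five-ports-in-ten-seconds threshold, and the class and method names are my assumptions.

```python
"""Miniature host firewall policy engine (added example, not a product's code)."""
import ipaddress
from collections import defaultdict

ALLOW, DENY, PROMPT = "allow", "deny", "prompt"

# Assumption: RFC 1918 space and loopback make up the "local" zone.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return "local" if any(addr in n for n in LOCAL_NETS) else "internet"


class PersonalFirewall:
    """Policy for one host: zones, levels, per-app rules, scan blocking, lock/stop."""

    def __init__(self, local_level="medium", internet_level="high",
                 scan_ports=5, scan_window=10):
        self.levels = {"local": local_level, "internet": internet_level}
        self.app_rules = {}               # (app, zone) -> ALLOW/DENY, remembered answers
        self.blocked = set()              # networks blocked by the user or the scan detector
        self.locked = False               # screensaver lock: Internet traffic dropped
        self.stopped = False              # the big STOP button: everything dropped
        self.scan_ports = scan_ports      # distinct ports from one host ...
        self.scan_window = scan_window    # ... within this many seconds = port scan
        self.probes = defaultdict(list)   # src -> [(ts, dport), ...]
        self.log = []

    def is_blocked(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.blocked)

    def block(self, cidr: str, reason: str) -> None:
        """Block a host or subnet from now on, as the user (or the detector) asks."""
        self.blocked.add(ipaddress.ip_network(cidr, strict=False))
        self.log.append(f"blocked {cidr}: {reason}")

    def remember(self, app: str, zone: str, allow: bool) -> None:
        """The 'Remember the answer each time I use this program' checkbox."""
        self.app_rules[(app, zone)] = ALLOW if allow else DENY

    def observe_probe(self, src: str, dport: int, ts: float) -> None:
        """Intrusion signature: many distinct ports from one host in a short window."""
        recent = [(t, p) for t, p in self.probes[src] if ts - t <= self.scan_window]
        recent.append((ts, dport))
        self.probes[src] = recent
        if len({p for _, p in recent}) >= self.scan_ports and not self.is_blocked(src):
            self.block(f"{src}/32", f"port scan, {len(recent)} probes in {self.scan_window}s")

    def decide(self, app: str, direction: str, remote_ip: str, dport: int,
               ts: float = 0) -> str:
        if self.stopped:
            return DENY
        zone = zone_of(remote_ip)
        if self.locked and zone == "internet":
            return DENY
        if self.is_blocked(remote_ip):
            return DENY
        level = self.levels[zone]
        if direction == "in":
            self.observe_probe(remote_ip, dport, ts)
            if self.is_blocked(remote_ip):   # the probe we just saw tipped it over
                return DENY
            # high: no unsolicited inbound at all; medium: only for a server app
            # the user has explicitly allowed for this zone; low: let it in
            if level == "high":
                return DENY
            if level == "medium":
                return self.app_rules.get((app, zone), DENY)
            return ALLOW
        # outbound: a remembered answer wins; otherwise the level says whether to ask
        rule = self.app_rules.get((app, zone))
        if rule is not None:
            return rule
        return ALLOW if level == "low" else PROMPT
```

Note what the per-application rule buys you over a plain packet filter: the decision key includes the program name, so a Trojan horse that opens an outbound connection on port 80 does not inherit the browser's permission and triggers a prompt of its own. That is the property the page's point about blocking outgoing connections is really about.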
Power users will also appreciate the granular control it provides over each and every kind of net connection. Unlike BlackICE Defender, NIS 2000 allows you to block outgoing connections as well as incoming ones. The product costs $60; $54 if you download it from the Symantec store. If you're interested in a single product that does it all, take five hours (on a dialup modem) and download the "Try Before You Buy" version, which expires after 30 days, at http://www.symantecstore.com/Pages/TBYB/nis2k.html

If you're like me, you prefer single-purpose tools that do one thing really well. Also, the best things in life are free for "personal use". Enter Zone Labs Inc., a hip South-of-Market startup with a simple, effective, and free personal firewall offering: ZoneAlarm 2.0. Like NIS 2000, ZoneAlarm is "adaptive" in the sense that it observes what you do -- and the applications you use in particular -- and prompts you to confirm firewall rules on the fly. Launch Netscape Communicator, for example, and it will ask, "Do you want to allow Netscape Communicator to access the Internet?" with an option to "Remember the answer each time I use this program". Like BlackICE Defender, it lets you select simple security settings -- "High, Medium, Low" for your local network access and "High, Medium, Low" for Internet access. It's got a locking feature that can block all Internet traffic while the screensaver is engaged. In a panic, it's got a big "STOP" button that blocks all traffic in a hurry. ZoneAlarm is neat, free, and just a download click away: http://www.zonelabs.com/

If you're still not sold on the need for a firewall on your personal computer, check out Steve Gibson's Shields Up site. It features an online security checking program that will show exactly how vulnerable or invulnerable you are: https://grc.com/x/ne.dll?bh0bkyd2

--------------------------------------------------------
4. TOOLS: Filesystem Security -- Encryption Plus for Folders
--------------------------------------------------------

If all else fails -- if someone gets at your system via the Internet or by stealing it -- filesystem security is the last line of defense. In UNIX and other real operating systems, every file has an owner and filesystem security is built around account security -- every user has a unique account, which is assigned privileges to read, write, or execute files. Sadly, Windows 95/98 includes no notion of account restrictions or file ownership. Any file can be altered at any time by anyone sitting at the machine.

You can work around this limitation of Windows 95/98 by installing a filesystem encryption tool. If your files are encrypted, they will be useless to an attacker regardless of whether the attacker has defeated physical or network security. Only you -- or another party that you trust -- can access the key to decrypt the files, usually by providing a secret password or passphrase. One caveat: the protection holds while the files sit encrypted on disk. Once you've entered the passphrase and the files are open, an attacker who already controls the running machine (via a Trojan horse or a surveillance program, say) can read them as easily as you can.

Encryption Plus for Folders (EP Folders) is an excellent example of a filesystem encryption product. You select a folder or set of folders to protect. From then on, the program will automatically encrypt any file you place in the protected zone. Assuming that you've provided the password at boot or launch time, EP Folders will transparently decrypt the protected files as you access them. The files are re-encrypted on the fly as you save them back to disk. This way, if someone steals your computer, or powers it up when you're not around, they won't be able to view or steal your data. PC Guardian makes an enterprise version of the program as well as a freeware version that's limited to one folder.
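To make the mechanics concrete, here is an added example of my own of passphrase-keyed folder encryption; it is not PC Guardian's code and says nothing about EP Folders' file format. The passphrase is supplied once (the "at boot or launch time" step) and stretched with PBKDF2 and a per-folder salt into separate encryption and authentication keys; each file saved into the folder gets a fresh random nonce and an HMAC tag, so a stolen disk yields only random-looking bytes and any tampering is detected before decryption. The cipher itself is HMAC-SHA256 run in counter mode, chosen only so the example runs on the Python standard library; a real product would use a vetted AES implementation in its place. The directory layout, the ".salt" file name and the class and function names are my assumptions.

```python
"""Passphrase-keyed folder encryption (added example; not EP Folders' code or format)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

SALT_FILE = ".salt"   # assumption: where the per-folder salt lives
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes, iterations: int = 200_000):
    """Stretch the passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=64)
    return km[:32], km[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter), block by block (AES stand-in)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC over nonce and ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Wrong key and tampering look the same."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated file")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or file modified")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


class ProtectedFolder:
    """Encrypt on save, decrypt on open, for every file in one directory."""

    def __init__(self, path, passphrase: str):
        self.path = Path(path)
        self.path.mkdir(parents=True, exist_ok=True)
        salt_path = self.path / SALT_FILE
        if not salt_path.exists():
            salt_path.write_bytes(os.urandom(16))
        # Only the derived keys stay in memory; the passphrase is not kept.
        self.enc_key, self.mac_key = derive_keys(passphrase, salt_path.read_bytes())

    def save(self, name: str, data: bytes) -> None:
        (self.path / name).write_bytes(seal(self.enc_key, self.mac_key, data))

    def open(self, name: str) -> bytes:
        return open_sealed(self.enc_key, self.mac_key, (self.path / name).read_bytes())

    def raw(self, name: str) -> bytes:
        """What a thief sees when reading the disk directly."""
        return (self.path / name).read_bytes()


def demo() -> dict:
    """Round trip, wrong passphrase, and a flipped ciphertext bit, in a scratch directory."""
    root = tempfile.mkdtemp()
    folder = ProtectedFolder(root, "correct horse battery staple")
    secret = b"Q1 sales forecast: confidential"   # constructed sample file contents
    folder.save("forecast.txt", secret)
    results = {"roundtrip": folder.open("forecast.txt") == secret,
               "on_disk_hidden": secret not in folder.raw("forecast.txt")}
    try:
        ProtectedFolder(root, "wrong passphrase").open("forecast.txt")
        results["wrong_pass_rejected"] = False
    except ValueError:
        results["wrong_pass_rejected"] = True
    blob = bytearray(folder.raw("forecast.txt"))
    blob[NONCE_LEN] ^= 0x01                          # flip one bit of ciphertext
    (Path(root) / "forecast.txt").write_bytes(bytes(blob))
    try:
        folder.open("forecast.txt")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The two design points worth carrying over to any product you evaluate: the key is derived with a salt and a deliberately slow function, so a thief with the disk cannot simply try a dictionary of passwords at hardware speed; and the integrity tag is checked before anything is decrypted, so a tampered file is refused rather than silently yielding garbage.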
You can download Encryption Plus for Folders Lite at http://www.pcguardian.com/folders_download/index.html?sob3

Note that you can also buy a full version of the program from our new PC Guardian web store: http://www.pcguardian.com/store/commerce.cgi

--------------------------------------------------------
5. TOOLS: Physical Security -- Anti-theft Devices
--------------------------------------------------------

Physical security is a critical linchpin of defense-in-depth, one that's often overlooked. Hint to the FBI: check out who has physical access to the zombie systems used in the attacks.

As a general rule, those who have physical access to your system can own it. If you're running Win95/98, they can log in as you and act on your behalf. They can plant viruses, Trojan horses, or surveillance programs.[5] They can crack open the case and steal components. Or they can make off with the whole box. Vis-a-vis the DDoS attacks: why bother with a laborious effort to defeat system security via the Internet when you can just walk up to a machine and stick in a Trojan-bearing floppy?

A complete program of physical security safeguards can be very expensive, from security guards and alarm systems to server cages and biometric devices. PC Guardian offers a variety of simple and effective anti-theft systems that can protect a computer including its CPU, internal components, monitor, keyboard, mouse, and peripherals. A steel security cable is anchored to a stationary object and then attaches to the computer using screw-mount or adhesive fittings. You can find out more at http://www.pcguardian.com/hardware/anti_theft.html?sob103 If you buy, please be sure to tell them that Seth sent you.

Until next month, have fun and keep your guard up.
--------------------------------------------------------
REFERENCES
--------------------------------------------------------

[1] You can find a high-level description of DDoS attacks at http://www.securityoutpost.com/newsletter/archive/102.txt

[2] From the awesome New Hacker's Dictionary at http://www.tuxedo.org/~esr/jargon/html/entry/hack.html

[3] You can find Ranum's comments on his Firewall-Wizards list: http://www.nfr.net/firewall-wizards/mail-archive/mailbox/firewall-wizards.10002

[4] For an overview of steps Internet service providers and large sites can take, see Elias Levy's Bugtraq post: http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-02-08&msg=20000211003101.A26181@securityfocus.com Also, check out the Zombie Zapper at http://razor.bindview.com/tools/index.shtml

[5] Check out this product, which unobtrusively captures keystrokes and records screen contents for replay: http://www.omniquad.com/omniquad_desktop_surveillance_personal.htm

===============================================================
The Security Outpost Bulletin is published monthly by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/index.html?so103

To unsubscribe from this newsletter, send an email to leave-security-outpost-news@lists.securityoutpost.com

To subscribe to this newsletter, send an email to join-security-outpost-news@lists.securityoutpost.com

Need good security content for your web site? Ask about our free syndication program.
===============================================================

FEEDBACK OR QUESTIONS

Contact the author directly:

Seth T. Ross
Director of Security Publications & Resources
PC Guardian
1133 East Francisco Blvd.
San Rafael, CA 94901
+1 415-459-0190 x143
sross@pcguardian.com

===============================================================
Redistribution of this newsletter is permitted, as long as the entire message body, the mail header, and this notice are included.

Copyright 2000 PC Guardian. All rights reserved.
===============================================================