Viruses are far from the only maverick programs that can disrupt a computer system. Worms are constructed to infiltrate legitimate data processing programs and alter or destroy the data. Often what people believe is a virus infection is, in fact, a worm program. This is not as serious because worms do not replicate themselves. But the damage caused by a worm attack can be just as serious as a virus, especially if not discovered in time. For example, suppose a worm program instructs a bank's computer to transfer funds to an illicit account. The fund transfers may continue even after the worm is destroyed. However, once the worm invasion is discovered, recovery is much easier because there is only a single copy of the worm program to destroy, since the replicating ability of the virus is absent. A worm is similar to a benign tumor while a virus is like a malignant one.
Friday, February 17, 2012
Wednesday, February 15, 2012
How Secure Should My Linux Be?
Security is a process, not a permanent state. Once you've taken the initial steps to secure your box, you must engage in regular maintenance to ensure that the box continues to remain secure. To ensure continued security, regularly do the following:
> Keep current with patches: Keep current with your distribution's security updates and patch on a regular basis.
> Monitor log files: Log files should be monitored regularly for anomalous events. Monitoring with automated tools is acceptable provided you do a regular manual audit of the log files as well.
> Audit password strength: Run a password auditing tool such as John the Ripper every month or so to check for insecure passwords.
> Check your binaries: Regularly scan your system for trojaned or otherwise altered binaries using both an integrity checker and a trojan scanner.
> Check for remote vulnerabilities: Periodically run a current vulnerability scanner against your machine from another box, preferably one outside of your firewall.
Tuesday, February 14, 2012
Protecting The Registry
All the initialization and configuration information used by Windows NT is stored in the registry.
Normally, the keys in the registry are changed indirectly, through administrative tools such as the Control Panel. This method is recommended. The registry can also be altered directly, with the Registry Editor; some keys can be altered in no other way.
The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry key:
Hive: HKEY_LOCAL_MACHINE
Key: \CurrentControlSet\Control\SecurePipeServers
Name: \winreg
The security permissions set on this key define which users or groups can connect to the system for remote access. The default Windows NT Workstation installation does not define this key and does not restrict remote access to the registry. Windows NT Server permits only administrators remote access to the registry.
Sunday, February 12, 2012
Legacy systems
With Windows 95, Windows 98, Windows Me and Windows NT, administrators can use a special file to be merged into the registry, called a policy file (POLICY.POL). The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of Internet Explorer and the desktop wallpaper. The policy file is used in businesses with a large number of computers where the business needs to be protected from careless users.
The default extension for the policy file is .POL. The policy file filters the settings it enforces by user and by group (a "group" is a defined set of users). To do that, the policy file merges into the registry, preventing users from circumventing it by simply changing the setting back. The policy file is usually distributed through a LAN, but can be placed on the local computer.
The policy file is created by a free tool from Microsoft that goes by the file name poledit.exe for Windows 95/98 and by a computer management module for NT-based systems. The editor requires administrative permissions to be run on systems that use permissions. The editor can also directly change the current registry settings of the local computer, and if the remote registry service is installed and started on another computer, it can also change the registry on that computer.
The policy editor loads the settings it can change from .ADM files, one of which is included and contains the settings the Windows shell provides. The .ADM file is plain text and supports easy localization by allowing all the strings to be stored in one place.
Saturday, February 11, 2012
Cyber Forensics
Cyber forensics can be defined as the process of extracting information and data from computer storage media and guaranteeing its accuracy and reliability. The challenge of course is actually finding this data, collecting it, preserving it, and presenting it in a manner acceptable in a court of law.
Electronic evidence is fragile and can easily be modified. Additionally, cyber thieves, criminals, dishonest and even honest employees hide, wipe, disguise, cloak, encrypt and destroy evidence from storage media using a variety of freeware, shareware and commercially available utility programs.
A global dependency on technology combined with the expanding presence of the Internet as a key and strategic resource requires that corporate assets are well protected and safeguarded.
When those assets come under attack, or are misused, infosecurity professionals must be able to gather electronic evidence of such misuse and utilize that evidence to bring to justice those who misuse the technology.
Cyber forensics, while firmly established as both an art and a science, is in its infancy. With technology evolving, mutating, and changing at such a rapid pace, the rules governing the application of cyber forensics to the fields of auditing, security, and law enforcement are changing as well. Almost daily, new techniques and procedures are designed to provide infosecurity professionals a better means of finding electronic evidence, collecting it, preserving it, and presenting it to client management for potential use in the prosecution of cyber criminals.
Monday, February 6, 2012
Steganography
(n.) The art and science of hiding information by embedding messages within other, seemingly harmless messages. Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, HTML, or even floppy disks) with bits of different, invisible information. This hidden information can be plain text, cipher text, or even images.
Steganography sometimes is used when encryption is not permitted. Or, more commonly, steganography is used to supplement encryption. An encrypted file may still hide information using steganography, so even if the encrypted file is deciphered, the hidden message is not seen.
Special software is needed for steganography, and there are freeware versions available at any good download site.
Steganography (literally meaning covered writing) dates back to ancient Greece, where common practices consisted of etching messages in wooden tablets and covering them with wax, and tattooing a shaved messenger's head, letting his hair grow back, then shaving it again when he arrived at his contact point.
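The "replacing bits of unused data" idea above, worked through as an added example (not from the original post): least-significant-bit embedding into a constructed 8-bit grayscale image, with a 32-bit length header so the extractor knows where the hidden message ends.

```python
import random

def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1

def embed(cover, payload):
    """Return a copy of cover with payload hidden in the LSB of successive bytes."""
    framed = len(payload).to_bytes(4, "big") + payload   # 32-bit length header
    if len(framed) * 8 > len(cover):
        raise ValueError("cover too small: need %d carrier bytes" % (len(framed) * 8))
    out = bytearray(cover)
    for idx, bit in enumerate(_bits(framed)):
        out[idx] = (out[idx] & 0xFE) | bit   # overwrite only the lowest bit
    return bytes(out)

def _read_bytes(carrier, start, count):
    """Reassemble `count` bytes from the LSBs beginning at carrier[start]."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (carrier[start + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)

def extract(stego):
    """Read the length header, then that many payload bytes."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    return _read_bytes(stego, 32, length)

def max_pixel_change(cover, stego):
    """Largest per-byte difference; LSB embedding never moves a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

# Constructed cover: 64x64 grayscale pixels from a seeded PRNG (no image library needed)
random.seed(2012)
COVER = bytes(random.getrandbits(8) for _ in range(64 * 64))

if __name__ == "__main__":
    stego = embed(COVER, b"plain text hidden in pixels")
    print(extract(stego), max_pixel_change(COVER, stego))
```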
Sunday, January 30, 2011
Sniffer
Sniffing
A sniffer is a program and/or device that monitors all information passing through a computer network. It sniffs the data passing through the network off the wire and determines where the data is going, where it's coming from, and what it is. In addition to these basic functions, sniffers might have extra features that enable them to filter a certain type of data, capture passwords, and more. Some sniffers (for example, the FBI's controversial mass-monitoring tool Carnivore) can even rebuild files sent across a network, such as an email or Web page.
A sniffer is one of the most important information gathering tools in a hacker's arsenal. The sniffer gives the hacker a complete picture (network topology, IP addresses) of the data sent and received by the computer or network it is monitoring. This data includes, but is not limited to, all email messages, passwords, user names, and documents. With this information, a hacker can form a complete picture of the data traveling on a network, as well as capture important tidbits of data that can help her gain complete control over a network.
How Does a Sniffer Work?
For a computer to have the capability to sniff a network, it must have a network card running in a special mode. This is called promiscuous mode, which means it can receive all the traffic sent across the network. A network card will normally only accept information that has been sent to its specific network address. This network address is properly known as the Media Access Control (MAC) address. You can find your own MAC address by going to the Windows Taskbar and clicking Start > Run and typing winipcfg (for Windows 95/98/ME) or ipconfig /all (for Windows NT/2000/.NET Server). The MAC address is also called the physical address.
The only exception to this is what is called monitor mode. This type of network card status only applies to wireless network interface cards (NICs). Because of the unique properties of a wireless network, any data traveling through the airwaves is open to any device that is configured to listen. Although a card in promiscuous mode will work in wireless environments, there is no need for it to actually be part of the network. Instead, a WNIC can simply enter a listening status in which it is restricted from sending data out to the network. As you will learn later, a network card in promiscuous mode can be detected because of how it interacts with the network. Monitor mode stops all interaction.
There are different layers involved in network communications. Normally, the Network layer is responsible for searching the packets of information for their destination address. This destination address is the MAC address of a computer. There is a unique MAC address for every network card in the world. Although you can change the address, the MAC address ensures that the data is delivered to the right computer. If a computer's address does not match the address in the packet, the data is normally ignored.
The reason a network card has this option to run in promiscuous mode is for troubleshooting purposes. Normally, a computer does not want or need information to be sent to other computers on the network. However, in the event that something goes wrong with the network wiring or hardware, it is important for a network technician to look inside the data traveling on the network to see what is causing the problem. For example, one common indication of a bad network card is when computers start to have a difficult time transferring data. This could be the result of information overload on the network wires. The flood of data would jam the network and stop any productive communication. After a technician plugs in a computer with the capability to examine the network, he would quickly pinpoint the origin of the corrupt data, and thus the location of the broken network card. He could then simply replace the bad card and everything would be back to normal.
Another way to visualize a sniffer is to consider two different personality types at a cocktail party. One type is the person who listens and replies to conversations in which he is actively involved. This is how a network card is supposed to work on your local machine. It is supposed to listen and reply to information sent directly to it.
On the other hand, there are those people at the party who stand quietly and listen to everyone's conversation. This person could be compared to a network card running in promiscuous mode. Furthermore, if this eavesdropper listened for a specific subject only, she could be compared to a sniffer that captures all data related to passwords only.
How Hackers Use Sniffers
Figure 2 shows a sniffer in action. As previously mentioned, sniffers like this are used every day to troubleshoot faulty equipment and monitor network traffic. Hackers can use this or similar tools to peer inside a network. However, they are not out to troubleshoot. Instead, they are out to glean passwords and other gems.
Figure 2: A sniffer in action (screenshot not reproduced)
Depending on the program a hacker is using, he will get something that looks like Figure 2. As you can see from the figure, some data is easily readable, while some data is not. The difference is in the type of data that is sent. Computers can send information either in plain text or in an encrypted form. The sample capture shows just how easy it is to read captured plaintext data.
Plaintext communication is any information that is sent just as it appears to the human eye. For most applications, this is the standard means of data transfer. For example, the Internet uses plaintext for most of its communications. This is the fastest way to send data. Chat programs, email, Web pages and a multitude of other programs send their information in plaintext. This is acceptable for most situations; however, it becomes a problem when transmitting sensitive information, such as a bank account number or a password.
For example, take our sniffer screenshot in Figure 2. If you look closely at the plaintext section, you can see just how dangerous a sniffer can be to sensitive information. In the plaintext, you can see the following: Our company will be merging with another company. This will make our stock $$. Don't tell anyone. If this were a real merger, a hacker could make millions overnight.
In addition, email clients and FTP clients do not normally encrypt their passwords; this makes them two of the most commonly sniffed programs on a network. Other commonly used programs such as Telnet, Web browsers, and news programs also send their passwords as plaintext. So, if a hacker successfully installs a sniffer on your network, he would soon have a list of passwords and user names that he could exploit.
Even some encrypted passwords used in a Windows NT network can be sniffed. Thanks to the rather well-known encryption scheme of an NT password, it does not take long to capture and decrypt more than enough NT passwords to break a network wide open. In fact, there are even sniffing programs that have an NT password cracker built right into them. The programs are designed to be very user friendly so that network administrators can test their networks for weak passwords. Unfortunately, these programs often end up in the hands of script kiddies who can just as easily use them to cause problems.
Although sniffers most commonly show up within closed business networks, they can also be used throughout the Internet. As mentioned previously, the FBI has a program that will capture all the information both coming from and going to computers online. This tool, previously known as Carnivore, simply has to be plugged in and turned on. Although it is purported to filter out any information that is not the target's, this tool actually captures everything traveling through whatever wire to which it is connected and then filters it according to the rules set up in the program. Thus, Carnivore can potentially capture all of those passwords, email messages, and chat sessions passing through its connection.
In addition to wired networks, sniffers can also be used in wireless networks. In effect, a wireless network on a corporate LAN is like putting an Ethernet jack in your parking lot. What makes this unique from a hacker's perspective is that sniffing a wireless network is probably not illegal, although it has yet to be tested in court. In many ways, it is no different than a police scanner used by reporters and hobbyists worldwide. If the information is sent in plaintext to the public domain, how can it be wrong to simply listen?
How to Detect a Sniffer
There are a few ways a network technician can detect a NIC running in promiscuous mode. One way is to physically check all the local computers for any sniffer devices or programs. There are also software detection programs that can scan networks for devices that are running sniffer programs (for example, AntiSniff). These scanner programs use different aspects of the Domain Name Service and TCP/IP components of a network system to detect any malicious programs or devices that are capturing packets (running in promiscuous mode). However, for the average home user, there is really no way to detect whether a computer out on the Internet is sniffing your information. This is why encryption is strongly recommended.
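The promiscuous-mode explanation in "How Does a Sniffer Work?" and the detection remark above both come down to the NIC's destination-MAC filter, modelled here as an added example that is not from the original article. It assumes the classic ARP probe used by detection tools: an ARP request for the host's own IP sent to a made-up "broadcast" address, which only a card that accepts every frame will pass up to the ARP layer. All MAC addresses, IPs and frames are constructed; multicast subscriptions and driver quirks are ignored.

```python
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806

def build_arp_request(dst_mac, src_mac, sender_ip, target_ip):
    """Ethernet II frame carrying an ARP who-has request (IPv4 over Ethernet)."""
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                 # htype, ptype, hlen, plen, op=request
    arp += src_mac + bytes(int(o) for o in sender_ip.split("."))    # sender MAC / IP
    arp += bytes(6) + bytes(int(o) for o in target_ip.split("."))   # target MAC (unknown) / IP
    return eth + arp

def nic_accepts(frame, own_mac, promiscuous):
    """Hardware filter: only unicast-to-me or broadcast normally; everything when promiscuous."""
    dst = frame[0:6]
    return promiscuous or dst == own_mac or dst == BROADCAST

def arp_layer_replies(frame, own_ip):
    """The ARP code checks the ARP target IP only, never the Ethernet destination MAC."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return False
    op = struct.unpack("!H", frame[20:22])[0]
    target_ip = ".".join(str(b) for b in frame[38:42])
    return op == 1 and target_ip == own_ip

def host_replies(frame, own_mac, own_ip, promiscuous):
    """A reply happens only if the NIC passes the frame up and the ARP layer claims it."""
    return nic_accepts(frame, own_mac, promiscuous) and arp_layer_replies(frame, own_ip)

def probe(own_mac, own_ip, promiscuous):
    """Detection probe: ARP for the host's own IP, addressed to a fake 'broadcast' MAC.
    A normal card drops it (the destination is neither its MAC nor ff:ff:ff:ff:ff:ff);
    a promiscuous card passes it up, the host answers, and the answer gives it away."""
    fake_broadcast = bytes.fromhex("fffffffffffe")
    prober_mac = bytes.fromhex("0200deadbeef")      # constructed, locally administered MAC
    frame = build_arp_request(fake_broadcast, prober_mac, "192.0.2.99", own_ip)
    return host_replies(frame, own_mac, own_ip, promiscuous)

if __name__ == "__main__":
    mac, ip = bytes.fromhex("001122334455"), "192.0.2.10"   # constructed target host
    print("normal card answers probe:", probe(mac, ip, promiscuous=False))
    print("promiscuous card answers probe:", probe(mac, ip, promiscuous=True))
```

Real detectors wrap this probe in timing and repetition because some drivers answer anyway and some operating systems filter more strictly; the model only shows why the technique works at all.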
How Can I Block Sniffers?
There is really only one way to protect your information from being sniffed: Use encryption! Using Secure Sockets Layer (SSL)-protected Web sites and other protection tools, you can encrypt your passwords, email messages and chat sessions. There are many programs available for free that are easy to use. Although you do not always need to protect the information passed during a chat session with your friends, you should at least have the option available when needed.
Because of the very nature of a WLAN, encryption is a must in any situation. Fortunately, wireless networks come with the option of encryption built right into their software. However, few take advantage of this capability, as few are even aware that this option exists.
Maximum Wireless Security is available here.