Gotcha!: Hack AttacksBy David F. Carr | Posted 2005-03-07 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Many of today's computer security problems aren't newjust trickier. Learn how to safeguard your corporate identity.
Many of today's computer security problems aren't really new - just trickier, nastier and more pervasive.
Problem: Forging or "spoofing" e-mail addresses, so that messages appear to come from your Internet domain when they do not.
Resolution: Monitor bouncebacks to your e-mail servers. If an attacker is sending out hundreds or thousands of messages that appear to come from your domain, they're likely to target some bad addresses.
So analyze e-mail messages that come back to you with subject lines such as "Mail delivery failed: returning message to sender," recommends Johannes Ullrich of the SANS Internet Storm Center. Inspect them for clues for where the e-mail actually originated, such as routing data in the message header. The content of the message also clues you in to the nature of the scam.
Another good practice is to establish an e-mail address where consumers can send you examples of suspected phishing attacks. A standard alias used by institutions such as banks to receive such tips is "spoof," as in firstname.lastname@example.org.
In the long term, this problem may be solved by fundamental changes in the Internet infrastructure or by educating consumers on how to verify the digital signature on a message.
Problem: A Web site masquerades as a legitimate one-yours.
Resolution: Identify fake sites and alert your customers. You can't stop phantom sites from being constructed. But you have to keep your antennae up. Log the "referrer" header, part of the invisible data automatically transmitted to your Web server, when a user clicks through or is forwarded to your site.
Because faked sites often only amount to a page or two of content, designed to grab personal information, the unsuspecting visitor is often redirected to the legitimate site when the dirty work is done.
So, watching whether traffic is coming in from unknown sites lets you identify suspicious activity and corrupt sites.
Once you discover a criminal site, you can start displaying a warning to consumers who are referred from that address-giving them a chance to cancel credit cards or take other protective measures now that they know they've been scammed. Unfortunately, these scam sites are moving targets, often located temporarily on the hard drive of some unsuspecting cable modem user.
Problem: User names and passwords are the main line of defense.
Resolution: Consider going beyond user names and reusable passwords to authenticate visitors. Alternatives include one-time passwords, hardware security tokens, digital certificates, and identity verification over non-Internet channels (such as a call to the cell phone number in a user's profile).
For consumer applications, businesses have traditionally been reluctant to use anything more complicated than a password for fear of scaring away customers. But consumers often use the same user name and password for multiple sites, making it easy for keyboard loggers and phishers to gather names and passwords that can be used to open doors to many sites. The proliferation of these schemes is also having an impact on consumer attitudes-60% of those surveyed told Gartner they want the option of using additional security measures, and 19% would accept additional security requirements as a condition of doing business.
Certainly, businesses providing access over the Web to their internal systems should consider providing employees with something like RSA Security's SecurID devices, which generate one-time passwords that change every half-minute or so. That way, if the airport Internet kiosk or Internet café PC from which a user logs on contains a keystroke logger, the password will have already expired before an evildoer can use it to try to penetrate corporate systems.
Problem: Your servers and computers are turned into "bots," controlled remotely to send spam, generate automated page requests that flood sites or participate in other forms of Internet attacks.
Resolution: Block and patch. Keep your antivirus and intrusion detection systems in top shape. Keep current on patches to your operating systems and applications. Make sure your firewalls are strong, and filter executables out of incoming e-mail. If you leave yourself open for it, one compromised computer can be used to attack others until you have a "botnet" within your network wreaking havoc-or, maybe worse, quietly gathering corporate secrets.
Also set your corporate firewall to block Internet Relay Chat connections, which attackers frequently use to send instructions to and collect data from their bots.
Don't depend on protection only at the border of your network. While firewalls remain important, bots, worms and viruses often get past them through a virtual private network connection from an employee's home PC or a contractor's laptop that's plugged in inside the firewall while he's in the office. Security experts increasingly stress a "defense in depth" strategy that requires computers throughout your network to have their own protection, on the assumption that the outer defenses will be breached. If you provide remote access to employees, make sure their laptops and home PCs are kept clean, too.