
Security

In this new, interconnected world, we are surrounded by security threats. Our networks, our ever more complex computers and servers, our PDAs and even our cell phones are all vulnerable to hackers, crackers and virus writers. This page presents some old (and not so old) ideas and guidelines in the hope that you can benefit from them in securing your own network and computer.

Table of Contents

1. Why you should worry?
2. Types of security breaches?
3. Cryptography and encryption techniques?
4. Locks, keys and security guards?
5. Firewall and IPsec?
6. Alright, enough talk. How do I secure my Windows 98/Me machine?
7. How do I secure my Windows NT Workstation machine?
8. How do I secure my Windows 2000 Professional machine?
9. What's next in the future?

1. Why you should worry?

Bad people do bad things. Hackers / crackers are people who would like nothing more than to circumvent your security measures to obtain sensitive information. Although hackers are often thought of as outsiders, it is usually the disgruntled employee who does the hacking.
Information is valuable and sensitive. Needless to say, information stored on the network or on your personal machine is sensitive and valuable. As a student in a medical-related field, you should take extra precautions in protecting this kind of information. Remember that seemingly harmless information such as user IDs, names or network infrastructure details can aid the hacker in his attempts to break into either your system or other systems.
Network technologies are inherently insecure. Here are some of the shortcomings:

1. WANs. When the network is small (such as a LAN), it is much easier to manage, since it is confined to a single physical location. With the advent of WANs, and more recently VLANs, networks have spread across the globe, connecting many machines in many physical locations, running disparate network operating systems on different classes of hardware.
2. Remote Access. The modem pool that you just installed to allow your users to dial into your corporate network has just become a very useful tool for hackers to get in. Moreover, the hacker can do it leisurely from the comfort of his home (or from a public phone). In fact, RAS (Remote Access Service) is one of the favorite pastimes of hackers.
3. Mobile Computing. The only good thing about a laptop is that it allows the user to compute wherever he is. Anything else is bad!
4. The Web and TCP/IP. The Internet, in adopting TCP/IP as its protocol, has opened a can of worms for security breaches. It is possible for hackers to examine packets of information as they move across the Internet as long as they know the route. Moreover, TCP/IP is in itself insecure. The latest news was that the ISN (initial sequence number), part of the TCP/IP spec, can be guessed. Until the adoption of IPv6 (version 6) is widespread, it is imperative that you understand what risks you are taking when implementing TCP/IP and Internet access.
2. Types of Security Breaches?

Denial of Service (DoS) nuisances. A DoS attack does not directly damage your system or change/steal information from it. Rather, it disrupts the normal operation of your organization. Web servers are typical targets of DoS attacks. More recently, as web server operators tighten their security, hackers have turned their attention to the router as a more attractive target. If you are responsible for web operations, remember that there is more than just the web server that needs to be secured.
Illegal Access. Hmm, let's see what the CEO's salary is, and how many stock options he got. Obviously, great control must be exercised here. This kind of intrusion generally comes from the inside, where the intruder has some type of network access to begin with. Running an e-commerce web site? Make sure that the right people get to the right database(s) and nothing else. You don't want to have millions of customers suing you for credit card fraud, do you?
The Imposter. Yup, you just bought a billion dollars' worth of TVs and VCRs to be sent to someplace in Siberia. When you send an order to buy that new laptop for yourself, you are sending your bank account / credit card number and other relevant information to Mr. HackIt.
Data Destruction and Corruption. What would happen if people browsed to your website and were immediately greeted by profanity, with some porno pictures to enhance the message? Hmmm... Let's exercise the "Delete" key here. Wait... How about just corrupting the entire hard disk? It sure sounds fun (not to you; to the hacker, that is). Computer viruses are typically responsible for this kind of destruction.

3. Cryptography and encryption techniques

Cryptography is the science of scrambling information into an unreadable form so that the information can be kept private. There are many encryption techniques. Some are standards and some are not. Here is a list of standard encryption algorithms and methods. Note that just because you know the technique used to encrypt a message does not mean you can decrypt it.
DES (Data Encryption Standard). DES was developed by IBM with help from the US government. DES is a 56-bit key encryption algorithm.
Triple-DES, or 3DES: a variant of DES in which the message is encrypted three times successively.
Hash: A hash is a numeric representation of some data. A hash function works by taking some data (such as a user name / password) and generating a fixed-length value from it.
Diffie-Hellman: Diffie-Hellman is a method used to decide which keys will be used for subsequent messages. The important thing to remember is that the negotiation of the key is done over an insecure connection (i.e. the Internet).
Message Digest. A message digest is a smaller, numeric representation of the original message. In fact, it is a hash of the original message. Thus it is easy to verify whether the received message is the same as the one sent.
MD2, MD4, MD5: These are message digest algorithms. MD5 is harder to crack than MD4, but it is slower in performance.
SHA, SHA-1: SHA stands for Secure Hash Algorithm. SHAs are used to generate hashes.
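The three properties of a message digest described above (fixed length whatever the input size, the received copy can be checked against the digest that was sent, and any change to the message changes the digest) are shown below in an added example. This is not code from the original page; it uses only Python's standard hashlib, and the message it checks is constructed sample data. SHA-256 is included alongside the MD5 and SHA-1 the text names because it is what a practitioner would choose today.

```python
"""Message digests in practice: fixed length, tamper detection, avalanche.

Added example for this page (not code from the original author). Uses only
Python's standard library; the message below is constructed sample data.
"""
import hashlib
import hmac

# Algorithms the page names (MD5, SHA-1) plus SHA-256 for modern designs.
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Return the hex message digest of ``data`` under ``algo``."""
    return hashlib.new(algo, data).hexdigest()


def digest_bits(algo: str) -> int:
    """Output size in bits; a digest is the same length for any input size."""
    return hashlib.new(algo).digest_size * 8


def verify_message(received: bytes, expected_digest: str, algo: str = "sha256") -> bool:
    """Recompute the digest of the received copy and compare it with the digest
    that was sent alongside the message. A mismatch means the message changed.
    compare_digest avoids leaking where the comparison stopped via timing."""
    return hmac.compare_digest(digest_hex(received, algo), expected_digest)


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Count bit positions where two equal-length hex digests differ."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Flip the lowest bit of byte ``index``: the smallest possible change."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)


def demo():
    original = b"Transfer $100 to account 12345"  # constructed sample message
    sent_digest = digest_hex(original, "sha256")

    # 1. The receiver gets an identical copy: digests match.
    intact = verify_message(original, sent_digest)

    # 2. One bit changed in transit: digests differ, so the check fails.
    tampered = flip_one_bit(original)
    detected = not verify_message(tampered, sent_digest)

    # 3. Avalanche: a one-bit input change flips roughly half of the 256
    #    digest bits, so the digest reveals nothing about how small the change was.
    changed = differing_bits(sent_digest, digest_hex(tampered, "sha256"))

    # 4. Fixed output length regardless of input length.
    sizes = {algo: digest_bits(algo) for algo in ALGORITHMS}
    return intact, detected, changed, sizes


if __name__ == "__main__":
    print(demo())
```

A digest on its own only proves the message was not altered by accident or by someone who could not also replace the digest; to bind it to a sender you need a keyed construction (an HMAC) or a digital signature, which is where the key material of the next section comes in.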

4. Locks, Keys and security guards

Encryption works by scrambling the original information into an unreadable form. However, for this to work, the intended receiving party must know how to decrypt the scrambled information. This is how a "key" is defined. A key is a piece of information that describes how information is encrypted as well as decrypted. Needless to say, having the same key is essential between the two parties. Otherwise, no one would be able to decrypt the message.
There are two types of key schemes. They are either secret or public.
Secret key system: In this type of scheme, there is only one key. This key is used to encrypt as well as decrypt. If one has access to this key, one can decrypt any message sent by any party using this key. Needless to say, the key is kept very, very, very secret. The advantage of this scheme is that it is very, very fast. The problem with this scheme is maintaining the secrecy of the key. In a typical scenario, the two parties agree on the type of key to be used. Next, a key is generated by one of them, and then it is passed to the other. This is where the problem is. Since both parties are worried enough that they are encrypting their messages, using the same medium to pass the key is not a good idea. Thus they must resort to some other method to share the same key and yet keep it very secret.
Public Key system (PKI): In a PKI (Public Key Infrastructure) scheme, there are two keys. Both keys are involved: what one key encrypts, only the other can decrypt. One of the keys is a public key and the other is the private key. The important thing here is that both keys form a matched pair. You cannot use a public key from one pair and a private key from another.
As their names imply, the public key is made public. That is, public keys are easily accessible to anyone who might need to exchange secure information. The private key, however, is... private. That is, only the owner of the key pair has it.
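The key-distribution problem of the secret key system above (how do two parties end up with the same secret key without sending it over the medium they distrust?) is exactly what Diffie-Hellman, named in section 3, solves with a public/private pair. The following is an added example, not code from the original page: each side keeps a private number, publishes only a derived public value, and both arrive at the same shared secret while an eavesdropper sees only p, g and the two public values. The group p=23, g=5 is a textbook toy so the arithmetic can be checked by hand; real deployments use groups of 2048 bits or more.

```python
"""Diffie-Hellman key agreement over an insecure channel.

Added example for this page (not the author's code). The tiny group is for
hand-checkable numbers only; production systems use standardised groups of
2048 bits or more.
"""
import hashlib
import secrets


def public_value(p: int, g: int, private: int) -> int:
    """What a party sends over the wire: g^private mod p."""
    return pow(g, private, p)


def shared_secret(p: int, their_public: int, private: int) -> int:
    """What each party computes locally from the other side's public value."""
    return pow(their_public, private, p)


def session_key(secret: int, p: int, length: int = 16) -> bytes:
    """Turn the agreed integer into a fixed-length symmetric key by hashing it;
    the raw group element is never used directly as a cipher key."""
    raw = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()[:length]


def run_exchange(p: int, g: int, a_private: int = 0, b_private: int = 0):
    """Run one exchange between Alice and Bob.

    Returns (everything an eavesdropper sees, Alice's key, Bob's key).
    Private values default to fresh random numbers in [1, p-2]."""
    if not a_private:
        a_private = secrets.randbelow(p - 2) + 1
    if not b_private:
        b_private = secrets.randbelow(p - 2) + 1

    A = public_value(p, g, a_private)   # Alice -> Bob
    B = public_value(p, g, b_private)   # Bob -> Alice
    on_the_wire = {"p": p, "g": g, "A": A, "B": B}  # all an eavesdropper gets

    # Each side combines its own private value with the other's public value.
    k_alice = session_key(shared_secret(p, B, a_private), p)
    k_bob = session_key(shared_secret(p, A, b_private), p)
    return on_the_wire, k_alice, k_bob


if __name__ == "__main__":
    wire, ka, kb = run_exchange(23, 5, 6, 15)   # toy values: A=8, B=19, secret=2
    print(wire, ka.hex(), ka == kb)
```

Note what is and is not on the wire: the private numbers never leave their owners, and the shared secret is never transmitted, which is why the negotiation can safely happen over the Internet. Plain Diffie-Hellman does not, however, tell Alice that the public value she received really came from Bob; that is the job of the certificates discussed next.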
Certificates and Digital Signatures are implementations of PKI. They allow you to be identified as yourself as opposed to an imposter. The way it works is that the certificate you (or someone else) present must come from an entity that everyone trusts. This entity is known as a CA (Certificate Authority). It is up to the end users whether or not to trust a CA, i.e. you might trust any certificate issued by Verisign or the State of Texas, but not one from FAKEit.com.
Physical Barrier: Sometimes people tend to skip the most obvious things. What good is it to secure your server if the door to the server room is always open? Let's make it clear: anyone who has physical access to your machine will be able to hack it regardless of what type of operating system it runs. There are no ifs, buts or maybes. You need solid internal security to protect all the hardware where sensitive information is stored. Hire a security guard, lock the door, install a retina scanner, deploy fingerprint verification, monitor with cameras, deploy a KVM (keyboard, mouse, monitor) switch and lock the server room (behind a camera monitoring room). High tech or not, use a combination of common sense and good planning to make sure that machines are under lock and key and physically secure.

5. Firewall and IPsec

Firewall: A firewall is a combination of hardware / software that monitors traffic into and out of a corporate network. Based on rules set up by the security administrator, a firewall allows certain data in or out. Think of a firewall as a security guard. A good firewall will also record all of the comings and goings so that you can review who's been in and out of your network.
A false assumption that many people make is that by using a firewall, their network is safe. This is definitely wrong. A firewall is just one component of your solution. Remember that hacking happens from the inside as well as the outside. Keep this in mind when you design your security solution.
IPsec: The IP Security Protocol (IPsec) is a peer-reviewed proposed Internet standard that can authenticate and encrypt IP traffic. The long-term solution to network eavesdropping is encryption. Only if end-to-end encryption is employed can near-complete confidence in the integrity of communication be achieved. Encryption key length should be determined based on the amount of time the data remains sensitive: shorter key lengths are permissible for encrypting data streams that contain rapidly outdated data, and will also boost performance.

6. How to secure a Windows 98/ME machine?

The most important thing to realize about Windows 98 is that it was not designed to be a secure operating system. Fortunately it was also not designed to be a true multiuser operating system, so it has extremely limited remote administration features.
There are only two ways for attackers to gain complete control over a Win 98 system: either trick the system's operator into executing code of their choice, or gain physical access to the system's console.
Win 98's architecture makes it nearly impossible to attack from a remote location unless the system owner makes key errors, such as misconfiguration or poor judgment. There are three mechanisms Win 98 provides for direct access to the system: file and print sharing, the optional dial-up server, and remote Registry manipulation.
Countermeasures against remote hacking
Fixing this problem is easy: turn off file and print sharing. You can use the System Policy Editor (POLEDIT.EXE) utility to disable file and print sharing across all systems. POLEDIT.EXE can be found in the \tools\reskit\netadmin\ directory on most Win 98 CD-ROMs, or at http://support.microsoft.com/support/kb/articles/Q135/3/15.asp.
If you must enable file sharing, use a complex password of eight alphanumeric characters (that is the maximum allowed by Win 98) and include metacharacters (such as [!@#$%&). It's also wise to append a $ symbol to the name of the share to prevent it from appearing in the Network Neighborhood, in the output of net view commands, and even in the results of a Legion scan.
Win 98 Dial-Up hacking countermeasures
Not surprisingly, the same defenses hold true: don't use the Win 98 Dial-Up Server, and enforce this across multiple systems with the System Policy Editor. If Dial-Up capability is absolutely necessary, set a password for Dial-In access, require that it be encrypted using the Server Type dialog box in the Dial-Up Server Properties, or authenticate using user-level security (that is, pass-through authentication to a security provider such as a Windows NT domain controller or NetWare server). Set further passwords on any shares (using good password complexity rules), and hide them by appending the $ symbol to the share name.

Intruders who successfully crack a Dial-Up Server and associated share passwords are free to pillage whatever they can find. However, they will be unable to progress further into the network because Win 98 cannot route network traffic.

7. How to secure a Windows NT Workstation machine?

There are three primary mechanisms for guessing NT passwords over a network: manual, automated, and eavesdropping on NT login exchanges to gather passwords directly off the wire.
Countermeasures against password guessing
There are several defensive postures that can eliminate or at least deter such password guessing. The first is advisable if the system in question is an Internet host and should not be answering requests for shared Windows resources: block access to the relevant TCP and UDP ports at the perimeter firewall or router, and disable bindings to WINS Client (TCP/IP) for any adapter connected to public networks.
Preventing password eavesdropping
Disabling LANMan Authentication
In NT 4.0 Service Pack 4, Microsoft added a Registry key and value that will prohibit an NT host from accepting LANMan authentication. Add the "LMCompatibilityLevel" value, of type REG_DWORD, with data 4 under the following Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
The value 4 will prevent a domain controller from accepting LANMan authentication requests.
Password cracking countermeasures
Choosing Strong NT Passwords
The best defense against password cracking is decidedly nontechnical, but is nevertheless probably the most difficult to implement: picking good passwords. Picking dictionary words or writing passwords on sticky notes under keyboards will forever be the bane of network administrators, but perhaps the following explanation of some of the inherent weaknesses in NT's password obfuscation algorithms will light some fires under the toes of your user community.
NT relies on two separate encrypted versions of a user's password, the LANMan version (LM hash) and the NT version (NT hash), both of which are stored in the SAM (Security Accounts Manager). The SAM contains the usernames and encrypted passwords of all users on the local system, or of the domain if the machine in question is a domain controller.
The most critical weakness of the LM hash is its separation of passwords into two 7-character halves. Thus, an 8-character password will be interpreted as one 7-character password and one 1-character password. Tools such as L0phtCrack take advantage of this weak design to simultaneously crack both halves of the password as if they were separate passwords. To ensure a password composition that does not fall prey to attack using L0phtCrack, choose passwords that are exactly 7 or 14 characters in length.
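The "7 or 14 characters" rule is easier to enforce than to explain, so here is an added example (not the page author's code) that models the two LM properties the text describes: the password is upper-cased and split into two 7-character halves that are attacked independently. It does not compute an LM hash; it is a policy checker an administrator could run against proposed passwords to flag the ones whose second half is trivially short. The 68-character alphabet size is an assumption used only for the guess-count estimate (one case of letters, digits, and ASCII punctuation).

```python
"""Why the LM hash's 7+7 split matters for password policy.

Added example for this page (not the author's code). Models only the
structural weakness described in the text: upper-casing, truncation to 14
characters, and the split into two 7-character halves that are cracked
separately. No hash is computed here.
"""
import string

LM_MAX_LEN = 14      # LM covers at most 14 characters of the password
HALF_LEN = 7         # each half is hashed (and attacked) on its own
# Assumed alphabet after LM's case folding: one case of letters, digits, punctuation.
LM_ALPHABET_SIZE = len(string.ascii_uppercase) + len(string.digits) + len(string.punctuation)


def lm_halves(password: str) -> tuple:
    """Upper-case, truncate to 14, and split into the two halves LM hashes separately."""
    folded = password.upper()[:LM_MAX_LEN]
    return folded[:HALF_LEN], folded[HALF_LEN:]


def half_search_space(half: str) -> int:
    """Estimated number of candidates for one half: alphabet^length
    (an empty half leaves nothing to guess)."""
    return LM_ALPHABET_SIZE ** len(half) if half else 1


def lm_policy_report(password: str) -> dict:
    """Describe how LM would treat ``password`` and which weaknesses apply."""
    first, second = lm_halves(password)
    return {
        "halves": (first, second),
        # Mixed case adds nothing to LM strength because it is folded away.
        "case_folded": password.upper() != password,
        # Anything beyond 14 characters is simply ignored by LM.
        "truncated": len(password) > LM_MAX_LEN,
        # An 8..13 character password leaves a 1..6 character second half.
        "weak_second_half": 0 < len(second) < HALF_LEN,
        # The attacker goes after the easier half first.
        "weakest_half_guesses": min(
            (half_search_space(h) for h in (first, second) if h), default=1
        ),
        "recommended_length": len(password) in (HALF_LEN, LM_MAX_LEN),
    }


def passes_lm_policy(password: str) -> bool:
    """The rule the page gives: exactly 7 or 14 characters, so no short second half."""
    report = lm_policy_report(password)
    return report["recommended_length"] and not report["weak_second_half"]


if __name__ == "__main__":
    for candidate in ("Password", "Abc!123", "Abc!123Def$456"):   # constructed samples
        print(candidate, passes_lm_policy(candidate), lm_policy_report(candidate))
```

Running the checker on an 8-character password such as "Password" shows the point the text makes: the second half is the single character "D", so the attacker only has to guess one character to recover it, no matter how strong the first seven look. Disabling LANMan authentication as described above removes the weak hash from the wire; this check addresses what is stored.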

Protecting the SAM

Restricting access to the SAM file is also critical, of course. Physically locking servers is the only way to prevent someone from walking up with a floppy and booting to DOS to grab the SAM, or copying the backup SAM._ from the repair folder.
Implementing SYSKEY
The SYSKEY SAM encryption enhancement was introduced after the release of Service Pack 2. SYSKEY establishes a 128-bit cryptographic password encryption key, as opposed to the 40-bit mechanism that ships by default. It can be configured by selecting Start Menu, Run, and typing SYSKEY.
Updating Security
Apply the most recent Service Packs and hotfixes. The major motivation behind many of the patches released by Microsoft is security, and there is often no other recourse for some kernel-level vulnerabilities such as getadmin. NT hotfixes can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/.

8. How to secure a Windows 2000 professional machine?
