Reducing a computer's vulnerability to hackers is much like
using anti-theft devices and common sense to guard against
your car being broken into. Strangely, few people would leave
their keys in the ignition while away from their vehicle,
yet most might as well hand over their workstations and servers
to the lowliest hacker as they don't have any security in
place.
Just like vehicle protection measures, you can stop a lot
of potential intruders but never all. Most hackers are of
the "script kiddie" variety, non-programmers using
commonly available hacker tools to penetrate systems if only
for their own amusement. Since their skills are limited, they
hunt for the easy kill rather than a challenge, so our mission
here is to make your computer as unattractive as possible.
The rules outlined below are a checklist of things you must
do to properly secure your system. At the end of this article
you'll find useful links that will help you actually implement
these measures.
Rule 1: Mind your passwords. It is simply incredible
that in this day and age most computer users persist in choosing
the weakest passwords, typically because they're easy to remember.
Forget convenience: Under no circumstance should you ever
use real words or combinations of real words, nor should you
use numbers that have any significance to you such as your
birth date. Script kiddies will use password guessing tools
and it might take only seconds to guess yours. Additionally,
using the same or similar password everywhere is foolish,
sort of like leaving your credit cards and house keys in your
car! The best policy is to use random sequences of characters
for passwords.
Rule 2: Use encrypted connections. The Internet tools
most commonly used on workstations and servers are inherently
insecure. For instance, never use the popular Telnet, POP,
or FTP programs unless passwords are passed in a strongly
encrypted format over the Internet. Sadly, authentication
is typically in plain text, which makes life easy for hackers
using packet sniffers to automatically grab scores of plain
text passwords from Internet noise while they sleep. Remote
shell sessions such as with telnet should be completely encrypted
if you use such sessions to switch to other userids or root
id, unless you want to give script kiddies a big break! SSH
is the best substitute for Telnet and can also be used instead
of FTP. By the same token, sensitive information should NEVER
be sent via email. Note that any encryption between client
and server requires that both ends support the encryption
method.
Rule 3: Hide! Cloaking your computer's Internet presence
via a firewall is the first line of defense. All hackers use
scanning tools to quickly find weaknesses in a computer's
Internet interfaces. Firewalls work at the packet level and
not only can detect scan attempts but also block them, thus
making your system look unattractive or even hide its existence
altogether.
Rule 4: Don't trust anybody! Be very careful about
what programs you download from the Internet. In particular, do not
install software from little-known sites. Programs can
hide "trojans" that once launched will modify your
system and/or connect to remote servers without your knowledge,
perhaps allowing hackers to slip into your system. Nowadays,
most download sites will include a checksum or signature, typically
an MD5 hash or a PGP signature, which can be used to verify that the program
is authentic before you install it. It's not too paranoid
to make it a rule to never trust anything from the Internet,
as even the biggest website could be subverted by hackers
and you wouldn't notice.
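
The checksum check from Rule 4, as an added example that is not part of the original article: it parses a published line in the `md5sum`/`sha256sum` layout, picks the hash by digest length, and compares it with the downloaded file. The file name and payload are constructed sample values.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def parse_checksum_line(line):
    """Parse one '<hex digest>  <filename>' line as written by md5sum/sha256sum."""
    digest, _, name = line.strip().partition(" ")
    # '*' before the name marks binary mode in the coreutils format.
    digest, name = digest.lower(), name.lstrip(" *")
    if len(digest) not in ALGO_BY_HEX_LEN or not set(digest) <= set("0123456789abcdef"):
        raise ValueError("not a recognised checksum line: %r" % line)
    return ALGO_BY_HEX_LEN[len(digest)], digest, name


def file_digest(path, algo, chunk_size=65536):
    """Hash the file in chunks so large downloads do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, checksum_line):
    """Return True only if the file's digest matches the published one."""
    algo, expected, _ = parse_checksum_line(checksum_line)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo():
    """Constructed sample: a 'download' checked before and after it is modified."""
    payload = b"constructed sample payload\n"
    published = hashlib.sha256(payload).hexdigest() + "  tool-1.0.tar.gz"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool-1.0.tar.gz")
        with open(path, "wb") as fh:
            fh.write(payload)
        ok_before = verify_download(path, published)
        with open(path, "ab") as fh:  # simulate a file altered after publication
            fh.write(b"extra bytes")
        return ok_before, verify_download(path, published)


if __name__ == "__main__":
    print(demo())
```

A checksum fetched from the same site as the file catches corruption or a tampered mirror, but not a subverted site that replaces both; the PGP signature covers that case and is not shown here.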
Rule 5: If you're managing a server, limit what other
users can do on the system. From limiting them to certain
areas of the filesystem and which applications they can run
to limiting their memory and process usage, there are many
things you can do to reduce the serious risk posed by reckless
users.
Rule 6: Keep your system up to date. Vulnerabilities
are continuously being found in popular programs and operating
system kernels, some of which might allow an intruder to gain
root access to your system. Unfortunately, word of such "holes"
travels quickly in hackerdom, so it's important to be on top
of them yourself. Software creators post "patches"
and/or new versions of their programs to fix those defects.
It's hard to keep track of them all, but you can save yourself
a lot of grief by subscribing to mailing lists that warn you
of such incidents. Again, software producers often maintain
such lists themselves, as do sites specializing in computer
security, and it's usually free to subscribe. You can also
reduce the risks by avoiding using new applications or those
that have a long history of vulnerabilities.
Rule 7: Disconnect from the Internet when you're not
actually using it. This is the ultimate protection to stop
intrusions, but of course it doesn't stop trojans unless you
literally unplug your physical connection. In the case of
servers, where your connection is always on, disable any daemons
that aren't needed or seldom used. Note that the daemons running
by default on a newly installed operating system are quite
often the most vulnerable, and most hosting services won't
bother to disable them for you.
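
One way to find the daemons Rule 7 says to disable, as an added example that is not part of the original article: it reads a table in the Linux `/proc/net/tcp` layout and reports listeners reachable from other hosts whose port is not on a list of needed services. The sample table and the needed-port list are constructed for illustration.

```python
import socket
import struct

TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in the Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:0016 0200000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""


def decode_addr(field):
    """Turn '0100007F:0019' into ('127.0.0.1', 25); the IP is little-endian, as on x86."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Return (ip, port) pairs in LISTEN state, sorted by port then address."""
    found = []
    for line in table_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) > 3 and cols[3] == TCP_LISTEN:
            found.append(decode_addr(cols[1]))
    return sorted(found, key=lambda a: (a[1], a[0]))


def unexpected_listeners(table_text, needed_ports):
    """Listeners reachable from other hosts whose port is not on the needed list."""
    return [(ip, port) for ip, port in listening_sockets(table_text)
            if not ip.startswith("127.") and port not in needed_ports]


if __name__ == "__main__":
    # Only SSH (22) is treated as needed here; the Telnet listener on 23 is reported.
    print(unexpected_listeners(SAMPLE_PROC_NET_TCP, {22}))
```

On a live Linux host, pass the contents of `/proc/net/tcp` instead of the sample; IPv6 listeners are in `/proc/net/tcp6`, which uses a wider address field that this example does not decode.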
Rule 8: Don't continue using a computer that you know
has been compromised by hackers. To do so allows the hacker
to potentially gain access to more systems and exposes you
to the possible theft of some of your sensitive data. The
only solution is to reformat the hard disk(s) and re-install
the operating system, or smash your computer to bits if you
prefer!
Rule 9: Use every security mechanism you can, not
just one or a few. They serve different purposes and thus
complement each other. Always rolling up the car windows and
locking the doors is a good start, but you wouldn't really
call that a security system, would you?!
Stick to the rules or let the script kiddies rule the day!
Some useful links you can follow to get further knowledge
on the subjects discussed today:
SSH:
http://www.ssh.com
http://www.openssh.org
http://www.fsecure.com
Vulnerability reports:
http://www.securityfocus.org
http://cve.mitre.org
Firewalls:
http://www.zonelabs.com
http://www.firewallguide.com
Hacking:
Yahoo! Directory of Hacking
AUTHOR:
Tom Germain has been our ace programmer here at iEntry.com.
He has expertise in several different languages and operating systems.
Basically, he's just a geek stud. -Pete