Null or Default Passwords

Leaving administrative passwords blank or using a default password provided by the application package. This
is most common in hardware such as routers and BIOSes, though some services that run on Linux can contain default
administrator passwords (though Red Hat Linux does not ship with them).

- Commonly associated with networking hardware such as routers, firewalls, VPNs and network attached storage (NAS)
  appliances.
- Common in many legacy operating systems, especially OSes that bundle services, such as UNIX and Windows.
- Administrators sometimes create privileged users in a rush and leave the password null, a perfect entry point
  for malicious users who discover the user.

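Added example (not code from the guide): a small audit that parses /etc/shadow-style records and reports accounts whose password field is empty, the null passwords described above, alongside locked accounts and, going slightly beyond the entry, hashes still using the legacy MD5-crypt scheme. The records are constructed; the file path argument and category names are assumptions of this example.

```python
"""Audit /etc/shadow-style records for null (empty) password fields.

Added example, not code from the guide. The sample records below are
constructed; on a real system read /etc/shadow as root and pass its path.
"""
import sys
from typing import Dict, List

# Constructed sample in /etc/shadow layout:
# name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$Zm9vYmFyYmF6cXV4MDEyMzQ1Njc4OTBhYmNkZWZnaGlqa2xtbm9wcXJz:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
daemon:!!:19000:0:99999:7:::
backupadm::19000:0:99999:7:::
svc_legacy:$1$abcdefgh$0123456789abcdefghijklm:19000:0:99999:7:::
"""

def parse_shadow(text: str) -> List[Dict[str, str]]:
    """Return name and password field of each record; reject malformed lines."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 colon-separated fields")
        records.append({"name": fields[0], "password": fields[1]})
    return records

def classify(password_field: str) -> str:
    """Map the password field to one of: null, locked, weak_hash, hashed."""
    if password_field == "":
        return "null"        # empty field: the account can log in with no password
    if password_field[0] in "!*":
        return "locked"      # no password can match; password login is disabled
    if password_field.startswith("$1$"):
        return "weak_hash"   # MD5-crypt, a legacy scheme that should be re-hashed
    return "hashed"

def audit(text: str) -> Dict[str, List[str]]:
    """Group account names by the category of their password field."""
    report: Dict[str, List[str]] = {"null": [], "locked": [], "weak_hash": [], "hashed": []}
    for record in parse_shadow(text):
        report[classify(record["password"])].append(record["name"])
    return report

def null_password_accounts(text: str) -> List[str]:
    return audit(text)["null"]

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for category, names in audit(source).items():
        print(f"{category:10s} {', '.join(names) or '-'}")
```
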
Default Shared Keys

Secure services sometimes package default security keys for development or evaluation testing purposes. If these
keys are left unchanged and placed in a production environment on the Internet, any user with the same default
keys has access to that shared-key resource and any sensitive information contained in it.

- Most common in wireless APs and preconfigured secure server appliances.
- CIPE (refer to Chapter 6 Virtual Private Networks) contains a sample static key that must be changed before
  moving to a production environment.

IP Spoofing

A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs
a backdoor program or trojan to gain control over your network resources.

- Spoofing is quite difficult as it involves the attacker predicting TCP/IP SYN-ACK numbers to coordinate a
  connection to target systems, but several tools are available to assist crackers in performing such an attack.
- Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based
  authentication techniques, which are not usually recommended compared to PKI or other forms of encrypted
  authentication as used in ssh or SSL/TLS.

Eavesdropping

Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the
two nodes.

- This type of attack works mostly with plain-text transmission protocols such as telnet, FTP, and HTTP transfers.
- A remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually
  the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the
  LAN.
- Preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted
  authentication to prevent password snooping; strong encryption during transmission is also advised.

Service Vulnerabilities

An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker
compromises the entire system and any data that it may hold, and could possibly compromise other systems on
the network.

- HTTP-based services such as CGI are vulnerable to remote command execution and even shell access. Even if the
  HTTP service runs as a non-privileged user such as "nobody", information such as configuration files
  and network maps can be read, or the attacker can start a denial of service attack which drains system resources
  or renders it unavailable to other users.
- Services sometimes have vulnerabilities that go unnoticed during development and testing. One such vulnerability
  is the buffer overflow, where attackers gain access by filling addressable memory with more data than the service
  accepts, crashing the service and giving the attacker an interactive command prompt from which they may execute
  arbitrary commands.
- Administrators should make sure that services do not run as the root user, and should stay vigilant for patches
  and errata updates for their applications from vendors or security organizations such as CERT and CVE.

Application Vulnerabilities

Attackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code,
implant trojans for future compromise, or crash systems. Further exploitation can occur if the compromised workstation
has administrative privileges on the rest of the network.

- Workstations and desktops are more prone to exploitation because workers do not have the expertise or experience
  to prevent or detect a compromise that administrators running servers have; it is imperative to inform individuals
  of the risks they take when they install unauthorized software or open unsolicited mail.
- Safeguards can be implemented such that e-mail client software does not automatically open or execute attachments.
  Additionally, the automatic updating of workstation software via Red Hat Network or another system management
  service can alleviate the burdens of multi-seat security deployments.

Denial of Service (DoS) Attacks

An attacker or group of attackers coordinates an attack on network or server resources by sending unauthorized
packets to the target machine (either server, router, or workstation). This forces the resource to become
unavailable to legitimate users.

- The most widely reported DoS case occurred in 2000, when several highly trafficked sites were rendered unavailable
  by a coordinated ping flood attack using several compromised systems with high-bandwidth connections acting as
  redirected broadcasters.
- Source packets are usually forged (as well as rebroadcast), making investigation of the true source of the
  attack difficult.
- Advances in ingress filtering (IETF RFC 2267) and network IDS technology assist administrators in tracking down
  and preventing distributed DoS attacks.

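Added example (not code from the guide) of the ingress filtering idea behind RFC 2267 that the last note refers to, which also counters the forged source addresses used in IP spoofing: an edge router drops any packet arriving on a customer-facing interface whose source address lies outside the prefixes assigned to that interface. The interface names, prefixes and packets are constructed; the policy layout is an assumption of this example.

```python
"""Ingress source-address filtering in the spirit of RFC 2267.

Added example, not code from the guide. A hypothetical edge router knows,
per customer-facing interface, which source prefixes may legitimately
arrive on it; anything else is a forged source and is dropped before it
can be relayed onward. All names, prefixes and packets are constructed.
"""
import ipaddress
from collections import Counter

# Constructed policy: prefixes that legitimately originate behind each interface
INGRESS_POLICY = {
    "eth1": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed (ingress interface, source address) samples as seen at the router
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.17"),
    ("eth1", "198.51.100.200"),   # inside 198.51.100.0/24 but outside the assigned /25
    ("eth1", "203.0.113.9"),      # address not assigned to this customer
    ("eth1", "10.0.0.5"),         # private range, not part of the assignment
    ("eth1", "2001:db8:1::beef"), # IPv6 source inside the assigned /48
    ("eth1", "203.0.113.9"),
    ("eth0", "192.0.2.17"),       # interface with no policy: fail closed
]

def compile_policy(policy):
    """Parse prefix strings once so per-packet checks are cheap."""
    return {iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in policy.items()}

def source_permitted(compiled, iface, src):
    """True only if src falls in a prefix assigned to the ingress interface."""
    addr = ipaddress.ip_address(src)
    allowed = compiled.get(iface)
    if allowed is None:
        return False  # unknown interface: drop rather than guess
    return any(addr in net for net in allowed)  # v4 addr in v6 net is simply False

def apply_ingress_filter(policy, packets):
    """Split packets into those forwarded and those dropped as forged."""
    compiled = compile_policy(policy)
    passed, dropped = [], []
    for iface, src in packets:
        (passed if source_permitted(compiled, iface, src) else dropped).append((iface, src))
    return passed, dropped

def forged_source_summary(dropped):
    """Count drops per forged source so repeat offenders stand out in logs."""
    return Counter(src for _, src in dropped)

if __name__ == "__main__":
    ok, bad = apply_ingress_filter(INGRESS_POLICY, SAMPLE_PACKETS)
    print(f"forwarded {len(ok)}, dropped {len(bad)}")
    for src, count in forged_source_summary(bad).most_common():
        print(f"  {src}: {count}")
```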