Exploit: Null or Default Passwords
Description: Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords (though Red Hat Enterprise Linux does not ship with them).
Notes:
  - Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances.
  - Common in many legacy operating systems, especially OSes that bundle services (such as UNIX and Windows).
  - Administrators sometimes create privileged user accounts in a rush and leave the password null, a perfect entry point for malicious users who discover the account.

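The third note describes accounts left with a null password. The audit below is an added example (not part of the Security Guide) that finds such accounts in passwd/shadow-format data and also lists every UID 0 account other than root, since a rushed "emergency admin" account is usually created that way. The sample passwd and shadow lines are constructed; on a real system the same functions would be fed /etc/passwd and /etc/shadow (reading the latter requires root).

```python
"""Audit passwd/shadow-format data for null passwords and extra UID-0 accounts."""

# Constructed sample data in /etc/passwd and /etc/shadow format.
# A real run would read /etc/passwd and /etc/shadow instead.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0:emergency admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedpasswordvalue:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Split a colon-separated account file into field lists, skipping blanks/comments."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def find_null_passwords(shadow_text):
    """Accounts whose shadow password field is empty.

    An empty field means login without any password.  This is different
    from '*' or '!!', which lock the account, and from a hash, which
    requires the password.
    """
    return sorted(row[0] for row in parse_colon_file(shadow_text) if row[1] == "")


def find_uid0_accounts(passwd_text):
    """All accounts with UID 0; anything besides root deserves review."""
    return sorted(row[0] for row in parse_colon_file(passwd_text) if row[2] == "0")


def audit_accounts(passwd_text, shadow_text):
    """Return (account, reason) findings for the two checks above."""
    findings = []
    for name in find_null_passwords(shadow_text):
        findings.append((name, "empty password field: login without a password"))
    for name in find_uid0_accounts(passwd_text):
        if name != "root":
            findings.append((name, "UID 0 account other than root"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {reason}")
```

The two checks are deliberately separate: a null password on an unprivileged account is still a problem, and a second UID 0 account with a strong password is still worth knowing about.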
Exploit: Default Shared Keys
Description: Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, all users with the same default keys have access to that shared-key resource, and any sensitive information contained in it.
Notes:
  - Most common in wireless access points and preconfigured secure server appliances.
  - CIPE (refer to Chapter 6, Virtual Private Networks) contains a sample static key that must be changed before deployment in a production environment.

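One way to catch a sample key that was never replaced is to keep the fingerprints of every key a product ships for evaluation and compare deployed key material against them. The script below is an added example, not code from the Security Guide or from CIPE: the "vendor sample key" and the deployed keys are constructed placeholders, and the hex-text handling reflects the common practice of storing static keys as hex in configuration files.

```python
"""Flag deployed shared keys that still match a vendor's shipped sample key."""
import hashlib

# Constructed placeholder standing in for a key that ships in a product's
# example configuration.  A real audit would list the real sample keys.
VENDOR_SAMPLE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def normalize(key_material):
    """Return raw key bytes from either bytes or hex text.

    Config files usually hold keys as hex, often wrapped or spaced, so
    whitespace is removed before decoding.  Text that is not hex is
    treated as a raw passphrase-style key.
    """
    if isinstance(key_material, str):
        text = "".join(key_material.split())
        try:
            return bytes.fromhex(text)
        except ValueError:
            return text.encode("utf-8")
    return bytes(key_material)


def fingerprint(key_material):
    """SHA-256 of the normalized key; only fingerprints are stored, never keys."""
    return hashlib.sha256(normalize(key_material)).hexdigest()


# Fingerprint set of known sample keys (one constructed entry here).
KNOWN_SAMPLE_FINGERPRINTS = {
    fingerprint(VENDOR_SAMPLE_KEY): "vendor sample key (constructed placeholder)",
}


def check_key(key_material):
    """Return a reason string if the key is unacceptable, else None."""
    raw = normalize(key_material)
    fp = hashlib.sha256(raw).hexdigest()
    if fp in KNOWN_SAMPLE_FINGERPRINTS:
        return "matches " + KNOWN_SAMPLE_FINGERPRINTS[fp]
    if len(set(raw)) <= 1:
        # All-zero or single-byte keys are not secrets either.
        return "degenerate key (single repeated byte)"
    return None


def audit_keys(deployed):
    """deployed: {name: key material}.  Returns [(name, reason)] for bad keys."""
    findings = []
    for name, key in deployed.items():
        reason = check_key(key)
        if reason is not None:
            findings.append((name, reason))
    return findings


# Constructed deployed keys: the first is the sample key written as
# spaced hex, the second is all zeros, the third is a proper random key.
DEPLOYED_KEYS = {
    "vpn-prod": "0011 2233 4455 6677 8899 aabb ccdd eeff\n"
                "0011 2233 4455 6677 8899 aabb ccdd eeff\n",
    "vpn-lab": b"\x00" * 32,
    "vpn-dr": bytes.fromhex(
        "7f3a9c1e5b2d8f60a4c7e19b3d5f7a2c8e0b4d6f1a3c5e7b9d2f4a6c8e0b1d3f"
    ),
}

if __name__ == "__main__":
    for name, reason in audit_keys(DEPLOYED_KEYS):
        print(f"{name}: {reason}")
```

Storing fingerprints rather than the sample keys themselves keeps the audit tool from becoming one more place the keys live.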
Exploit: IP Spoofing
Description: A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or trojan horse to gain control over your network resources.
Notes:
  - Spoofing is quite difficult, as it involves the attacker predicting the TCP sequence numbers exchanged in the SYN-ACK handshake to coordinate a connection to target systems, but several tools are available to assist crackers in carrying out such an attack.
  - Depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS.

Exploit: Eavesdropping
Description: Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes.
Notes:
  - This type of attack works mostly with plain text transmission protocols such as Telnet, FTP, and HTTP transfers.
  - The remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN.
  - Preventive measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised.

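The first note lists the protocols whose credentials cross the wire in the clear. A network IDS or a periodic capture review can confirm whether any of them are still in use. The detector below is an added example, not from the Security Guide: it scans constructed TCP payload samples for FTP, Telnet and HTTP Basic logins and reports the protocol and account name so the password can be rotated and the service moved to an encrypted alternative. It records usernames only, never the password itself, so the report does not become a second copy of the leaked secret.

```python
"""Detect cleartext authentication in captured TCP payloads (defender's view)."""
import base64
import re

# Constructed sample payloads as (destination port, reassembled payload text).
# In practice these would come from reassembled streams of a packet capture.
SAMPLE_STREAMS = [
    (21, "220 ftp ready\r\nUSER alice\r\n331 Password required\r\nPASS s3cret\r\n"),
    (80, "GET /admin HTTP/1.1\r\nHost: intranet\r\n"
         "Authorization: Basic YWxpY2U6czNjcmV0\r\n\r\n"),
    (23, "login: bob\r\nPassword: hunter2\r\n"),
    (443, "\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),  # TLS handshake, nothing readable
]

FTP_USER = re.compile(r"^USER\s+(\S+)", re.M)
FTP_PASS = re.compile(r"^PASS\s+\S+", re.M)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M | re.I)
TELNET_LOGIN = re.compile(r"login:\s*(\S+)", re.I)
TELNET_PASSWORD = re.compile(r"Password:\s*\S+", re.I)


def basic_auth_user(token):
    """Username from an HTTP Basic token; the password part is discarded."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded.split(":", 1)[0]


def find_cleartext_credentials(streams):
    """Return one finding per cleartext login seen: protocol, port, username."""
    findings = []
    for port, payload in streams:
        if FTP_PASS.search(payload):
            m = FTP_USER.search(payload)
            findings.append({"protocol": "FTP", "port": port,
                             "user": m.group(1) if m else None})
        m = HTTP_BASIC.search(payload)
        if m:
            findings.append({"protocol": "HTTP Basic", "port": port,
                             "user": basic_auth_user(m.group(1))})
        if TELNET_PASSWORD.search(payload):
            m = TELNET_LOGIN.search(payload)
            findings.append({"protocol": "Telnet", "port": port,
                             "user": m.group(1) if m else None})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_STREAMS):
        print(f"{f['protocol']} on port {f['port']}: account {f['user']} sent a cleartext password")
```

Matching on the protocol's login exchange rather than on the port number means a Telnet or FTP service moved to a non-standard port is still found; the port is reported only to help locate the service.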
Exploit: Service Vulnerabilities
Description: An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network.
Notes:
  - HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders it unavailable to other users.
  - Services sometimes can have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers crash a service using arbitrary values that fill the memory buffer of an application, giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker.
  - Administrators should make sure that services do not run as the root user, and should stay vigilant for patches and errata updates for applications from vendors or security organizations such as CERT and CVE.

Exploit: Application Vulnerabilities
Description: Attackers find faults in desktop and workstation applications (such as e-mail clients) and execute arbitrary code, implant trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network.
Notes:
  - Workstations and desktops are more prone to exploitation as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments.
  - Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments.

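The last note says mail software should not open or execute attachments on its own. The policy check below is an added example, not code from the Security Guide or from any mail client: it parses a constructed MIME message with Python's standard email module and gives each attachment a verdict based on its final file extension, its declared content type, and a content sniff of its first bytes, so that a renamed executable ("invoice.pdf.exe", or an MZ file called "notes.txt") is blocked as well. The blocked-extension list is illustrative, not a vendor's.

```python
"""Decide which e-mail attachments a client or gateway may open automatically."""
import os
from email import message_from_string

# Illustrative policy lists, not taken from any product.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".vbs", ".js"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-executable",
                    "application/x-sh", "application/x-dosexec"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF, script interpreters

# Constructed sample message with three attachments: a real PDF, a
# double-extension executable, and an executable disguised as a text file.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: alice@example.invalid
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""


def attachment_verdict(part):
    """'block' for executable content, otherwise 'allow'."""
    filename = (part.get_filename() or "").lower()
    # splitext keeps only the final extension, so "invoice.pdf.exe" -> ".exe".
    ext = os.path.splitext(filename)[1]
    if ext in BLOCKED_EXTENSIONS or part.get_content_type() in EXECUTABLE_TYPES:
        return "block"
    payload = part.get_payload(decode=True) or b""
    # Content sniffing catches executables renamed to a harmless extension.
    if payload.startswith(EXECUTABLE_MAGIC):
        return "block"
    return "allow"


def scan_message(raw_message):
    """Return [(filename, verdict)] for every attachment in the message."""
    msg = message_from_string(raw_message)
    results = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            results.append((part.get_filename(), attachment_verdict(part)))
    return results


if __name__ == "__main__":
    for name, verdict in scan_message(SAMPLE_MESSAGE):
        print(f"{name}: {verdict}")
```

The three signals are checked independently because each one alone is easy to defeat: the extension can be renamed, the content type is whatever the sender declares, and magic bytes are absent for scripts that are not interpreter-prefixed.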
Exploit: Denial of Service (DoS) Attacks
Description: An attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users.
Notes:
  - The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as zombies, or redirected broadcast nodes.
  - Source packets are usually forged (as well as rebroadcast), making investigation as to the true source of the attack difficult.
  - Advances in ingress filtering (IETF RFC 2267) using iptables and network IDSes such as Snort assist administrators in tracking down and preventing distributed DoS attacks.

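The last note points to ingress filtering as the countermeasure to forged source addresses, and the IP Spoofing entry above describes the same forgery used to impersonate a local node. The script below is an added example, not from the Security Guide: it models in Python the decision an RFC 2267 anti-spoofing ruleset makes (a packet arriving on the Internet-facing interface must not carry one of our own addresses or a bogon source, and a packet on the LAN interface must carry a LAN address), then counts the ICMP echo requests that survive the filter per source per second to flag a ping flood. The interfaces, address ranges (RFC 5737 documentation prefixes) and packet records are constructed.

```python
"""RFC 2267 style ingress filtering plus a simple ICMP echo-flood detector."""
import ipaddress
from collections import defaultdict

# Constructed topology: eth0 faces the LAN, eth1 faces the Internet.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
LAN_IFACE, WAN_IFACE = "eth0", "eth1"

# Prefixes that have no business appearing as a source on the Internet side.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4",
)]


def ingress_verdict(iface, src):
    """Return 'accept' or 'drop' for a packet with source src arriving on iface."""
    addr = ipaddress.ip_address(src)
    if iface == LAN_IFACE:
        # Only our own prefix may originate on the LAN side.
        return "accept" if addr in INTERNAL_NET else "drop"
    if iface == WAN_IFACE:
        # Our own prefix coming from outside is spoofed; bogons are forged too.
        if addr in INTERNAL_NET or any(addr in net for net in BOGONS):
            return "drop"
        return "accept"
    raise ValueError(f"unknown interface {iface}")


def detect_icmp_flood(packets, window=1.0, threshold=100):
    """packets: iterable of (time, iface, src, proto).

    Counts ICMP echo requests that pass ingress filtering, per source and
    per time window, and returns the sources that exceeded the threshold.
    Dropped (spoofed) packets are not counted: they never reach the host.
    """
    counts = defaultdict(int)
    for t, iface, src, proto in packets:
        if proto != "icmp-echo" or ingress_verdict(iface, src) != "accept":
            continue
        counts[(src, int(t // window))] += 1
    return sorted({src for (src, _), n in counts.items() if n > threshold})


# Constructed traffic: one outside host sending 150 echo requests in 0.15 s,
# one sending 5 in half a second, and 200 packets spoofing our own prefix.
SAMPLE_PACKETS = (
    [(0.001 * i, WAN_IFACE, "203.0.113.5", "icmp-echo") for i in range(150)]
    + [(0.1 * i, WAN_IFACE, "198.51.100.9", "icmp-echo") for i in range(5)]
    + [(0.5, WAN_IFACE, "192.0.2.7", "icmp-echo")] * 200
)

if __name__ == "__main__":
    print("flooding sources:", detect_icmp_flood(SAMPLE_PACKETS))
```

The LAN-side rule in ingress_verdict is the same decision an iptables rule such as `iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP` makes for the WAN side; keeping the logic in a testable function lets the address plan be checked before the rules are pushed to the router.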