Null or Default Passwords | Leaving administrative passwords blank or using a default
password provided by the application package. This is most common in
hardware such as routers and BIOSes, though some services that run
on Linux can contain default administrator passwords (though Red Hat Linux
does not ship with them) | Commonly associated with networking
hardware such as routers, firewalls, VPNs and network attached
storage (NAS) appliances; | Common in many
legacy operating systems, especially OSes that bundle services,
such as UNIX and Windows; | Administrators
sometimes create privileged users in a rush and leave the
password null, a perfect entry point for malicious users who
discover the account |
|
Default Shared Keys | Secure services sometimes
package default security keys for development or evaluation testing
purposes. If these keys are left unchanged and placed in a
production environment on the Internet, any
user with the same default keys has access to that shared-key
resource and to any sensitive information contained in it | Most common in wireless APs and
preconfigured secure server appliances | CIPE (refer
to Chapter 6 Virtual Private Networks) contains a sample static key that must
be changed before moving to a production
environment |
|
IP Spoofing | A remote machine acts as a node on
your local network, finds vulnerabilities with your servers, and
installs a backdoor program or trojan to gain control over your
network resources. | Spoofing is
quite difficult as it involves the attacker predicting TCP/IP
SYN-ACK numbers to coordinate a connection to target systems, but
several tools are available to assist crackers in exploiting such a
vulnerability | Depends on the target system running
services (such as rsh, telnet,
FTP and others) that use source-based
authentication techniques, which are not usually recommended
compared to PKI or other forms of encrypted authentication as used
in ssh or SSL/TLS. |
|
Eavesdropping | Collecting data that passes between two active nodes on a
network by eavesdropping on the connection between the two
nodes. | This type of attack works mostly with plain text transmission
protocols such as telnet, FTP, and HTTP transfers. | The remote attacker must have access to a compromised
system on a LAN in order to perform such an attack; usually
the cracker has used an active attack (such as IP spoofing or
Man-in-the-middle) to compromise a system on the LAN | Preventative measures include services with
cryptographic key exchange, one-time passwords, or encrypted
authentication to prevent password snooping; strong encryption
during transmission is also advised |
|
Service Vulnerabilities | An attacker finds a
flaw or loophole in a service run over the Internet; through this
vulnerability, the attacker compromises the entire system and
any data that it may hold and could possibly compromise other
systems on the network. | HTTP-based services such as CGI are
vulnerable to remote command executions and even shell access. Even
if the HTTP service runs as a non-privileged user such as "nobody",
information such as configuration files and network maps can be
read, or the attacker can start a denial of service attack which
drains system resources or renders it unavailable to other
users. | Services can sometimes have vulnerabilities
that go unnoticed during development and testing; these
vulnerabilities include buffer overflows,
where attackers gain access by filling addressable memory with a
quantity over what is acceptable by the service, crashing the
service and giving the attacker an interactive command prompt from
which they may execute arbitrary commands. | Administrators should make sure that services do not run
as the root user, and should stay vigilant for patches and errata updates for
their applications from vendors or security organizations such as
CERT and CVE. |
|
Application Vulnerabilities | Attackers find
faults in desktop and workstation applications such as e-mail
clients and execute arbitrary code, implant trojans for future
compromise, or crash systems. Further exploitation can occur if
the compromised workstation has administrative privileges on the
rest of the network. | Workstations and desktops are more prone to exploitation
than servers run by an administrator because workers do not have
the expertise or experience to prevent or detect a compromise; it is
imperative to inform individuals of the risks they are taking when
they install unauthorized software or open unsolicited
mail | Safeguards can be implemented such that
email client software does not automatically open or execute
attachments. Additionally, the automatic updating of workstation
software via Red Hat Network or other system management service can
alleviate the burdens of multi-seat security
deployments. |
|
Denial of Service (DoS) Attacks | An attacker or
group of attackers coordinates an attack on network or server
resources by sending unauthorized packets to the target machine
(either server, router, or workstation). This forces the resource
to become unavailable to legitimate users. | The most reported DoS case occurred in
2000 when several highly-trafficked sites were rendered
unavailable by a coordinated ping flood attack using several
compromised systems with high bandwidth connections acting as
redirected broadcasters | Source packets are
usually forged (as well as rebroadcast), making investigation into
the true source of the attack difficult. | Advances
in ingress filtering (IETF RFC 2267) and Network IDS technology
assist administrators in tracking down and preventing distributed
DoS attacks. |
|
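
For the Null or Default Passwords row above, an audit that lists accounts with an empty password field and puts UID 0 accounts first. This is an added example, not part of the original guide; the function names and the account entries (including the placeholder hash) are constructed for illustration.

```python
# Constructed sample data in /etc/passwd and /etc/shadow format (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
tmpadmin:x:0:0:temporary admin:/root:/bin/bash
backup::501:501::/home/backup:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholderhash:12000:0:99999:7:::
nobody:*:12000:0:99999:7:::
alice:!!:12000:0:99999:7:::
tmpadmin::12000:0:99999:7:::
"""


def parse_entries(text, min_fields):
    """Split colon-separated account lines, skipping blanks, comments and short lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                rows.append(fields)
    return rows


def audit_null_passwords(passwd_text, shadow_text):
    """Return accounts whose password field is empty, UID 0 accounts first."""
    passwd = {f[0]: f for f in parse_entries(passwd_text, 7)}
    # An empty second field in passwd means no password and no shadow indirection.
    null_users = {user for user, f in passwd.items() if f[1] == ""}
    # In shadow, "" is a null password; "*", "!" and "!!" mark locked accounts, not null ones.
    null_users.update(f[0] for f in parse_entries(shadow_text, 2) if f[1] == "")
    findings = []
    for user in null_users:
        uid = passwd[user][2] if user in passwd else None
        findings.append({"user": user, "uid": uid, "privileged": uid == "0"})
    return sorted(findings, key=lambda f: (not f["privileged"], f["user"]))


if __name__ == "__main__":
    for f in audit_null_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        level = "PRIVILEGED" if f["privileged"] else "user"
        print(f"null password: {f['user']} (uid={f['uid']}, {level})")
```

On a live system the same function can be given the contents of /etc/passwd and /etc/shadow, which requires root to read the latter.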