April 2000
Tom Keating

Tom Vs. Hacker: A True Story

By Tom Keating


The other night I was watching TV, and couldn't help but chuckle at a local phone carrier's commercial that I've seen a dozen times: A young guy is on the phone listening to a listing of movie times. We hear the voice message say, "Welcome to Megaplex 36," and then it proceeds to list the movies and times for each of the 36 theaters. Around the 34th movie listing, that all too familiar call-waiting tone beeps.
How someone cannot find a good movie to see by the 34th listing is beyond me. Perhaps this young gentleman has not heard of the Internet to look up movie listings (moviefone.com, for example)? I thought of one of Bugs Bunny's favorite sayings, "What an imbecile! What an ultra maroon!" But I digress here. Besides, my disparaging thoughts against this commercial character would come back to haunt me later.

You can see the angst on his face as he debates whether he should take the call, or listen for the last few movies. He checks his caller ID, but the caller ID box doesn't work with call-waiting. Alas, the temptation is just too much and he clicks to the other line to see who it is. It's the friend who is joining him at the movies. In a panic, the man yells, "No, no wait," clicks back over to the Cinema MegaPlex line only to be greeted by "Thank you for calling Cinema MegaPlex 36. Goodbye." The commercial ends with the narrator saying, "You want to know who is on the other line, so get caller ID with call waiting service."

DÉJÀ VU
I had a similar experience when my friend called and asked me what's playing at the movies. Instinctively, I booted up my PC, knowing that I would need to access the Internet to check which movies were playing. (I never call the theatre anymore to see what is playing.) After logging on to my PC, I told my friend Vic that I would call him back, since I only had one phone line and only dial-up Internet access at the time. He said (and I quote), "You idiot, why the heck don't you have a cable modem or at least a second phone line? You're a moron, it's only $40 bucks a month for broadband and they have it in your area." Some friend, eh?

Talk about a turn of events. I went from insulting a character on a commercial for using the phone to check movie listings to BEING insulted for having only dial-up Internet access and one phone line in my house. In any event, I let the comment pass until about a week later. Vic called and asked me to surf over to expedia.com to check out flights and hotels for a vacation to Cancun we were planning with some other friends. I sheepishly replied, "I only have one phone line, remember?" After enduring another of his infamous tirades, I decided it was time. It was time to buy a cable modem, cancel my ISP, and endure the extra $20 per month that would no longer be going into my E*trade account!

POWER TOOLS TO INSTALL A MODEM?
I had wanted a cable modem for some time, but I wanted to wait for cable modem prices to drop. With free PCs and free Internet access all the rage, I figured the cable companies might jump on the bandwagon and lower the prices on cable modems to attract Internet subscribers. My theory was right in some respects. Several companies offered $100 rebates or more on cable modems to make the price more attractive. I could wait no longer, so I shelled out the cash at a nearby The Wiz store, which has a deal with our local cable company.

They sold me a 3Com cable modem along with a minimum 2-year service agreement. I drove home, picking up a fellow TMC Labs engineer (Evan Koblentz) along the way, and we proceeded to install the cable modem. The computer in my house was not located anywhere near a coaxial cable outlet, so we decided to draw a coaxial wire from the room above, which does have a cable outlet. Evan proceeded to drill holes in my bedroom floor, leading down to the computer room. Evan drilled about seven holes in my bedroom floor with no success and claimed that he was hitting structural struts in the floor each time. I learned the hard way to keep Evan away from power tools! After taking control of the drill, I was able to drill a hole between the two rooms and draw a cable wire.

We connected the coaxial to the cable modem, connected an RJ45 network wire from the cable modem to my PC, and then turned on my PC. I changed Internet Explorer 5.0 from "Always dial my default connection" to "Never dial a connection," which forced it to use the LAN. Instantly, my home page loaded, and Evan and I shouted, "Woo hoo!" in our best Homer Simpson voices.

YOU WILL BE ASSIMILATED
In any event, with my cable modem installed and working, my next concern was security.

In fact, with the recent crippling of many popular Web sites by an attack called Distributed Denial of Service (DDOS), security was certainly on my mind. These DDOS attacks could have serious repercussions on the CTI and Internet telephony industries. Can you imagine if someone were to flood a large ITSP with a Distributed Denial of Service attack?

Essentially, in this type of attack, a Web site is flooded with massive amounts of traffic generated by an attacker utilizing numerous computers. The attacker's traffic then overwhelms the victim's site, which in turn denies legitimate users access to the site. In the case of an ITSP, this means no dial tone or disconnected Internet phone calls! The attackers boost the bandwidth of their attack by taking over as many connected computers as possible; these compromised computers are called drones or zombies.

An attacker installs software on each of these drone systems and then later on connects to and instructs the drone systems to launch Denial of Service attacks against any selected system. It is nearly impossible to defend against an attack once it has been launched. The targeted site receives an overwhelming flood of traffic from the drone PCs, and the owners of the compromised systems are unwitting participants in the attack. The best defense is to prevent becoming a drone in the first place.
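The article's point is that a distributed flood is many drones sending at once, so on the victim's side it looks different from one busy client: the request rate spikes and the number of distinct source addresses spikes with it. The following is an added example, not code from the article, that applies that distinction to constructed web-server log lines; the log format, the addresses and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not from the article): flag a flood in constructed web-server
log lines by looking for windows where both the request count and the number of
distinct source addresses exceed a threshold. Log format, addresses and thresholds
are assumptions made for this demonstration."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (Common Log Format style): three normal requests, then
# 60 requests in one second from 60 different drone addresses, then 30 requests
# in one second from a single client (noisy, but not distributed).
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Apr/2000:12:00:00 -0400] "GET / HTTP/1.0" 200 1043\n'
    '198.51.100.7 - - [10/Apr/2000:12:00:01 -0400] "GET /movies HTTP/1.0" 200 2201\n'
    '203.0.113.5 - - [10/Apr/2000:12:00:03 -0400] "GET /times HTTP/1.0" 200 812\n'
    + "".join(
        f'192.0.2.{i} - - [10/Apr/2000:12:01:00 -0400] "GET / HTTP/1.0" 200 1043\n'
        for i in range(1, 61)
    )
    + "".join(
        '203.0.113.5 - - [10/Apr/2000:12:02:00 -0400] "GET / HTTP/1.0" 200 1043\n'
        for _ in range(30)
    )
)


def parse_line(line):
    """Return (source_ip, datetime) for one log line, or None if it does not parse."""
    try:
        ip, rest = line.split(" - - [", 1)
        stamp = rest.split("]", 1)[0]
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        return ip, when
    except ValueError:
        return None


def find_floods(log_text, window_seconds=1, max_requests=20, max_sources=10):
    """Bucket requests into fixed windows. A window is reported as a suspected
    distributed flood only when it exceeds BOTH the request threshold and the
    distinct-source threshold; a single noisy client trips only the first.
    Returns a list of (window_start_epoch, request_count, distinct_sources)."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        ip, when = parsed
        start = int(when.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1

    floods = []
    for start in sorted(buckets):
        per_source = buckets[start]
        total = sum(per_source.values())
        if total > max_requests and len(per_source) > max_sources:
            floods.append((start, total, len(per_source)))
    return floods


if __name__ == "__main__":
    for start, total, sources in find_floods(SAMPLE_LOG):
        print(f"window {start}: {total} requests from {sources} distinct sources")
```

The second, single-source burst is deliberately not reported: it exceeds the request threshold but comes from one address, which is a different problem (and a different fix) from a drone network.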

My main PC at home is a Windows 98 machine, which certainly would be vulnerable to attack. My first priority was to ensure the security of this PC to prevent this machine from being assimilated into the collective of other (Borg?) drones which have been compromised. The advantage of dial-up Internet access is that you have a dynamic IP address. The IP address changes every time you connect to the Internet. Another security advantage is that dial-up is very slow, making this an unattractive target for hackers.

Broadband on the other hand is very fast, making it a prime target for hackers. Also, the IP address is usually static on broadband, which means you have the same IP address each time you turn on your PC. This means hackers can find you again even if you turn off your PC and turn it back on later.

RAISING THE FIREWALL
I did some research on personal firewall software and found several good shareware and freeware programs. Many of the firewall software programs I found double as proxy servers as well, which is fortunate since I have two PCs at home. I should point out that cable Internet service providers often charge extra to have a second PC connected to the Internet; using a proxy server is one method of circumventing this restriction. For a short list of some good proxy and firewall utilities, see Table 1.

I haven't tested all of these above programs in-depth, and the list is but a few of several I have found and tested. However, I did install @Home BrowseGate Proxy Server and ZoneAlarm 2.0 and liked both of these programs, especially ZoneAlarm 2.0. Although ZoneAlarm 2.0 is currently only a firewall solution with no Internet sharing/proxying capabilities, it was very impressive for two reasons. Number one, it's very easy to use and configure. It was designed for the home user who doesn't know the difference between an IP address and a subnet mask. The user doesn't need to know anything about IP protocols; the program guides you along the way to ensure that security is tight. Number two, the program is free! This is actually one of the few freeware programs I actually wish was shareware or at least cost me something. I feel guilty that I am using such a wonderful program on my home PC and I didn't have to pay a dime for it.

ZoneAlarm 2.0 In A Nutshell
ZoneAlarm 2.0 starts off with everything locked out. When I launched Internet Explorer for the first time, ZoneAlarm prompted me, "Do you want to allow Internet Explorer to access the Internet?" I could pick yes or no, and there was also a check box for "Remember the answer next time I use this program." I was prompted this message each time I loaded a new program that required Internet access, including the ping command, RealAudio, ICQ, and others. Once I clicked on yes and checked the box to remember the setting, the program is automatically trusted in the future.

Now, if somehow I went to a Web site that surreptitiously installed a drone or zombie on my PC, ZoneAlarm 2.0 would let me know about it. It traps all outbound Internet requests and lets me know about each and every new type of Internet request that I haven't added to its trusted list yet. In many ways, this approach of trapping outbound requests is more powerful than your traditional firewall, which only blocks inbound requests! I should point out that Norton Internet Security 2000 and Conseal Desktop also have this feature according to their product literature.
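The two behaviours described here and in the closing section (default-deny on outbound connections with a remembered per-program answer, and inbound NetBIOS allowed only from the home LAN while everything from the Internet is silently dropped) are easy to model. The following is an added example, not ZoneAlarm's code or anything from the article: the LAN address range, the program names and the prompt callback are assumptions, and the dialog box is simulated by a function that returns the user's answer.

```python
"""Added example (not from the article and not ZoneAlarm's code): a model of a
personal firewall with two rules. Inbound: packets from the Internet zone are
silently dropped (no reply, which is what a port test reports as 'stealth');
the LAN zone may reach the NetBIOS ports for file sharing. Outbound: a program
may connect out only after the user allows it, and a remembered answer stops the
prompt from repeating. LAN range, program names and addresses are assumptions."""
from ipaddress import ip_address, ip_network

NETBIOS_PORTS = {137, 138, 139}          # NetBIOS name, datagram and session ports
LAN = ip_network("192.168.1.0/24")       # assumed home LAN


class PersonalFirewall:
    def __init__(self, ask):
        # ask(program) -> (allowed: bool, remember: bool); stands in for the dialog box
        self.ask = ask
        self.remembered = {}   # program name -> allowed
        self.prompts = 0       # how many times the user was asked
        self.events = []       # decision log, useful when reviewing what was blocked

    def zone(self, src):
        return "lan" if ip_address(src) in LAN else "internet"

    def inbound(self, src, dst_port):
        """Return 'accept' or 'drop'. Nothing is ever accepted from the Internet
        zone; the LAN may use NetBIOS so file sharing between the two PCs works."""
        if self.zone(src) == "lan" and dst_port in NETBIOS_PORTS:
            verdict = "accept"
        else:
            verdict = "drop"
        self.events.append(("in", src, dst_port, verdict))
        return verdict

    def outbound(self, program, dst, dst_port):
        """Default deny for unknown programs: ask the user, honour 'remember'."""
        if program in self.remembered:
            allowed = self.remembered[program]
        else:
            self.prompts += 1
            allowed, remember = self.ask(program)
            if remember:
                self.remembered[program] = allowed
        verdict = "accept" if allowed else "drop"
        self.events.append(("out", program, dst, dst_port, verdict))
        return verdict


def demo():
    """Constructed scenario: the user trusts the browser (and remembers it) and
    refuses an unknown program that tries to phone home. Returns the verdicts
    and the number of prompts shown."""
    answers = {"iexplore.exe": (True, True)}
    fw = PersonalFirewall(ask=lambda prog: answers.get(prog, (False, True)))
    results = {
        "lan_netbios": fw.inbound("192.168.1.20", 139),
        "internet_netbios": fw.inbound("167.206.112.80", 139),   # address from the article
        "internet_web": fw.inbound("203.0.113.9", 80),
        "browser_first": fw.outbound("iexplore.exe", "198.51.100.1", 80),
        "browser_second": fw.outbound("iexplore.exe", "198.51.100.2", 80),
        "unknown_program": fw.outbound("unknown.exe", "203.0.113.50", 6667),  # constructed
    }
    return results, fw.prompts


if __name__ == "__main__":
    verdicts, prompts = demo()
    for name, verdict in verdicts.items():
        print(f"{name:18} {verdict}")
    print(f"user was prompted {prompts} time(s)")
```

The outbound rule is the part the article calls more powerful than a traditional firewall: a drone that was installed without the user's knowledge still has to get past the prompt before it can take orders from anyone.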

THINGS GET INTERESTING
Just after installing ZoneAlarm 2.0 and rebooting my PC, I immediately received a warning that IP Address 167.206.112.80 was attempting access to my PC. This was a bit disconcerting to say the least, but I thought it could be a false alarm, as is often the case with intrusion detection systems. The IP address did not look familiar and wasn't at all similar to my IP address, indicating that it probably didn't come from my ISP. I went to SpamCop to do a reverse lookup on this IP address and see if it's a known spammer. The only useful information I was able to get was that the machine was actually a Web server with the URL fear.cv.net. Fear? Was this a hidden message by the hacker? As in, "fear me"? I typed in this URL, but the Web server only contained Apache manuals.

When I dropped the "fear" part and replaced it with "www" I was redirected to Cablevision's Web site. Phew! Maybe Cablevision (my ISP) sends out packets to verify that I'm supposed to have access to their broadband network. In any event, I'm still suspicious, since I have rebooted my PC and have yet to see that error message again. It's still possible a hacker was running a port scanner utility from the fear.cv.net machine and happened to hit my IP address just as I booted up my PC.

On the other hand, it is possible that the hacker has been happily accessing my files for the weeks since I have had this cable modem. I never did disable NetBIOS by disabling File and Print Sharing in the Network properties, which certainly is a security risk. The reason I never disabled it was because I needed access to files on this PC from my second home PC. I kept putting off setting up a Linux firewall or a Windows equivalent in my home, since I had other pressing matters and other priorities (like using spackle on the drilled holes created in my ceiling). Now I've learned my lesson. Whether I was or wasn't hacked, it was certainly a wake-up call. When it comes to security, make it your priority.

Table 1. Some good proxy and firewall utilities

Name                                          Type                 Price    Web Site
Conseal Private Desktop (acquired by McAfee)  Firewall only        $49.95   signal9.com
SyShield                                      Firewall only        $29.95   sygate.com
Norton Internet Security 2000                 Firewall only        $53.95   symantec.com
ZoneAlarm 2.0                                 Firewall only        Free     zonelabs.com
Wingate 3.0 Home                              Proxy & Firewall     $29.95   wingate.com
@Home BrowseGate Proxy Server                 Proxy & Firewall     $99      netcplus.com

So You Think You're Safe, Huh?

Do you think you're safe from hackers? Don't be so sure. Log onto www.grc.com and try the shields and port tests. It will scan your ports via your IP address and point out any weaknesses. It detected my NetBIOS being enabled as a security risk, which I already knew. However, once I installed ZoneAlarm 2.0 and ran the test again, it said that all my ports were acting in a sort of "stealth" mode, indicating that my PC was not responding to these port requests. This is a good thing. Also, by using ZoneAlarm 2.0, I don't have to disable File and Print Sharing anymore (it disables the NetBIOS port only across the Internet and not the LAN), which means I can safely access files on my home LAN between my two PCs.
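The three outcomes the port test reports can be reproduced on your own machine with a plain TCP connect: a port that accepts the connection is open, a port where the host answers with a refusal is closed, and a port that never answers before the timeout is what the article calls stealth, which is how a firewall that drops packets looks from outside. The following is an added self-audit example, not the article's code and not GRC's scanner; the host, the port list and the timeout are assumptions, and the throwaway listener exists only so the example can demonstrate the "open" case on the loopback address.

```python
"""Added example (not from the article, not GRC's test): classify your own ports
as open, closed or stealth with a TCP connect, the way the article describes the
port test. Host, ports and timeout are assumptions; the listener below is only
there so the 'open' case can be shown on the loopback address."""
import socket
import threading


def probe_port(host, port, timeout=1.0):
    """open    = the connection was accepted
       closed  = the host replied with a refusal (a RST), so it is reachable
       stealth = no reply at all before the timeout (a firewall dropping packets)
       error   = some other failure, e.g. the host is unreachable"""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "error"
    finally:
        s.close()


def audit(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: classification}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def start_listener():
    """Start a throwaway accept loop on a free loopback port (demonstration only).
    Returns (server_socket, port); closing the socket stops the loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # server socket closed

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def find_free_closed_port():
    """Bind and immediately release a loopback port so a connect to it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    # Audit the NetBIOS ports the article worries about, plus a web port, on this host.
    for port, state in audit("127.0.0.1", [137, 138, 139, 80]).items():
        print(f"port {port:>5}: {state}")
```

A result of "closed" on the NetBIOS ports from the Internet side still tells a scanner that a machine is there; only "stealth" gives nothing away, which is why the article treats the stealth result as the good one.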

Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002