| Exploit | Description | Notes |
|---|---|---|
| Null or Default Passwords | Leaving administrative passwords blank or using a default password set by the product vendor. This is most common in hardware such as routers and firewalls, though some services that run on Linux can contain default administrator passwords (Red Hat Enterprise Linux does not ship with them). | Commonly associated with networking hardware such as routers, firewalls, VPNs, and network attached storage (NAS) appliances. Common in many legacy operating systems, especially OSes that bundle services (such as UNIX and Windows). Administrators sometimes create privileged user accounts in a rush and leave the password null, a perfect entry point for malicious users who discover the account. |
| Default Shared Keys | Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and are placed in a production environment on the Internet, all users with the same default keys have access to that shared-key resource, and to any sensitive information contained in it. | Most common in wireless access points and preconfigured secure server appliances. CIPE (refer to Chapter 6, Virtual Private Networks) contains a sample static key that must be changed before deployment in a production environment. |
| IP Spoofing | A remote machine acts as a node on your local network, finds vulnerabilities in your servers, and installs a backdoor program or trojan horse to gain control over your network resources. | Spoofing is quite difficult, as it involves the attacker predicting TCP/IP SYN-ACK sequence numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such an attack. It depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not recommended when compared to PKI or other forms of encrypted authentication used in ssh or SSL/TLS. |
| Eavesdropping | Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes. | This type of attack works mostly with plaintext transmission protocols such as Telnet, FTP, and HTTP transfers. A remote attacker must have access to a compromised system on a LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN. Preventive measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised. |
| Service Vulnerabilities | An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network. | HTTP-based services such as CGI are vulnerable to remote command execution and even interactive shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders the system unavailable to other users. Services sometimes have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where attackers crash a service using arbitrary values that fill the memory buffer of an application, giving the attacker an interactive command prompt from which they may execute arbitrary commands) can give complete administrative control to an attacker. Administrators should make sure that services do not run as the root user, and should stay vigilant for patches and errata updates for applications from vendors or security organizations such as CERT and CVE. |
| Application Vulnerabilities | Attackers find faults in desktop and workstation applications (such as e-mail clients) and execute arbitrary code, implant trojan horses for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network. | Workstations and desktops are more prone to exploitation, as workers do not have the expertise or experience to prevent or detect a compromise; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited email attachments. Safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic update of workstation software via Red Hat Network or other system management services can alleviate the burdens of multi-seat security deployments. |
| Denial of Service (DoS) Attacks | An attacker or group of attackers coordinate against an organization's network or server resources by sending unauthorized packets to the target host (either server, router, or workstation). This forces the resource to become unavailable to legitimate users. | The most reported DoS case in the US occurred in 2000. Several highly-trafficked commercial and government sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high-bandwidth connections acting as zombies, or redirected broadcast nodes. Source packets are usually forged (as well as rebroadcast), making investigation as to the true source of the attack difficult. Advances in ingress filtering (IETF RFC 2267) using iptables and network IDSes such as snort assist administrators in tracking down and preventing distributed DoS attacks. |
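The "Null or Default Passwords" row notes that privileged accounts are sometimes created in a rush and left with a null password. The following shell script is an added example, not part of the original guide: it audits passwd- and shadow-format files for accounts whose password field is empty (as opposed to locked with `!`, `!!` or `*`) and for UID 0 accounts other than root. It takes file paths as arguments and runs here against constructed sample files; on a real host you would point it at `/etc/passwd` and `/etc/shadow` (reading the latter requires root).

```shell
#!/bin/sh
# Added example (not from the original guide): audit passwd/shadow-style files
# for empty password fields and for extra UID-0 accounts.

audit_empty_passwords() {
    # shadow format: name:hash:lastchg:min:max:warn:inactive:expire:flag
    # An empty second field means no password is required at all;
    # "!", "!!" and "*" mean the account is locked and are not flagged.
    awk -F: '$2 == "" { print "EMPTY_PASSWORD " $1 }' "$1"
}

audit_uid0_accounts() {
    # passwd format: name:x:uid:gid:gecos:home:shell
    # Any UID-0 account other than root is an extra superuser login.
    awk -F: '$3 == "0" && $1 != "root" { print "EXTRA_UID0 " $1 }' "$1"
}

audit_accounts() {
    # $1 = passwd-format file, $2 = shadow-format file
    audit_uid0_accounts "$1"
    audit_empty_passwords "$2"
}

# Constructed sample files (not real system data); the hash is a placeholder.
AUDIT_TMP=$(mktemp -d)
PASSWD_SAMPLE="$AUDIT_TMP/passwd"
SHADOW_SAMPLE="$AUDIT_TMP/shadow"
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:emergency admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
toor::19000:0:99999:7:::
alice:!!:19000:0:99999:7:::
EOF

# Prints one finding per line; here: the extra UID-0 account "toor",
# which also has an empty password field.
audit_accounts "$PASSWD_SAMPLE" "$SHADOW_SAMPLE"
```

Locked accounts (`bin`, `alice`) are deliberately not reported, since the point of the check is accounts that accept a login with no password at all; a non-empty report from this script on a production host is worth treating as an incident rather than a housekeeping item.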
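The "Eavesdropping" and "IP Spoofing" rows both come down to the same inventory question: which listening services speak plaintext protocols (Telnet, FTP, HTTP) or rely on source-based authentication (rsh, rlogin)? The script below is an added example, not part of the original guide: it reads the output of `ss -H -ltn` (listening TCP sockets, numeric, no header) and flags ports belonging to those protocols. A constructed sample of `ss` output is embedded so it runs offline; on a live host you would pipe `ss -H -ltn` into a file and pass that instead.

```shell
#!/bin/sh
# Added example (not from the original guide): flag listening TCP ports that
# belong to the plaintext or source-authenticated protocols named in the table.

cleartext_listeners() {
    # Column 4 of `ss -ltn` output is Local Address:Port; the port follows the
    # last colon, which also handles IPv6 forms such as [::]:514.
    awk '{
        n = split($4, a, ":"); port = a[n]
        if      (port == "21")  name = "ftp"
        else if (port == "23")  name = "telnet"
        else if (port == "80")  name = "http"
        else if (port == "110") name = "pop3"
        else if (port == "143") name = "imap"
        else if (port == "513") name = "rlogin"
        else if (port == "514") name = "rsh"
        else next
        print port, name
    }' "$1"
}

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SS_SAMPLE=$(mktemp)
cat > "$SS_SAMPLE" <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
LISTEN 0      128             [::]:514          [::]:*
EOF

# Reports "23 telnet", "21 ftp" and "514 rsh"; ssh (22) and https (443) are
# not listed because they already encrypt and authenticate the session.
cleartext_listeners "$SS_SAMPLE"
```

Each hit maps to the table's own remedy: replace Telnet, rsh and rlogin with ssh, FTP with sftp or FTPS, and plaintext HTTP with TLS, rather than trying to detect every eavesdropper on the LAN.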
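The "Denial of Service (DoS) Attacks" row points to ingress filtering (IETF RFC 2267) with iptables, and the "IP Spoofing" row describes the forged source addresses that such filtering blocks. The script below is an added example, not configuration from the original guide: it emits the iptables rules and sysctl settings for RFC 2267 style ingress/egress filtering at a network edge. The Internet-facing interface and the internal prefix are assumptions passed as arguments (`eth0` and `192.168.1.0/24` in the sample call). The commands are printed rather than executed, so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example (not from the original guide): generate RFC 2267 style
# anti-spoofing rules for a Linux edge host. Output is printed, not applied.

antispoof_rules() {
    ext_if=$1      # Internet-facing interface (assumption, e.g. eth0)
    int_net=$2     # internal prefix (assumption, e.g. 192.168.1.0/24)

    # Ingress: a packet arriving from the Internet must not claim a source
    # address inside our own network, loopback, or an RFC 1918 private range.
    for bogon in "$int_net" 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -A INPUT   -i $ext_if -s $bogon -j DROP"
        echo "iptables -A FORWARD -i $ext_if -s $bogon -j DROP"
    done

    # Egress: traffic forwarded out to the Internet must carry an internal
    # source address, so compromised internal hosts cannot emit spoofed packets
    # (the "zombie" role described in the DoS row).
    echo "iptables -A FORWARD -o $ext_if ! -s $int_net -j DROP"

    # Kernel reverse-path check: drop packets whose source address would not be
    # routed back out through the interface they arrived on.
    echo "sysctl -w net.ipv4.conf.all.rp_filter=1"
    echo "sysctl -w net.ipv4.conf.$ext_if.rp_filter=1"
}

# Sample call with constructed values; pipe the output into sh only after review.
antispoof_rules eth0 192.168.1.0/24
```

The internal prefix appears both on its own and inside the broader `192.168.0.0/16` range in the sample; the overlap is harmless, and listing the site's own prefix explicitly keeps the rule set correct when the internal network is not a private range. Run the generated rules through `iptables -C` or a staging host before inserting them ahead of existing ACCEPT rules.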