Information Security: A Current Perspective http://arjunvenkatraman.com/work/techno/infosec.html

Information Security: A Current Perspective


ARJUN VENKATRAMAN
1.0 Abstract
2.0 Introduction: The Need For Security Consciousness
3.0 Vulnerabilities
3.1 Anatomy of a vulnerability:
3.2 Vulnerability Attributes
4.0 Attacks
4.1 DoS (Denial of Service) Attack
4.1.1 Introduction to DoS:
4.1.2 How DoS works:
4.1.3 Distributed Denial of Service:
4.2 Virus/Worm Attack
4.2.1 What are Viruses and Worms?
4.2.2 How do Viruses/Worms Spread?
4.3 Trojan Attack
4.3.1 What is a Trojan
4.3.2 How are Trojans spread?
5.0 Defenses
5.1 Firewalls
5.1.1 What is a Firewall?
5.1.2 Firewalls are not bulletproof
5.1.3 Pitfalls of Firewalling
5.2 Vulnerability Assessment Tools
5.2.1 A brief history of Vulnerability Assessment Tools
5.2.2 How Vulnerability Assessment works
5.2.3 Fundamental Shortcomings of Scanners
5.3 Intrusion Detection Systems
5.3.1 An introduction to IDS
5.3.2 Working of an IDS
6.0 Case Studies
6.1 Vulnerabilities
6.1.1 Windows
6.1.2 Linux
6.1.3 Other Software
6.2 Attacks
6.2.1 Ping of Death
6.2.2 Smurf
6.2.3 Trin00
6.2.4 Hare breed of Virus:
6.3 Defenses
6.3.1 Firewall Toolkit (FWTK):
6.3.2 The Open Source Nessus Project:
6.3.3 Cisco Secure IDS:
7.0 Conclusion:
8.0 References


1.0 Abstract
As the world moves more and more towards becoming a networked environment, where almost every activity
finds an electronic parallel, it becomes increasingly important to realize the need for security of information.

1 of 11 1/4/2010 1:26 AM
The aim of this paper is to present a clear picture of how exactly security breaches occur, what methods
crackers use today to harm systems, and how even the most basic user of a computer is at risk.
This paper deals primarily with the various types of attacks perpetrated against the IT community by malicious
crackers. It attempts to explain the three most popular attacks, i.e. Denial of Service, Trojan and Virus/Worm
attacks, and their effect on non-corporate users.
It also touches upon the possible methods of protection against these attacks.
Finally, the paper concludes that information security is no longer only a corporate issue, and that all users of
computers, whether at home or at work, must consciously secure themselves against such attacks.

2.0 Introduction: The Need For Security Consciousness


It is not news to anyone that in the last few years, particularly from the 1990’s onwards, the world has moved
more and more towards becoming one gigantic electronic network. Almost all activities that are part of any
individual’s life now have an electronic parallel. For example mail has evolved into e-mail, commerce has evolved
into e-commerce and banking is fast moving towards becoming e-banking.
In fact from an Indian perspective, our very own gurukuls find an electronic persona in the form of
E-Gurucool.com (http://www.egurucool.com).
Under such circumstances, it would not be inaccurate to conclude that information is now the most important
resource in the world.
Any other resource without an appropriate information infrastructure is no longer as valuable as it was ten years
ago.
Hence it is only logical that such an important resource be subject to threat from malicious elements. This threat
could be in the form of theft, fraud, corruption, or even destruction.
Therefore, it is the need of the times to protect information adequately.
This need extends not only to the larger corporations but also to the simplest user of a computer. How does this
occur?
A simple user, who uses his computer to browse the internet, create presentations, perhaps a little word
processing, and a little multimedia viewing may well ask, “What does my system have that someone would be
after?”
Well, the answer to that question in very simple terms is, “A lot”.
A malicious user, or a cracker as they are called, may use an unsuspecting user’s computer for any or all of the
following purposes:
1) As a testing ground for new malicious applications e.g. viruses, Trojans, worms etc.
2) As a layer of defense while attacking another system
3) As a dumb agent in a Distributed Denial of Service attack
These are just some of the possible uses a cracker may find for an unprotected system.
In the following sections, it will become increasingly clear why the average user needs to be security conscious.

3.0 Vulnerabilities
Vulnerabilities are the tricks of the trade for hackers, giving an intruder the ability to heighten his or her access by
exploiting a flawed piece of logic inside the code running on a computer. Like the hackers that seek them out,
vulnerabilities are usually quite mysterious, and it is often hard to prove that they even exist.
As security experts get acquainted with vulnerabilities and how they are exploited, the methods of exploitation
appear random and chaotic, each and every one with seemingly unpredictable results. It has been theorized
that this comes from the fact that logic flaws are mistakes, and mistakes do not follow the course of intelligent reason.
However, vulnerabilities can be categorized in ways that make more sense to the person investigating the
problems at hand.

3.1 Anatomy of a vulnerability:


A vulnerability is a flaw in the security structure of a system. A computer vulnerability usually gives an
attacker a measure of extra influence over the system thereby allowing him/her to use the computer in
potentially harmful ways.
It is possible to break down the logic to computer security vulnerabilities so that they can fit within specific
categories that make them understandable. Provided with a vulnerability, the danger and function of each
possible type of vulnerability can be explained, and paths of access enhancements can be determined.
There are four basic types of vulnerabilities, classified by two factors: whether the specific target of
the vulnerability is a computer or a person, and how quickly the vulnerability takes effect. One
could imagine this as a matrix:

                              Affects Person          Affects Computer
Instantaneous                 Social Engineering      Logic Error
Requires a duration of time   Policy Oversight        Weakness
Logic error is a short cut directly to a security altering effect, usually considered a basic bug. These types
of problem occur due to a special circumstance (usually poorly written code) that allows heightened access.
This is the type of vulnerability usually thought of first.
Weakness is a security measure that was put into place, but has a flaw in its design that could lead to a
security breach. Such measures may or may not be distinctly solid, but it is possible for
people to bypass them. The term “Security through Obscurity” fits in this arena, the system being considered
secure because nobody can see or understand the hidden elements.
Social Engineering is a nebulous area of attack, directed against the working policy
followed by an individual or user. Policy is being used in a high level sense here, because it could be an
internal worker committing sabotage, a telephone scam directed at a naive employee, or digging for
information that was thrown away in dumpsters.
Policy oversight is a flaw in the planning to avoid a situation, which would be such conditions as not
producing adequate software backups, not having proper contact numbers, not having working protection
equipment and so forth.

3.2 Vulnerability Attributes


Vulnerabilities have five basic attributes, which are Fault, Severity, Authentication, Tactic, and Consequence.
Examining these attributes can provide a complete understanding of the vulnerability.
Fault describes how the vulnerability came to be, as in what type of mistake was made to create the
problem.
Severity describes the degree of the compromise. There are six levels of severity that can be used to
define a vulnerability: administrator access, read restricted files, regular user access, spoofing,
non-detectability, and denial of service.
Authentication describes whether the intruder must have successfully presented proof of identity to the host
before exploiting the vulnerability.
Tactic describes the method in which the vulnerability can be exploited, both in terms of location and of
procedure. Some of the ways are: Internal Tactic, Physical Access Tactic, Server Tactic, Client Tactic,
Man-in-the-Middle Tactic.
Consequence describes the outcome. Consequence is the mechanics behind access promotion, and
demonstrates how a small amount of access can lead to far greater compromises.

4.0 Attacks
As described in section 3.2 there are a number of ways, or tactics that a malicious user can employ to take
advantage of the vulnerabilities of a system. Some of the ways that such tactics can be implemented are
described here.

4.1 DoS (Denial of Service) Attack


4.1.1 Introduction to DoS:
Denial of Service is a type of attack which can cause loss of service or inability to function.
The results can last for minutes, hours or days, and can impact network performance, data
integrity and system operation.
The frequency of DoS attacks has increased alarmingly in the last few years, particularly

since distributed computing has allowed an enhanced version of the attack to evolve. This
enhanced version of DoS is called Distributed Denial of Service (DDoS) and is one of the
most feared attacks of modern times.
4.1.2 How DoS works:
DoS attacks are generally brought about by exploiting a programming flaw in the server
software and by writing specialized programs to perform attacks. DoS attacks usually use
one of the following strategies:
· Bandwidth Consumption
· Resource Saturation
· System and Application Crash
Bandwidth Consumption refers to the complete use of available network bandwidth by an
attacking computer. This makes network response slow or stops the server completely
while the attack is ongoing. The “Smurf” attack (see section 6.2.2) is a good example of this
approach.
Resource Saturation makes use of the fact that each computer has only a finite amount of
resources such as memory, storage and processing power. The strategy of resource
saturation is to target one or more of these resources and use it up completely so that
there is none left for allocation to other programs. The SYN flood attack uses
this strategy.
System and Application Crashes are fast and easy approaches wherein an exploitable
programming flaw is used to crash the system or a running application, thereby stopping
service. A well known implementation is the Ping of Death attack (section 6.2.1).

4.1.3 Distributed Denial of Service:


DoS attacks are being taken to a higher level of ingenuity with the increasing prevalence of
Distributed Denial of Service (DDoS) attacks. There are several types of DDoS attacks,
but their methods are very similar in that they rely on a large group of previously
compromised systems to direct a coordinated distributed flood attack against a particular
target.
In preparation for these attacks, the culprit will compromise many systems (sometimes
hundreds) on which the agent software can be loaded. The agent software is referred to as
a "Zombie" program since it lies asleep until awakened. The attacker then uses a master
console to communicate with and configure the Zombie agents. At a specified time, all of
the agents initiate an otherwise standard DoS attack against the intended target. The attack
is so devastating because of the tremendous traffic volume generated by the "army" of
agents.

4.2 Virus/Worm Attack


4.2.1 What are Viruses and Worms?
A computer virus is defined as “a program that replicates by ‘infecting’ other programs so
that they contain a copy of the virus” (F. Cohen: A Short Course on Computer Viruses).
The essential feature of a computer program that causes it to be classified as a virus is not
its ability to destroy data, but its ability to gain control of the computer and make a fully
functional copy of itself. It can reproduce. When it is executed, it makes one or more copies
of itself. Those copies may later be executed, to create still more copies, ad infinitum. Not
all computer programs that are destructive are classified as viruses because they do not all
reproduce, and not all viruses are destructive because reproduction is not destructive.
However, all viruses do reproduce. The idea that computer viruses are always destructive is
deeply ingrained in most people’s thinking though. The very term “virus” is inaccurate. The
scientifically correct term for a computer virus is “self-reproducing automaton” or “SRA” for
short. This term describes correctly what such a program does.
A worm on the other hand copies itself across networks without attaching itself to any
program. Some people continue to refer to worms as a subset of the virus genre, since
replication is a characteristic of both varieties of program. However, worms can be
classified separately on the basis of independence from other programs.
Viruses and worms are both written by malicious users, usually as an attempt to prove
coding ability. However, once a virus is released, it may undergo spontaneous
transformations as it infects files and programs and may evolve further without human

intervention.
4.2.2 How do Viruses/Worms Spread?
A virus/worm is deemed to be “in the wild” once it has escaped or been released into the
general public. The general public refers to computing environments outside the
development area where the virus was created and tested.
Almost all viruses work along these lines:
· A user calls a legitimate program
· The virus code, having infected the program and being in the chain of
command, executes
· The virus code terminates and hands over control to the host
When the virus code executes it finds more infectable files and proceeds to infect them. As
these files are called more and more copies are created. The virus source may also contain
damaging instructions, which over time affect performance of a system or may even crash it
abruptly.
Viruses are characterized by two major features:
· Stealth
· Polymorphism
Stealth is a feature which conceals the virus from the user, so that the virus remains
undetected for a long period.
Polymorphism means that every time a virus infects a new file, it evolves in some manner.
This means that the virus code changes subtly or perceptibly at each new infection. The
utility of this feature to virus writers is that since fewer fixed patterns stay constant from one
copy to the next, the virus is that much harder to trace.

4.3 Trojan Attack


4.3.1 What is a Trojan
A Trojan is defined as “a program which may do something useful but also has unexpected
functions such as stealing passwords or copying files without the user’s knowledge”.
Thus, a Trojan may or may not perform a useful function. There are many types of Trojans
ranging from intentionally written malicious programs, through programs performing both
good and bad functions to accidental Trojans, which are intended as useful programs but
end up having undesirable consequences.
The one common characteristic of all Trojans is that they always perform an unexpected
function.
Trojans usually have one of the following intents:
· Intent to gain unauthorized access
· Intent to obstruct availability
· Intent to modify or destroy data
However, more than one of these may be found within the same Trojan.
4.3.2 How are Trojans spread?
Trojans are usually delivered to the victim computer under the guise of useful software.
Once on the system they stealthily perform their task.
Back Door Trojans are usually coded into software and offer unauthorized access to a
system.
Remote Access Tools straddle a line between legitimate systems administration and covert
unauthorized access.
Trojans have also been known to masquerade as Anti-Virus Software.
Logic Bombs are Trojans which execute their payload, or malicious code, when a preset
condition is met. This may be a time period elapse, or an action by the victim.
Trojans are commonly found on the Usenet service. They are also commonly spread by
e-mail and other user communication programs.
The execution of a Trojan may be stealthy, or the victim may be persuaded by social
engineering methods to run the appropriate program.

5.0 Defenses

We now proceed to some of the possible methods of defending against the attacks listed above.
While none of these methods provide foolproof security, their use deters malicious computer use to a large
extent.
5.1 Firewalls
5.1.1 What is a Firewall?
A firewall is any device used as a network level access control mechanism for a particular
network or set of networks. In most cases firewalls are used to prevent outside users from
accessing internal networks. However, firewalls can also be used within a network to
provide more secure pockets for highly sensitive functions, e.g. payroll management etc. A
fast upcoming application of firewall technology is in the field of personal firewalls. As high
speed internet makes its way into homes, it is common to find a home PC acting as a
server. Such users usually feel the need for a personal firewall.
Apart from access control, firewalls may also provide some or all of the following services:
· Content Filtering
· Virtual Private Networking
· Network Address Translation
· Load Balancing
· Fault Tolerance
· Intrusion Detection

There are mainly three types of firewalls:
1) Packet filter based
2) Stateful packet filter based
3) Proxy based
Packet filter based firewalls analyze incoming packets for possible signs of malicious intent.
Typically, the systems administrator can grant or deny access based on parameters like
source address, destination address, protocols and port number.
Stateful packet filter based firewalls build on the packet filtering concept and take it further
by keeping track of sessions and connections in internal state tables. This makes stateful
packet filtering a more stable approach.
Proxy based firewalls act as an intermediary between the host and the remote user. The
firewall forms the connection with the remote user and then relays acceptable information to
the host via its own secure connection. The IP packets are not transmitted directly to the
host but a kind of translation occurs at the firewall level with the firewall acting as conduit
and interpreter.
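The difference between the first two firewall types above, as an added illustration that is not code from the paper: a plain packet filter judges each packet on its own header fields, while the stateful variant consults a table of connections that were opened from inside. The protected network, the rule set and the packets are constructed for this example (addresses are taken from the reserved documentation ranges).

```python
"""Stateless vs. stateful packet filtering, as described in section 5.1.1.

Added illustration, not code from the paper. The protected network, the
rule set and the packets are all constructed for this example.
"""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."   # constructed: the network behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp" or "udp"
    syn: bool = False    # TCP SYN flag: a new connection attempt
    ack: bool = False    # TCP ACK flag: part of an exchange already under way


def is_internal(addr: str) -> bool:
    return addr.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Plain packet filter: every packet is judged on its own header fields.

    Rules: allow internal hosts out to TCP/80, allow inbound TCP packets
    from port 80 (so that web replies can come back), deny everything else.
    The second rule is the weakness: nothing ties the inbound packet to a
    request that actually went out.
    """
    if is_internal(pkt.src) and pkt.proto == "tcp" and pkt.dport == 80:
        return True
    if is_internal(pkt.dst) and pkt.proto == "tcp" and pkt.sport == 80:
        return True
    return False


class StatefulFilter:
    """Stateful packet filter: the same outbound rule, but inbound packets
    are accepted only if they belong to a connection recorded in the state
    table when it was opened from inside. (A real filter would also expire
    entries on FIN/RST or timeout; omitted here for brevity.)
    """

    def __init__(self) -> None:
        # (internal host, internal port, remote host, remote port)
        self.table: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> bool:
        if is_internal(pkt.src) and pkt.proto == "tcp" and pkt.dport == 80:
            if pkt.syn:  # remember the connection the inside host is opening
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if is_internal(pkt.dst) and pkt.proto == "tcp":
            # Accept only the reverse direction of a recorded connection.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


# Constructed traffic: a legitimate web request and its reply, then an
# unsolicited inbound packet whose source port happens to be 80.
LEGIT_SYN = Packet("10.0.0.5", 40000, "198.51.100.20", 80, "tcp", syn=True)
LEGIT_REPLY = Packet("198.51.100.20", 80, "10.0.0.5", 40000, "tcp", ack=True)
UNSOLICITED = Packet("203.0.113.9", 80, "10.0.0.7", 22, "tcp", syn=True)


def run_demo() -> dict[str, bool]:
    """Run both filters over the constructed traffic and report the verdicts."""
    sf = StatefulFilter()
    return {
        "stateless_allows_reply": stateless_filter(LEGIT_REPLY),
        "stateless_allows_unsolicited": stateless_filter(UNSOLICITED),
        "stateful_allows_syn": sf.check(LEGIT_SYN),
        "stateful_allows_reply": sf.check(LEGIT_REPLY),
        "stateful_allows_unsolicited": sf.check(UNSOLICITED),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```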

5.1.2 Firewalls are not bulletproof


It is common for users of firewalls to develop a sense of security about their networks due
to the presence of a firewall.
In fact certain security professionals hold that firewalls may in fact prove a detriment, since
the false sense of total security that they give to users may make them more susceptible to
social engineering attacks. Thus when using a firewall it is best to keep in mind that even
firewalls have certain vulnerabilities.
For some examples of firewall vulnerabilities please refer to section 6.
5.1.3 Pitfalls of Firewalling
Firewalling for all its advantages has a few pitfalls as well. One major pitfall is that security
can be configured so stringently that it can actually impair the process of networking.
Especially for networks dependent on distributed applications, this may prove detrimental.
Thus while implementing a firewall one should try and make a provision for a case by case
examination of situations and act accordingly.

5.2 Vulnerability Assessment Tools


5.2.1 A brief history of Vulnerability Assessment Tools
The Vulnerability Assessment Tool or scanner, as it is popularly known, first appeared in the
early 1990’s. At that time, the World Wide Web was a relatively new concept.
In 1992 a computer science student named Chris Klaus was experimenting with Internet
security concepts. He created a scanning tool, Internet Security Scanner (ISS) that could be
used to remotely probe UNIX systems for a set of common vulnerabilities.

A few years later, Dan Farmer and Wietse Venema authored a tool called SATAN (Security
Administrator Tool for Analyzing Networks).
Since SATAN, a number of scanners have hit the market.
The scanners help find and repair network level faults and errors.
5.2.2 How Vulnerability Assessment works
There are mainly two categories of entry points to a system. These are:
· Local exposure points
· Remote exposure points
Local exposure points are reachable only from the host itself, while remote exposure points are
reachable over the network.
In order to exploit a remote exposure point an attacker can use a number of commonly
available tools. For example an attacker may port scan a system using nmap, identify the
running operating system, and then log all the listening ports.
This kind of scanner can also be used by system administrators to scan a system for
vulnerabilities.
Although implementation details differ, scanners are generally made up of the following
components:
· The vulnerability data
· The scanning mechanism
· The reporting mechanism
While choosing a scanner the features to look for are:
· Completeness of vulnerability checks
· Accuracy of the vulnerability checks
· Scope of vulnerability checks
· Timely update
· Reporting capabilities
· Licensing and pricing

5.2.3 Fundamental Shortcomings of Scanners


The major shortcomings of vulnerability scanners can be grouped into three categories:
· Completeness
· Timeliness
· Accuracy
Completeness issues come into the picture when a scanner fails to report all possible
vulnerabilities. The SANS top ten gives a list of vulnerabilities which were not caught by
most scanners.
Timeliness issues arise due to the fact that most of these products are updated once a
quarter. If a vulnerability is announced in January, a scanner may not detect it until March.
Accuracy problems occur since most scanners don’t implement stringent enough measures
to detect vulnerabilities.
Hence it is a good idea to be very careful in one’s choice of scanner.

5.3 Intrusion Detection Systems


5.3.1 An introduction to IDS
An IDS is basically a system which detects a hostile user or intruder who is attempting to
gain unauthorized access. Assuming this definition, a number of popular methods are used
to detect intruders.
The roots of modern day IDS lie in the Intrusion Detection Expert System and the
Distributed Intrusion Detection System models that were developed by the US Department
of Defense in the late 80’s and 90’s.
Traditional IDS classification schemes classify most systems into two distinct camps:
misuse detection and anomaly based detection models. However modern day systems fall
into one of the three following categories:
Network-based IDS are essentially raw packet parsing engines. These are sniffers
which capture network traffic and compare it with a set of known attack patterns or
signatures. They aim to catch intruders in the act.
Host-based IDS vary from vendor to vendor, but they are usually host-centric in their analysis.
Most host-based IDS will have components that parse system logs and watch user logins
and processes. They are mostly agent based.

Anomaly-based IDS are usually more complex and are more conceptually oriented than
implementation oriented.
They look for deviations in the set patterns of network usage.
The most common models are host based and network based.
5.3.2 Working of an IDS
Network based IDS (NIDS): A network based IDS is designed to look for known patterns,
known as signatures, in incoming network traffic. It is passive in nature, and the rest of the
systems are seldom even aware that it is operational.
The drawback of NIDS is that it detects only known types of attacks. Thus if an attack
occurs for which the NIDS is not programmed, it will pass by unnoticed. Also in high
bandwidth environments with multiple switches, NIDS effectiveness is reduced.
Host-based IDS (HIDS): The host-based IDS varies from the NIDS on a number of fronts.
First and foremost, HIDS is more intrusive. HIDS is an active process which requires agents
to be installed on all monitored systems. These work by monitoring the system’s internal
workings and searching for patterns. The higher end versions even prevent the installation of
Trojans and other malicious code. However the fundamental problem of looking for only
known patterns is still not eradicated. Also, HIDS require a lot of computing power and
hence sometimes end up overloading the CPU.
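The two detection models of section 5.3, as an added example that is not code from the paper: a signature engine with rules for the Ping of Death (section 6.2.1) and Smurf (section 6.2.2) attacks, and an anomaly check for the resource-saturation strategy of section 4.1.2 (a SYN flood), which the signature engine cannot see. The packet records, the ".255" broadcast heuristic and the SYN threshold are constructed for this example.

```python
"""Signature-based vs. anomaly-based intrusion detection (section 5.3).

Added illustration, not code from the paper. Packet records are a
constructed capture; the signatures encode the Ping of Death and Smurf
conditions described in sections 6.2.1 and 6.2.2.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_IP_DATAGRAM = 65535        # largest legal IP datagram in bytes
BROADCAST_SUFFIX = ".255"      # constructed heuristic for /24 directed-broadcast addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    length: int                      # reassembled IP datagram length in bytes
    icmp_type: Optional[int] = None  # ICMP type; 8 = echo request
    dport: Optional[int] = None      # TCP/UDP destination port
    syn: bool = False                # TCP SYN flag set


@dataclass(frozen=True)
class Signature:
    name: str
    match: Callable[[Packet], bool]


SIGNATURES: List[Signature] = [
    # Ping of Death: an echo request whose reassembled size exceeds the
    # maximum IP datagram (the paper's ">64k" condition).
    Signature("ping-of-death",
              lambda p: p.proto == "icmp" and p.icmp_type == 8
              and p.length > MAX_IP_DATAGRAM),
    # Smurf: echo requests aimed at a directed-broadcast address, so that
    # every host on that subnet answers the (spoofed) source.
    Signature("smurf-amplification",
              lambda p: p.proto == "icmp" and p.icmp_type == 8
              and p.dst.endswith(BROADCAST_SUFFIX)),
]


def signature_alerts(packets: List[Packet],
                     signatures: List[Signature] = SIGNATURES
                     ) -> List[Tuple[str, str, str]]:
    """Misuse detection: report (signature, src, dst) for every match.
    Anything without a signature passes silently, which is the NIDS
    limitation the paper describes."""
    return [(sig.name, p.src, p.dst)
            for p in packets for sig in signatures if sig.match(p)]


def syn_flood_anomaly(packets: List[Packet], threshold: int) -> Dict[str, int]:
    """Anomaly detection: count TCP SYNs per destination within the capture
    and report destinations receiving more than the expected number."""
    syns: Dict[str, int] = defaultdict(int)
    for p in packets:
        if p.proto == "tcp" and p.syn:
            syns[p.dst] += 1
    return {dst: n for dst, n in syns.items() if n > threshold}


# Constructed capture: an ordinary ping, an oversized echo request, an echo
# request to a broadcast address with the source spoofed to the victim,
# and fifty connection attempts to one web server from fifty hosts.
TRAFFIC: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.1", "icmp", 84, icmp_type=8),
    Packet("203.0.113.9", "10.0.0.1", "icmp", 65600, icmp_type=8),
    Packet("10.0.0.1", "198.51.100.255", "icmp", 84, icmp_type=8),
] + [Packet(f"198.51.100.{i}", "10.0.0.2", "tcp", 60, dport=80, syn=True)
     for i in range(1, 51)]


if __name__ == "__main__":
    for alert in signature_alerts(TRAFFIC):
        print("signature match:", alert)
    for dst, n in syn_flood_anomaly(TRAFFIC, threshold=20).items():
        print(f"anomaly: {n} SYNs to {dst} in one capture")
```

The SYN flood produces no signature alert at all; only the anomaly check surfaces it.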

6.0 Case Studies


6.1 Vulnerabilities
6.1.1 Windows
Microsoft’s Windows 2000 has a number of security vulnerabilities, some of which are listed here.
· The Netmon Protocol Parsing Vulnerability
Discovered: Mid 2000
Affects: The Windows 2000 Server and Advanced Server as well as all versions
of Windows NT
Fix: Microsoft released a fix with Windows 2000 Service Pack 2
Description: Several protocols in the Netmon stack have unchecked buffers. When an
attacker sends malformed frames to a server that is monitoring network traffic, if the
protocol buffer is unchecked, the malformed frame would either cause a Netmon
shutdown or it would enable code of the attacker’s choice to run on the system. An
attacker can get control of a server this way.

· The Telnet Server Flooding Vulnerability
Discovered: Late 2001
Affects: All versions of Windows 2000
Fix: Microsoft has released a patch for this vulnerability. It can be obtained
from http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22753
Description: This is a remote denial of service vulnerability. A malformed string sent to
the input string box would cause the Telnet server to fail, causing loss of any ongoing
work.
6.1.2 Linux
Linux, generally thought to be a highly secure OS, is not without its own set of vulnerabilities.
· Imlib graphics library vulnerability:
Discovered: August 2004 by Novell SuSE Linux's Marcus Meissner
Affects: The Linux OS’s imlib 1.x and imlib2 1.x are affected
Fix: MandrakeSoft, Gentoo and other Linux vendors are releasing patches for
the flaw.
Description: The problem could be exploited to cause a buffer overflow and execute
malicious code if a user viewed a graphic in any imlib-based application, for example a

Web browser.
· LHA archive tool:
Discovered: September 2004
Affects: LHA versions up to and including 1.14
Fix: Fedora, Gentoo and other Linux vendors are releasing patches for the
flaw.
Description: The three LHA bugs are as serious as that in imlib, but are more difficult to
exploit, according to an advisory from Red Hat Inc. The first could take effect if a user
were tricked into extracting or testing a specially crafted archive. The second can only
be exploited if a user were tricked into passing a specially crafted command line to the
lha command. In the third, an attacker could create a directory with special characters
in its name, which could lead to the execution of malicious commands.

6.1.3 Other Software


Here are listed some of the vulnerabilities of other commonly used software.
· The MSIE Script Vulnerability
Discovered: Mid 2001
Affects: Microsoft Internet Explorer 4.01 and higher
Fix: The Microsoft fix is available from
http://www.microsoft.com/windows/ie/download/critical/patch11.htm
Description: The vulnerability enables an attacker to embed malicious VB code into MS
Access via Internet Explorer. Simply visiting an infected site or previewing an e-mail that
contains malicious code can compromise your system.
· The RDISK hole
Discovered: Early 2000
Affects: Windows NT
Fix: No specific fix. Varies from system to system. The rdisk command could
be blocked to normal users, for example.
Description: RDISK is an NT utility which allows users to create emergency repair disks.
However it can be misused by a malicious user, since it can be used to dump all security
information into the c:\WINNT\REPAIR directory. From here the attacker can use a
password cracker to recover the passwords.

6.2 Attacks
6.2.1 Ping of Death
Filename: pingexploit.c, win95ping.c
Author: Bill Fenner (fenner@freebsd.org)
Build OS: BSD UNIX
Target OS: Windows 95, Windows NT 3.51
Description: Oversized ICMP echo requests (>64k) are sent to the target, which due to
inappropriate handling, crashes.
Fix: Microsoft has included a fix in its subsequent applications.
6.2.2 Smurf
Filename: smurf.c
Author: TFreak
Build OS: UNIX
Target OS: Any system that responds to ICMP data
Description: Floods the target system with spoofed ICMP echo requests. This congests the
lines to the system and causes a denial of service. Smurf is an example of a bandwidth
consumption attack.
Fix: Disable IP directed broadcasts on the router and configure the OS not to respond to
packets sent to IP broadcast addresses.
6.2.3 Trin00

Filename: trin00.tgz
Author: Project DoS
Build OS: UNIX
Target OS: UNIX
Description: A distributed denial of service tool (see section 4.1.3). A network of previously
compromised agents floods the target system with UDP packets on the attacker’s command,
congesting the lines to the system and causing a denial of service.
Fix: Patch systems to prevent compromise, monitor UDP traffic for trinoo fingerprints and
run DDoS scanner tools like RID. Blocking UDP traffic on high numbered ports may prevent
the problem but this could cause other applications to function unpredictably.
6.2.4 Hare breed of Virus:
Virus name: Hare [x]
Infects: COM and EXE files
Size: 7610 bytes
Description: The Hare breed is a common strain of virus which is memory resident and
supports full stealth. It is also encrypted and polymorphic, which makes it that much harder
to track down.

6.3 Defenses
6.3.1 Firewall Toolkit (FWTK):
The TIS Firewall Toolkit is a somewhat outdated but still completely feasible solution for
creating a firewall. The package which is free for noncommercial use includes proxies for
the following services:
· Telnet
· FTP
· Rlogin
· Sendmail
· HTTP
· X Window system
The toolkit requires some rules to be specified. This is easily done by editing the following
files:
· /etc/services: This file specifies what services the machine will support and what
ports those services run on
· /etc/inetd.conf: This is the configuration file for inetd. It specifies what server is
activated when outsiders request a service.
· /usr/local/etc/netperm-table: This is an FWTK file. In it, you specify who can use
the services you provide.
You can choose two schemes for permissions: deny all services which are not expressly
allowed or allow all services which are not expressly prohibited.
Vendor: TIS
Platform: UNIX
6.3.2 The Open Source Nessus Project:
Nessus was written by Renaud Deraison, an open source author living in Paris. Nessus is
quickly becoming the Linux of the vulnerability scanning field. Nessus employs an extensible
plug-in model that enables the security community to add scanning modules at will. This
gives Nessus a development edge, because any check that it does not have can be created
by anyone with some time and coding ability on their hands. Nessus uses a console based engine, in
which the console may or may not reside on the same computer as the scanning engine.
This distributed architecture allows for some interesting flexibility.
Vendor: NONE (open source)
Platform: UNIX
6.3.3 Cisco Secure IDS:
Cisco acquired the NetRanger NIDS with its acquisition of the Texas based “Wheelgroup”
corporation in the late 1990’s. NetRanger served as the foundation of what is now the Cisco
Secure IDS suite. Cisco has multiple sensor offerings, ranging from the smallest x86 based
appliance to their more industrial strength appliance offering, to an intrusion detection ‘blade’
which fits into the Catalyst 6500 series of switches.
Vendor: Cisco Systems
Platform: Appliance

7.0 Conclusion:
Information security is everyone’s business. All users of computer networks are responsible to themselves and
the entire community for the protection of individual and common resources. As more and more vulnerabilities
are discovered, better and better methods of security are being implemented.
However, it is important to remember that as better and better methods of computer security are invented, the
efforts and efficiency of crackers will also increase. Hence, in order to stay ahead in this electronic arms race,
one must keep abreast of the latest developments in both the attack as well as defense field.

8.0 References
· Maximum Security, 3rd Edition, Anonymous, Sams Techmedia Publishing, 2001
· Unofficial Guide to Ethical Hacking, Ankit Fadia, Macmillan India, 2001
· Network Security: Private Communication in a Public World, Kaufman, Perlman, Speciner, Pearson
Education, 2002
· Computer Vulnerabilities, Eric Knight, C.I.S.S.P. Electronic Edition, 2000
· The Little Black Book of Computer Viruses, Mark Ludwig, Electronic Edition, 1996
· Understanding the Various Types of Denial of Service Attack, Technical Paper, Raja Azrina Raja
Othman
· US Government Information Centre: http://usgovinfo.about.com/
· The Pine-Mountain Group: http://www.pmg.com/index.htm
· Geek-Times.com: http://www.geek-times.com
· Slashdot security portal: http://slashdot.org/
· Infosyssec.net security portal: http://www.infosyssec.net/
· Windows Security portal: http://www.windowsecurity.com
· Eweek IT news portal: http://www.eweek.com
