Threat of Hacker Attack Methods (THAM)

There are several methods that are commonly used by other users to take control of our computer, some of which are:

1. Trojan horse programs

This is the most common way other users trick us (often referred to as "social engineering"): by means of a Trojan horse program they install a "back door" program that lets them access our computer without our knowledge. Trojan horse programs also change the configuration of our computer and can infect it with computer viruses.

Example: into small application programs such as games, hackers insert a program that can damage the system or control our computer remotely.

2. Back door & remote administration programs

On Windows, three back door / remote administration programs are frequently used, namely BackOrifice, Netbus, &amp; SubSeven. Once installed, all three open the possibility for others to access and control our computer. On Linux, there are secure remote administration programs such as ssh.

3. Denial of Service

Denial of Service (DoS) is a condition in which clients on a computer network stop receiving service because the network is affected by an intruder's attack.

Some of the techniques used by intruders to cause DoS include:

3.1 Ping of Death

Ping of Death uses the ping utility program of the computer's operating system. Ping is normally used to check how long it takes to send a certain amount of data from one computer to another. The maximum length of data that can be sent according to the IP protocol specification is 65,536 bytes. In Ping of Death the data sent exceeds the maximum packet size allowed by the IP protocol specification.

Figure 10.1. Illustration of Ping of Death

Consequently, an unprepared system will crash, hang or reboot when it receives such an oversized packet. This attack is not new; all operating system vendors have since fixed their systems to handle oversized packets.

3.2 Teardrop

This technique exploits the packet disassembly-reassembly (fragmentation) process. In an internet network, data often has to be cut into small pieces to ensure reliability &amp; to let multiple parties share the network. These pieces sometimes have to be cut again into even smaller pieces when they are transmitted over a Wide Area Network (WAN) link, so that delivery over an unreliable WAN link becomes more reliable. In the normal fragmentation process, each piece carries offset information that roughly reads "this piece is the 600-byte piece of a total of 800 bytes in the packet sent".

Figure 10.2. Teardrop Illustration

The teardrop program manipulates the offset of the data chunks so that the pieces overlap when they are reassembled at the receiving end. This overlap often causes the system at the other end to crash, hang &amp; reboot.
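The two fragment defects described in 3.1 and 3.2 can be caught before reassembly. The following is an added example (not code from the original page) that validates a set of IP fragments, flagging a reassembled size beyond the IP limit (Ping of Death) and overlapping fragments (Teardrop); the sample fragment sets are constructed, not captured traffic.

```python
# Added example: sanity-check a set of IP fragments before reassembly.
# Fragment offsets follow the IP header convention: units of 8 bytes.
from dataclasses import dataclass
from typing import List

MAX_IP_DATAGRAM = 65535  # largest value of the 16-bit IP Total Length field


@dataclass
class Fragment:
    offset_units: int     # IP fragment offset field, in 8-byte units
    length: int           # payload bytes carried by this fragment
    more_fragments: bool  # the MF flag; cleared only on the last fragment

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def check_fragments(frags: List[Fragment]) -> List[str]:
    """Return the problems found; an empty list means the set looks sane."""
    problems = []
    ordered = sorted(frags, key=lambda f: f.start)
    # Ping of Death: the reassembled datagram would exceed the IP size limit.
    total = max(f.end for f in ordered)
    if total > MAX_IP_DATAGRAM:
        problems.append(f"oversized: reassembled length {total} > {MAX_IP_DATAGRAM}")
    # Teardrop: a fragment claims bytes already covered by the previous one.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:
            problems.append(f"overlap: fragment at {cur.start} starts inside "
                            f"{prev.start}-{prev.end}")
    # Only the final fragment may have the MF flag cleared.
    if any(not f.more_fragments for f in ordered[:-1]):
        problems.append("MF flag cleared on a non-final fragment")
    return problems


# Constructed sample fragment sets (not real traffic).
NORMAL = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 100, False)]
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8185, 1480, False)]  # ends at byte 66960
TEARDROP = [Fragment(0, 36, True), Fragment(3, 4, False)]  # second piece starts at byte 24

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)]:
        print(name, check_fragments(frags) or "ok")
```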

3.3 SYN Attack

A weakness of the TCP/IP specification is that it is open to SYN packet attacks. A SYN packet is sent at the start of the handshake between two applications, before a transaction or data transfer takes place. Under normal conditions, the client application sends a TCP SYN packet to synchronize with the application on the server (receiver). The server (receiver) responds with an acknowledgment in the form of a TCP SYN ACK packet. Once the client (sender) has received the TCP SYN ACK packet, it sends an ACK packet to signal that the data transfer transaction can begin. In a SYN flood attack, the client floods the server with many TCP SYN packets. Each TCP SYN packet causes the server to respond with a TCP SYN ACK packet and to record the pending connection (in a backlog queue) while it waits for the TCP ACK from the client that sent the SYN. The backlog queue is of course limited &amp; usually small in memory. When the backlog queue is full, the system no longer responds to any other incoming TCP SYN packets -- in simple terms, the system appears to be frozen or hanging. Entries for TCP SYN ACK packets in the backlog queue are only discarded when the TCP timer times out, indicating that no response came from the sending client.

Usually the internal TCP timer is set quite long.

Figure 10.3. Illustration of SYN Attack

The key to a SYN attack is to flood the server with TCP SYN packets that carry a forged source IP address. Since the source IP address does not exist, there will obviously be no TCP ACKs sent in response to the TCP SYN ACK packets. In this way the server appears to be frozen or hung and does not process requests for a long time. Various computer vendors have now added defenses against this SYN attack, and firewall programmers also ensure that their firewalls do not forward packets with forged source IP addresses.

3.4 Land Attack

A Land attack is a simple combination of the SYN attack with the source IP address set to that of the attacked system. Even with the SYN attack fix above, Land attacks have caused problems on some systems. This type of attack is relatively new; some operating system vendors have provided fixes. Another way to defend the network against the Land attack is to filter, in your firewall software, all incoming packets from known bad IP addresses.

Figure 10.4. Land Attack Illustration

In a Land attack, the hacker sends a SYN to the victim's computer that appears to come from the victim's own computer. The ACK reply is therefore sent back to the victim's own computer, and as a result the computer hangs or crashes.
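The backlog behaviour from 3.3 and the self-addressed SYN from 3.4 can both be modelled on the defender's side. The following is an added example (not code from the original page): a small monitor that replays a list of observed TCP packets, keeps half-open connections until an ACK arrives or the timer expires, and raises alerts when the backlog is full or a SYN claims to come from the server itself. The backlog size, the timeout and the sample traffic are all constructed assumptions.

```python
# Added example: model a server's SYN backlog and flag Land packets.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float    # seconds since the start of the constructed capture
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # "S" = SYN, "A" = ACK (only these two matter here)


BACKLOG_LIMIT = 5    # assumed backlog size for the model, not a real OS default
SYN_TIMEOUT = 30.0   # assumed seconds before a half-open entry is dropped


def monitor(packets: List[Packet], server: str) -> Dict[str, List[str]]:
    """Replay packets addressed to `server`; return alerts keyed by type."""
    alerts: Dict[str, List[str]] = {"land": [], "backlog_full": []}
    half_open: Dict[Tuple[str, int], float] = {}  # (client, port) -> SYN time
    for p in sorted(packets, key=lambda x: x.ts):
        # The TCP timer: drop entries whose ACK never arrived in time.
        for key, t0 in list(half_open.items()):
            if p.ts - t0 > SYN_TIMEOUT:
                del half_open[key]
        if p.dst != server:
            continue
        if p.flags == "S":
            if p.src == p.dst:  # Land: a SYN claiming to come from the victim itself
                alerts["land"].append(f"t={p.ts:.1f}: SYN from {p.src} to itself, port {p.dport}")
            elif len(half_open) >= BACKLOG_LIMIT:  # queue full: this SYN gets no service
                alerts["backlog_full"].append(f"t={p.ts:.1f}: backlog full, SYN from {p.src} dropped")
            else:
                half_open[(p.src, p.sport)] = p.ts
        elif p.flags == "A":
            half_open.pop((p.src, p.sport), None)  # handshake completed, entry freed
    return alerts


# Constructed sample traffic: one legitimate handshake, seven SYNs from forged
# sources that never ACK, one Land packet, then a legitimate SYN after the timeout.
SERVER = "192.0.2.10"
SAMPLE = [Packet(0.0, "198.51.100.5", SERVER, 40000, 80, "S"),
          Packet(0.1, "198.51.100.5", SERVER, 40000, 80, "A")]
SAMPLE += [Packet(1.0 + i / 10, f"10.0.0.{i}", SERVER, 1000 + i, 80, "S") for i in range(1, 8)]
SAMPLE += [Packet(2.0, SERVER, SERVER, 80, 80, "S"),
           Packet(40.0, "198.51.100.6", SERVER, 40001, 80, "S")]


def run_sample() -> Dict[str, List[str]]:
    return monitor(SAMPLE, SERVER)


if __name__ == "__main__":
    for kind, lines in run_sample().items():
        print(f"{kind}: {len(lines)}", *lines, sep="\n  ")
```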

3.5 Smurf Attack

A Smurf attack abuses the IP specification feature known as directed broadcast addressing. A Smurf hacker typically floods our router with Internet Control Message Protocol (ICMP) echo request packets, the packets generated by the ping application. Because the destination IP address of the packets is the broadcast address of your network, the router forwards the ICMP echo request to every machine on the network. If there are many hosts on the network, the result is a very large amount of ICMP echo request &amp; reply traffic.

Figure 10.5. Smurf Attack Illustration

Moreover, if the hacker spoofs the source IP address of the ICMP requests, the ICMP traffic jams not only the intermediary network but also the network whose IP address was spoofed; this network is known as the victim network. To prevent our network from becoming an intermediary for a Smurf attack, directed broadcast addressing must be turned off on the router unless we really need it for multicast purposes, which are currently not 100% defined. Another alternative is to filter ICMP echo requests on the firewall. To prevent our network from becoming the victim of a Smurf attack, it is a good idea to have an upstream firewall configured to filter ICMP echo or to rate-limit echo traffic so that its share of overall network traffic stays small.

3.6 UDP Flood

Basically, a UDP flood links two systems together without their knowledge. By spoofing, a User Datagram Protocol (UDP) flood attack attaches itself to the UDP chargen service on one machine, which for "experimental" purposes sends a stream of characters, and to the echo service on another machine, which is programmed to echo back every character it receives.

Figure 10.6. Illustration of UDP Flood

Because the UDP packets are spoofed between the two machines, the result is a never-ending flood of useless characters exchanged between them. To combat a UDP flood, you can disable all UDP services on every machine on the network, or, more easily, filter all incoming UDP services on the firewall. Because UDP is designed for internal diagnostics, it is safe to reject all UDP packets from the Internet. But if we eliminate all UDP traffic, some legitimate applications such as RealAudio, which uses UDP as its transport mechanism, will no longer work.

3.7 Serve as an intermediary for other attacks

Other users very often use a compromised computer to attack other systems. A simple example is how a Distributed Denial of Service (DDoS) attack is carried out. In a DDoS attack, the intruder installs an "agent" (usually a Trojan horse program) on the compromised computer, where it waits for further instructions. Once enough computers have been prepared, a single command launches the DDoS attack on a target system. This means that our own computer becomes a very efficient tool for attacks on others.

3.8 Unprotected Windows shares

Unprotected Windows shares can be exploited by other users to place their software on a large number of Internet-connected computers at once. Because security on the Internet is interconnected, a computer controlled by another user causes problems not only for its owner but also for many other computers on the Internet. This risk is very high, especially since a great many computers with unprotected shares are connected to the Internet. Distributed attack tools, viruses and worms such as the 911 worm are examples of attacks carried out through open Windows shares.

3.9 Mobile code (Java, JavaScript, and ActiveX)

The Java, JavaScript, &amp; ActiveX programming languages allow web developers to write software that is run by the web browser. Usually such programs are harmless, but sometimes they are used by other users for bad purposes. It is therefore a good idea to stop the web browser from running scripts. Besides the web browser, the e-mail client should also be configured so that it does not run scripts.

3.10 Cross-site scripting

A malicious web developer sends a script to our web browser when we submit data such as URLs, form fields, or database requests. The malicious script is returned along with the website's response to that request, and finally it is executed or stored in our web browser.

3.11 Email spoofing

Email spoofing occurs when an email message appears to come from one person but actually comes from someone else. It is often used to trick someone into making a damaging statement or releasing sensitive information such as a password. It should be noted that no ISP administrator will ask for a password under any circumstances.

3.12 IP spoofing

IP spoofing is done by changing the source address of a packet so that it can pass through the firewall's protection.

Figure 10.7. Illustration of IP Spoofing

IP spoofing also allows an intruder on a network with limited access to reach external networks (such as the internet): by using the IP address of a host that is allowed to access the internet, the intruder can freely access the outside.

3.13 Forging

One way someone can steal other people's important data is by fraud. One form of fraud is to create a fake website and then lure the intended victim into visiting it. Having obtained the necessary data, the fraudster can access the original website as the deceived party. An example is the case of fake BCA Bank sites such as www.klickbca.com and www.kilkbca.com, which customers mistook for the original site. After entering the fake site, customers were asked for their username and password, and after submitting them an error message appeared on the page, while the username and password actually went into the fraudster's database.

3.14 E-mail-borne viruses

Viruses and various other malicious programs are spread through e-mail attachments. Before opening an attachment, it is a good idea to check who sent it. It is better not to open attachments that are suspicious programs or scripts, even if they were sent by people we know. Do not forward programs to other users just because they are interesting; the program may well be a Trojan horse.

3.15 Hidden file extensions

The Windows operating system has an option "Hide file extensions for known file types". This option is enabled in the default Windows settings; users should disable it so that viruses cannot exploit it. The first major attack that exploited hidden file extensions was the VBS/LoveLetter worm, which carried an e-mail attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Of course there are many more viruses of this type with the file extensions .vbs, .exe, .pif -- they often look safe because the visible part of the name ends in .txt, .mpg or .avi.
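A mail gateway or attachment filter can detect this disguise before the user sees the name. The following is an added example (not code from the original page) that classifies attachment names by their real final extension versus the decoy extension shown when extensions are hidden; the extension lists and sample names are constructed.

```python
# Added example: flag attachment names that hide an executable extension behind
# an innocent-looking one, as in "LOVE-LETTER-FOR-YOU.TXT.vbs".
from typing import Dict, List

# Extensions Windows executes (constructed list) and the "safe-looking"
# extensions used as a decoy in front of them.
EXECUTABLE_EXTS = {"vbs", "exe", "pif", "scr", "js", "bat", "cmd", "com"}
DECOY_EXTS = {"txt", "mpg", "avi", "jpg", "gif", "doc", "pdf", "mp3"}


def classify_attachment(name: str) -> str:
    """Return 'disguised', 'executable' or 'ok' for an attachment file name."""
    # Split on dots, dropping empty pieces and the padding spaces attackers use
    # to push the real extension out of view in a narrow file list column.
    parts = [p.strip().lower() for p in name.split(".") if p.strip()]
    if len(parts) < 2:
        return "ok"                 # no extension at all
    real_ext = parts[-1]            # what Windows actually uses to pick a handler
    shown_ext = parts[-2]           # what the user sees when extensions are hidden
    if real_ext in EXECUTABLE_EXTS and shown_ext in DECOY_EXTS:
        return "disguised"
    if real_ext in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def scan_attachments(names: List[str]) -> Dict[str, List[str]]:
    """Group a batch of attachment names by verdict."""
    report: Dict[str, List[str]] = {"disguised": [], "executable": [], "ok": []}
    for name in names:
        report[classify_attachment(name)].append(name)
    return report


# Constructed sample attachment names (not from a real mailbox).
SAMPLE_NAMES = [
    "LOVE-LETTER-FOR-YOU.TXT.vbs",
    "holiday.jpg                 .exe",
    "setup.exe",
    "report.pdf",
    "archive.tar.gz",
    "README",
]

if __name__ == "__main__":
    for verdict, names in scan_attachments(SAMPLE_NAMES).items():
        print(f"{verdict}: {names}")
```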

3.16 Chat clients

Internet chat applications, such as instant messaging and Internet Relay Chat (IRC), provide mechanisms for sending information in both directions between computers on the Internet. Chat clients allow groups of individuals to exchange dialogue, web URLs, and various files. Because many chat clients allow programs to be sent, the risk is similar to that of viruses sent as e-mail attachments.

3.17 Packet sniffing

A packet sniffer is a program that captures the information in data packets as they travel across the network. This data may include usernames, passwords and other confidential information sent in plain text. Imagine how many usernames and passwords could be stolen by other users this way. Packet sniffer programs do not necessarily require administrator-level permission to install. Because packet sniffers capture our usernames and passwords, they are quite dangerous for internet cafe (warnet) owners, homes and offices that use cable modem connections.

Figure 10.8. Illustration of Packet Sniffing

Understanding Network Security

As time goes by, a computer that is not connected to a network often feels less useful. However, the most worrying aspect of connecting a computer to a network is security. After all, by connecting to a network we open a gap through which other parties can access our system, both legally and illegally. We must therefore make an effort to create a secure network connection so that we and other users can communicate safely. Initially, the concept of network security dealt mainly with protecting a computer network connected to the Internet against threats and disturbances aimed at that system. The scope of the concept widens every day, so that today it covers not only computer network security but, more broadly, the security of global information network systems.

1. Introduction

When our local network is connected to the internet, three things need to be considered, namely:

  • Confidentiality -- information is only available to people who have the right to access the information in question.
  • Integrity -- information can only be changed by people who have the right (authorization) to do so.
  • Availability -- information must be accessible when it is needed by those who are entitled to it.

These three things apply to us as ordinary users as well as to office or government networks. No one likes strangers looking at our important documents. We also want everything we do with a computer to remain confidential, whether it is sending e-mail to family or to friends. And we usually want the information we need to still be there when we log in to the computer and need it.

To understand computer network security clearly, we must first understand how computer networks work. To ease maintenance and improve compatibility between the various parties that may be involved, computer networks are divided into several layers that are independent of one another. According to the OSI layer standard, these layers are:

  • Physical
  • Data Link
  • Network
  • Transport
  • Session
  • Presentation
  • Application

2. Threats / Disturbances and Methods Used

2.1 Threats / Disturbances

Network security threats can be categorized into two groups, namely:

2.1.1 External threats

External threats arise due to intruders (other users) entering from the Internet, such as:

Hacker -- a term for people who like to tinker with computers, including programming languages such as assembly, C and other intermediate-level computer languages. Hackers can be classified into three groups, namely Black Hat, White Hat, and Gray Hat.

  1. Black Hat is an individual who has hacking skills (breaking into a security system). In this group, the weakness of the security system is disclosed only after the victim pays a reward.

  2. White Hat is an individual who has the expertise to carry out hacking actions, but uses it for the purpose of building and strengthening the security system of an organization or individual.

  3. Gray Hat is a combination of the two above: sometimes their actions are damaging, but on the other hand they also help the computer security world.

  4. Crackers is the term for people who use their hacking skills for destructive purposes.

  5. Script Kiddies refers to those who have no special hacking skills. They simply download hacking tools from the internet and try to hack with those tools. For example, in web programming, the script on the web is manipulated according to the hacker's wishes.

2.1.2 Threats from within

Internal threats occur without any access to the Internet, such as disasters (hard disk damage, theft, power outages) and threats from employees or users on the local network.
