Why is the system so fragile?
Author: Wang Yuyue (weekly computer newspaper)
The stability of Windows XP has improved greatly, yet it still comes under a large number of attacks, almost all of which exploit vulnerabilities inherent in the system. Such vulnerability attacks are everywhere: not only Microsoft operating systems but also UNIX, Linux, Solaris and others can suffer baffling attacks because of their own vulnerabilities. The same holds for applications such as Office, Foxmail and OICQ. But are program vulnerabilities alone what leave us overwhelmed by malicious threats? No. Besides program vulnerabilities, other factors give malicious attackers their opening: the skill level of system administrators, users' computing habits, the network environment, and the performance of security products. These are often the real bomb; the system vulnerability is merely the fuse.
System vulnerabilities are an open door
According to a survey, more than 90% of Windows 2000/XP/2003 users do not patch system vulnerabilities. As a series of highly dangerous attack codes appear on the network, these users face severe security threats. Vulnerabilities make a system very dangerous: an attacker or virus can easily obtain the highest privileges on the system and then do whatever it wants. Using public code downloaded from the Internet against unpatched systems, the success rate can reach 80%. After a slight technical improvement, the attack success rate is nearly.
The most dangerous thing is not a hacker attack exploiting such a vulnerability, but the virus that will soon emerge to exploit it. The main symptom of last year's Shock Wave virus was rebooting the system, which is only one aspect of the damage a virus can cause. Had it been written with a function to damage hard disk data, the harm done by the Shock Wave virus could have been far greater.
There are hundreds of known network attack methods: exploiting system buffer overflow vulnerabilities to gain control of a system, denial-of-service and worm attacks, network sniffing and eavesdropping to obtain accounts and passwords, password-cracking attacks, IP address spoofing, and so on. Before most attacks formally begin, the attacker must first probe the network system for vulnerabilities.
In general, a successful network attack consists of the following steps: the attacker hides their identity, collects information about the target system, probes it for vulnerabilities, exploits a vulnerability to launch the attack, and after success opens a backdoor and clears the logs. In this process, target information collection and vulnerability probing are often performed at the same time. Existing tools can be used, but sometimes weaknesses must be analysed and dug out from the information already gathered. For hackers or attackers, vulnerability detection plays a very important role in a successful intrusion. For network administrators it is equally necessary to master the basic methods of vulnerability detection, understand the vulnerabilities of their own systems, and fix them in a timely manner.
Users who have installed only anti-virus software should be on guard, because the current security situation is this: vulnerabilities are causing ever more serious crises, plain anti-virus products are becoming less and less able to protect network security, and networks need multi-layered (three-dimensional) protection. Many anti-virus vendors have noticed this and have put effort into studying system vulnerabilities.
The current network structure has many weaknesses
As the core protocol suite of the Internet, TCP/IP did not take security into account at the design stage, which left it with many vulnerabilities. For example, HTTP and FTP, the application-layer protocols used by WWW services, have many vulnerabilities. Beyond that, the suite has the following weaknesses: the source IP address of an IP packet can be altered, so attackers can hide their real IP address; the TCP sequence number space is limited, so attackers can hijack a TCP session by guessing the sequence number; and TCP/IP traffic is not encrypted in transit, so it is easy to eavesdrop on.
Besides the transmission protocols, the network infrastructure also has weaknesses. A router is the nerve centre of a network: every packet transmitted between networks must pass through it. If the IP address of a compromised host is set to the router's IP address, the resulting address conflict can disrupt the router's normal operation. Because a single router has limited processing capacity, flooding it with junk packets can cause denial of service. Some routers have poor security, storing passwords in plain text or only weakly encrypted, which lets hackers take direct control of the router; there is even software on the network that specifically attacks Cisco routers.
Besides routers, the Domain Name Server (DNS) is another important network device. It provides domain name resolution, translating between host names and IP addresses. Some DNS servers are improperly configured, making it easy for hackers to take control of them and bend them to their purposes. DNS resolves names in a client/server mode, but users have difficulty determining whether the answer they receive is genuine and valid. Hackers can construct false responses, redirect users to other websites, and defraud them of their accounts and passwords.
Because of these weaknesses in the network structure, more and more viruses spread through the Internet's many channels, and new malignant viruses are no longer designed to lie low in order to spread further; generally they attack as soon as they arrive. When a new virus appears, it can spread across the world within a few hours.
Users should improve their security awareness
Most web pages viewed online are enhanced by loading ActiveX controls and JavaScript code, and the browser downloads or runs the corresponding programs from the page being browsed. In general these programs run safely, but when browser vulnerabilities are left unrepaired they are easily abused by malicious code. Such automatically executed programs are a favourite of malicious attackers.
In fact, the way to prevent such attacks is very simple: fix vulnerabilities in a timely manner. Windows Update is generally available, and some anti-virus software also provides patches. It is also important to configure the browser's security options correctly. When an ActiveX control appears, the browser pops up a message box asking whether you want to accept it; before choosing "yes", you must be clear about what it is, otherwise you can only sigh at the screen afterwards. Java programs are generally prohibited. The medium security setting can basically ensure safe surfing on the Internet.
Email is also the main means of tricking people and the main channel for new viruses to get in. Current email has almost no security control mechanism, and many people are very hasty about opening attachments. Some viruses (such as the Cover Letter virus) can open attachments automatically by using an Outlook vulnerability, which is even more dangerous. At present it is best to use a mail firewall to filter email; some anti-virus software, such as Norton, has this function.
The outbreak of the "MSN virus" a few days ago showed a new route of virus intrusion. The virus spreads through QQ and MSN, so it spreads very quickly. It sends large amounts of junk messages and the virus file funny.exe via QQ and MSN, and replaces system files with virus files, so that some users cannot boot normally after restarting the machine, causing them great trouble. Therefore, do not casually open files sent by QQ or MSN contacts. Currently many viruses spread through QQ, ICQ and MSN chat tools, with Trojans at the head of the list, and the harm to users grows ever larger.
But the way to deal with this kind of virus is actually very simple: do not accept unknown files. Doing so, however, really requires strong security awareness. Security experts also recommend being alert when using network resources: do not blindly trust friends or click the links they send. We recommend setting the folder options in Explorer (Resource Manager) to show all files and display file extensions. Do not treat executable files lightly, because no one can predict the consequences of running an unknown program. Even a file that has been checked by anti-virus software should not be executed casually. If this is done, we believe the number of virus harassments will be greatly reduced.
Security products themselves need hardening
Network security products greatly improve the security of network systems, but it is undeniable that these products also have vulnerabilities. For example, a firewall must be configured manually; once it is misconfigured, an attacker can bypass it or take direct control of it. A firewall cannot prevent attacks that come in through backdoors. Its operation is also vulnerable to interference from other systems: for example, attacking the domain name server and altering the records that map the firewall's domain name to its IP address disrupts the firewall's operation. On hosts that run Web services, CGI programs can be used to plant backdoors, and the firewall can do nothing about it. Some firewalls do not inspect high-numbered ports, so an attacker can open a shell backdoor on a high port.
In addition, the recently criticised intrusion detection system (IDS) is vulnerable to denial-of-service attacks because it must process a large number of packets, which consumes substantial computing resources. Because of weaknesses in IDS architecture, an IDS generates a great deal of false-positive information, which interferes with the administrator's analysis of attack events. IDS detection algorithms also have weaknesses: many IDSs can only detect known attacks, so attackers can change the form of an attack to defeat them. For example, an IDS may decide that a buffer overflow attack is in progress by checking whether a packet contains /bin/sh or a long run of NOP instructions; an attacker can change the encoding of /bin/sh so that it differs from the encoding the IDS uses for detection, and the IDS is rendered useless. At present many security vendors are launching intrusion prevention system (IPS) products, which are said to be the replacement that solves the IDS false-positive problem.
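As an added illustration of the detection weakness just described (this code is not from the original article), the following Python compares a naive byte-pattern signature check with one that normalises the payload first, and adds the NOP-run check the text mentions. The sample packets, the single /bin/sh signature, and the NOP-sled threshold of 32 bytes are all constructed for the example; a real IDS would carry many more signatures and decoders.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample payloads for illustration (not real captured traffic).
SAMPLES = {
    "plain":       b"GET /cgi-bin/x?cmd=/bin/sh HTTP/1.0",
    "url_encoded": b"GET /cgi-bin/x?cmd=%2fbin%2fsh HTTP/1.0",
    "nop_sled":    b"\x90" * 64 + b"\xcc",
    "benign":      b"GET /index.html HTTP/1.0",
}

# A single illustrative signature; the article's example pattern.
SIGNATURES = [b"/bin/sh"]
# Assumed threshold: this many consecutive 0x90 (NOP) bytes counts as a sled.
NOP_SLED_MIN = 32


def naive_match(payload, signatures=SIGNATURES):
    """Byte-for-byte substring search: the approach that a re-encoded
    payload slips past, as the article describes."""
    return any(sig in payload for sig in signatures)


def normalize(payload):
    """Decode %XX URL escapes repeatedly until the payload stops changing,
    so that double-encoded input is reduced as well. The loop is capped
    so pathological input cannot keep the decoder busy."""
    prev, cur = None, payload
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_to_bytes(cur)
    return cur


def has_nop_sled(payload, min_len=NOP_SLED_MIN):
    """True when the payload contains a run of at least min_len NOP bytes."""
    return re.search(rb"\x90{%d,}" % min_len, payload) is not None


def inspect(payload):
    """Run every check and report which ones fired, so the two signature
    strategies can be compared side by side on the same packet."""
    return {
        "naive_signature": naive_match(payload),
        "normalized_signature": naive_match(normalize(payload)),
        "nop_sled": has_nop_sled(payload),
    }


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} {inspect(pkt)}")
```

Running the block shows that the URL-encoded packet is missed by the naive check but caught once the payload is decoded, which is the whole argument for normalising traffic before signature matching rather than trusting one fixed encoding of the pattern.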
The level of system administrators needs to be improved
A large number of attack incidents show that network systems are broken into not for technical reasons but because of weak management. For example, if a user with weak security awareness sets a weak password for access to an important network system, attackers can obtain ordinary system access by guessing the password and then exploit a local vulnerability to gain control of the system. Therefore, security training for employees is necessary. A network information security defence system is a whole made up of many parts: the encryption mechanism, access control and authentication mechanisms, firewalls, IDS and other security products, emergency response, data backup and data recovery, users' security awareness and competence, and the implementation of rules and regulations. There is a management and coordination task, which is mainly undertaken by the network administrator. A cryptography expert has said that security is a chain, and any weak link in that chain can compromise the entire system. In addition, support from senior management is important.
Today's network administrators need to understand the vulnerabilities in their network systems and how attackers exploit them to launch attacks. Network administrators can scan their own systems for vulnerabilities, or run simulated attacks against them, to locate and fix vulnerabilities in a timely manner. The system administrator's work can be described as a race against threats: system vulnerabilities must be found and fixed before the threat arrives. Unfortunately, far too few system administrators have this awareness, and many companies do not even have dedicated staff to manage the network. After a system problem occurs they can call in someone to fix it, but sometimes by then it is too late.
Eight major methods of defending against hacker intrusion
Besides "denial of service (DoS)", common modern hacker tactics include "e-mail bombing", stealing other people's IP addresses and passwords, and redirecting visitors from website A to website B. Some foreign experts have summarised eight major methods of defending against hacker intrusion.
Formulate a network security policy. The company's internal security policy should be communicated clearly to employees and define their responsibilities, so that the system can respond immediately when it is attacked. Provide employees with anti-hacker training to raise their vigilance and expose hacker intrusions promptly.
Regular