Q. What is GTISC's mailing address?
A. Georgia Institute of Technology
Georgia Tech Information Security Center
266 Ferst Drive
Atlanta, GA 30332-0765
Q. Should I be concerned about security?
A. The growth in security breaches has paralleled the growth of the Internet itself, which now links an estimated 20 million computers in some 200 countries. As a result, network security breaches are widespread, costly and commonplace. According to CERT, the number of reported unauthorized intrusions into computer networks has skyrocketed, from 406 in 1991 to almost 53,000 last year.
Q. What is a computer virus?
A. A computer virus is executable code that, when run, infects or attaches itself to other executable code on a computer in an effort to reproduce itself. Some computer viruses are malicious, erasing files or locking up systems; others cause problems solely through the act of infecting other code. In either case, a virus infection should not go untreated. Closely related to computer viruses are Trojan Horses and worms. A worm is a self-contained program that copies itself from machine to machine across a network without needing to attach to other code. A Trojan Horse is a program that performs some undesired action intended by its author while, or in addition to, pretending to do something else. One common class of Trojans is fake login programs, which collect account names and passwords by prompting for them just as the normal login program does.
Q. How can I get a computer virus?
A. Computer viruses most often arrive by email, on shared diskettes, in shared files, and in files opened from unknown sources. There are other routes, but the general principle is that viruses travel through shared resources. Viruses transmitted through email are often in the news. Some of these are written to read your address book and propagate by automatically resending themselves to every address in it; this eventually clogs email servers with messages until their storage space is completely used up. Other viruses activate when you open the message and then go to work on your own computer, overwriting or renaming operating system files. These can eventually disable your system or, at the very least, disable important functions and destroy important files.
Q. Are computer viruses getting worse?
A. Yes. In 1986 the National Computer Security Association estimated that there were only four known computer viruses. Today there are over 5,000 known computer viruses, with an average of 110 new viruses discovered each month.
Q. What can I do to protect my PC?
A. One of the best things you can do is purchase anti-virus software from a leading vendor such as Norton or McAfee, and keep its virus definitions up to date, since it can only recognize viruses it knows about. In addition, if you have a DSL or cable modem connection, you should consider purchasing a firewall product such as Norton Firewall or McAfee Firewall, so your computer is not left exposed to attacks from hackers.
Q. What is “domain forwarding”?
A. You may have a free Web site with your Internet Service Provider, but the address (URL) is long and cumbersome (for example, http://members.aol.com/username/index.html). For a small fee, some Web hosting companies will set up a domain name (for example, www.yourcompany.com) that forwards to it, so that visitors are automatically redirected to your Web site when they type in your domain name.
Q. What does “bandwidth” mean?
A. In Internet terms, “bandwidth” refers to the amount of data that can be sent through a network connection, usually measured in bits per second. For instance, a 56k modem is rated at about 56,000 bits per second (real connections are usually slower). Some Web hosting companies charge clients for the amount of bandwidth used per month (in other words, the total amount of data transferred back and forth).
Q. What if someone has already registered my business name as a domain name?
A. If your company name is trademarked, and someone has registered your domain name (perhaps with the intent to sell it back to you at a profit), you may want to seek legal advice. Otherwise, you will probably want to be creative and come up with another domain name. For instance, if www.mycompany.com is not available, try www.my-company.com or www.mycompany.net.
Q. What is an IP address?
A. Each computer, or “host,” on the Internet has at least one address that uniquely identifies it among all other computers on the Internet. This is known as an IP (Internet Protocol) address. When you type a domain name into your browser, your host looks up the IP address for that name (using the Domain Name System, DNS) and then sends its request to that address, including its own IP address as the source so that the reply can be sent back.
Q. Are some Web server software programs more secure than others?
A. Yes, although it would be foolhardy to give specific recommendations on this point. As a rule of thumb, the more features a server offers, the more likely it is to contain security holes. Simple servers that do little more than make static files available for requests are probably safer than complex servers that offer such features as on-the-fly directory listings, CGI script execution, server-side include processing, and scripted error handling.
Servers also vary in their ability to restrict browser access to individual documents or portions of the document tree. Some servers provide no restriction at all, while others allow you to restrict access to directories based on the IP address of the browser or to users who can provide the correct password. A few servers, primarily commercial ones, provide data encryption as well.
A table comparing the features of a large number of commercial, freeware and public domain servers has been put together by the WebCompare site:
Q. Are CGI scripts insecure?
A. CGI scripts are a major source of security holes. Although the CGI (Common Gateway Interface) protocol is not inherently insecure, CGI scripts must be written with just as much care as the server itself: the most common flaw is passing unchecked input from the browser to a shell command, a file name, or another program. Unfortunately some scripts fall short of this standard, and trusting Web administrators install them at their sites without realizing the problems.
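As an added illustration (not code from this page or from any particular Web server), here is the classic CGI shell-injection mistake in Python beside a hardened version. The `finger` lookup and the query parameter are assumed for the example; `shell_commands` tokenizes a command line the way a shell would, so the injected command can be seen without executing anything.

```python
import re
import shlex
import subprocess

# Vulnerable pattern: a query-string value is spliced into a command line that
# is later handed to a shell, e.g. os.system(cmd) or subprocess.run(cmd, shell=True).
# The 'finger' lookup is just the assumed example here.
def finger_command_unsafe(user: str) -> str:
    return "finger " + user


def shell_commands(cmdline: str) -> list[list[str]]:
    """Split a command line into the separate commands a POSIX shell would run.

    Uses shlex with punctuation_chars so ';', '|', '&&' and '&' become their own
    tokens; this is a tokenizer for illustration, not a full shell parser
    (backticks and $(...) substitutions are not modelled)."""
    separators = {";", "|", "||", "&&", "&"}
    commands, current = [], []
    for token in shlex.shlex(cmdline, punctuation_chars=True):
        if token in separators:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


# Hardened pattern: validate the value against a strict allow-list pattern and
# pass it as a single argv element, never through a shell.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def is_safe_username(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


def finger_command_safe(user: str) -> list[str]:
    if not is_safe_username(user):
        raise ValueError("rejected username: %r" % user)
    return ["finger", user]


def run_finger(user: str) -> str:
    """Execute the hardened form. shell=False means the argv list goes straight
    to execve, so there is no shell left to interpret metacharacters."""
    result = subprocess.run(finger_command_safe(user), shell=False,
                            capture_output=True, text=True, timeout=10)
    return result.stdout


if __name__ == "__main__":
    hostile = "alice; cat /etc/passwd"
    print(shell_commands(finger_command_unsafe(hostile)))   # two commands run
    print(finger_command_safe("alice"))                     # one argv, no shell
    print(is_safe_username(hostile))                        # rejected
```

The unsafe form turns one lookup into two commands; the safe form rejects the input outright and, when it does run, never lets a shell see it. Whatever the script does with the value (file names, SQL, mail addresses), the same two rules apply: validate against what you expect, and never concatenate into something another program will parse.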
Q. How secure is the encryption used by SSL?
A. SSL uses public-key encryption to exchange a session key between the client and server; this session key is used to encrypt the HTTP transaction (both request and response). Each transaction uses a different session key, so even if someone manages to decrypt one transaction they have not found the server's secret key; to decrypt another transaction, they would need to spend as much time and effort on the second as they did on the first.
Servers and browsers do encryption using either a 40-bit secret key or a 128-bit secret key. Many people feel that using a 40-bit key is insecure because it's vulnerable to a "brute force" attack (trying each of the 2^40 possible keys until you find the one that decrypts the message). This was in fact demonstrated in 1995 when a French researcher used a network of workstations to crack a 40-bit encrypted message in a little over a week. It is thought that with specialized hardware, 40-bit messages can be cracked in minutes to hours. Using a 128-bit key eliminates this problem because there are 2^128 instead of 2^40 possible keys. To crack a message encrypted with such a key by brute force would take significantly longer than the age of the universe using conventional technology.
Q. How safe is restriction by IP address or domain name?
A. Restriction by IP address is secure against casual nosiness but not against a determined hacker. There are several ways around IP address restrictions. With the proper equipment and software, a hacker can "spoof" his IP address, making it seem as if he's connecting from a location different from his real one. Nor is there any guarantee that the person contacting your server from an authorized host is in fact the person you think he is. The remote host may have been broken into and is being used as a front. To be safe, IP address restriction must be combined with something that checks the identity of the user, such as a check for user name and password.
IP address restriction can be made much safer by running your server behind a firewall machine that is capable of detecting and rejecting attempts at spoofing IP addresses. Such detection works best for intercepting packets from the outside world that claim to be from trusted machines on your internal network.
One thing to be aware of is that if a browser is set to use a proxy server to fetch documents, then your server will only know about the IP address of the proxy, not the real user's. This means that if the proxy is in a trusted domain, anyone can use that proxy to access your site. Unless you know that you can trust a particular proxy to do its own restriction, don't add the IP address of a proxy (or a domain containing a proxy server) to the list of authorized addresses.
Q. How safe is restriction by user name and password?
A. Restriction by user name and password also has its problems. A password is only good if it's chosen carefully. Too often users choose obvious passwords like middle names, their birthday, their office phone number, or the name of a favorite pet goldfish. These passwords can be guessed, and WWW servers, unlike Unix login programs, do not slow down or lock the account after repeated unsuccessful guesses. A determined hacker can employ a password-guessing program to break in by brute force. You should also be alert to the possibility of remote users sharing their user names and passwords. It is more secure to use a combination of IP address restriction and password than to use either of them alone.
Another problem is that the password is vulnerable to interception as it is transmitted from browser to server. It is not encrypted in any meaningful way (HTTP Basic authentication merely base64-encodes it), so a hacker with the right hardware and software can pull it off the Internet as it passes through. Furthermore, unlike a login session, in which the password is passed over the Internet just once, a browser sends the password each and every time it fetches a protected document. This gives a hacker many more chances to intercept it. To avoid this, you have to encrypt the connection, for example with SSL (see below).
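The two answers above (IP address restriction and user name/password) recommend combining the checks and warn about proxies and unlimited guessing. The following added example, which is not code from this page or from any server product, shows one way to put that together: an allow-list check on the TCP peer address using Python's `ipaddress` module, salted PBKDF2 password hashes compared in constant time, and a failure counter that locks the account after too many bad guesses. The network ranges, account and password are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed allow-list for the example (documentation ranges, not real hosts).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.7/32")]
MAX_FAILURES = 5          # guesses allowed before the account is locked
LOCKOUT_SECONDS = 600     # how long the lock lasts
PBKDF2_ROUNDS = 100_000   # slow on purpose: each guess costs the attacker too


def ip_allowed(peer_ip: str) -> bool:
    """Check the TCP peer address against the allow-list.

    Use the address the socket reports, not an X-Forwarded-For header: a
    client behind a proxy shows the proxy's address, and a forged header costs
    the attacker nothing."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALLOWED_NETS)


def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted, slow hash so a copied password file is not enough.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Guard:
    def __init__(self, users: dict[str, tuple[bytes, bytes]]) -> None:
        self.users = users                       # name -> (salt, pbkdf2 hash)
        self.failures: dict[str, list] = {}      # name -> [count, locked_until]
        # Dummy credential so unknown users cost the same time as known ones,
        # which keeps user-name enumeration by timing off the table.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def authorize(self, peer_ip: str, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied-ip', 'locked' or 'denied-credentials'."""
        if not ip_allowed(peer_ip):
            return "denied-ip"
        count, locked_until = self.failures.get(user, [0, 0.0])
        if now < locked_until:
            return "locked"
        salt, expected = self.users.get(user, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        if ok and user in self.users:
            self.failures.pop(user, None)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            # A lock stops unlimited guessing but also lets an attacker lock a
            # real user out; a growing delay per failure is the usual alternative.
            count, locked_until = 0, now + LOCKOUT_SECONDS
        self.failures[user] = [count, locked_until]
        return "denied-credentials"


def demo_guard() -> Guard:
    """Guard with one constructed account (user 'alice', password 'correct horse')."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    return Guard({"alice": (salt, hash_password("correct horse", salt))})


if __name__ == "__main__":
    g = demo_guard()
    print(g.authorize("203.0.113.9", "alice", "correct horse", now=0))   # denied-ip
    print(g.authorize("192.0.2.10", "alice", "correct horse", now=0))    # ok
```

The `now` parameter is passed in rather than read from the clock so the lock-out logic can be exercised deterministically; a real deployment would pass `time.time()`. Note what this does not solve: the password still crosses the wire on every request, so the check belongs behind an encrypted connection.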
Q. What is user authentication?
A. User authentication is any system for determining and verifying the identity of a remote user. User name and password is a simple form of user authentication. Public key cryptographic systems, described below, provide a more sophisticated form of authentication that uses an unforgeable digital signature.
Q. How does encryption work?
A. Encryption works by encoding the text of a message with a key. In traditional (symmetric) encryption systems, the same key is used for both encoding and decoding, so both parties must share it in advance. In the newer public key, or asymmetric, encryption systems, keys come in pairs: one key is used for encoding and the other for decoding. In this system everyone owns a unique pair of keys. One of the keys, called the public key, is widely distributed and used for encoding messages. The other key, called the private key, is a closely held secret used to decrypt incoming messages. Under this system, a person who needs to send a message to a second person encrypts the message with that person's public key. The message can only be decrypted by the owner of the matching private key, so an intercepted copy is useless to anyone else. The same pair of keys can also be used to create unforgeable digital signatures: the private key signs and the public key verifies.
Most practical implementations of secure Internet encryption actually combine the traditional symmetric and the new asymmetric schemes. Public key encryption is used to negotiate a secret symmetric key that is then used to encrypt the actual data.
Since commercial ventures have a critical need for secure transmission on the Web, there is very active interest in developing schemes for encrypting the data that passes between browser and server.
Q. What is SSL?
A. SSL (Secure Sockets Layer) is the scheme proposed by Netscape Communications Corporation. It is a low-level encryption scheme used to encrypt transactions in higher-level protocols such as HTTP, NNTP and FTP. The SSL protocol includes provisions for server authentication (verifying the server's identity to the client), encryption of data in transit, and optional client authentication (verifying the client's identity to the server).
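The answers on SSL's encryption and on how public-key encryption negotiates a symmetric session key describe a hybrid scheme. The added example below, which is not code from this page or from any SSL implementation, walks through one such exchange with both sides' messages: each side makes an ephemeral Diffie-Hellman value (one of the public-key methods SSL/TLS supports; the page's own description matches RSA key transport, the other), both derive the same session key, and the request travels under a stream cipher keyed by it. Server authentication, which real SSL adds by signing the handshake, is omitted. The group parameters are the 2048-bit MODP prime from RFC 3526, transcribed here; the HMAC-counter "cipher" is a toy stand-in with no integrity protection.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP prime and generator from RFC 3526 (group 14), transcribed here;
# check it against the RFC before relying on it for anything real.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def check_public_value(y: int) -> int:
    """Reject peer values that force a predictable shared secret (0, 1, p-1)
    or that are not field elements at all."""
    if not 1 < y < P - 1:
        raise ValueError("peer public value out of range")
    return y


class Party:
    """One endpoint of the handshake; a fresh ephemeral secret per session."""

    def __init__(self) -> None:
        self._x = secrets.randbelow(P - 2) + 1      # private exponent, 1..p-2
        self.public = pow(G, self._x, P)            # the value sent to the peer

    def session_key(self, peer_public: int) -> bytes:
        shared = pow(check_public_value(peer_public), self._x, P)
        # Hash the shared secret down to a 256-bit session key; stands in for
        # the real SSL/TLS key-derivation step.
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Illustrative only; real SSL/TLS uses a standard cipher plus integrity
    protection, which this omits."""
    out = bytearray()
    for ctr, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def run_session(request: bytes) -> dict:
    """One handshake plus one encrypted request.

    Client -> Server: client.public      Server -> Client: server.public
    Both sides then compute the same key; the secret exponents never travel."""
    client, server = Party(), Party()
    k_client = client.session_key(server.public)
    k_server = server.session_key(client.public)
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(k_client, nonce, request)
    recovered = keystream_xor(k_server, nonce, ciphertext)
    return {"key_client": k_client, "key_server": k_server,
            "ciphertext": ciphertext, "recovered": recovered}


def independent_sessions(request: bytes) -> bool:
    """Two sessions for the same request yield unrelated keys and ciphertexts,
    so breaking one session tells an attacker nothing about the next."""
    a, b = run_session(request), run_session(request)
    return a["key_client"] != b["key_client"] and a["ciphertext"] != b["ciphertext"]


if __name__ == "__main__":
    s = run_session(b"GET /secret.html HTTP/1.0")
    print(s["key_client"] == s["key_server"], s["recovered"])
    print(independent_sessions(b"GET / HTTP/1.0"))
```

Because the exponents are thrown away after each session, a recorded transcript cannot be decrypted later even if a long-term server key leaks; with RSA key transport, as described in the SSL answer, the server's private key would unlock every recorded session, which is why ephemeral key agreement later became the default.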
Q. What is a Denial of Service attack?
A. Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed and the computer can no longer process legitimate user requests.
Q. What is a Distributed Denial of Service attack?
A. A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator multiplies the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. At a designated time, the master program then communicates with any number of "agent" programs installed on computers anywhere on the Internet. The agents, when they receive the command, initiate the attack. In this way the master program can initiate hundreds or even thousands of agent programs within seconds.
Q. How is a DDoS executed against a website?
A. A website DDoS is executed by flooding one or more of the site's web servers with so many requests that it becomes unavailable for normal use. If an innocent user makes normal page requests during a DDoS attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable. DDoS attacks typically take advantage of several computers which simultaneously launch hundreds of thousands of requests at the target website. In order not to be traced, the perpetrators will break into unsecured computers on the internet, hide rogue DDoS programs on them, and then use them as unwitting accomplices to anonymously launch the attack.
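The two answers above describe what a DDoS looks like from the target's side: many sources, each sending a modest number of requests, adding up to a flood. As an added example (not code from this page), the following Python detector reads Common Log Format lines, buckets requests into fixed windows, and separates a single loud client from the many-agent pattern. The log lines, addresses and thresholds are all constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format line, e.g.:
# 203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)


def parse_line(line: str):
    """Return (source_ip, timestamp) or None for lines that are not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def analyze(lines, window_seconds=10, per_source_limit=50, total_limit=300):
    """Bucket requests into fixed windows and classify each window.

    A single-source flood is one address exceeding per_source_limit; a
    distributed flood is total traffic over total_limit with no single address
    standing out, which is what the many-agent pattern above looks like."""
    events = [e for e in map(parse_line, lines) if e]
    if not events:
        return []
    start = min(ts for _, ts in events)
    windows = defaultdict(Counter)
    for ip, ts in events:
        windows[int((ts - start).total_seconds()) // window_seconds][ip] += 1
    findings = []
    for w in sorted(windows):
        counts = windows[w]
        total, top = sum(counts.values()), counts.most_common(3)
        if top[0][1] >= per_source_limit:
            verdict = "single-source flood"
        elif total >= total_limit:
            verdict = "distributed flood"
        else:
            verdict = "normal"
        findings.append({"window": w, "total": total, "sources": len(counts),
                         "top": top, "verdict": verdict})
    return findings


def sample_log() -> list:
    """Constructed log: quiet traffic, then one loud client, then 40 agents
    each sending a modest number of requests in the same window."""
    base = datetime(2000, 10, 10, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip, seconds):
        ts = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return '%s - - [%s] "GET /index.html HTTP/1.0" 200 2326' % (ip, ts)

    lines = ["garbage line that should be skipped"]
    for i in range(12):                                 # window 0: normal
        lines.append(line("192.0.2.%d" % (1 + i % 3), i % 10))
    for i in range(80):                                 # window 2: one flooder
        lines.append(line("203.0.113.5", 20 + i % 10))
    for agent in range(1, 41):                          # window 4: distributed
        for i in range(10):
            lines.append(line("198.51.100.%d" % agent, 40 + i))
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding["window"], finding["verdict"], finding["total"],
              finding["sources"], finding["top"])
```

The distributed window is the instructive one: no single address trips the per-source limit, so a per-client rule alone would miss it, and the source addresses may well be spoofed, so the list of "top talkers" is a starting point for investigation rather than a block-list.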
Q. Is there a quick and easy way to secure against a DDoS attack?
A. No. From a simplistic perspective, the best solution is to secure computers from being hijacked and used as attack platforms. This cuts the problem off before it can ever manifest. Thus many experts suggest that we "pull together as a community" to secure our internet computers from becoming unwitting accomplices to such malicious intruders. Unfortunately, for every business that has the knowledge, budget, and inclination to make such changes, there are many more which lack such resources.
Plus, the attackers are most likely going to use non-commercial computers as attack platforms, because they are usually easier to break into. University systems are a favorite, because they are often understaffed or the systems are set to minimum security levels to allow students to explore the systems as part of their education. Further, this is not just a national problem. Any internet server in the world could be used as an attack platform.
Still, the simplest and most effective solution for preventing DDoS is a global cooperative effort to secure the Internet. The first step in the process, therefore, is to scan your own Internet computers to make sure they are not being used as unwitting DDoS attack platforms. This is not just good Internet citizenship; it also serves to document and verify that your Internet computers are not suspect when DDoS attacks occur.