0.0.1 to 10.0.0.255. The most common subnet mask used is 255.255.255.0 because it identifies a relatively small group of IP addresses, up to 254 computers. It is commonly used for very small groups of computers, including groups as small as two computers.
APPENDIX
Understanding Internet risks
Norton Personal Firewall protects you from the major risks associated with the Internet. Those risks include the threat of hacker attack, malicious code in active content, exposure to inappropriate content, exposure of private information, and getting viruses from infected files.
Risks from hackers
The word hacker originally meant someone who could solve computer problems and write computer programs quickly and elegantly. However, the meaning of the term has changed to mean someone who uses his or her computer knowledge for illicit purposes. Since hacker started out as a complimentary term, some people use the word cracker for the derogatory form. In this text, hacker is used in its current, non-complimentary meaning.
You might also hear other terms for hackers, including script-kiddies, wannabes, packet monkeys and cyberpunks. These are all terms for hackers-in-training that use applications written by others (more advanced hackers) to attack computers on the Internet.
The process of a hacker attack
Most hacker attacks use the following process:
■ Information gathering: The hacker gathers as much information about your computer as possible. The hacker attempts to find vulnerabilities without letting you know that your computer is under attack.
■ Initial access: The hacker exploits a vulnerability found during information gathering and establishes an entry point into your computer.
■ Privilege escalation: The hacker gains access to more of your computer.
■ Covering tracks: The hacker hides or removes evidence of the visit, sometimes leaving a doorway open for return.
Information gathering
The first step in information gathering is acquiring a target. A hacker can choose a person or company to attack, or search the Internet for an unprotected target that will be easy to hack. The amount of information available about you on the Internet is directly related to your level of Web presence. If you have a domain name and a Web site, a lot more information is publicly available than would be if you only have an email address.
If a hacker has chosen a specific target, such as a company or organization, many resources on the Internet assist in gathering information. Most of them have legitimate uses, such as InterNic, which provides the Whois database of registered domain names. There are integrated tools, such as Sam Spade, which provides more than 20 different tools for finding and analyzing Internet information.
Using these tools, a hacker can learn a lot about a potential target. Given a domain name, it’s easy to use the Whois database to find out the name and address of the owner, as well as the name and phone number of the administrative and technical contacts. While this information usually can’t be used directly to attack a network or computer, it can be used to gather more information. It’s much easier to call a company, impersonate a network administrator, and ask a user for a password than it is to attack the network.
If a hacker doesn’t have a specific target in mind, many tools are available for scanning the Internet and finding possible targets. The simplest scan is a ping scan, which can quickly scan thousands of computers. The hacker uses a program to ping computers at a series of IP addresses. Responses tell the hacker that a computer exists at that IP address. When Norton Personal Firewall is running, your computer is hidden from ping scans because your computer does not respond. The hacker does not learn that there is a computer at your IP address by pinging it.
Port scans are more comprehensive, usually performed on a single computer. A port scan can tell a hacker what services are running, such as HTTP and FTP. Each service that is running provides a potential entry point for the hacker. On unprotected computers, unused ports respond that they are closed, thus telling the hacker that a computer exists at that IP address. Norton Personal Firewall does not respond to scans of unused ports, giving them a stealth appearance.
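How the ping scans and port scans described above show up on the defending side, as an added example that is not part of the original manual: the script below flags sources in a dropped-packet log that ping many addresses or probe many ports on one computer within a short window. The log format, addresses, and thresholds are constructed assumptions, not Norton Personal Firewall's own.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not Norton's own):
#   <seconds> DROP <proto> <src> > <dst> [dport=<n>]
LINE = re.compile(r"(\d+) DROP (ICMP|TCP) (\S+) > (\S+)(?: dport=(\d+))?")

def make_sample():
    """Constructed log lines: one ping sweep, one port scan, ordinary noise."""
    lines = [f"{i} DROP ICMP 203.0.113.7 > 192.0.2.{i + 1}" for i in range(30)]
    lines += [f"{100 + p} DROP TCP 198.51.100.9 > 192.0.2.10 dport={p}"
              for p in range(20, 60)]
    lines += [f"{200 + i} DROP TCP 192.0.2.77 > 192.0.2.10 dport=80" for i in range(5)]
    lines += ["205 DROP ICMP 192.0.2.77 > 192.0.2.10"]
    return lines

def detect_scans(lines, window=60, min_hosts=10, min_ports=15):
    """Return {source: kind} for sources that look like scanners.

    ping sweep: ICMP to >= min_hosts distinct addresses within `window` seconds
    port scan:  TCP to >= min_ports distinct ports on one host within `window`
    """
    events = defaultdict(list)  # (kind, src, target host) -> [(time, item)]
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that do not parse
        t, proto, src, dst, dport = m.groups()
        if proto == "ICMP":
            events[("ping sweep", src, None)].append((int(t), dst))
        elif dport is not None:
            events[("port scan", src, dst)].append((int(t), int(dport)))
    findings = {}
    for (kind, src, _), seen in events.items():
        seen.sort()
        threshold = min_hosts if kind == "ping sweep" else min_ports
        start = 0
        for end in range(len(seen)):
            # Slide the window so it never spans more than `window` seconds.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            if len({item for _, item in seen[start:end + 1]}) >= threshold:
                findings[src] = kind
                break
    return findings

if __name__ == "__main__":
    print(detect_scans(make_sample()))
```

A scan paced slower than the window stays under both thresholds, so the window length decides what this check can see.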
Initial access
The easiest way for a hacker to access a Windows computer is to use Microsoft networking. On many computers, Microsoft networking is enabled so that anyone on the network can connect to it.
Microsoft’s NetBIOS networking uses three of the Well Known Ports. These ports are used to establish connections between computers on a Microsoft network. In fact, they normally advertise the name of your computer over the local network. This is what you want on your own network, but it is not what you want on the Internet. Norton Personal Firewall is preset to block these ports and prevent someone on the Internet from connecting to your computer using Microsoft networking. If your computer is connected to a local network as well as to the Internet, you must change some settings to allow communication with the other computers on your network. Norton Personal Firewall still protects you from Internet risks while allowing you to use your local network.
For more information, see “Well known ports” on page 99.
For more information, see “Using Norton Personal Firewall on a home network” on page 82.
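A check for the exposure described in this section, as an added example that is not part of the original manual: it reads Windows `netstat -an` output and lists NetBIOS services bound to addresses outside your local network. The port numbers 137, 138 and 139 are the standard NetBIOS assignments and are not named on this page; the sample output and the local network range are constructed.

```python
import ipaddress

# Standard NetBIOS services: name (137/udp), datagram (138/udp), session (139/tcp).
NETBIOS = {("UDP", 137), ("UDP", 138), ("TCP", 139)}

# Constructed sample of Windows `netstat -an` output for a computer with one
# local-network adapter (192.168.0.5) and one Internet-facing address.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.5:139        0.0.0.0:0              LISTENING
  TCP    203.0.113.20:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.20:1045      198.51.100.3:80        ESTABLISHED
  UDP    192.168.0.5:137        *:*
  UDP    203.0.113.20:137       *:*
  UDP    203.0.113.20:138       *:*
  UDP    127.0.0.1:1900         *:*
"""

def exposed_netbios(netstat_text, local_net):
    """Return sorted (proto, address, port) NetBIOS listeners outside local_net."""
    net = ipaddress.ip_network(local_net)
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header or unrelated line
        if parts[0] == "TCP" and parts[-1] != "LISTENING":
            continue  # only listening sockets accept new connections
        host, _, port = parts[1].rpartition(":")
        if (parts[0], int(port)) not in NETBIOS:
            continue
        addr = ipaddress.ip_address(host.strip("[]"))
        # 0.0.0.0 means "every interface", so it also counts as exposed.
        if addr not in net:
            found.append((parts[0], str(addr), int(port)))
    return sorted(found)

if __name__ == "__main__":
    for proto, addr, port in exposed_netbios(SAMPLE, "192.168.0.0/24"):
        print(f"NetBIOS {proto}/{port} is reachable on {addr}")
```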
Privilege escalation
Once a hacker has connected to your computer, the next step is to gain as much control as possible. The steps involved and the results obtained vary greatly depending on the version of Windows running on the target computer.
On computers running Windows 95, Windows 98, or Windows Me, once a hacker has gained access to the computer, there is no need for escalation. They have full control of the computer. Luckily, these versions of Windows don’t have much in the way of remote control features, so they are relatively easy to protect.
On computers running Windows NT or Windows 2000, the hacker will attempt to gain administrative rights to the computer. The key to getting administrative rights is usually a password. Instead of guessing, the hacker can download your password file and crack it.
Another tactic is to place a Trojan horse program on your computer. If a hacker can place a program such as Back Orifice, Subseven, or NetBus on your computer and get it running, it is possible to take control of the computer.