TechLife Australia

Network attacks

Nathan Taylor takes a look at how you can get hacked remotely.


Though less common than malware and social engineering, network-based attacks are still a threat to every computer and mobile user, and everyone should have at least a basic understanding of what they are and how to avoid them. So this month let’s look at how these attacks work, and what you can do to guard against them.

Nmap/port scanning

Port scanning, most commonly done through an app called Nmap, is not an attack per se. It’s an attempt to check your system for attack vectors by seeing which ports you have open on your router and therefore what servers you might have running on your network. An attacker can then tailor an attack to that kind of server.

For example, if you run an email server from your network, you might have forwarded port 25 on your router (which is the port commonly used for SMTP email) so that people from outside your home network can access it. A port scan of your system would then reveal that port 25 was open.

That gives the attackers information: that you’re running a mail server and that they can send data on port 25 and it won’t be rejected by your router’s firewall. That might give them an ‘in’, so to speak – they might use that to start trying to crack the passwords of users to access the server and read emails.

Port scanning is extremely common. In fact, there’s a pretty good chance you’re going to be port scanned within minutes of connecting to the internet and pretty consistently thereafter. A firewall is how you prevent this. By default, your router should have all ports closed, which means that any port scan produces zero results. That’s the firewall doing its job.

But if you do want to run a home server that is accessible remotely, then you have to open up a port for that server. That’s a necessary evil, so if you do set up port forwarding, you need to 100% make sure that whatever app you’re opening up is secure. If you’re enabling remote access to IP cameras, for example, then you need to make sure that the firmware is up to date and a new (good) password has been set.

One thing you can do easily is scan yourself. You can head to nmap.org and download it and run it yourself. But more simply, there are various websites that will do a scan for you. We recommend www.whatismyip.com/port-scanner/, which offers scans for a select range of ports (full scans are not available for free; most sites that offer full scans charge for it). Head to the website and choose the ‘Package’ option. Start with Basic, and work your way through Web, Games and Malicious.

All ports should (hopefully) be closed. If one is open, and you were unaware of it being open (i.e. you hadn’t manually opened it), you should go to your router and adjust your firewall/port forwarding settings.
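The self-check described above, as an added example that is not part of the original article: a small Python script that tests a handful of TCP ports on your own address and flags any that are open but that you did not deliberately forward. The port list, the function names and the `127.0.0.1` target are assumptions made for this example; to see what the internet sees, point it at your own public IP address from a connection outside your home network.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

# Port 25 (SMTP) is the article's example; the other ports are common
# services chosen for this added example.
COMMON_PORTS = {22: "SSH", 23: "Telnet", 25: "SMTP", 80: "HTTP",
                443: "HTTPS", 3389: "RDP", 8080: "HTTP-alt"}


def port_state(host, port, timeout=1.0):
    """Classify one TCP port by attempting a normal connection to it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"        # connection accepted: something is listening
    except ConnectionRefusedError:
        return "closed"      # the host answered and refused the connection
    except OSError:
        return "filtered"    # timeout or unreachable: typically a firewall drop
    finally:
        sock.close()


def audit(host, ports, expected_open=(), timeout=1.0):
    """Check `ports` on your own host.

    Returns (states, unexpected): the state of every port, and the ports
    that are open although they are not in `expected_open`.
    """
    ports = sorted(ports)
    allowed = set(expected_open)
    with ThreadPoolExecutor(max_workers=16) as pool:
        found = list(pool.map(lambda p: port_state(host, p, timeout), ports))
    states = dict(zip(ports, found))
    unexpected = [p for p, s in states.items() if s == "open" and p not in allowed]
    return states, unexpected


if __name__ == "__main__":
    target = "127.0.0.1"     # placeholder: replace with your own address
    # expected_open lists ports you forwarded on purpose (here: a mail server).
    states, unexpected = audit(target, COMMON_PORTS, expected_open=[25])
    for port, state in states.items():
        print(f"{port:>5}  {COMMON_PORTS[port]:<9} {state}")
    if unexpected:
        print("Open but not intentionally forwarded:", unexpected)
```

Any port reported under "Open but not intentionally forwarded" is the case the article describes: go to the router and review its firewall and port forwarding settings.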

LOIC/DOS attacks

Although this is not something that home users often have to worry about, you may have often heard the term DOS (denial of service) or DDOS (distributed denial of service), since such attacks are levied against companies on a regular basis.

A denial of service attack is one that tries to flood a person or company’s internet connection with malformed or useless data that ties up their resources trying to process it. It’s essentially an attempt to overwhelm a connection, shutting it down or making it so slow as to be unusable.

The most common mechanism for this is a tool called Low Orbit Ion Cannon (LOIC), which was originally built for stress-testing corporate networks, but can also be used by anybody to attack another party. Commonly such attacks are coordinated, so that multiple parties are using LOIC to attack the same network at the same time (this is called a DDOS).

DOS attacks are not easy to deal with. In the rare instance a home user comes under attack, simply disconnecting and reconnecting the internet connection (thus changing your IP address) might work. Also make sure your router firmware is up to date and the firewall is fully enabled.

Man in the middle and network sniffer attacks

These techniques are not so much about “attacking” your PC as they are about intercepting communications – communications that may include private and financial data.

A man in the middle attack can actually take a number of forms. The attacker works to set themselves up as an invisible communications proxy between you and another party, intercepting data as it’s sent from one party to another. For example, an attacker might hijack your DNS and convince your PC to connect to a fake web site that they create – say a banking site. The attacker still relays all your communications on to the bank, hiding the fact of their existence. So to you, and to the bank, everything looks normal, but instead of directly talking to the bank, you’re talking to the “man in the middle”, who is talking to the bank for you and quietly stealing your information in the meantime.

This technique can be used in a lot of ways. It can even be used on mobile networks, where hackers create a fake mobile cell that your phone will connect to.

The most common instance of this is the fake Wi-Fi hotspot, where a criminal sets up a fake Wi-Fi network in a cafe or other location with free Wi-Fi. They still relay your data onto the internet – so you don’t know that you’re not connected to the real network – but they monitor your communications at the same time.

Packet sniffing has a similar effect. Packet sniffing is the process of monitoring communications as they travel across a network. A monitoring PC simply gathers and reads all network information as it passes by on the network. For packet sniffing, the attacker needs to be on the same local network as you, and wired networks are hard to packet sniff, since data on a switched network is routed efficiently and won’t normally pass by the sniffer PC. On Wi-Fi networks, however, everything is game and all traffic on a given channel might be monitored so long as the attacker is connected (which is easy enough on a public Wi-Fi network).

One way to protect yourself from this is using a VPN when connected to public Wi-Fi. VPNs force encryption on all traffic coming to and from your computer, so an attacker might be able to intercept your communications, but cannot read them.

Another thing to do is to pay attention to your browser’s security warnings. Legitimate websites use authentication certificates that man in the middle attacks should not be able to falsify. Your browser should tell you if a certificate is screwy or absent – you’ll get a warning page, and the padlock icon next to the URL will have a warning.

And finally, make sure your router’s password is updated along with the firmware. We’re not talking about your Wi-Fi password (though changing that is important too) – we mean the password you use to log onto the router. Often it’s left at the default, and router hijacks are one of the largest threat vectors for man in the middle attacks.

Image caption: Low Orbit Ion Cannon is an app that makes it very easy to run DOS attacks.

Image caption: It’s essential you update your router passwords.

Image caption: Pay attention to your browser’s security warnings.

Image caption: Zenmap, the Nmap graphical user interface.

Image caption: WhatIsMyIP offers basic scans.
