Securing servers is a tricky and continuously evolving process. To secure servers, sometimes you need to think like a hacker and sometimes like a mathematician. Each scenario needs independent examination.
Random Passwords
How many times have you tried to access a website, only for it to demand an outrageous password, your phone number, an email address and a list of security questions? This horrifying scenario happens far too often. Sometimes even insurance companies demand it before they will cover your IT infrastructure. Now suppose you are a malicious hacker who wants to guess someone’s password. Assume you already know their login, since most sites use the email address as the login and email addresses are easy to find. For the first scenario, imagine a ten character password that only contains lowercase letters. Each position has twenty six possible characters, so the total number of possibilities is 26 * 26 * 26 * … * 26, or 26 to the power of 10, which is about 141,000,000,000,000 (141 trillion). You, as the hacker, need to guess the password. If it is truly random there is no pattern to exploit, so all you can do is try candidates one after another. So let’s run some numbers.
Suppose you can make 10 login attempts per second. That works out to 315,360,000 attempts per year. It seems like a lot, until you realize that it would take about 448,000 years to test every possible password. Unless you are really unlucky, it won’t take that long: on average the password turns up halfway through the search, after around 224,000 years. No hacker in their right mind would try that. They could spread the guesses across more computers, say a thousand. With a thousand computers it would still take 224 years, which is just as unfeasible. Some websites force lowercase, uppercase and numbers in passwords, and yes, this does increase the number of possible passwords. A ten character password drawn from upper case, lower case and digits (62 choices per position) has around 6,000 times more combinations. It would take about 1,340,000 years to guess with a thousand computers. To a hacker, that is no different than 224 years.
Now suppose that instead of 10 attempts per second, you can make one attempt every five minutes. This can be implemented as three initial attempts, to be friendly to the user, followed by a five minute account lock. A hacker can then make only one guess every five minutes against that account, and the number of computers used no longer matters, because the limit is enforced per account rather than per client. At that rate the account is safe for about 671,000,000 years. This one simple addition creates a far more secure system without demanding longer or more complex passwords from the user. Two caveats a practitioner should plan for: a lockout can be abused to lock legitimate users out (an attacker only needs to submit three bad guesses against their account), so pair it with a recovery path; and a hacker who spreads a few guesses across many accounts never trips a per-account lock, so also watch for large numbers of failures arriving from one source.
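The arithmetic above and the three-then-lock rule, as an added example (mine, not the article’s). The throttle is a per-account state machine: three consecutive failures lock the account for five minutes, and once the lock expires a further failure re-locks it, so a sustained attacker is held to one guess per lock period. The password check is passed in as a callable so that nothing is verified while the account is locked.

```python
from collections import defaultdict

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000


def expected_years(charset_size, length, attempts_per_second):
    """Average time to hit a uniformly random password: half the search
    space divided by the attacker's total guessing rate."""
    space = charset_size ** length
    return space / 2 / (attempts_per_second * SECONDS_PER_YEAR)


class LoginThrottle:
    """Per-account throttle: `free_attempts` consecutive failures lock the
    account for `lock_seconds`; after the lock expires one more failure
    re-locks it, so a persistent attacker gets one guess per lock period.
    The limit is keyed on the account, not the client, so adding machines
    does not help the attacker."""

    def __init__(self, free_attempts=3, lock_seconds=300):
        self.free_attempts = free_attempts
        self.lock_seconds = lock_seconds
        self._failures = defaultdict(int)   # consecutive failures per account
        self._locked_until = {}             # account -> unlock time

    def attempt(self, account, check_password, now):
        """Return 'locked', 'ok' or 'bad'. `check_password` is a callable so
        the real verification is skipped entirely while the account is locked."""
        if now < self._locked_until.get(account, 0):
            return "locked"
        if check_password():
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.free_attempts:
            self._locked_until[account] = now + self.lock_seconds
        return "bad"


if __name__ == "__main__":
    print("26 letters, 10/s, one machine:   %.0f years" % expected_years(26, 10, 10))
    print("26 letters, 10/s, 1000 machines: %.0f years" % expected_years(26, 10, 10_000))
    print("62 chars, 10/s, 1000 machines:   %.0f years" % expected_years(62, 10, 10_000))
    print("26 letters, one per 5 minutes:   %.0f years" % expected_years(26, 10, 1 / 300))
```

In a real deployment the throttle state lives in shared storage (a database or cache) rather than in process memory, so that every web server enforces the same lock.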
While this scenario uses website logins, the same principle applies to all authentication. Passwords should be random. The most frequent method of breaking into servers is a dictionary attack, which tries a list of the few hundred or few thousand most common passwords against each login. A random password is on no such list, so dictionary attacks become pointless. Tie random passwords to account-level delays and no hacker will bother guessing, because it would take far too long. Against online guessing nothing else is required: anything on top of this only changes one unfeasible number into a larger one. It just isn’t needed.
So what if a hacker already knows the password?
Knowing the password
Hackers can get their hands on passwords using many different methods. One is a key logger: malware installed on a desktop computer that records every keystroke. This information, sometimes along with screenshots, is sent over the network to a server the hacker controls, and the hacker searches through it for usernames and passwords. A good security system limits the damage with two factor authentication. Two factor authentication isn’t typing additional information along with the password, since that is just equivalent to a longer password and the key logger captures it too. Security questions help slightly if there are many of them, but hackers can scrape social media accounts for that kind of information. Real two factor authentication requires something the key logger can’t turn into a reusable credential, such as a one-time code sent to a separate device (an email or SMS code) combined with the password; a logged copy of a code that expires after one use is of little value.
A hardware key can also work, but what it protects against depends on the kind of key. A simple key emits a string (a static secret or a one-time code) to whatever software asks for it. That string has to reach the server, and the server can’t talk to the key directly or over another protocol, so it travels through the same software the password went through. A one-time code can therefore be captured and relayed by a phishing site. (More about those later.) Security questions have the same problem. Keys that implement FIDO2/WebAuthn avoid it: the browser tells the key the origin of the site it is actually connected to, and the key signs that origin together with a challenge from the server, so a signature obtained on a look-alike domain does not verify for the real site.
If a hacker is intent on getting into your account, they can steal physical objects like USB keys or phones, or they can break into your email. This means two factor authentication helps against opportunistic attacks but can’t guarantee defense against a dedicated, targeted one. It makes targeted attacks slower and more expensive, and sometimes that’s all you can do.
Two factor authentication can also be really annoying to end users. However, the server can be set up so it only asks for the second factor when the user logs in from a new computer or browser. This reduces the annoyance.
So what is this phishing thing?
Phishing
Suppose you are a hacker and you want login information for a particular website. A really easy way to get it is to set up a mirror website on a domain that looks similar to the real one. When a user connects to it, the mirror connects to the real website and relays the traffic. Whatever the user sends, it forwards to the real site; whatever the real site sends back, it forwards to the user. The user therefore thinks they are on the real website, and it looks identical because it is the real website’s content. This is easy to build: it is just a reverse proxy that records what passes through it.
Now the hacker needs people to connect to this mirror. They can register domains with slight spelling mistakes; a user who mistypes the address would probably never notice. They can also send emails with links to the mirror. The sneakiest method involves business directories: hackers can register entries in new directories or even overwrite businesses in existing ones. The information looks identical, the only difference is the website URL.
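Watching for look-alike registrations starts with knowing what to look for. The generator below is an added example (mine, not the article’s) that produces the misspellings a hacker would register for a given domain: dropped, doubled and swapped characters, an inserted hyphen, visually confusable substitutions, and the same name under other top-level domains. The confusable list is an assumed short one, not exhaustive.

```python
# Visually or typographically confusable substitutions; an assumed short
# list, not an exhaustive one.
CONFUSABLES = {
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0"],
    "m": ["rn"],
    "rn": ["m"],
    "w": ["vv"],
}


def lookalike_domains(domain, extra_tlds=("net", "org", "co")):
    """Return the set of look-alike registrations worth monitoring for
    `domain`: dropped, swapped and doubled characters, an inserted hyphen,
    confusable substitutions, and the same name under other TLDs."""
    name, _, tld = domain.rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                               # omission
        variants.add(name[:i] + name[i] * 2 + name[i + 1:])                 # doubled character
        if i + 1 < len(name):
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])   # transposition
        if i > 0:
            variants.add(name[:i] + "-" + name[i:])                         # inserted hyphen
    for src, dsts in CONFUSABLES.items():                                   # every occurrence of each confusable
        start = name.find(src)
        while start != -1:
            for dst in dsts:
                variants.add(name[:start] + dst + name[start + len(src):])
            start = name.find(src, start + 1)
    variants.discard(name)                                                  # never report the real name
    result = {v + "." + tld for v in variants if v}
    result.update(name + "." + t for t in extra_tlds if t != tld)
    return result


if __name__ == "__main__":
    for candidate in sorted(lookalike_domains("example.com")):
        print(candidate)
```

Feed the output to a periodic WHOIS or DNS check and alert when a candidate that was unregistered yesterday resolves today; that is the moment a phishing campaign is being prepared.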
To protect against phishing, businesses need to watch business directories, their own domain names and look-alike registrations, and more. Two factor authentication through email or a phone also helps, since a password gleaned through phishing can’t be used on its own to log in later, although a one-time code typed into the mirror is relayed and used immediately. Unfortunately that protection doesn’t extend to other information the user types into the mirror, such as credit card numbers, and because the mirror is relaying a live, authenticated session it can use that session to change the user’s security information. This leads to hacked accounts.
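Why a relayed one-time code fails against the mirror while an origin-bound key succeeds, modelled as an added example (mine, not the article’s). Assumptions: the key’s “signature” is an HMAC over a secret shared with the server, standing in for the public-key signature a real FIDO2 authenticator produces, and origins are plain strings supplied by the browser. The mirror relays the real server’s challenge faithfully; what it cannot change is the origin the victim’s browser hands to the key.

```python
import hashlib
import hmac
import os

REAL_ORIGIN = "https://bank.example"           # assumed domains, not real sites
PHISH_ORIGIN = "https://bank-login.example"    # look-alike domain running the mirror


class OtpToken:
    """Emits a one-time code from a counter. The code carries no notion of
    who asked for it, so a phishing page can collect it and relay it."""

    def __init__(self, secret):
        self.secret = secret

    def code(self, counter):
        mac = hmac.new(self.secret, counter.to_bytes(8, "big"), hashlib.sha256)
        return mac.hexdigest()[:6]


class OriginBoundKey:
    """WebAuthn-style: the browser, not the page, supplies the origin it is
    connected to, and the key signs origin and challenge together."""

    def __init__(self, secret):
        self.secret = secret

    def assertion(self, origin, challenge):
        return hmac.new(self.secret, origin.encode() + challenge, hashlib.sha256).digest()


def server_verify_otp(secret, counter, submitted):
    return hmac.compare_digest(OtpToken(secret).code(counter), submitted)


def server_verify_assertion(secret, challenge, submitted):
    """The real server only ever accepts assertions over its own origin."""
    expected = hmac.new(secret, REAL_ORIGIN.encode() + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, submitted)


def phish_otp(secret, counter):
    """Mirror site asks the victim for the code and relays it: accepted."""
    code_typed_into_mirror = OtpToken(secret).code(counter)
    return server_verify_otp(secret, counter, code_typed_into_mirror)


def phish_origin_bound(secret):
    """Mirror relays the real challenge, but the victim's browser tells the
    key it is on the phishing origin; the signature covers the wrong origin
    and the real server rejects it."""
    challenge = os.urandom(32)                 # issued by the real server, relayed by the mirror
    relayed = OriginBoundKey(secret).assertion(PHISH_ORIGIN, challenge)
    return server_verify_assertion(secret, challenge, relayed)


def legit_origin_bound(secret):
    challenge = os.urandom(32)
    signed = OriginBoundKey(secret).assertion(REAL_ORIGIN, challenge)
    return server_verify_assertion(secret, challenge, signed)


if __name__ == "__main__":
    s = os.urandom(32)
    print("relayed OTP accepted by real server:      ", phish_otp(s, 7))
    print("relayed origin-bound assertion accepted:  ", phish_origin_bound(s))
    print("genuine origin-bound assertion accepted:  ", legit_origin_bound(s))
```

The same property is what a relaying mirror cannot defeat: the challenge and the response both pass through it untouched, yet the response is only valid for the domain the user actually typed.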
Hacked Account
A hacked account is one where a third party gains access, then changes the authentication information: the password, the second-factor contact details and more. When this happens, the user can only phone the company and ask them to suspend or revert the account.
To properly revert an account requires planning. Old authentication information must be retained. Audit logs should record all activity on an account. Transactions should be cancelable. There should be a method to easily revert an account to a previous state. A common safeguard is to notify the previous email address or phone number whenever security details change, and to hold such changes for a short period so the rightful owner can cancel them. Many systems don’t account for any of this. If you are selecting software, or having it built, ensure this is properly handled. It takes time to set up and adds complexity to the code, so programmers typically don’t add it unless required.
Protecting Passwords
Passwords are protected by storing a one way hash rather than the password itself. Well, to be honest some programmers are so unskilled that they store the passwords in the clear. Let’s assume the programmer knows a little about programming and hashes the password. So a user types in a password, and here comes another common mistake. A browser can send information to the server using different methods. One method encodes all the data into the URL query string. This is known as a GET request. Query strings end up in places a password must never be: browser history, web server access logs, proxy logs and Referer headers. A skilled programmer uses a POST instead, which carries the password in the request body. Either way, the data is only protected on the wire if HTTPS has been set up on the server; over plain HTTP a POST body is just as visible to anyone watching the network as a GET string.
Suppose all of that is properly set up. The user sends the password, it is protected in transit by HTTPS, then decrypted by the server. Next the server hashes it. A hash can’t be reversed to recover the password; the server can only compare the hash of what was typed with the stored hash. Sounds pretty safe, right? On its own, it’s not.
If a hacker obtains the stored hashes, he doesn’t have to reverse them to learn the passwords. If a system requires a ten character alphabetic password then there are 141,000,000,000,000 candidates. As discussed before, it’s impractical to guess the password by trying to log in. But with the hash in hand you simply hash candidate passwords until one matches. There is no server imposing delays, you can throw thousands of machines at it, and since the hash function is typically a fast general purpose one, you can use GPUs. Suppose you can hash 500,000,000 candidates per second, which is a conservative estimate. It would take, on average, 39 hours to find a match; 1,000 machines working side by side find it in about 2.35 minutes. Even if you require capital letters, numbers and more, it is still feasible. Two things change this arithmetic: a random per-user salt, so the hacker has to attack each stored hash separately instead of all of them at once with one precomputed table, and a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2 with a high iteration count), so each candidate costs thousands of times more than a single fast hash.
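The cracking arithmetic above beside the storage scheme that blunts it, as an added example (mine, not the article’s) using only the Python standard library. The fast unsalted hash is the scheme the paragraph criticises; the record function stores a random salt, the work factor and a PBKDF2 derived key, and verification uses a constant-time comparison. The iteration count is an assumed value to be tuned to roughly 100 ms on the server’s own hardware.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms per check


def fast_unsalted(password):
    """The scheme the article criticises: one fast hash, identical output
    for identical passwords, ideal for GPU cracking and rainbow tables."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, iterations=ITERATIONS):
    """Store salt, work factor and derived key; never the password."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "dk": dk}


def verify(record, password):
    """Recompute with the stored salt and work factor; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["dk"])


def crack_hours(space, hashes_per_second, machines=1, iterations=1):
    """Average offline time to recover one password: half the space at the
    attacker's rate, divided by the work factor the defender imposed."""
    return space / 2 / (hashes_per_second * machines / iterations) / 3600


if __name__ == "__main__":
    space = 26 ** 10
    print("fast hash, 1 machine:      %.1f hours" % crack_hours(space, 5e8))
    print("fast hash, 1000 machines:  %.2f minutes" % (crack_hours(space, 5e8, 1000) * 60))
    print("PBKDF2, 1000 machines:     %.0f hours" % crack_hours(space, 5e8, 1000, ITERATIONS))
    rec = make_record("correct horse battery")
    print("verify right password:", verify(rec, "correct horse battery"))
    print("verify wrong password:", verify(rec, "correct horse batter"))
```

Note that the salt also makes the stored hash different for two users with the same password, which the fast unsalted scheme leaks outright.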
So how can you protect passwords? You protect passwords or other sensitive information with separation.
Separating Information
Divide servers into two categories: those that allow outside access and those that are intranet only. An intranet server only accepts connections from other computers on the intranet, or preferably only from specific servers. Suppose you have a web server and a data server. The data server only accepts connections from the web server, and the web server reaches the data through a narrow custom API rather than the raw database. The web server can do a lot of processing but never touches the data directly. So if the web server is compromised, the data server is far less likely to be. That is a completely acceptable situation: the web server can be easily rebuilt, but stolen sensitive data can cost millions, and the loss of reputation and trust even more. The API must be designed with this in mind, because whatever it lets the web server do, a hacker who owns the web server can do too; it should expose only the operations the site actually needs, with rate limits and logging on each. Likewise, if the web server is infected with ransomware, the files behind the API are not encrypted because the API offers no way to overwrite them wholesale. That protection is only as good as the API’s restraint.
Protecting Points of Entry
Suppose you need to design extremely secure systems, and price isn’t a factor. This can be done, but it’s tricky. The key is to take Separating Information one step further: rather than adding another layer, you lock down the points of entry themselves. This requires a custom server. It requires a good deal of work but not an extreme amount. You won’t need a pile of drivers, or even a general purpose operating system. All you need are network drivers, or some way to send and receive information, plus whatever services the server must run (HTTP, FTP, SMTP, SSH, etc.). This code is stored in a PROM and runs directly from there. It becomes a static computer, one you can’t change without fitting a new PROM. It will be very stable and very hard to subvert: even if someone finds an exploit, the code in the PROM can’t be altered, so they can’t install anything that survives a reboot. It is not hack proof, though. An exploit still runs with whatever the program can do in memory while it lasts, and a read-only image also means a discovered flaw stays until a new PROM is burned, so the programs must be well written and free of backdoors.
This is extreme and is probably not required.
Man in the Middle
Hackers have other tricks in their toolbox. One is the man in the middle. It is similar to phishing, but instead of setting up a mirror server you intercept information as it crosses the network. This used to be simple. Back in the days of network hubs, all you had to do was plug a computer into the hub, switch the Ethernet card to promiscuous mode and watch all the traffic: a hub electrically joined the wires, so if one computer sent data, every other computer on the hub saw it. Hubs have been replaced by switches. A switch learns which port each address lives on and only forwards a frame to the port that should receive it, so a passive listener on another port sees nothing unless it actively tricks the switch or the hosts into sending traffic its way.
In practice, passive eavesdropping on a well run network yields little, because simple measures defeat it. One is to multi-home your servers: connect to two different ISPs and split the traffic between them, so that even an ISP that listens sees only part of the data. Thankfully there is an even simpler and far more common method, and that is to encrypt the traffic; the most basic form is symmetric key encryption.
Symmetric key encryption puts the same secret key on both computers. When one computer wants to communicate with the other, it encrypts the message with that key and sends it. The other computer decrypts it with the same key and processes it. To get the key onto both computers without ever sending it over the network, you either bring them together or one person carries the key back and forth. The key alone only hides the data. To stop an active man in the middle from altering messages in transit, each message should also carry an authentication tag computed with the key, and each should use a fresh nonce so that two identical messages don’t produce identical bytes on the wire.
For example, suppose a bank wants to create an extremely secure app. It could require you to bring your phone into the branch to set it up, where the key is copied onto it. After that, no computer listening on the network can decipher the traffic. A long random key makes the data practically impossible to recover by brute force. (HTTPS reaches the same end on the public web, except that it negotiates a fresh symmetric key for each session using certificates instead of a visit to the branch.)
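A pre-shared-key exchange with the two protections the paragraph above calls for (a per-message nonce and an authentication tag), as an added example (mine, not the article’s). The keystream is SHA-256 HMAC in counter mode and the tag is encrypt-then-MAC; this is an illustrative construction chosen so the example needs only the standard library, not a substitute for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 in production. The tamper function plays the man in the middle.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(psk):
    """Derive separate encryption and authentication keys from the shared key."""
    enc = hmac.new(psk, b"encrypt", hashlib.sha256).digest()
    mac = hmac.new(psk, b"authenticate", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode: PRF(nonce || counter) blocks, truncated."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(psk, plaintext):
    """nonce || ciphertext || tag. A fresh nonce per message means identical
    plaintexts never produce identical bytes on the wire."""
    enc_key, mac_key = _subkeys(psk)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(psk, message):
    """Verify the tag before touching the ciphertext; reject on any mismatch."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message rejected: too short")
    enc_key, mac_key = _subkeys(psk)
    nonce, ct, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message rejected: authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def tamper_in_transit(message):
    """Active man in the middle: flip one bit of the ciphertext. Without the
    tag this would silently change the decrypted plaintext."""
    buf = bytearray(message)
    buf[NONCE_LEN] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    psk = os.urandom(32)                      # copied to the phone at the branch, never sent over the network
    wire = encrypt(psk, b"transfer 100 to account 42")
    print("eavesdropper sees:", wire.hex()[:40], "...")
    print("receiver decrypts:", decrypt(psk, wire))
    try:
        decrypt(psk, tamper_in_transit(wire))
    except ValueError as e:
        print("tampered message:", e)
```

The order matters: the receiver checks the tag over nonce and ciphertext first and decrypts only if it matches, so a forged or modified message is never acted on.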
Cold Hacking
If a hacker probes a server he knows nothing about, certain things usually happen. First the hacker runs a port scan, trying to connect to every possible port on the server. TCP and UDP ports are numbered from 0 to 65,535, so there are 65,536 of them. A naive port scan is extremely easy to detect on the server, so a hacker disguises it by randomizing the port order and spreading the probes over weeks or months. They can do this from more than one computer to make it even harder to spot. This is enough to get past most security software, which looks for many ports hit in a short burst rather than a slow trickle. Another type of scan checks only specific ports: a hacker who has a good FTP exploit and a good SMTP exploit will scan only ports 21 and 25.
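Catching the slow scan means counting distinct ports per source over a long window rather than per minute. The detector below is an added example (mine, not the article’s) run over constructed firewall log lines in an assumed `timestamp ACTION src=… dport=…` format using documentation IP ranges; it flags a source that touches at least ten distinct dropped ports inside any ninety-day window, however slowly, while a legitimate client with one stray connection is not reported.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format, documentation-range addresses):
# 203.0.113.7 probes 12 ports over 40 days; 198.51.100.20 is a normal web
# client with one stray dropped connection; 198.51.100.9 touches 3 ports.
SAMPLE_LOG = """\
2024-03-01T08:00:00 DROP src=203.0.113.7 dport=21
2024-03-04T13:22:10 DROP src=203.0.113.7 dport=8080
2024-03-09T02:41:55 DROP src=203.0.113.7 dport=3306
2024-03-12T19:05:30 DROP src=203.0.113.7 dport=23
2024-03-15T11:11:11 DROP src=203.0.113.7 dport=445
2024-03-19T06:30:00 DROP src=203.0.113.7 dport=1433
2024-03-23T22:15:42 DROP src=203.0.113.7 dport=5900
2024-03-27T09:48:03 DROP src=203.0.113.7 dport=139
2024-03-31T17:20:20 DROP src=203.0.113.7 dport=3389
2024-04-03T04:04:04 DROP src=203.0.113.7 dport=8443
2024-04-07T14:55:01 DROP src=203.0.113.7 dport=2049
2024-04-10T23:59:59 DROP src=203.0.113.7 dport=6379
2024-03-01T08:00:05 ACCEPT src=198.51.100.20 dport=443
2024-03-02T09:10:00 ACCEPT src=198.51.100.20 dport=80
2024-03-02T09:10:07 DROP src=198.51.100.20 dport=8443
2024-03-05T10:00:00 DROP src=198.51.100.9 dport=22
2024-03-05T10:00:01 DROP src=198.51.100.9 dport=23
2024-03-05T10:00:02 DROP src=198.51.100.9 dport=25
"""

LINE = re.compile(r"^(\S+) (DROP|ACCEPT) src=(\S+) dport=(\d+)$")


def parse(log):
    """Yield (timestamp, action, source, port) for each well-formed line."""
    for line in log.strip().splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), int(m.group(4))


def slow_scanners(log, min_ports=10, window=timedelta(days=90)):
    """Map each source that probed at least `min_ports` distinct ports within
    any `window` to that port count. Only dropped connections count, so busy
    legitimate clients of open services do not accumulate."""
    by_src = defaultdict(list)
    for ts, action, src, port in parse(log):
        if action == "DROP":
            by_src[src].append((ts, port))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):          # window anchored at each probe
            ports = {p for ts, p in events[i:] if ts - start <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, n in slow_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct ports probed, likely slow scan")
```

The threshold and window are the tuning knobs: a lower threshold catches targeted scans of a handful of service ports, at the cost of more noise from misconfigured clients.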
Once connected to a port, the service usually responds with a banner that shows the software name and version. At this point the hacker looks that software up against a list of known exploits for it. If the software is old then many more exploits are possible. That’s a potential point of entry: it may provide a way to guess logins without being logged, it may give the hacker a shell, it may expose data, and more. To prevent this, a good server admin removes every service that isn’t needed. Any services that remain are configured so they never advertise their software or version. The server receives regular updates, so known vulnerabilities are fixed. Finally, a good server admin may move some services to non-standard ports. This doesn’t hide them, it just makes finding them slightly more annoying.
If a hacker does get into a server, it’s probably through a non-administrator account, and system admins should restrict administrator accounts so they can’t be used to log in remotely. Unfortunately, once a hacker has a foothold, even on a non-administrator account, that server is in serious danger. A privilege escalation exploit against a bug in the OS or a misconfigured service can turn that account into an administrator one, and a rootkit is then installed to hide the hacker’s files and processes and to keep that access across reboots. (The rootkit is the tool for keeping and concealing administrator access, not the thing that obtains it.)
In the younger days of computing, cold hacking was easier. Security software and default configurations have improved enough to make it annoying. There are easier methods to hack businesses, such as malware.
Malware
One of the easiest methods of attack is to trick people into running a program or installing software. Once a hacker has software running on a workstation, that software can usually access everything the user can. Anything the user types can be seen. The desktop itself can be watched, and the software can even allow remote control. Malware can do anything the user can do.
Often, office workstations are set up so the user has access to shared drives, automatic logins to web systems and more. That is convenient for the employee, which makes them more productive, and it is exactly what malware inherits. Security conscious system administrators will do what they can to reverse that trend. There are two sides, each with valid arguments. Where to draw the line depends on the security requirements of the organization.
Over the past couple of decades a type of malware called ransomware has grown prevalent. Ransomware encrypts files on your workstations and servers. If a workstation is infected, any local or network drive it can write to will be encrypted. It is called ransomware because the hackers tell you what they have done and demand a ransom for the decryption key. If you pay, you might receive a key that decrypts your files. Essentially they hold your files hostage on your own computers.
Ordinary files can be backed up and restored easily, assuming the system admin has set up automated backups. Business workstations are typically configured so all user files live on network drives, and those drives are backed up. That way, if a workstation is infected, it can be reimaged and the damaged files restored. Some files, such as live database files, are not so easily backed up, so system administrators should ensure they are never directly accessible from workstations. A backup the ransomware can reach is not a backup: keep copies offline, or on storage that workstations can’t write to. Educating employees helps, so they don’t install malware, but some employees will never be computer literate. A system admin has to plan for this and create contingencies.
Some systems use virtual machines to protect against malware. A virtual machine is like a fake computer running inside your computer; if something affects it, the real computer is not supposed to be touched. This mostly works but not always. Email providers, for example, open attachments inside a virtual machine (a sandbox) and then inspect it to see whether anything was changed. This stops most email malware, but it’s a constant battle between hackers and security specialists: some malware stays dormant for months before it triggers, some checks whether it is running in a sandbox and behaves itself until it isn’t, and some exploits the virtualization software itself to break out to the physical machine.
This ongoing struggle might be too annoying for some hackers, so they go after the users instead.
Hacking Users
When browsing the web, you sometimes come across sites that look like they are scanning your computer. They pretend to detect viruses or malware and ask you to call a number to clean it. When a user calls that number, a scammer talks them into installing remote access software or malware. Nearly anyone can run this scam. Protect against it with education.
Unfortunately there are other ways to trick users, such as spoofing attacks.
Spoofing
Computers have addresses much like houses. Before computers existed, if one house wanted to send a message to another it used the postal service: write the address on the front, then add the return address in case the message can’t be delivered. Computers communicate in much the same way. Information is split up into packets. Each packet is like a letter in the mail, with a delivery address, a return address and the contents. Spoofing is pretending to be your neighbour by sending mail with his return address on it.
Internet protocols were good for their time, but their designers didn’t plan for spoofing. If they had, the fine minds behind them would easily have prevented it. This small oversight leaves some internet protocols vulnerable. For example, SMTP, the protocol that delivers email, accepts whatever sender address the connecting computer claims. Someone can open a connection to a destination mail server, issue the commands and data that make up a message, and name any sender they like. When the message arrives, it looks like a genuine email from a real user.
Spoofing attacks are often targeted, and are often combined with malware. Suppose a hacker finds a CEO’s email address and the email address of his wife. He could send malware named ‘Shopping List’ with the message, ‘Could you please pick these up on the way home?’ Or the malware could appear to come from his child with the message, ‘Look what I drew, Daddy!’
For this reason we need better internet protocols, ones that verify a claimed sender rather than trusting it. For email, that verification has been bolted on after the fact: SPF lets a domain publish in DNS which servers may send mail on its behalf, DKIM signs messages with a key published in DNS, and DMARC tells receivers what to do when neither check passes. These only help if sending domains publish the records and receiving servers enforce them.
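How a receiving server uses a published SPF record to decide whether the connecting computer is allowed to claim a sender domain, as an added example (mine, not the article’s). The DNS answers are constructed for assumed domains instead of being looked up, and the evaluator handles only `ip4`/`ip6` mechanisms and the `all` qualifier; `include`, `a`, `mx` and `redirect` are left out.

```python
import ipaddress

# Constructed TXT records for assumed domains; a real receiver queries DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.10 -all",
    "softfail.example": "v=spf1 ip4:192.0.2.0/28 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, sender_ip):
    """Minimal SPF evaluation: walk the mechanisms left to right and return
    the qualifier of the first one that matches the connecting address."""
    record = SPF_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"                       # domain publishes nothing: no verdict
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith(("ip4:", "ip6:")):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = False                 # unsupported mechanism in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def accept_mail(mail_from, sender_ip):
    """Receiver policy: reject a hard fail outright; anything else is passed
    on, where DKIM and DMARC would weigh in."""
    domain = mail_from.rpartition("@")[2]
    verdict = spf_check(domain, sender_ip)
    return verdict != "fail", verdict


if __name__ == "__main__":
    for sender, ip in [("ceo@example.com", "198.51.100.7"),
                       ("ceo@example.com", "203.0.113.99"),
                       ("bob@softfail.example", "192.0.2.200"),
                       ("eve@nospf.example", "203.0.113.99")]:
        ok, verdict = accept_mail(sender, ip)
        print(f"{sender:24} from {ip:15} -> {verdict:8} {'accepted' if ok else 'rejected'}")
```

The spoofed message from the example above, sent from an address outside the record, lands on the `-all` mechanism and is rejected before any content is read; a domain that publishes no record gets no protection at all.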
Conclusion
Security should be a factor when designing computer systems, networks, software and protocols. It can’t be bolted on successfully afterwards; for security to be effective it must be part of the design. There are many ways hackers try to access systems and just as many ways IT specialists prevent it. Keep educated so you can keep abreast of new developments.