Network Security Audit

A thesis presented by LIU David, University of Plymouth, Plymouth, United Kingdom

Supervised by Dr. Bogdan Ghita, Network Research Group, University of Plymouth, Plymouth, United Kingdom

Submitted to the Faculty of Technology of the University of Plymouth in partial fulfilment of the requirements for the degree of MASTER OF SCIENCE IN NETWORK SYSTEMS ENGINEERING

September 2005, School of Computing, Communications and Electronics

Abstract

With the increase in the number of broadband subscribers, the number of home computers has grown considerably, and security issues have gained importance in this domain. Most of these new computer users are novices who do not understand the security consequences of their actions on their machines. Software companies have developed several products to protect these stand-alone computers; some of them produce security audits that evaluate the security risk of the personal computer (PC). Unfortunately, even with these audit programs, users do not become aware of the dangers they face on the Internet. This project has developed a security audit tool intended for novice computer users. Its objective is to evaluate both the security level of the machine itself (the "material" audit) and the security risk arising from the user's behaviour. To make sure that users understand the results, the tool also contains explanation and demonstration elements that show them how a malicious person can exploit their lack of caution.

Acknowledgements

The author would like to thank Dr. Bogdan Ghita, member of the Network Research Group at the University of Plymouth, for his help and availability during the whole project. The author would also like to thank M. Coste Pierre-Alain, Ms Uy Lyna and M. Abrard Anicet for their constant help, advice and encouragement during this project.
The author would like to thank all staff members of the University of Plymouth for their help in this project.

Table of Contents

Abstract
Acknowledgements
Table of Contents
Table of figures
Introduction
Objectives
Background
Chapter 1 Current Environment
  1.1 Existing audit software
    1.1.a Nessus
    1.1.b ATK (attack tool kit)
    1.1.c GFI LAN scanner
    1.1.d MBSA (Microsoft Baseline Security Analyser)
  1.2 Security risks
    1.2.a Confidentiality
    1.2.b Integrity
    1.2.c Availability
  1.3 Hacking tools
    1.3.a Password cracking
    1.3.b Packet and password sniffing
    1.3.c Trojan horses
    1.3.d Backdoors
    1.3.e Internet worms
    1.3.f Mobile code
    1.3.g Port scanner
    1.3.h Key logger
    1.3.i Denial of service (DoS)
  1.4 Protection mechanisms
    1.4.a Firewall
    1.4.b Antivirus
    1.4.c Patches
    1.4.d Passwords
Chapter 2 Important issues
Chapter 3 Project approach
  3.1 Research
  3.2 Conception
  3.3 Human aspect
  3.4 The technology
  3.5 The architecture
  3.6 The audit programs
    3.6.a Material audit tools
    3.6.b Human behaviour assessments
Chapter 4 Implementation
  4.1 The port scanner
  4.2 The antivirus tester
  4.3 The MCQ
  4.4 The password tester
  4.5 The key logger
  4.6 Explanation pages
  4.7 Java requirement
  4.8 Feedback and profiling
Chapter 5 Achievement
  5.1 Achievement
  5.2 Limitations
Chapter 6 Survey
  6.1 Introduction
  6.2 Results
  6.3 Analysis of the results
Chapter 7 Improvements
Conclusion
References
Appendix
  A. Codes
    A.1 Server
    A.2 Portscan
    A.3 Quick port scan
    A.4 Portscan CLI
    A.5 Client
    A.6 Test virus
    A.7 Test virus CLI
    A.8 Password
    A.9 MCQ
    A.10 Key logger server
    A.11 Keylogger CLI
  B. Explanation pages
    B.1 Audit tools
      B.1.i Computer's ports
      B.1.ii Key loggers
      B.1.iii Antivirus test
    B.2 Explanation pages
      B.2.i What is a firewall
      B.2.ii Patches and updates
      B.2.iii Antivirus
      B.2.iv Passwords
      B.2.v Downloads from unknown sources
      B.2.vi Illegal software
      B.2.vii Internet configuration
      B.2.viii Peer-to-peer software
      B.2.ix Operating system security differences
      B.2.x Web page security level
      B.2.xi Shares
      B.2.xii Anti-spyware tools
      B.2.xiii Connected time
      B.2.xiv Data storage
      B.2.xv Personal information

Table of figures

Figure 1: the wide range of options to set up a customised vulnerability audit.
Figure 2: ATK attack tool kit uses diagrams to explain its functionality.
Figure 3: security advice given by ATK after the audit.
Figure 4: the elements that compose the internal scan of GFI LAN scanner.
Figure 5: the security assessment result of MBSA.
Figure 6: the basic role of a firewall (firewall-net, 2004).
Figure 7: the delay between the discovery of a vulnerability and its exploitation.
Figure 8: the architecture of this project.
Figure 9: the 31 well-known ports of the "quick" scan.
Figure 10: summary of the functioning of the port scan tool.
Figure 11: the port scan interface, with a scan result displayed.
Figure 12: the user interface of the antivirus test tool.
Figure 13: the result of the password tester when the password is a dictionary word.
Figure 14: the result of the password tester when the password is not a dictionary word.
Figure 15: the interface of the key logger.
Figure 16: the data returned by the key logger server.
Figure 17: distribution of the users who tested this project.
Figure 18: distribution of opinions about the interface of the project.
Figure 19: distribution of users who had already tested audit software.
Figure 20: distribution of opinions concerning the comparison with existing audit programs.
Introduction

Security has become a critical issue for modern companies, which spend large amounts of money to prevent malicious persons from accessing their data. As this level of protection increases, attackers are turning away from banks and high-technology companies and targeting small organisations and ordinary single PCs or home networks, which are far less well protected. Aware of this, software vendors have developed products adapted to ordinary home Internet users, such as personal firewalls and personal antivirus software. Unfortunately, their use can also create a false sense of security: most of the time these tools are not configured properly by users who lack the necessary knowledge, and the computer remains exposed.

The present dissertation gives an overview of the MSc project "Network Security Audit". The project analyses the current weaknesses of home computers that can be exploited by attackers, reviews existing solutions to address them and, finally, develops a set of audit programs that allow even very inexperienced computer users to audit the security level of their machines.

Objectives

Nowadays most computer users have little knowledge of the Internet or of security. This project aims to make them understand, through simple demonstrations and explanations, the risks they face when connected to the Internet.

The audit program developed in this project is composed of three main parts.

First, a software application executes technical tests of the computer and produces a physical ("material") security audit. To provide both external and internal tests, the application uses a client/server configuration: the server side is placed online and executes the external tests and attacks, while the client side runs on the local host and offers the local tests.
The program must be as easy as possible to use so that it is accessible to every ordinary computer user.

Unfortunately, a technical audit is not enough to evaluate the security level of a computer: human behaviour is also a key element. Secondly, therefore, a multiple-choice questionnaire (MCQ) is integrated into the application to assess the user. Some questions concern the security elements already present on the PC, and others deal with the user's behaviour in the face of different events, for instance a website that asks the user to download and execute a program. Combined with the results of the technical audit, this gives the user an accurate and customised security audit based both on the machine's security configuration and on the user's behaviour. To make the MCQ questions easier to understand, they are illustrated with screenshots and diagrams.

Finally, once the audit results have been produced, the application should help the user understand them; ordinary PC users have too little knowledge to exploit these results on their own. For the third part of the project, informative pages are included and linked to the audit results, explaining the problems detected and giving advice on how to avoid them.

Background

When connected to the Internet, a computer is linked to an enormous information resource, but most users are not even aware of the danger they expose themselves to by plugging that small connection cable into their PC. It is well known that the Internet is composed of many computers connected together using the TCP/IP protocols; what is less well known are the applications that use this connection. The three most common applications are e-mail, file transfer and the World Wide Web, and each relies on a different service: SMTP for e-mail, FTP for file transfer and HTTP for the World Wide Web.
These three protocols contain security weaknesses that can be exploited by malicious people (Kozierok, 2004). Internet Service Providers (ISPs) currently use the simplicity of setting up an Internet connection as a marketing argument and supply their customers with software that manages the Internet connection. This software is easy to install and can set up a connection with a few clicks. Users who are not specialists install it, keep all the default settings and, as long as it works, never look at the connection parameters again. This kind of user is easy prey for attackers. In addition, some Internet users believe that having protection software installed (firewall, antivirus, IDS) is enough to shield their computer from any external attack. This misunderstanding can be very dangerous. A home user cannot realistically be fully protected from intruders, but it is possible to make any intrusion as difficult as possible.

Before detailing the possible risks, it is important to understand the adversary: why do intruders try to break into users' computers? Dr-k (2000 B), a hacker himself, explains that when hackers are asked this question most of them answer that they do it for fun, out of curiosity or to learn. These are the so-called white hat hackers, and they are not really dangerous: they enjoy finding security holes by exploring new methods and new software, and most of the time when they find a weakness they contact the company and advise it on how to solve the problem. There is, however, another type, the black hat hackers or crackers, whose aim is to obtain unauthorised access to computers in order to steal data or disrupt their operation. This second type is far more dangerous and is usually motivated by the money to be made from selling the data they have stolen.
They mostly target companies, because that is where the money is, but to hide their identity from the authorities they take control of ordinary Internet users' PCs and launch their attacks from those machines.

Chapter 1 Current Environment

Security auditing has become a very important activity in modern companies. To provide the maximum security, the IT department is sometimes led to play the role of the attacker and try to bypass its own protections. These tests have led software designers to produce programs that test the security protection of a company automatically, without damaging it. They are called security audit software and allow system administrators to obtain quickly and easily an overview of the current protection status from the software's reports. With the explosion in the number of broadband users, the need for security audits has become widespread, and several security audit programs have been adapted to give home computer users the possibility of testing their own security level. These home versions are less complex to use and to understand.

1.1 Existing audit software

Before starting the design of this project's audit software, it is important to have an overview of the existing audit tools used by network administrators. Four of them are analysed here.

1.1.a Nessus

Nessus is perhaps the most famous. It is a free vulnerability scanner based on a client/server architecture. It normally runs on UNIX-like systems, but a Windows version has recently been adapted from it, Tenable NeWT Security Scanner (Nessus, 2005), and it is this version that was tested in this project. The functionality of Nessus is very similar to that of the audit tool this project produces: the client part handles the interaction between the user and the machine by sending the user's instructions to the server; the server receives them, runs the appropriate command (attack test) and finally sends the result back to the user.
This program has three main positive points: it is free; its checks are implemented as plug-ins, which makes it easy to update; and it offers a wide range of options for parameterising the vulnerability audit.

Figure 1: the wide range of options to set up a customised vulnerability audit.

1.1.b ATK (attack tool kit)

ATK is also free audit software; it combines a vulnerability scanner with an exploitation framework (ATK, 2005). It has two main benefits: it is very easy to use and uses diagrams to explain its functionality to the user; and when a vulnerability is discovered it gives advice on how to close the security hole.

Figure 2: ATK attack tool kit uses diagrams to explain its functionality.

Figure 3: security advice given by ATK after the audit.

1.1.c GFI LAN scanner

GFI LAN scanner is comprehensive security software. Once launched, it performs an external vulnerability scan and also an internal security audit (GFI, 2005). The internal scan checks, on the current computer or on every host of the LAN (Local Area Network), the software installed and its patches, the passwords used, the USB devices, the registry entries, the shared folders, the wireless access points and other elements.

Figure 4: the elements that compose the internal scan of GFI LAN scanner.

1.1.d MBSA (Microsoft Baseline Security Analyser)

MBSA is a security tool created by Microsoft for Windows-based computers. "It scans for common misconfigurations in the operating system, IIS, SQL, and desktop applications, and can check for missing security updates for Windows, Internet Explorer, Windows Media Player [...]" (Microsoft, 2005). MBSA is connected directly to Microsoft's vulnerability database, which gives it the advantage of being constantly up to date. Moreover, it gives users clear explanations of, and solutions to, the problems it discovers.
Figure 5: the security assessment result of MBSA; explanations and advice are given for each problem.

1.2 Security risks

A good knowledge of the risks that attackers can exploit is a key element in finding a solution to protect a computer and its data. This section lists the most common methods used by attackers to gain control of users' computers. In his book, Stajano (2002) divides these risks into three main areas: confidentiality, integrity and availability. For a better understanding, they are explained here from a company's point of view, which is the context in which they are usually discussed.

1.2.a Confidentiality

For a company it is vital to keep some information secret, for instance its sales figures or the results of its current research projects; releasing this kind of data to a wider public can have unexpected consequences. Leaked sales figures could cause a fall in the stock valuation; leaked research results would mean that competitors obtained for free what the company spent two years of research and money on. To keep information confidential, access to it must be restricted to authorised persons, so a user identification process must be implemented. It can be based on passwords, on encryption, or on other forms of authentication such as the IP address of the computer, although an IP address can be forged and is a weak form of authentication on its own.

1.2.b Integrity

The integrity of an organisation's data directly affects its brand image. Simple errors in a company's data can cause failures that cost thousands of dollars or undermine confidence in the company: if customers are billed for goods they never received or did not want, or are billed twice, they will take their business elsewhere. To avoid integrity problems, the system should be designed to prevent such errors; redundancy and regular backups are the key measures.
Instead of keeping a single file, a copy is made every time it is modified, so that if the original document is corrupted the backup can replace it.

1.2.c Availability

Ensuring the confidentiality and integrity of an organisation's data is useless unless that data can be used by the right person at the right time. A great number of incidents can disturb the availability of a database: the main hard disk can fail, a vital hub or router can go down, the main server can crash. Redundancy and an appropriate security policy considerably reduce the risk of failure.

Now that the three major risk areas have been discussed, some of the common attacks used by hackers are explained; this will help in understanding the rest of this dissertation.

1.3 Hacking tools

1.3.a Password cracking

Passwords are a crucial line of defence for computers; without them, attackers could access a remote system or modify a protected file at will. In their book, Russel and Ganjemi (1992 A) explain that there are three methods for cracking a password. The most common is the "dictionary attack": every word and name in a dictionary is tried to see whether one of them is the password. With a program that can try thousands of words per second, a password that is a dictionary word is found very quickly, generally in a few seconds. The two other types, the "hybrid attack" and the "brute-force attack", are designed for more complicated passwords. The hybrid attack builds on the dictionary attack but is more complete: it takes each dictionary word and tests it with every likely prefix and suffix. The brute-force attack is the simplest and, in the end, the most powerful: it always succeeds eventually, but the time it needs is unpredictable and can be hours, days, weeks or months.
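The three attacks described above, as an added example that is not part of the thesis or of its Java password tester: a dictionary, a hybrid and a brute-force attack run against a salted SHA-256 hash. The wordlist, the affix list, the salt and the target passwords are constructed here for illustration; the attempt counts show why a dictionary word falls in a handful of hashes while even a three-character random password costs tens of thousands.

```python
"""Added example (not from the thesis): the three password attacks of section 1.3.a
run against a salted SHA-256 hash. Wordlist, affixes, salt and target passwords
are constructed here for illustration."""
import hashlib
import itertools
import string

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "plymouth", "dragon", "monkey", "qwerty"]
# Typical prefixes/suffixes a hybrid attack bolts onto dictionary words.
AFFIXES = ["1", "123", "!", "2005"]


def hash_password(password: str, salt: bytes) -> str:
    """Fast hashes like this are what make cracking cheap; a real system should
    store passwords with a deliberately slow KDF (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def _try(candidates, target, salt):
    """Hash each candidate until one matches; return (password, attempts)."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hash_password(cand, salt) == target:
            return cand, attempts
    return None, attempts


def dictionary_attack(target, salt, wordlist=WORDLIST):
    return _try(iter(wordlist), target, salt)


def hybrid_candidates(wordlist=WORDLIST, affixes=AFFIXES):
    """Dictionary words, their capitalised form, and every prefix/suffix variant."""
    for word in wordlist:
        for base in (word, word.capitalize()):
            yield base
            for affix in affixes:
                yield base + affix
                yield affix + base


def hybrid_attack(target, salt, wordlist=WORDLIST, affixes=AFFIXES):
    return _try(hybrid_candidates(wordlist, affixes), target, salt)


def brute_force_candidates(charset, max_len):
    """Every string of length 1..max_len over charset, shortest first."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=n):
            yield "".join(chars)


def brute_force(target, salt, charset=string.ascii_lowercase + string.digits, max_len=3):
    return _try(brute_force_candidates(charset, max_len), target, salt)


def keyspace_size(charset_size: int, max_len: int) -> int:
    """Number of candidates a brute force must be prepared to try."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def demo():
    """Crack three constructed passwords, one per attack; returns {name: (password, attempts)}."""
    salt = b"constructed-salt"
    results = {}
    for name, pw, attack in [("dictionary", "plymouth", dictionary_attack),
                             ("hybrid", "plymouth2005", hybrid_attack),
                             ("brute", "x7q", brute_force)]:
        results[name] = attack(hash_password(pw, salt), salt)
    return results


if __name__ == "__main__":
    for name, (pw, n) in demo().items():
        print(f"{name:10s} recovered {pw!r} after {n} hashes")
    print("8-character lowercase+digit keyspace:", keyspace_size(36, 8))
```

Running the block shows the three attacks ordered by cost: the dictionary word falls on the third hash, the word-plus-year on the 44th, and the random three-character string only after roughly 32,000 hashes, out of a keyspace of 47,988. Extending `max_len` to 8 raises the keyspace to about 2.9 trillion, which is why a non-dictionary password of reasonable length is the single cheapest protection a home user has.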
A brute-force attack simply tries every combination of keyboard characters until it finds the password; it is limited only by the computing power available to the cracker.

1.3.b Packet and password sniffing

It is not usually easy to guess the right password, so a much simpler method can be used: "password sniffing". Gollmann (1999 A) explains in his book that this method exploits the way TCP/IP, the protocol used for Internet communication, works. In a few words, when a computer wants to communicate with another, it sends its data tagged with the IP address of the intended receiver. On a shared medium such as a hub-based or wireless network, every computer on the path between the two PCs receives the data, checks the destination address and drops it if the address does not match its own. Many computers can instead be programmed to pick up every message sent through the network, in which case they can read messages that were not intended for them. Any attacker with a "sniffing" program can easily extract information about the sender from that data, for instance the login and password when the computer is talking to a server or a website over an unencrypted protocol.

1.3.c Trojan horses

Trojan horses are malicious programs that, once executed, typically create a backdoor on the PC. They are generally sent by e-mail as an attachment with an attractive name to encourage users to download and launch them. Attackers commonly use them to take control of PCs and then launch attacks from those infected computers against more sensitive targets such as government websites; Trojan horses thus give attackers a way to stay anonymous.

1.3.d Backdoors

Backdoors are entry points into a computer system. This does not sound very dangerous, but all access through such an entry point bypasses the security controls of the computer.
Through this access, intruders can reach and control the infected computer without its user noticing anything. Backdoors are usually installed by a malicious program such as a Trojan horse. They have not always been used for malicious purposes: some program designers deliberately leave a backdoor to make maintenance or repairs easier. One of the most famous examples comes from Ken Thompson, one of the authors of UNIX, who in his Turing Award lecture "Reflections on Trusting Trust" (1984; cited by Linux World, 2004) described how a modified C compiler could insert a backdoor into the UNIX login program without leaving any trace in the source code.

1.3.e Internet worms

A worm can be considered an automated, autonomous agent: it contains code that exploits known security vulnerabilities on certain hosts, arising from the operating system or from application software. The worm first scans the network for connected hosts with those weaknesses, then breaks into the target machines; once inside, it replicates itself and sets itself up to continue spreading. Worms can infect a huge number of hosts in a very short time. One of the most famous worm attacks happened in 1988: the "Morris worm" used holes in UNIX systems to spread and infected some three thousand machines in a few hours. "[...] estimates of the cost of system fixes and testing range from $1 million as high as 100 millions." (Russel and Ganjemi, 1992 B).

1.3.f Mobile code

More recently, problems associated with mobile code have been discovered. Mobile code is what web designers use to create animations and other active content (Java, JavaScript and ActiveX) that runs in the web browser when the host visits their website.
According to Oppliger (1999), once executed by the web browser, it can contain malicious code which allows its writer to gather information about the compromised computer: login/password, etc.

1.3.g Port scanner
When a computer is connected to the Internet, each network service and protocol is allocated a communication port through which it talks to the network; it is a gate of some sort. For instance, the HTTP protocol (web browsing) uses port 80 to communicate with the network and the SMTP protocol (email) uses port 25. Poole (2003 A) says that the danger comes from the standardisation of port allocation. If a hacker knows exactly which ports are open on your computer, they are able to build up a good picture of which service applications are running on it. Normally, scanning the victim's ports is the first step of any attack; thanks to this scan, the hacker then adapts his or her attack strategy to the configuration of the prey's computer.

1.3.h Key logger
Key loggers are programs that run in the background of the operating system and record all the user's keystrokes. Their legal use was for parents who wanted to keep an eye on their children's activities on the computer. Unfortunately, hackers turned this kind of program to another purpose. Now they are sent attached to emails and, if the victim has the bad idea to double click on the attachment, the key logger is discreetly installed and then sends all captured data to an email address or an FTP address. Key loggers are used by hackers to steal users' passwords or private information.

1.3.i Denial of service (DoS)
Last but not least, DoS attacks group together all attacks which exploit vulnerabilities of the TCP/IP protocol. These attacks are not really complicated, but they are truly effective. They can reach every computer, no matter which operating system is running: because they target the TCP/IP protocol, no PC is fully secured against them. One well-known example of a DoS attack is SYN flooding.
For every TCP connection, when a host wants to connect to a server, the two must first exchange a fixed set of messages. Normally, if host A wants to connect to server B, it has to send a Synchronize Sequence Number (SYN) to B; B then responds to A by sending back the SYN with the Acknowledge bit set and waits for an answer from A; once the final answer from A has been received by B, the connection is operational. Garfinkel, Spafford and Schwartz (2003) explain that this three-step connection (the three-way handshake) can easily be abused by hackers who send a huge number of connection requests: the server automatically answers each with a SYN carrying the Acknowledge bit, and the hacker never sends anything back to finalise the connection. The server is left waiting with a great number of ‘half-negotiated’ TCP connections and cannot manage any more connection requests. Poole (2003 B) explains in his book that one of the most important DoS attacks occurred in February 2000 against Yahoo, a very popular website. Some hackers used a large number of computers infected by backdoors or Trojans to flood one of the routers designed to handle the Yahoo website traffic. The traffic was so heavy that the router was unable to cope. The result of this attack was that the website was unavailable for a few hours.

This chapter has presented some simple attacks used by hackers to break into computers or disturb their integrity. After reading it, any user would like to know whether their own machine is protected against these threats. That is the aim of this MSc project: to detect the security level of a Personal Computer and, if any vulnerability is found, to find a solution to address it.

1.4 Protection mechanisms
Most network administrators are aware of these security risks and have the knowledge to build an appropriate solution for them. Unfortunately, home Internet users do not have the capacity to face this kind of danger.
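To make the ‘half-negotiated’ connection state of the SYN flood described above concrete from the server's side, here is an added example; it is not code from the thesis. It accounts for half-open connections from a constructed log of SYN and final-ACK events, flags a source that is holding many of them, and reports how full an assumed half-open table is. The timeout, the backlog size, the addresses and the event log are all assumptions made for the example.

```python
"""Half-open TCP connection accounting from a connection event log.

Added example (not the thesis's code). A SYN that is never followed by the
client's final handshake message stays in the server's table until a timeout
expires it; this is the state a SYN flood fills up.
"""
from collections import defaultdict

SYN_TIMEOUT_S = 30.0   # assumed time a server keeps a half-open entry
BACKLOG = 8            # assumed size of the server's half-open table

# Constructed event log: (time in seconds, client address, message).
# "SYN" is the client's connection request; "ACK" is its final handshake
# message. A SYN never answered with an ACK leaves a half-open connection.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10", "SYN"), (0.1, "192.0.2.10", "ACK"),       # normal client
    (0.2, "192.0.2.11", "SYN"), (0.3, "192.0.2.11", "ACK"),       # normal client
    (0.5, "192.0.2.12", "SYN"),                                    # never completed, but old
    (40.0, "198.51.100.7", "SYN"), (40.2, "198.51.100.7", "SYN"),
    (40.4, "198.51.100.7", "SYN"), (40.6, "198.51.100.7", "SYN"),
    (40.8, "198.51.100.7", "SYN"), (41.0, "198.51.100.7", "SYN"),  # six requests, no ACKs
    (41.5, "192.0.2.11", "SYN"),                                   # legitimate, still in progress
]


def half_open_by_source(events, now, timeout=SYN_TIMEOUT_S):
    """Count, per client address, the SYNs still awaiting their ACK at time `now`.

    Entries older than `timeout` are assumed to have been expired by the server.
    """
    pending = defaultdict(list)
    for t, src, kind in sorted(events, key=lambda e: e[0]):
        if kind == "SYN":
            pending[src].append(t)
        elif kind == "ACK" and pending[src]:
            pending[src].pop(0)          # completes the oldest outstanding SYN
    live = {}
    for src, times in pending.items():
        n = sum(1 for t in times if now - t < timeout)
        if n:
            live[src] = n
    return live


def flag_flood_sources(events, now, threshold=5, timeout=SYN_TIMEOUT_S):
    """Addresses holding at least `threshold` half-open entries: the flood signature."""
    counts = half_open_by_source(events, now, timeout)
    return sorted(src for src, n in counts.items() if n >= threshold)


def backlog_pressure(events, now, backlog=BACKLOG, timeout=SYN_TIMEOUT_S):
    """Fraction of the half-open table in use; at 1.0 new connection requests are dropped."""
    total = sum(half_open_by_source(events, now, timeout).values())
    return min(total / backlog, 1.0)


if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_EVENTS, now=50.0))
    print(flag_flood_sources(SAMPLE_EVENTS, now=50.0))
    print(backlog_pressure(SAMPLE_EVENTS, now=50.0))
```

The point the accounting makes is that the defensive signal is not the number of SYNs received but the number that never complete: at time 50 the six unanswered requests from one address occupy most of the assumed table while the two normal clients cost nothing. The usual server-side mitigations (a shorter retention time for half-open entries, or SYN cookies, which keep no state until the client's final message arrives) act on exactly this table occupancy.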
Of course, home users will be targets of less sophisticated attacks, but that is not a reason to leave their computers without any defence against intruders.

1.4.a Firewall
A firewall is a significant security element of a computer or network. It can be software or hardware based, and provides access control for the PC. By building a barrier between the machine and the Internet, it prevents unauthorised access to the computer's private information.

Figure 6: the basic role of a firewall (firewall-net, 2004)

Gollmann (1999 B) explains that there are different sorts of firewalls, each with its advantages and disadvantages. Depending on the users' needs and their network topology, the most suitable firewall should be installed. Basically, the firewall checks the data packets going in and out of the computer; for each of them it verifies the source and destination IP addresses and the port used. It then compares the result with the security rules that have been defined by the user and finally decides which packets are allowed to pass through and which are not. The firewall is the first point to check in order to assess the security level of a computer. If it is absent, that would mean the PC's integrity is already compromised. A firewall is also useless if it is not monitored. Some people install a firewall on their PC and forget it; in this case, the firewall just gives an illusion of security. If the firewall's settings are not adapted to the security risks, it will not protect anything.

1.4.b Antivirus
Antivirus is the software usually associated with the firewall; their roles are complementary. Firewalls verify which information can enter your computer, but once access is granted they do not look at the content of this information. The antivirus has the mission of scanning the content of the data which has passed through the firewall. For instance, downloaded programs are scanned for viruses before the user can launch them.
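The packet check described under 1.4.a above (source and destination address, port, then a comparison with the user's rules) can be written down as an ordered rule list with first-match semantics. The following is an added example, not the thesis's code: the home PC address, the rule set and the sample packets are constructed for illustration. It also shows the "installed and forgotten" case the text warns about, where a blanket allow rule at the top shadows every rule after it.

```python
"""Rule-based packet filtering with first-match semantics (added example, not the thesis's code).

Each packet is matched against an ordered rule list on direction, source and
destination address, protocol and destination port; the first matching rule
decides, and a packet matching no rule gets the default policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOME_PC = "192.168.1.10"       # constructed: the audited home computer
LAN = "192.168.1.0/24"         # constructed: its local network


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in" (Internet -> PC) or "out" (PC -> Internet)
    src: str                # CIDR network or "any"
    dst: str                # CIDR network or "any"
    dport: Optional[int]    # destination port, None = any port
    proto: str = "tcp"      # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def _addr_in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)


def decide(rules, pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation; unmatched packets fall through to `default`."""
    for r in rules:
        if r.direction != pkt.direction:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if not (_addr_in(r.src, pkt.src) and _addr_in(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action
    return default


# A rule set adapted to a home PC: trust the LAN, refuse the exposed NetBIOS
# session port from the Internet, allow web and mail out, deny everything else.
HOME_RULES = [
    Rule("allow", "in", LAN, HOME_PC, None, "any"),
    Rule("deny", "in", "any", HOME_PC, 139),
    Rule("allow", "out", HOME_PC, "any", 80),
    Rule("allow", "out", HOME_PC, "any", 25),
    Rule("allow", "out", HOME_PC, "any", 53, "udp"),
]

# The "installed and forgotten" configuration: a blanket allow rule placed first
# shadows every inbound rule after it, so the firewall decides nothing inbound.
FORGOTTEN_RULES = [Rule("allow", "in", "any", "any", None, "any")] + HOME_RULES

# Constructed sample traffic.
SAMPLE_PACKETS = {
    "lan_share":    Packet("in", "192.168.1.20", HOME_PC, 139),      # neighbour on the LAN
    "inet_netbios": Packet("in", "203.0.113.9", HOME_PC, 139),       # Internet host probing NetBIOS
    "inet_web_in":  Packet("in", "203.0.113.9", HOME_PC, 80),        # unsolicited, matches no rule
    "web_out":      Packet("out", HOME_PC, "198.51.100.20", 80),
    "irc_out":      Packet("out", HOME_PC, "198.51.100.20", 6667),   # matches no rule: default deny
}


def evaluate(rules, packets=SAMPLE_PACKETS):
    """Decision per named sample packet, for a given rule set."""
    return {name: decide(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    print("home rules:     ", evaluate(HOME_RULES))
    print("forgotten rules:", evaluate(FORGOTTEN_RULES))
```

Two design points carry the security content: the default is deny, so traffic nobody wrote a rule for (the unsolicited inbound web packet, the outbound IRC connection) is refused rather than silently allowed; and rule order matters, so the same rule set with one permissive rule on top lets the NetBIOS probe straight through, which is what "an illusion of security" looks like in configuration terms.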
If there is no antivirus, users would not even know whether the files they download from the Internet contain malicious code that would infect their computer with viruses or worms.

1.4.c Patches
Nowadays, weaknesses in software are discovered and exploited by hackers very quickly. The graphic below shows the delay between the discovery of a software vulnerability and the moment it is exploited.

Figure 7: the delay between the discovery of a vulnerability and its exploitation by hackers (Pinkney, 2004)

To protect your machine from new exploits, program designers produce patches for every new security hole discovered in their programs. Users should regularly patch their PC and keep their software up to date. If not, in a very short time the host's security will be compromised.

1.4.d Passwords
Passwords are a crucial element of users' security. When you open your online email box you send your login and password through the Internet with an encryption system. This method seems to be secure, but as seen in the previous chapter, hackers can actually use packet sniffing programs which catch your data and then obtain your password with password cracking tools. If your password is a dictionary word or a name, it takes approximately a few seconds to crack it. Here are some questions provided by the US Department of Homeland Security (2002) to verify the quality of your password security.

Every year thousands of computers are illegally accessed because of weak passwords. How many users are guilty of any of the following things?
* Writing down a password on a sticky note placed on or near your computer.
* Using a word found in a dictionary. That's right, a dictionary. Any dictionary!
* Using a word from a dictionary followed by 2 numbers.
* Using the names of people, places, pets, or other common items.
* Sharing your password with someone else.
* Using the same password for more than one account, and for an extended period of time.
* Using the default password provided by the vendor.
Chances are, if you are anything like the majority of computer users, you answered yes to one or more of the above questions. The problem is, hackers are aware of these problems as well and target those who don't take the correct precautions.

Chapter 2 Important issues
There are different issues that give a real sense to this project. All the security risks and protection elements discussed in the previous chapter are well known to professional security administrators, but on the other side, ordinary people can have problems understanding them. Even if they use a home version of security audit software, they may not be able to interpret its results. Software designers try to make their products as simple as possible to reach as many users as possible, but unfortunately, because of the complexity of the network security area, it is very difficult to create something really comprehensible for an ordinary user. Take Nessus for instance: even a user with an intermediate level of knowledge will need about ten minutes to realise what the possibilities of this program are and how to exploit it efficiently. Moreover, today's security audit programs can be very complete from a technical point of view, but they do not take into account the human behaviour factor, which is the weakest link in the network security chain. Even if users have security programs installed and properly set up on their computers, their behaviour can leave them defenceless. For instance, if a user is used to downloading illegal software copies from the Internet, the security of the computer will most likely be compromised, because most of the time the hackers who create these copies add hacking tools such as a Trojan or a worm to them. As explained in a previous chapter, the commercial audit software tested during this project does not contain any human behaviour tests.
The last issue of this project, which makes it so different from other commercial audit software, concerns usage: all existing software needs to be installed on the computer it is auditing. This obligation can be a serious problem for very novice computer users who do not know how to install programs, or for users who do not have an administrator account on the current computer and therefore do not have the right to install anything on it. This MSc project will try to offer appropriate solutions to these issues. Firstly, it will not require any installation, thus giving any user, whatever their level of computing knowledge, the possibility to easily run a security audit on the current computer. Secondly, on top of all the technical audit elements, this project will contain tools which evaluate the security level of the users' own behaviour. Finally, the users' understanding is a key element of this project: they will be provided with clear explanations about how to use the different audit elements, what they are auditing, how to avoid the problems, and so on.

Chapter 3 Project approach
3.1 Research
Network security is a very wide-ranging and well-documented domain; this is at the same time a strength and a weakness for this project. It is a strength because when studies on a specific subject are needed, they can be easily found. It is a weakness because there are so many subjects to master that the domain feels very complex. The project's aim is to audit the security level of a home computer. Unfortunately, most existing security studies and texts deal with companies' networks, so only the issues applicable to this research domain should be picked up.

3.2 Conception
The conception of the software requires a very methodical progression. An analysis of existing security audit tools has been done. The author is not going to reinvent a whole brand new program: if there are good ideas in existing tools, they can be reused in the conception.
The most common element in existing audit programs is the port scanner, so one will be integrated in this project's program. In >>>>>, users can test the efficiency of their antivirus with an inactive virus file; this concept has been adapted in this project. Software used by hackers is also a very good source of ideas; some of it can be integrated into this project to test the vulnerability of the computer against precise types of attacks. Programs similar to a password cracker and to a key logger have been added to this project's product. It should also be kept in mind that the programs developed during this project are designed for ordinary computer users, so simplicity is a very important element. Moreover, it is imperative to have opinions from expert computer users about the programs during the development stage of the project. They will be able to provide advice or warnings if the research is taking a wrong direction.

3.3 Human aspect
As said in a previous part of this dissertation, human behaviour is an important issue of the security audit. Hence, some tests to evaluate how dangerous users are according to their behaviour will be integrated. Some demonstration elements can also be very revealing in this project: instead of using pages of text to explain the danger, it is more efficient to show its direct impact. A set of general security advice should also be added; depending on the audit result generated by the software, it will give users recommendations to improve their current security level.

3.4 The technology
As explained earlier, the audit programs of this project should not require any installation to run. From this point the author has decided to implement the auditing programs in a webpage, which brings several advantages. Easy accessibility from all over the world is one of them: users do not have to download or install anything; all they need is the webpage address.
Moreover, having the full set of auditing programs on an online webpage makes any updates and debugging of the project programs much simpler. There are a few languages which can be run in a webpage; the author has chosen Java to code the security audit programs of this project. Java is an object-oriented language, very suitable for coding Internet programs, and a webpage can contain several Java programs, each of which can be run independently. The disadvantage of Java is the strictness of its security policy; in this project users will need to modify this policy manually.

3.5 The architecture
The project's audit program is essentially composed of several elements: the audit tools and the explanation pages linked to them. The audit programs are integrated in an HTML page that should be launched with the user's web browser. This page contains some basic audit tools coded in Java: a port scanner, an MCQ to evaluate the users' behaviour, a password analyser, an antivirus tester and a key logger; each of them can be used independently. This HTML page will then be put online at the address: http://dcool75.free.fr/projet/ . Basically, this audit page describes to the users how to use each tool, and hyperlinks guide them to the explanation pages where more details are given. These explanation pages allow the user to understand what has been audited with each tool, how to interpret the results, and how to overcome the problems found.
Figure 8: The architecture of this project (diagram; its components are the audit HTML page, which launches the client programs, the port scanner client program and port scanner server, the MCQ program, the antivirus test program and the user's hard disk, the password program and an online English word list, and the key logger client program and key logger server; the legend distinguishes communication from display)

3.6 The audit programs
The audit tools can be grouped into two categories: the ones which analyse the material security risk and the ones dealing with the human behaviour risk.

3.6.a Material audit tools
The port scanner is based on a client/server architecture. The client is launched from the audit webpage on the user's computer and then sends a request to an external server which scans the current PC's ports. A port scanner is one of the basic elements of security audit software, but most of them are based on a local port scan, which means that the audited computer verifies by itself whether its ports are open or not. In this project it has been decided to perform the scan from an external node, essentially because nowadays most home computers are in a local LAN, placed behind a router. Having a port closed on the current computer does not mean that it is closed on the router side. This architecture therefore allows a more complete view of the port status. People who tested this project during its development stage found it usual to have a port scanner in an audit program. But they were surprised to obtain a scan result after 30 seconds, when ordinary online port scanners require a few minutes. The main difference between the port scanner of this project and the others is the number of ports it has to scan. Where an online port scanner like Sygate Online Services (Sygate, 2005) spends 30 minutes scanning all the ports of the user's computer (like the long scan of this project), this project's quick scan only looks at 30 well-known and more exposed ports.
Simplicity and speed are the priorities of this project. The antivirus tester analyses the reactivity of the antivirus installed on the machine. Recently, some online antiviruses have been developed; they can perform a complete hard disk scan for people who connect to their webpages, but they do not perform real tests which audit the efficiency of the installed antivirus. Using an inoffensive file which carries a virus signature is a very efficient way to prove that the antivirus is working properly.

3.6.b Human behaviour assessments
The password analyser, depending on the password entered by the user, estimates the amount of time needed to crack it. There are several free password crackers which could be used to show users how easy it is to crack a weak password. But their main defect is the delay required to crack it: if the password is not a dictionary word, it may take a few minutes or hours to break it, and users cannot wait so long. So instead of integrating one of them, the author has decided to develop this time estimator, which gives a quicker response. Users who tested this project found the concept of this tool very interesting. Calculating the time needed to crack the password provided by the user, instead of really cracking it with appropriate software, requires less effort and can have a better impact on the end user. In the MCQ, users have to answer questions about their behaviour when they meet specific situations. Human behaviour is known as the weakest link of the security chain, but most existing security audit software does not take into account the effects of the human aspect on security. In addition, even expert computer users who manage the security of their computer perfectly may have very dangerous behaviour. The key logger is more a demonstration tool than an auditing tool. It is relevant to show users how a real hacking tool works.
So they will realise by themselves how dramatic it could be if a hacking tool of this kind were installed on their computer. This kind of demonstration can really leave its mark on end users and remove any misconceptions about security they might have. When they see that someone they do not know can easily receive what they write on their computer, they will no longer have an easy feeling of security or privacy, even if they have security software installed.

Chapter 4 Implementation
4.1 The port scanner
This is a basic security audit test; here the user is given the choice between a “quick” scan (code in appendix page 53) and a “long” scan (code in appendix page 52). It has been decided to add this option because a complete port scan (long scan) takes about 20 minutes, and it is not possible to impose such a time-consuming test. The “quick” scan takes about 30 seconds and checks the 31 “well-known” ports shown below.

Keyword      Port  Description
echo            7  Echo
daytime        13  Daytime (RFC 867)
msp            18  Message Send Protocol
ftp-data       20  File Transfer [Default Data]
ftp            21  File Transfer [Control]
ssh            22  SSH Remote Login Protocol
telnet         23  Telnet
smtp           25  Simple Mail Transfer
msg-auth       31  MSG Authentication
time           37  Time
name           42  Host Name Server
nicname        43  Who Is
domain         53  Domain Name Server
whois++        63  whois++
gopher         70  Gopher
finger         79  Finger
www-http       80  World Wide Web HTTP
pop3          110  Post Office Protocol - Version 3
auth          113  Authentication Service
sqlserv       118  SQL Services
nntp          119  Network News Transfer Protocol
netbios-ns    137  NETBIOS Name Service
netbios-dgm   138  NETBIOS Datagram Service
netbios-ssn   139  NETBIOS Session Service
at-rtmp       201  AppleTalk Routing Maintenance
at-nbp        202  AppleTalk Name Binding
at-echo       204  AppleTalk Echo
at-zis        206  AppleTalk Zone Information
ipx           213  IPX
imap3         220  Interactive Mail Access Protocol v3
set           257  Secure Electronic Transaction

Figure 9: the 31 well-known ports of the “quick” scan, adapted from VIAS encyclopedia, 2004

Once the
user has clicked the start button of the user interface (code in appendix page 54), the Java applet runs the client program (code in appendix page 55), which sends a scanning request to the server (code in appendix page 51). The server then analyses the request, finds out the IP address of the user from the connection settings and finally runs the appropriate IP scanning program. There are actually two scanning programs, one for each type of scan (quick and long), but their principle of operation is the same: they try to create a socket connection to the given port within a specific timeout. If this attempt fails, the port is considered closed; conversely, if it succeeds, the port is considered open. For the “well-known” port scan the timeout is set to one second, and for the complete scan it is set to 200 milliseconds. The longer the timeout, the more certain it is that the port is closed. For scanning 65535 ports it is not possible to set a large timeout; otherwise the scanning process would take hours. The scanning result is recorded in a table and transferred to the server program, which converts it into a single data stream and sends it back to the client program. Once the client has received the result, it displays it in the user interface of the audit page.

Figure 10: summary of the functioning of the port scan tool (diagram: the user interface and the client program in the audit main page exchange data across the Internet with the server program and the scan program)

Figure 11: the port scan interface, with a scan result displayed.

4.2 The antivirus tester
To test the reactivity of the user's antivirus, this tool uses elements of the EICAR virus test file. “This test file has been provided to EICAR for distribution as the EICAR Standard AntiVirus Test File", […]. It is safe to pass around, because it is not a virus, and does not include any fragments of viral code.
Most products react to it as if it were a virus (though they typically report it with an obvious name, such as "EICAR-AV-Test")” (EICAR, 2004). The tester creates an “eicar.exe” file on the hard disk of the user's machine and then copies the following 68 ASCII characters into it (code in appendix page 57):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Normally, the antivirus should alert the user that an infected file has been detected. If nothing happens, that means the antivirus is not properly configured or not effective; the tool then gives the user the possibility to delete the file.

Figure 12: the user interface of the antivirus test tool.

4.3 The MCQ
This is a human behaviour test. The user is invited to answer some questions to evaluate the overall security level. Depending on their answers, a specific number of points is added to the risk counter (code in appendix page 60). Here are the questions of the MCQ and the number of risk points associated with each answer. This association is based on the importance of the security element the question concerns and the consequences if this element is missing. The absence of an important security element adds 3 points to the risk counter; if its lack does not imply immediate danger to the computer, 1 point is added.

1. Do you have a firewall installed on your computer? Yes: +0; No: +3
2. If yes, do you think it is configured properly? Yes: +0; No: +1
3. Do you have an antivirus installed on your computer? Yes: +0; No: +3
4. Is your antivirus program up to date? Yes: +0; No: +2
5. Do you frequently update your computer's software components? Yes: +0; No: +3
6. Do you have an anti-spyware tool? Yes: +0; No: +1
7. Do you use a password to access your computer? Yes: +0; No: +3
8. Is your password a dictionary word? Yes: +1; No: +0
9. Do you change your password regularly? Yes: +0; No: +1
10.
Do you verify the security level of the webpages you visit? Yes: +0; No: +1
11. Do you download files from unknown sources? Yes: +3; No: +0
12. Do you use any peer-to-peer software? Yes: +1; No: +0
13. Do you leave any personal information on the net? Yes: +1; No: +0
14. Have you ever configured your Internet access parameters? Yes: +0; No: +1
15. Do you have any software of unknown or illegal origin on your computer? Yes: +1; No: +0
16. Are you using Windows, Mac or Linux as operating system? Windows: +3; Mac OS: +2; Linux: +1
17. How long do you spend online every month? 0-10H: +0; 10-50H: +1; 50-200H: +2; over 200H: +3
18. Do you share any files on the Internet? Yes: +2; No: +0
19. Do you regularly back up your data? Yes: +0; No: +1

The firewall, the antivirus, software patches and passwords are very important security elements. If users answer that they do not have these elements, 3 points are added each time. Security software updates are also vital, but users face fewer security risks with out-of-date software than with none at all, so 2 points are added to the risk counter. The absence of an anti-spyware tool can be dangerous for the user's privacy, but usually it does not bring immediate danger to the computer: 1 point is added. Downloading files from unknown websites may be very dangerous, because they can contain malicious code which infects the user's computer, so if the user is used to doing that, 3 points are added. Details about each question can be found in appendix B.2 “Explanation pages”, page 72. If the overall risk is under 5, the security risk is very low; if it is between 5 and 15, the security risk is medium; if it is between 15 and 25, the security risk is high; and if it is over 25, the security risk is very high.

4.4 The password tester
This is more a demonstration tool than a password cracker.
The user is asked to enter a password, and the tool then imports a list of English dictionary words from a specific webpage (http://dcool75.free.fr/mot.txt). Once the list is imported, the analyser compares the user's password with its content. If there is a match, it informs the user that only a few seconds are required to crack this password (code in appendix page 58).

Figure 13: the result of the password tester when the password is a dictionary word.

If there is no match, the audit tool proceeds to a structural analysis of the password: depending on the characters it is built with, the program calculates an estimate of the time needed to crack it with an ordinary password cracker. This estimate is based on the password's length and the types of characters it contains. Basically, if the user's password contains capital letters, numbers and special characters, it takes approximately 4320 minutes to find one character. If it contains only lower case characters, the cracker needs about 4 minutes per character. If it has some numbers in it, 30 minutes are required for each character. And finally, if it contains numbers and upper case characters, it takes about 150 minutes to find a character. These numbers come from statistics the author has collected with L0phtcrack 5.04, a very popular password cracker.

Figure 14: the result of the password tester when the password is not a dictionary word.

4.5 The key logger
This is also a demonstration tool, which shows the user how this very basic hacking tool works. In order to avoid any installation requirement, a simple design with easy usage has been preferred over complex code similar to commercial key loggers, which would require manipulation by the user. So the program that has been included in the audit page has nothing to do with a real key logger except the concept.
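The password tester of section 4.4 can be reproduced from the figures given there, and the brute-force limit mentioned under 1.3.a can be set beside it. The following is an added example, not the thesis's applet: the word list is a constructed stand-in for mot.txt, the assignment of character mixes that the text does not enumerate is an assumption marked in the code, and the brute-force keyspace count goes beyond the thesis to show why its per-character model understates the effect of length.

```python
"""Password crack-time estimate in the style of the thesis's password tester.

Added example, not the thesis's Java applet. It applies the per-character
figures from the thesis (4, 30, 150 and 4320 minutes, measured by the author
with L0phtcrack 5.04) after a dictionary check, then adds a keyspace count
that the thesis does not compute.
"""
import string

# Minutes per character, from the thesis (L0phtcrack 5.04 measurements).
MINUTES_PER_CHAR = {
    "lower": 4,           # lower-case letters only
    "digits": 30,         # contains digits
    "digits_upper": 150,  # contains digits and upper-case letters
    "full": 4320,         # contains upper-case letters, digits and special characters
}

# Constructed stand-in for the online English word list (mot.txt).
SAMPLE_WORDLIST = {"password", "dragon", "monkey", "letmein", "sunshine"}

# Alphabet sizes used for the keyspace count; 32 covers the printable ASCII symbols.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}


def character_classes(pw):
    """Set of character classes present: lower, upper, digit, special."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def thesis_profile(pw):
    """Map the password's character mix onto one of the four thesis profiles."""
    cls = character_classes(pw)
    if "special" in cls:
        return "full"
    if "digit" in cls and "upper" in cls:
        return "digits_upper"
    if "digit" in cls:
        return "digits"
    if "upper" in cls:
        # Assumption: the thesis gives no figure for letters-only passwords with
        # capitals; this example treats them like the digit + upper-case profile.
        return "digits_upper"
    return "lower"


def estimate_crack_minutes(pw, wordlist=SAMPLE_WORDLIST):
    """Return (is_dictionary_word, estimated_minutes, profile) as the tester would."""
    if pw.lower() in wordlist:
        return True, 0, "dictionary"      # "only a few seconds" in the thesis
    profile = thesis_profile(pw)
    return False, MINUTES_PER_CHAR[profile] * len(pw), profile


def brute_force_keyspace(pw):
    """Number of candidates of the same length drawn from the classes the password uses."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(pw))
    return alphabet ** len(pw)


if __name__ == "__main__":
    for candidate in ("dragon", "rainfall", "Secret42", "Pa55w0rd!"):
        print(candidate, estimate_crack_minutes(candidate), brute_force_keyspace(candidate))
```

The contrast the keyspace count makes is the caveat a practitioner would attach to the tester: the thesis's estimate grows linearly with length (an eight-letter lower-case password costs 32 minutes, a sixteen-letter one 64), whereas the number of candidates an exhaustive search must try grows as 26 to the power of the length, so the tester is a demonstration aid rather than a measure of strength.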
The key logger program does not run in the background of the computer to capture every keystroke, but clearly asks the user to write a few words in a designated box of the audit page. When the user has written 10 characters, the Java program (code in appendix page 67) creates a socket connection to the key logger server (code in appendix page 66), and everything in this box is sent; the server then processes the data. Here, to give a quick demonstration to the user, the server sends the data back to the audit page, which displays it in a pop-up page.

Figure 15: the interface of the key logger, where the user is invited to write a few words in the indicated area.

Figure 16: the data returned by the key logger server, displaying what the user has written.

4.6 Explanation pages
As this security audit test has been designed for very novice computer users, it is very important to make them understand, with simple and clear words, what they are actually doing. So these explanation pages have three main functions: firstly, they tell users which element the audit tool tests and why it is important; secondly, they give details about how the tool works; and finally, they give advice to users if any problem is discovered. Each audit tool has explanation pages associated with it; in the MCQ, each question also has an explanation page which gives more detail and clarification about the question, allowing a better understanding. They are built with the HTML language and can be seen at the following address: http://dcool75.free.fr/test or in Appendix page 69.

4.7 Java requirement
To be able to run all these Java applet programs, it is necessary to have a Java J2SE runtime environment installed on the computer. Moreover, by default and for security reasons, the Java runtime environment has a very strict policy concerning Java applets.
They are not allowed to manipulate local files of the machine, to import data from any webpage, or to create connections to distant servers. So, to exploit the full possibilities of these audit tools, the user has to change the Java security policy manually. For that, at the beginning of the audit page, the user is invited to follow an instruction guide page to modify the Java policy file. Firstly, they have to access the Java security policy folder, which can be found at C:\Program Files\Java\jre1.5.0_04\lib\security. The “jre1.5.0_04” indicates the version of the Java runtime environment installed on the local computer, so it can be different on each computer. Then, the user should open the “java.policy” file with WordPad or an equivalent; this file contains the permissions granted to Java applications. The user has to add the following line:

permission java.security.AllPermission;

which gives all permissions to any Java application. Once the changes are made and saved, web browsers should be restarted to load the new security policy. After the audit, the user is asked to return the “java.policy” file to its previous state by erasing the added line. Otherwise, any Java application the user meets in the future will have all permissions on the computer, creating a security weakness.

4.8 Feedback and profiling
Users' feedback is an important element for program designers, who use it to bring improvements and bug fixes to their product. This project is no exception to the rule. At the bottom of the main audit HTML page, users can access a form page where they can give their opinion about the security audit they have just had. To obtain more accurate opinions, the form contains questions concerning different aspects of the security audit.

1. What is your age?
2. What is your profession?
3. What is your computer knowledge level?
4. Do you think this audit page contains relevant audit tools?
5.
What is your opinion about the interface of this page? 6. What do you think about the explanation pages associated to this page? 7. What is your overall impression about this security audit page? 8. Have you ever used any security audit programs? 9. If yes, what was this program? 10. What is your opinion by comparing these audit programs whit this security audit page you have just tested? 38 Based on this survey, it is possible to first of all figure out what type of user he/she is; secondly know the user’s opinion about the technique, graphical interface and the simplicity of the explanations; and finally discover the strength and weaknesses of the project comparing to other security audit programs. The results of the survey will be discussed in chapter 6. 39 Chapter 5 5.1 Achievement Achievement In the domain of security audit, there are already several commercial softwares, but here the author tried to design something different. The achievement of this project is the creation of an online webpage which contains some network security auditing programs in JAVA. To make them easy to use and to understand, each tool can be manipulated by the user via a JAVA applet interface which is composed of simple elements like buttons to launch the tool and text fields where the audit result will be displayed. The combination of these java applets and the texts which explain to the user how to use each audit tool allows this project to have a very intuitive Human Computer Interaction (HCI). The final security audit program of this project has been integrated in an online web page, when existing audit software require an installation on the computer it is testing. So the accessibility is far simpler, the users have just to go to this page in order to test the security of their computers. Another good point of this project is that it has been designed to be used by very novice users. 
Where existing audit software only runs its tests and reports a final result, this project's program explains clearly what is audited, why those elements were chosen, how the tests work, how to use the results and what the security risks are. The last important difference from other programs is that this project is commercially neutral. Many existing audit programs are designed by security software companies, and some make the result look worse than it really is to push people into buying their products; it is common to see a result such as "Your computer has a very high security risk; to fix the problem buy the following products of our company". This audit has no commercial purpose and always advises users to download free security programs.

5.2 Limitations

Implementing auditing programs in an online HTML page has advantages of ease of use, but also some technical limitations. First, the Java runtime environment that runs the audit code enforces a security policy. This policy prevents some of the project's audit tools (the port scanner, the antivirus tester and the key logger) from working, so the policy has to be changed before the audit starts; the steps are described in section 4.7. Second, an Internet connection is essential: the audit tools are loaded by the web browser from the audit web page, so nothing can happen if the user's computer cannot reach the Internet. That means a computer on a LAN (local area network) without Internet access cannot be audited. Finally, as this is the first version of the project, the author has written some fairly basic audit programs, which may not cover the whole network security domain.
To become as effective as some commercial security audit packages, the project should be taken up in the future and extended with more audit tools.

Chapter 6

6.1 Survey introduction

A survey has been added to the main audit page to collect users' opinions about this project and its programs. It does not contain a large number of questions, but it makes it possible to know whether the project has reached its main objectives. In addition, it provides an interesting comparison, from the user's point of view, between this audit program and commercial security audit software. As the project was designed to give novice computer users an easily understood audit program, the most relevant results come from users without much computing knowledge. The MCQ could also provide very interesting information; unfortunately nothing has been implemented to save users' answers. This can be added as a future improvement: with a database of users' answers it would be possible to analyse general user behaviour and pinpoint the domains in which users have serious security gaps.

6.2 Results

So far 24 people have tested the project's audit program and given feedback. Of these 24, 7 are novice computer users, 4 are intermediate and 13 consider themselves experts. Most are students, and the others do not have a profession directly related to IT.

Figure 17: breakdown of the users who tested this project (novice, intermediate, expert).

Do you think this audit page contains relevant audit tools?

19 users found the audit tools making up this project relevant; 5 did not answer the question.
For a first version, then, the audit tools appear to cover the main security risks.

What is your opinion about the interface of this page?

16 users found the interface of the audit web page clear, 5 found it poor and 3 gave no opinion. The interface should therefore be a key element to develop in the continuation of this project, to improve the human-computer interaction.

Figure 18: breakdown of opinions about the interface of the project (clear, poor, no opinion).

What do you think about the explanation pages associated with this page?

This question gave surprising feedback: 7 users found the explanation pages associated with each audit tool very clear, but the other 17 had no opinion. Furthermore, only 3 novice users gave an opinion, which probably means that the other 4 did not look at the pages at all.

What is your overall impression of this security audit page?

This is probably the most interesting question of the feedback, as users were asked for their overall opinion of the entire audit project. Of the 7 novice computer users, 3 had problems understanding and using the full capabilities of the audit tools. After investigation, it turned out that some of them had a firewall that blocked the client/server communication of the port scanner and the key logger, and others had not modified the Java security policy on their computer correctly. Most of the intermediate and expert users had no trouble using the programs, but they agreed that the Java security policy modification step acts as a brake that discourages continuing with the audit tests. The security issue was also raised: if they did not know the origin of the web page, most of them would not modify their Java security policy file.

Have you ever used any security audit programs?
10 users answered that they had already used security audit software and 14 had not.

If yes, what was this program?

Of the 10 users who had used such software, 2 named Nessus, 7 Microsoft Baseline Security Analyser (MBSA) and 4 GFI LANguard.

Figure 19: breakdown of the audit software already used (Nessus, MBSA, GFI LANguard).

What is your opinion when comparing those audit programs with the security audit page you have just tested?

For the last question, the 10 users were invited to compare the audit software they had used with this project. 9 of them agreed that this project is easier to use and understand than other audit software, 4 found it a very interesting idea to avoid any installation to run the audit, and 5 found the project less complete than commercial audit software.

Figure 20: breakdown of opinions comparing the project with existing audit programs (easier to use, interesting concept, not complete).

6.3 Analysis of the results

The survey results described above give a critical overview of this project. Some of the novice users questioned had not fully used the audit programs making up the project. That means the project has only partially reached one of its main aims, which is to create an audit accessible to everybody. As explained earlier, they could not use some tools because of their current settings (a router or firewall blocking the socket connection of some audit programs) and because they failed to change the Java security policy file. Allowing TCP connections to port 6001 (port scanner communication) and port 6002 (key-logger communication), and modifying the Java security policy file, are the two requirements for the project to run.
Even with clear explanations (text and screenshots) guiding users through these requirements, a few novice users did not succeed. Some vital improvements should therefore be made in the future to remove the need for these manual steps. The analysis of expert and intermediate users' feedback showed that they were able to use the audit programs without any technical problem. Most of them found the project simple to understand and easy to use compared with existing security audit software. It is therefore reasonable to say that the project has offered its users another vision of security audit programs. Finally, overall, users appreciated the ease of use of the project. They also liked some of its key concepts, such as being online with no installation required. It can be concluded that some of the choices made at the start of the project were right; favouring convenience over a complex but complete hardware audit tool was one of them.

Chapter 7

Improvements

The analysis of the survey points to several improvements that could be made to this project in the next steps. The Java policy file modification is certainly the main technical problem to solve for the next students who take up the project. Modifying a security setting of the user's computer by hand is not reassuring, especially for novice users who do not really know what they are doing and would rather skip the audit than embark on a complex manipulation. Unfortunately there is no way around the Java security policy as long as the audit programs are unsigned applets (signing them with a code-signing certificate is the usual alternative: the Java plug-in then asks the user once whether to trust the signer instead of requiring a hand edit of the policy file). The author recommends moving to another language such as PHP; note, however, that PHP runs on the web server and not in the browser, so it could host the network-side tests (the port scan and the key-logger echo) but cannot read or write files on the user's hard disk as the antivirus test does.
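The alternative to the global grant is to keep the AllPermission line but scope it to the codeBase the applets are loaded from. The class below is an added example, not part of the thesis or its code. It holds two constructed java.policy texts: the first reproduces what section 4.7 asks the user to add (an unscoped grant, here appended after an ordinary codeBase entry whose lib/ext path is assumed from the install location given in 4.7); the second is the scoped grant this editor would suggest, assuming the applets are only ever served from http://dcool75.free.fr/test (the URL given in section 4.6). findUnscopedAllPermission is a simple regex scan that flags any grant with no codeBase, signedBy or principal restriction and an AllPermission inside; it does not handle ${{...}} property expansion in codeBase values, which is an accepted limitation of the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Audits java.policy text for grants that hand AllPermission to code from any origin. */
public class PolicyAudit {

    // Constructed sample in java.policy syntax: one ordinary codeBase entry (path assumed
    // from section 4.7) followed by the unscoped grant the audit page asks the user to add.
    static final String THESIS_POLICY =
          "grant codeBase \"file:/C:/Program Files/Java/jre1.5.0_04/lib/ext/*\" {\n"
        + "    permission java.security.AllPermission;\n"
        + "};\n"
        + "grant {\n"
        + "    permission java.lang.RuntimePermission \"stopThread\";\n"
        + "    permission java.net.SocketPermission \"localhost:1024-\", \"listen\";\n"
        + "    permission java.security.AllPermission;\n"   // the line added for the audit
        + "};\n";

    // Suggested replacement (assumption: the audit applets are only loaded from
    // http://dcool75.free.fr/test): the same permission, limited to that codeBase.
    static final String SCOPED_POLICY =
          "grant codeBase \"http://dcool75.free.fr/test/-\" {\n"
        + "    permission java.security.AllPermission;\n"
        + "};\n";

    // One grant entry: optional header (codeBase / signedBy / principal) then a {...} body.
    // Deliberately simple: a ${{...}} inside a codeBase value would confuse it.
    private static final Pattern GRANT =
            Pattern.compile("grant\\b([^{]*)\\{([^}]*)\\}", Pattern.DOTALL);

    /** Bodies of every grant that gives AllPermission with no codeBase, signedBy or
     *  principal restriction, i.e. to all code from everywhere. */
    static List<String> findUnscopedAllPermission(String policy) {
        List<String> findings = new ArrayList<>();
        Matcher m = GRANT.matcher(policy);
        while (m.find()) {
            String header = m.group(1).trim();   // empty header => applies to all code
            String body = m.group(2);
            if (header.isEmpty() && body.contains("java.security.AllPermission")) {
                findings.add(body.trim());
            }
        }
        return findings;
    }

    static String verdict(String policy) {
        List<String> bad = findUnscopedAllPermission(policy);
        return bad.isEmpty()
                ? "OK: AllPermission is restricted by codeBase or signer (or not granted)"
                : "WEAK: " + bad.size() + " grant(s) give AllPermission to code from any origin";
    }

    public static void main(String[] args) {
        System.out.println("Policy from section 4.7 -> " + verdict(THESIS_POLICY));
        System.out.println("Scoped policy          -> " + verdict(SCOPED_POLICY));
    }
}
```

Compile and run with javac PolicyAudit.java and java PolicyAudit. The point for the audit page is that the scoped grant gives the tools what they need (file access for the antivirus test, sockets for the scanner and the key logger) without leaving every other applet on the Internet with full permissions if the user forgets to undo the edit; the same checker, pointed at the real lib\security\java.policy, is the "did you restore the file" test the page currently leaves to the user's memory.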
Another possibility is to create a Visual Basic script or a C++ executable that modifies the Java policy file automatically when the user opens the audit page. That approach has an obvious drawback: it asks users to run an executable downloaded from a web page, which is exactly the behaviour the MCQ warns them against.

Explanation pages were an important part of this project, but according to the feedback only a few users looked at them. Simple hyperlinks may not be the best way to encourage users to read them. Graphical elements or animations could be developed to draw users' attention to them; for instance, with some Flash code the content of the explanation pages could be displayed when the user's cursor is over certain key words.

Among the audit programs in this project, the port scanner is probably the most time-consuming test: a complete scan of the computer takes about fifteen to twenty minutes. One solution to reduce this time would be to add multithreading to the scanner code on the server side. Instead of a single thread scanning all the ports, several threads would share the job, and the time needed for the complete test would be divided by roughly the number of threads.

As some users said in the feedback, this audit project is simple and easy to use but may not be very complete compared with some commercial software. Integrating new audit programs would be an interesting step for the future development of the project, to make it more competitive with commercial security audit software. For instance, taking inspiration from Microsoft Baseline Security Analyser, an update analyser could be added that compares the patch level of Microsoft products (Microsoft Windows, Microsoft Office, Microsoft Internet Explorer) with the latest versions published on the Microsoft web site.
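The multithreaded server-side scanner suggested above, written out as an added example; this is not the project's code and is not a drop-in replacement for PortScanv2, which returns its result through an array. Each port probe is a Callable on a fixed thread pool; the open ports are collected from the Futures and sorted. The main method assumes a loopback target and the range 1-1024 purely so that it runs stand-alone; in the project the target would remain the address of the client that connected, as in A.1, so that the server cannot be used as a scanning proxy against third parties.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

/** TCP connect scan spread over a pool of worker threads (the Chapter 7 suggestion). */
public class ParallelPortScan {

    /** True if a TCP connection to host:port completes within timeoutMs. */
    static boolean isOpen(InetAddress host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return true;
        } catch (IOException e) {          // refused, timed out or unreachable
            return false;
        }
    }

    /** Scans [startPort, endPort] with the given number of threads; returns open ports sorted. */
    static List<Integer> scan(InetAddress host, int startPort, int endPort,
                              int timeoutMs, int threads) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        List<Future<Integer>> pending = new ArrayList<>();
        try {
            for (int p = startPort; p <= endPort; p++) {
                final int port = p;
                // Each task probes one port and reports it back, or -1 if closed.
                pending.add(pool.submit((Callable<Integer>) () ->
                        isOpen(host, port, timeoutMs) ? port : -1));
            }
            List<Integer> open = new ArrayList<>();
            for (Future<Integer> f : pending) {
                try {
                    int port = f.get();
                    if (port > 0) open.add(port);
                } catch (ExecutionException e) {
                    // an unexpected error in one probe must not abort the whole scan
                }
            }
            Collections.sort(open);
            return open;
        } finally {
            pool.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        // As in the thesis, the server only ever scans the client that connected to it;
        // here the loopback address stands in for that client (assumption for the demo).
        InetAddress target = InetAddress.getByName("127.0.0.1");
        int threads = 64;
        long t0 = System.currentTimeMillis();
        List<Integer> open = scan(target, 1, 1024, 200, threads);
        long ms = System.currentTimeMillis() - t0;
        System.out.println("open ports on " + target.getHostAddress() + ": " + open
                + " (" + threads + " threads, " + ms + " ms)");
    }
}
```

The per-port cost is dominated by the timeout whenever a firewall silently drops the connection attempt, which is why a single-threaded pass over 65535 ports takes so long; with N threads the wall time falls roughly by N until the operating system's limit on open sockets, or the user's personal firewall treating the burst as an attack (the same firewalls that blocked novice users in the survey), gets in the way. A pool of a few dozen threads is therefore a more realistic choice than one thread per port.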
Conclusion

By studying existing security audit programs, this research identified some key issues that could be improved for very novice computer users, in terms of understanding and of the manipulations required. This project has developed an online web page containing a set of security audit tools and clear explanatory texts. It gives novice users a simpler overview of their computers' security through technical audits and an assessment of their behaviour. Moreover, the research gives end users the possibility of a better understanding of computer security, thanks to explanatory texts that describe in detail each security element covered in the audit web page. It would be very interesting if this project could be taken up again by next year's students, in order to make it technically more complete and competitive with existing commercial audit programs.

References

ATK: Attack Tool Kit (2005), http://www.computec.ch/projekte/atk/, accessed September 2005.

Kozierok, Charles M. (2004), TCP common applications and server port assignments, http://www.tcpipguide.com/free/t_TCPCommonApplicationsandServerPortAssignments.htm, accessed September 2005.

Dr. K (2000 B), 'Introduction to hacking' in A Complete Hacker's Handbook, Carlton Books, GB, pages 8-9.

EICAR Online (May 2003), The Anti-Virus Test File, http://www.eicar.org/anti_virus_test_file.htm#dl, accessed August 2005.

Firewall-net website, www.firewall-net.com, accessed November 2004.

Garfinkel, Simson, Spafford, Gene and Schwartz, Alan (2003), 'Clogging' in Practical UNIX and Internet Security, O'Reilly, pages 792-793.

GFI (2005), http://www.gfi.com/lannetscan/, accessed September 2005.

Gollmann, Dieter (1999 A), 'Sniffing and Spoofing' in Computer Security, Wiley, pages 226-227.

Gollmann, Dieter (1999 B), 'Firewalls' in Computer Security, Wiley, pages 237-240.

Linux World website (2004), 'Dan O'Dowd Reminds World of UNIX Creator Ken Thompson's Security Stunt', http://www.linuxworld.com/story/44468_p.htm, accessed November 2004.

Microsoft (2005), Microsoft Baseline Security Analyzer, http://www.microsoft.com/technet/security/tools/mbsahome.mspx, accessed March 2005.

Nessus (2005), www.nessus.com/about/, accessed September 2005.

Pinkney, Grahem (Symantec), lecture material on network security, lecture given on 7 December 2004 at the University of Plymouth.

Poole, Owen (2003 A), 'Port scanners' in Network Security: A Practical Guide, Computer Weekly Professional Series, pages 62-64.

Poole, Owen (2003 B), 'Denial of service' in Network Security: A Practical Guide, Computer Weekly Professional Series, pages 45-46.

Oppliger, Rolf (1999), 'Executable content: JavaScript, DirectX' in Security Technologies for the World Wide Web, Artech House Computer Security Series, pages 248-271.

Russell, Deborah and Gangemi, G.T. Sr. (1992 A), 'Computer System Security and Access Control' in Computer Security Basics, O'Reilly & Associates, page 60.

Russell, Deborah and Gangemi, G.T. Sr. (1992 B), 'Introduction' in Computer Security Basics, O'Reilly & Associates, GB, pages 4-5.

Stajano, Frank (2002), 'Computer Security' in Security for Ubiquitous Computing, Wiley, GB, pages 60, 69, 75.

Sygate (2005), Sygate Online Services, http://scan.sygatetech.com/, accessed September 2005.

US Department of Homeland Security website (May 2002), Password Protection 101, http://www.nipc.gov/publications/nipcpub/password.htm, accessed November 2004.

VIAS Encyclopedia (2004), Most important TCP ports, http://www.vias.org/encyclopedia/tcp_importantports.html, accessed August 2005.

Appendix A.
Codes

A.1 Server:

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

public class server {
    public static void main(String[] args) throws IOException {
        new SimpleServer(6001);
    }
}

// Scanner back end: accepts one client at a time on port 6001, scans the
// address the client connected from, and returns the list of open ports.
class SimpleServer {
    ServerSocket sock;
    Socket conn;

    SimpleServer(int port) throws IOException {
        sock = new ServerSocket(port);
        System.out.println("started on port " + port);
        while (true) {
            try {
                conn = sock.accept();
                InetAddress addr = conn.getInetAddress();
                System.out.println("address: " + addr);
                String namehost = addr.getHostName();
                System.out.println(namehost);
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(conn.getInputStream()));
                PrintWriter out = new PrintWriter(new BufferedWriter(
                        new OutputStreamWriter(conn.getOutputStream())), true);
                String message = in.readLine();
                System.out.println(message);
                // Only the connecting client is ever scanned: the target is the
                // address the connection came from, not an address chosen by the client.
                if ("Quick".equals(message)) {
                    PortScanv2Quick ps = new PortScanv2Quick(namehost, addr);
                    out.println(report(ps.Ports));
                } else if ("Long".equals(message)) {
                    PortScanv2 ps = new PortScanv2(1, 65535, namehost, addr);
                    out.println(report(ps.Ports));
                }
                in.close();
                out.close();
                conn.close();
            } catch (Exception e) {
                System.out.println("error: " + e);
            }
            // The original called System.exit(1) here, which stopped the server after
            // its first client; it has been removed so that the loop keeps serving.
        }
    }

    // Formats the open ports (packed at the front of the array, 0 marks the end).
    static String report(int[] ports) {
        StringBuilder po = new StringBuilder("your open ports are: ");
        boolean any = false;
        for (int p : ports) {
            if (p == 0) break;
            po.append(p).append(",");
            any = true;
        }
        return any ? po.toString() : "you have no open port";
    }
}

A.2 Portscan:

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;

// Full TCP connect scan of one host, one port at a time.
class PortScanv2 {
    Socket sock;
    int startPort, endPort;
    int[] Ports = new int[65535];   // open ports, packed from index 0; 0 marks the end
    int timeout;
    InetAddress hostAddress;
    String host;

    PortScanv2(int startPort, int endPort, String host, InetAddress hostAddress) {
        this.startPort = startPort;
        this.endPort = endPort;
        this.host = host;
        timeout = 100;   // ms per connection attempt
        try {
            this.hostAddress = InetAddress.getByName(host);
        } catch (Exception e) {
            this.hostAddress = hostAddress;   // fall back to the address the server saw
        }
        int i = 0;
        for (int currentPort = startPort; currentPort <= endPort; currentPort++) {
            boolean open = false;
            sock = new Socket();
            try {
                sock.connect(new InetSocketAddress(this.hostAddress, currentPort), timeout);
                open = true;
                System.out.println("port opened " + currentPort);
            } catch (IOException e) {
                System.out.println("port closed " + currentPort);
            } finally {
                try { sock.close(); } catch (IOException e) { }
            }
            if (open) {
                Ports[i++] = currentPort;
            }
        }
        for (int p : Ports) {
            if (p != 0) System.out.println(p);
        }
    }
}

A.3 Quick port scan:

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;

// Scan of a short list of well-known ports with a longer per-port timeout.
class PortScanv2Quick {
    Socket sock;
    int[] quick = {257, 7, 13, 18, 20, 21, 22, 23, 25, 31, 37, 42, 43, 53, 63, 70, 79, 80,
                   110, 113, 118, 119, 137, 138, 139, 201, 202, 204, 206, 213, 220};
    int[] Ports = new int[31];      // open ports, packed from index 0; 0 marks the end
    String host;
    int timeout;
    InetAddress hostAddress;

    PortScanv2Quick(String host, InetAddress hostAddress) {
        this.host = host;
        timeout = 400;   // ms per connection attempt
        try {
            this.hostAddress = InetAddress.getByName(host);
        } catch (Exception e) {
            this.hostAddress = hostAddress;
        }
        int i = 0;
        for (int port : quick) {
            boolean open = false;
            sock = new Socket();
            try {
                sock.connect(new InetSocketAddress(this.hostAddress, port), timeout);
                open = true;
                System.out.println("port opened " + port);
            } catch (IOException e) {
                System.out.println("port closed " + port);
            } finally {
                try { sock.close(); } catch (IOException e) { }
            }
            if (open) {
                Ports[i++] = port;
            }
        }
    }
}

A.4 Portscan CLI:

import java.applet.Applet;
import java.awt.Button;
import java.awt.TextField;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;

// Applet front end of the port scanner. The address field holds the scanner
// server (the default is the author's server), not the machine to be scanned.
public class portscanCLI extends Applet implements ActionListener {
    Button bouton1 = new Button("Long Port Scan");
    Button bouton2 = new Button("Quick Port Scan");
    TextField address = new TextField("81.57.31.43", 20);
    TextField scannresult = new TextField("", 30);
    String conaddress;

    public void init() {
        add(address);
        add(bouton1);
        add(bouton2);
        add(scannresult);
        bouton1.addActionListener(this);
        bouton2.addActionListener(this);
    }

    public void actionPerformed(ActionEvent event) {
        conaddress = address.getText();
        client c = new client();
        System.out.println(conaddress);
        scannresult.setText("please wait during the scan");
        repaint();
        // The call blocks the event thread until the server has finished scanning.
        if (event.getSource() == bouton1) {
            c.connection(conaddress, 6001);
        } else if (event.getSource() == bouton2) {
            c.connectionquick(conaddress, 6001);
        }
        scannresult.setText("" + c.scanresult);
        repaint();
    }
}

A.5 Client:

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;

// Applet-side client: sends "Long" or "Quick" to the scanner server and keeps
// the one-line reply in scanresult.
public class client {
    static int port;
    static String host;
    static Socket conn;
    public static String scanresult;

    public void connection(String address, int port) {
        exchange(address, port, "Long");
    }

    public void connectionquick(String address, int port) {
        exchange(address, port, "Quick");
    }

    private void exchange(String address, int port, String message) {
        host = address;
        try {
            conn = new Socket(host, port);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream()));
            PrintWriter out = new PrintWriter(new BufferedWriter(
                    new OutputStreamWriter(conn.getOutputStream())), true);
            out.println(message);
            scanresult = in.readLine();   // blocks until the server finishes scanning
            System.out.println(message);
            out.println("END");
            in.close();
            out.close();
            conn.close();
        } catch (Exception e) {
            // An applet may not call System.exit(); report the failure instead.
            scanresult = "error: " + e;
            System.out.println("error: " + e);
        }
    }
}

A.6 Test virus:

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;

// Writes the EICAR test string to c:\eicar.exe; a working antivirus should
// react immediately. The file is harmless and is removed again by efface().
public class testvirus {
    File f = new File("c:\\eicar.exe");

    void ecrire() {
        try {
            PrintWriter out = new PrintWriter(new BufferedWriter(new FileWriter(f)));
            // Standard EICAR string (the backslash is escaped for the Java literal).
            out.println("X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*");
            System.out.println("done");
            out.close();
        } catch (IOException e) {
            System.out.println(e.toString());
        }
    }

    void efface() {
        f.delete();
        System.out.println("file erased");
    }
}

A.7 Test virus CLI:

import java.applet.Applet;
import java.awt.Button;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;

public class testvirusCLI extends Applet implements ActionListener {
    Button bouton4 = new Button("Antivirus Test");
    Button bouton5 = new Button("erase the antivirus test file");

    public void init() {
        add(bouton4);
        add(bouton5);
        bouton4.addActionListener(this);
        bouton5.addActionListener(this);
    }

    public void actionPerformed(ActionEvent event) {
        testvirus tv = new testvirus();
        if (event.getSource() == bouton4) {
            tv.ecrire();
        } else if (event.getSource() == bouton5) {
            tv.efface();
        }
    }
}

A.8 Password:

import java.applet.Applet;
import java.awt.Button;
import java.awt.TextField;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.URL;

// Password test: first a dictionary lookup against a word list on the audit
// site, then a rough cracking-time estimate from the character classes used.
public class passV2 extends Applet implements ActionListener {
    String pw;
    TextField passw = new TextField("enter a password", 20);
    TextField time = new TextField("", 60);
    Button bouton = new Button("test your password");

    public void init() {
        add(passw);
        add(bouton);
        add(time);
        bouton.addActionListener(this);
    }

    public void actionPerformed(ActionEvent event) {
        if (event.getSource() != bouton) return;
        pw = passw.getText();
        int longueur = pw.length();
        // Strings are compared with equals(), not ==.
        if (pw == null || pw.equals("enter a password") || longueur == 0) {
            time.setText("please enter a password");
            repaint();
            return;
        }
        boolean test = dico(pw);
        System.out.println(test);
        if (test) {
            time.setText("your password is a dictionary word or similar; it took a few seconds to crack it");
        } else {
            try {
                byte[] word = pw.getBytes("ASCII");
                int count = comparer(word, longueur);
                time.setText("it will take approximately less than " + count
                        + " minutes to crack your password.");
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
        }
        repaint();
    }

    // Counts lower-case, upper-case, digit and other printable ASCII characters and
    // maps the mix to the author's estimate in minutes. Mixes not listed below
    // (for example digits only) are not covered and return 0.
    private int comparer(byte[] word, int longueur) {
        int min = 0, maj = 0, cara = 0, chiffre = 0;
        for (int i = 0; i < longueur; i++) {
            int c = word[i];
            if (c >= 48 && c <= 57) chiffre++;            // 0-9
            else if (c >= 97 && c <= 122) min++;          // a-z
            else if (c >= 65 && c <= 90) maj++;           // A-Z
            else if (c >= 33 && c <= 126) cara++;         // other printable ASCII
        }
        int tmp = 0;
        if (maj != 0 && min != 0 && chiffre != 0 && cara != 0) tmp = longueur * 4320;
        if (maj == 0 && min != 0 && chiffre == 0 && cara == 0) tmp = longueur * 4;
        if (maj == 0 && min != 0 && chiffre != 0 && cara == 0) tmp = longueur * 30;
        if (maj != 0 && min != 0 && chiffre != 0 && cara == 0) tmp = longueur * 150;
        return tmp;
    }

    // True if the word appears, one entry per line, in the word list served by the audit site.
    public boolean dico(String mot) {
        boolean med = false;
        try {
            URL u = new URL(getDocumentBase(), "http://dcool75.free.fr/mot.txt");
            BufferedReader dis = new BufferedReader(new InputStreamReader(u.openStream()));
            String ligne = dis.readLine();
            while (ligne != null) {
                if (mot.equals(ligne)) med = true;
                ligne = dis.readLine();
            }
            dis.close();
        } catch (Exception e) {
            System.out.println("word list unavailable: " + e);
        }
        return med;
    }
}

A.9 MCQ:

import java.applet.Applet;
import java.awt.Button;
import java.awt.Checkbox;
import java.awt.CheckboxGroup;
import java.awt.Color;
import java.awt.Label;
import java.awt.TextField;
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import java.awt.event.ItemEvent;
import java.awt.event.ItemListener;

// Behaviour questionnaire: each answer adds to "risk", and the total is mapped
// to one of the three messages lvl1..lvl3.
public class Mcq2 extends Applet implements ItemListener, ActionListener {
    int risk = 0;
    Checkbox Q1Y, Q1N, Q2Y, Q2N, Q3Y, Q3N, Q4Y, Q4N, Q5Y, Q5N, Q6Y, Q6N, Q7Y, Q7N, Q8Y, Q8N,
             Q9Y, Q9N, Q10Y, Q10N, Q11Y, Q11N, Q12Y, Q12N, Q13Y, Q13N, Q14Y, Q14N, Q15Y, Q15N,
             Q16W, Q16M, Q16L, Q17A, Q17B, Q17C, Q17D, Q18Y, Q18N, Q19Y, Q19N;
    // (the original declared bouton28 a second time, which does not compile; removed)
    Button bouton, bouton1, bouton2, bouton3, bouton4, bouton5, bouton6, bouton7, bouton8,
           bouton9, bouton10, bouton11, bouton12, bouton13, bouton14, bouton15, bouton16,
           bouton17, bouton18, bouton19, bouton20, bouton21, bouton22, bouton23, bouton24,
           bouton25, bouton26, bouton27, bouton28, bouton29, bouton30, bouton31, bouton32,
           bouton33, bouton34, bouton35, bouton36, bouton37, bouton38, bouton39, bouton40,
           bouton41;
    int counter = 0;
    // Process r = Runtime.getRuntime();
    CheckboxGroup Q1 = new CheckboxGroup(), Q2 = new CheckboxGroup(), Q3 = new CheckboxGroup(),
                  Q4 = new CheckboxGroup(), Q5 = new CheckboxGroup(), Q6 = new CheckboxGroup(),
                  Q7 = new CheckboxGroup(), Q8 = new CheckboxGroup(), Q9 = new CheckboxGroup(),
                  Q10 = new CheckboxGroup(), Q11 = new CheckboxGroup(), Q12 = new CheckboxGroup(),
                  Q13 = new CheckboxGroup(), Q14 = new CheckboxGroup(), Q15 = new CheckboxGroup(),
                  Q16 = new CheckboxGroup(), Q17 = new CheckboxGroup(), Q18 = new CheckboxGroup(),
                  Q19 = new CheckboxGroup(), Q20 = new CheckboxGroup();
    TextField t = new TextField("", 20);
    String lvl1 = "Your computer and your behaviour have a low risk";
    String lvl2 = "Your computer and your behaviour are not very risky, but there are some dangerous elements";
    String lvl3 = "Your computer has a high security risk; you should improve it and change your behaviour";
    String emsg = "you have not completed the MCQ";

    public void start() {
        setSize(543, 604);
        setBackground(Color.lightGray);

        Label Question1 = new Label(" Do you have a firewall installed on your computer ? ");
        Question1.setAlignment(Label.LEFT);
        add(Question1);
        add(Q1Y = new Checkbox("yes", Q1, false)); add(Q1N = new Checkbox("No", Q1, false));
        Q1Y.addItemListener(this); Q1N.addItemListener(this);

        Label Question2 = new Label(" If yes, do you think it is configured properly ? ");
        Question2.setAlignment(Label.LEFT);
        add(Question2);
        add(Q2Y = new Checkbox("yes", Q2, false)); add(Q2N = new Checkbox("No", Q2, false));
        Q2Y.addItemListener(this); Q2N.addItemListener(this);

        Label Question3 = new Label(" Do you have an antivirus installed on your computer ? ");
        Question3.setAlignment(Label.LEFT);
        add(Question3);
        add(Q3Y = new Checkbox("yes", Q3, false)); add(Q3N = new Checkbox("No", Q3, false));
        Q3Y.addItemListener(this); Q3N.addItemListener(this);

        Label Question4 = new Label(" Is your antivirus program up to date ? ");
        Question4.setAlignment(Label.LEFT);
        add(Question4);
        add(Q4Y = new Checkbox("yes", Q4, false)); add(Q4N = new Checkbox("No", Q4, false));
        Q4Y.addItemListener(this); Q4N.addItemListener(this);

        Label Question5 = new Label(" Do you frequently update your computer's software components ? ");
        Question5.setAlignment(Label.LEFT);
        add(Question5);
        add(Q5Y = new Checkbox("yes", Q5, false)); add(Q5N = new Checkbox("No", Q5, false));
        Q5Y.addItemListener(this); Q5N.addItemListener(this);

        Label Question6 = new Label(" Do you have an anti-spyware tool ? ");
        Question6.setAlignment(Label.LEFT);
        add(Question6);
        add(Q6Y = new Checkbox("yes", Q6, false)); add(Q6N = new Checkbox("No", Q6, false));
        Q6Y.addItemListener(this); Q6N.addItemListener(this);

        Label Question7 = new Label(" Do you use a password to access your machine ? ");
        Question7.setAlignment(Label.LEFT);
        add(Question7);
        add(Q7Y = new Checkbox("yes", Q7, false)); add(Q7N = new Checkbox("No", Q7, false));
        Q7Y.addItemListener(this); Q7N.addItemListener(this);

        Label Question8 = new Label(" Is your password a dictionary word ? ");
        Question8.setAlignment(Label.LEFT);
        add(Question8);
        add(Q8Y = new Checkbox("yes", Q8, false)); add(Q8N = new Checkbox("No", Q8, false));
        Q8Y.addItemListener(this); Q8N.addItemListener(this);

        Label Question9 = new Label(" Do you change your password regularly ? ");
        Question9.setAlignment(Label.LEFT);
        add(Question9);
        add(Q9Y = new Checkbox("yes", Q9, false)); add(Q9N = new Checkbox("No", Q9, false));
        Q9Y.addItemListener(this); Q9N.addItemListener(this);

        Label Question10 = new Label(" Do you verify the security level of web pages you visit ? ");
        Question10.setAlignment(Label.LEFT);
        add(Question10);
        add(Q10Y = new Checkbox("yes", Q10, false)); add(Q10N = new Checkbox("No", Q10, false));
        Q10Y.addItemListener(this); Q10N.addItemListener(this);

        Label Question11 = new Label(" Do you download files from unknown sources ? ");
        Question11.setAlignment(Label.LEFT);
        add(Question11);
        add(Q11Y = new Checkbox("yes", Q11, false)); add(Q11N = new Checkbox("No", Q11, false));
        Q11Y.addItemListener(this); Q11N.addItemListener(this);

        Label Question12 = new Label(" Do you use any peer-to-peer software ? ");
        Question12.setAlignment(Label.LEFT);
        add(Question12);
        add(Q12Y = new Checkbox("yes", Q12, false)); add(Q12N = new Checkbox("No", Q12, false));
        Q12Y.addItemListener(this); Q12N.addItemListener(this);

        Label Question13 = new Label(" Do you leave any personal information on the net ? ");
        Question13.setAlignment(Label.LEFT);
        add(Question13);
        add(Q13Y = new Checkbox("yes", Q13, false)); add(Q13N = new Checkbox("No", Q13, false));
        Q13Y.addItemListener(this); Q13N.addItemListener(this);

        Label Question15 = new Label(" Have you ever configured Internet access parameters ? ");
        Question15.setAlignment(Label.LEFT);
        add(Question15);
        add(Q15Y = new Checkbox("yes", Q15, false)); add(Q15N = new Checkbox("No", Q15, false));
        Q15Y.addItemListener(this); Q15N.addItemListener(this);

        Label Question14 = new Label(" Do you have any software of unknown or illegal origin on your PC ? ");
        Question14.setAlignment(Label.LEFT);
        add(Question14);
        add(Q14Y = new Checkbox("yes", Q14, false)); add(Q14N = new Checkbox("No", Q14, false));
        Q14Y.addItemListener(this); Q14N.addItemListener(this);

        Label Question16 = new Label(" Are you using Windows, Mac or Linux ? ");
        Question16.setAlignment(Label.LEFT);
        add(Question16);
        add(Q16W = new Checkbox("Windows", Q16, false));
        add(Q16M = new Checkbox("Mac", Q16, false));
        add(Q16L = new Checkbox("Linux", Q16, false));
        Q16W.addItemListener(this); Q16M.addItemListener(this); Q16L.addItemListener(this);

        Label Question17 = new Label(" How long do you spend online every month ? ");
        Question17.setAlignment(Label.LEFT);
        add(Question17);
        add(Q17A = new Checkbox("0h - 10H ", Q17, false));
        add(Q17B = new Checkbox("10H - 50H", Q17, false));
        Label trou = new Label(" ");   // spacer so the last two options wrap to the next row
        add(trou);
        add(Q17C = new Checkbox("50H - 200H", Q17, false));
        add(Q17D = new Checkbox("+ 200H", Q17, false));
        Q17A.addItemListener(this); Q17B.addItemListener(this);
        Q17C.addItemListener(this); Q17D.addItemListener(this);

        Label Question18 = new Label();
        Question18.setText(" Do you share any files on Internet ?
"); Question18.setAlignment(Label.LEFT); add(Question18); add(Q18Y= new Checkbox("Yes", Q18, false));add(Q18N= new Checkbox("No", Q18, false)); Q18Y.addItemListener(this); Q18N.addItemListener(this); Label Question19 = new Label(); Question19.setText(" Do you regulary process to the storage of your data ? "); Question19.setAlignment(Label.LEFT); add(Question19); add(Q19Y= new Checkbox("Yes", Q19, false));add(Q19N= new Checkbox("No", Q19, false)); Q19Y.addItemListener(this); Q19N.addItemListener(this); add (bouton28 = new Button("MCQ completed")); add(t); bouton28.addActionListener(this); } public void itemStateChanged(ItemEvent e) { counter++; System.out.println(""+counter); } public void actionPerformed(ActionEvent event) { if(event.getSource()== bouton28) { risk = 0; if (Q1.getCurrent()==Q1Y) { risk = risk+0; System.out.println(" "+risk); } if (Q1.getCurrent()==Q1N) { risk = risk +3; System.out.println(" "+risk); } if (Q2.getCurrent()==Q2Y) { risk = risk +0; 63 System.out.println(" "+risk); } if (Q2.getCurrent()==Q2N) { risk = risk +1; System.out.println(" "+risk); } if (Q3.getCurrent()==Q3Y) { risk = risk +0; System.out.println(" "+risk); } if (Q3.getCurrent()==Q3N) { risk = risk +3; System.out.println(" "+risk); } if (Q4.getCurrent()==Q4Y) { risk = risk +0; System.out.println(" "+risk); } if (Q4.getCurrent()==Q4N) { risk = risk +2; System.out.println(" "+risk); } if (Q5.getCurrent()==Q5Y) { risk = risk +0; System.out.println(" "+risk); } if (Q5.getCurrent()==Q5N) { risk = risk +3; System.out.println(" "+risk); } if (Q6.getCurrent()==Q6Y) { risk = risk +0; System.out.println(" "+risk); } if (Q6.getCurrent()==Q6N) { risk = risk +1; System.out.println(" "+risk); } if (Q7.getCurrent()==Q7Y) { risk = risk +0; System.out.println(" "+risk); } if (Q7.getCurrent()==Q7N) { risk = risk +3; System.out.println(" "+risk); } if (Q8.getCurrent()==Q8Y) { risk = risk +1; System.out.println(" "+risk); } if (Q8.getCurrent()==Q8N) { risk = risk +0; System.out.println(" "+risk); } 
            if (Q9.getCurrent() == Q9Y) { risk += 0; System.out.println(" " + risk); }
            if (Q9.getCurrent() == Q9N) { risk += 1; System.out.println(" " + risk); }
            if (Q10.getCurrent() == Q10Y) { risk += 0; System.out.println(" " + risk); }
            // The original listing tested Q10Y twice, so a "No" answer to question 10 was never counted
            if (Q10.getCurrent() == Q10N) { risk += 1; System.out.println(" " + risk); }
            if (Q11.getCurrent() == Q11Y) { risk += 3; System.out.println(" " + risk); }
            if (Q11.getCurrent() == Q11N) { risk += 0; System.out.println(" " + risk); }
            if (Q12.getCurrent() == Q12Y) { risk += 1; System.out.println(" " + risk); }
            if (Q12.getCurrent() == Q12N) { risk += 0; System.out.println(" " + risk); }
            if (Q13.getCurrent() == Q13Y) { risk += 1; System.out.println(" " + risk); }
            if (Q13.getCurrent() == Q13N) { risk += 0; System.out.println(" " + risk); }
            if (Q14.getCurrent() == Q14Y) { risk += 1; System.out.println(" " + risk); }
            if (Q14.getCurrent() == Q14N) { risk += 0; System.out.println(" " + risk); }
            if (Q15.getCurrent() == Q15Y) { risk += 0; System.out.println(" " + risk); }
            if (Q15.getCurrent() == Q15N) { risk += 1; System.out.println(" " + risk); }
            // Operating system: Windows is weighted highest, Linux lowest (see B.2.ix)
            if (Q16.getCurrent() == Q16W) { risk += 3; System.out.println(" " + risk); }
            if (Q16.getCurrent() == Q16M) { risk += 2; System.out.println(" " + risk); }
            if (Q16.getCurrent() == Q16L) { risk += 1; System.out.println(" " + risk); }
            // Time spent online per month: more exposure, more risk
            if (Q17.getCurrent() == Q17A) { risk += 0; System.out.println(" " + risk); }
            if (Q17.getCurrent() == Q17B) { risk += 1; System.out.println(" " + risk); }
            if (Q17.getCurrent() == Q17C) { risk += 2; System.out.println(" " + risk); }
            if (Q17.getCurrent() == Q17D) { risk += 3; System.out.println(" " + risk); }
            if (Q18.getCurrent() == Q18Y) { risk += 2; System.out.println(" " + risk); }
            if (Q18.getCurrent() == Q18N) { risk += 0; System.out.println(" " + risk); }
            if (Q19.getCurrent() == Q19Y) { risk += 0; System.out.println(" " + risk); }
            if (Q19.getCurrent() == Q19N) { risk += 1; System.out.println(" " + risk); }
            // Only display the result once every question has been answered
            if (counter >= 19) {
                calcul();
            } else {
                t.setText("" + emsg);
            }
        }
    }

    // Display the score; the three risk bands are left commented out as in the original
    public void calcul() {
        t.setText("your score is:" + risk);
        /*
        if (risk <= 5) { t.setText("" + lvl1); }
        if (risk > 5 && risk <= 10) { t.setText("" + lvl2); }
        if (risk > 10) { t.setText("" + lvl3); }
        */
    }
}

A.10 Key logger server:

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;

public class serverkey {

    public static void main(String[] args) throws IOException {
        serverkey sk = new serverkey();
    }

    serverkey() {
        ServerSocket sock;
        Socket conn;
        try {
            // Wait for the demonstration applet to connect on port 6003
            sock = new ServerSocket(6003);
            System.out.println("server launched");
            while (true) {
                conn = sock.accept();
                InetAddress addr = conn.getInetAddress();
                System.out.println("connection etablie");
                System.out.println(addr);
                // Read the single line of text the applet captured
                BufferedReader in = new BufferedReader(
                        new InputStreamReader(conn.getInputStream()));
                String keylogg = in.readLine();
                System.out.println(keylogg);
                // Send it back prefixed with the server's address, so that the
                // explanation page can show the user what the server received
                String donne = "Retransmitted from the server 81.57.31.43 ";
                donne = donne + keylogg;
                PrintWriter out = new PrintWriter(new BufferedWriter(
                        new OutputStreamWriter(conn.getOutputStream())), true);
                out.println(donne);
                conn.close();
            }
        } catch (Exception e) {
            System.out.println("error: " + e);
            System.exit(1);
        }
    }
}

A.11 Keylogger CLI:

import java.awt.*;
import java.awt.event.*;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.Socket;
import javax.swing.JFrame;
import javax.swing.JLabel;

public class clavier extends java.applet.Applet implements KeyListener {
    String med, med1, keylog;
    String S = "";       // characters typed so far
    String m = "";
    Socket conn;
    boolean nb = true;   // still recording keystrokes?

    public void paint(Graphics g) {
        g.drawString("write a few words", 10, 30);
        g.drawString(S, 10, 60);
        // g.drawString(m, 10, 90);
    }

    public void init() {
        addKeyListener(this);
    }

    public void start() {
        requestFocus();
    }

    // Record each key pressed in the applet; after 20 characters, send them to the server
    public void keyPressed(KeyEvent evt) {
        if (nb == true) {
            char Caract = evt.getKeyChar();
            if (S.length() < 20) {
                // Ignore keys that produce no character (Shift, arrows, ...): the original
                // compared against 0, which never matches KeyEvent.CHAR_UNDEFINED
                if (Caract != KeyEvent.CHAR_UNDEFINED) {
                    S = S + Caract;
                    repaint();
                }
            }
            if (S.length() == 20) {
                nb = false;
                System.out.println("20 lettres");
                try {
                    keylog = envoie(S);
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

    // Send the recorded text to the server and display what the server sends back
    public String envoie(String log) throws IOException {
        this.med = log;
        try {
            conn = new Socket("81.57.31.43", 6003);
            PrintWriter out = new PrintWriter(new BufferedWriter(
                    new OutputStreamWriter(conn.getOutputStream())), true);
            BufferedReader in = new BufferedReader(
                    new InputStreamReader(conn.getInputStream()));
            System.out.println("" + med);
            out.println(med);
            med1 = in.readLine();
            JFrame fm = new JFrame();
            fm.setTitle("data received from server");
            fm.setSize(400, 200);
            JLabel txt = new JLabel(med1);
            fm.getContentPane().add(txt, BorderLayout.CENTER);
            fm.setVisible(true);
        } catch (Exception e) {
            System.out.println("erreur:" + e);
            System.exit(1);
        }
        return med1;
    }

    public void keyTyped(KeyEvent evt) { }

    public void keyReleased(KeyEvent evt) { }
}

B. Explanation pages

B.1 Audit tools

B.1.i Computer's ports

Several programs on your computer can access the Internet at the same time; for instance, you can read a web page with your web browser while downloading a file via FTP. This is possible because each of these programs uses a protocol, and to distinguish the data of each program and its protocol, each is attributed a port. So we can say that all transmitted data has to go through a specific port. This schema shows different programs using the same Internet connection, but with different ports.

What are the risks?

As you have just learned, all data going out from your computer and coming in from the Internet needs to use a port. So if a hacker wants to access your computer, he/she needs to use them too.
That is why it is important to configure your ports properly. There are exactly 65536 ports; those from 1 to 1024 are called "well known ports" because they have been permanently associated with specific programs. The others can be chosen freely by other programs for their own use.

The port scan proposed on the previous page will show you which ports are open and which are closed. If you find an open port while no program is accessing the Internet, something is probably wrong on your computer.

What to do if you have some open ports

It is perfectly natural to have some open ports on your computer, so do not panic about the result of the port scan. Open ports do not mean that somebody is trying to break into your computer; they mean that some active programs are using ports to access the Internet. Basically, before launching the port scan you should shut down all running programs; if some ports are still open afterwards, you can find out which program is using each of them by checking your firewall logs. This picture shows the logs of Sygate Personal Firewall, where every program accessing the Internet is shown with its associated port. If you notice any unauthorised program, run your antivirus or anti-spyware tool to fix the problem.

B.1.ii Key loggers

Key loggers are one of the most commonly used hacking tools. They run secretly in the background of the operating system, record all the user's keystrokes and send them back to the hacker. Their legitimate use was for parents who wanted to keep an eye on their children's activities on the computer. Unfortunately, hackers turned this kind of program to another purpose. Now they are sent as e-mail attachments, and if the victim has the bad idea to double-click on one, it is discreetly installed and then sends all captured data to an e-mail address or an FTP address. Key loggers are used by hackers to steal users' passwords or private information.
Here we will just show you how key loggers work: you will be asked to type a few words, which will be sent to the server; the server will then send the data back to the web page. When hackers use key loggers, they configure the server to send the data to their own computers. This tool will only show you how your personal data can be stolen and sent to somebody else.

B.1.iii Antivirus test

In this test, you will download from the Internet a file which contains a small part of an inactive virus; it is totally harmless and will not infect your computer. If your antivirus is properly configured, it will detect the virus fragment in the file's content, warn you about the danger and finally give you the possibility to delete the file. If your antivirus does not react, it may not be doing its job. First verify that it is running, then go to its configuration options and check that it inspects every file you download from the Internet and every program before you launch it. If your antivirus does not have these options, I would advise you to install another one.

B.2 Explanation pages

B.2.i What is a Firewall

Firewalls are a significant security element of a computer or network. A firewall can be software based, which means that it is installed on your computer, or hardware based, which means that it is integrated into your modem or router. It provides access control to your computer. By building a barrier between the machine and the Internet, it prevents unauthorised access to the computer's private information. The most common personal firewalls work by analysing packets. When a computer communicates with the Internet, all the transmitted information is divided into packets. The firewall analyses every packet which comes in or goes out of your computer; if it detects an unauthorised communication, it blocks it. The firewall is the first point to check when we want to know the security level of a computer.
If it is absent, the PC's integrity should be considered already compromised. Several free personal firewalls can be downloaded from the Internet.

What are the risks

If you do not have a firewall installed on your computer, you have no barrier between your computer and the Internet. Without this barrier, you have no protection against malicious persons who try to break into your PC. The basic elements managed by the firewall are the communication ports of your computer. To exchange information with the Internet, your machine uses different virtual ports for specific kinds of data: for instance, e-mail has a specific communication port, web pages have another one, and FTP has its own port. These ports are a very important element for hackers, who can detect weaknesses of your computer and break in easily if they are left open. When the firewall is activated, it closes them by default and opens some of them to allow authorised programs to access the Internet.

What is a properly configured Firewall

Having a firewall installed on your computer is not enough; it is vital to configure it properly. This means that you should take the right decision about which programs are authorised to connect to the Internet and transmit data. Usually, every time a program tries to access the Internet, the firewall asks you whether you allow it or not. If you do not know the program, deny the permission. We will look at an example of firewall configuration with Sygate Personal Firewall, downloadable here. Every time a program wants to access the Internet, the following window appears:

Then you can choose whether or not to allow this program to access the Internet. Here it is Real One Player, a program that I installed, that asks for permission, so I can allow it. Another important point in firewall configuration and monitoring is to check its report logs frequently. Report logs store information about events met by the firewall, such as external attacks and port scans.
It is very important to verify with these logs that the firewall plays its role. The following picture shows an example of traffic log. There is also a security log which lists all external attacks, their origin and their risk.

B.2.ii Patches updates

Are your software and operating system up to date? No software product is perfect, and their weaknesses are discovered and exploited by hackers very quickly. Here is a graphic which shows the delay between the discovery of a software vulnerability and the moment it is exploited. To protect your machine from new exploits, program designers produce patches for every new security hole discovered in their programs. Users should regularly patch their PC and keep their software up to date. If not, your host's security will be compromised in a very short time.

B.2.iii Antivirus

Antivirus software is usually associated with the firewall; their roles are complementary. The firewall verifies which information may enter your computer, but once access is granted it does not look at the content of this information. The antivirus's mission is to scan the content of data which has passed through the firewall. For instance, downloaded programs are scanned for viruses before the user can launch them. There are several antivirus products on the market; the most famous one is Norton Antivirus, but there are also free ones like AVG or Avast. They have basically the same functionality: they have a database where all existing viruses are listed (this database is called the Virus Definition) and they compare the content of the files you have downloaded with this database. If any file matches a virus definition, the program warns you and deletes the infected file. This comparison is called a "file scan"; you can also use the antivirus to scan the entire content of your computer. To keep your computer safe, it is advised to do a complete scan frequently.
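The "file scan" just described, comparing the content of files against a definition database, and the complementary point that the definitions themselves must be recent, can be shown in a few lines. The following is an added example in Python, not the thesis's code and not how any commercial product is implemented: the definition database, its release date, the one-week staleness limit and the sample files are all constructed for the demonstration, and the byte pattern is not a real virus signature.

```python
"""A minimal 'file scan': look for definition patterns in files, and check that the
definition set itself is recent enough to be useful.

Added example, not the thesis's code. DEFINITIONS, DEFINITIONS_DATE and the
sample files are constructed; the pattern is not a real signature.
"""
import os
import tempfile
from datetime import date

# Constructed definition database: threat name -> byte pattern that identifies it
DEFINITIONS = {
    "Example.TestPattern": b"CONSTRUCTED-TEST-PATTERN-FOR-THE-EXAMPLE",
}
DEFINITIONS_DATE = date(2005, 9, 1)   # constructed release date of this definition set
MAX_DEFINITION_AGE_DAYS = 7           # assumption: definitions older than a week are stale


def definitions_are_stale(today, released=DEFINITIONS_DATE, max_age_days=MAX_DEFINITION_AGE_DAYS):
    """An antivirus with old definitions cannot know last week's viruses."""
    return (today - released).days > max_age_days


def scan_file(path, definitions=DEFINITIONS, chunk_size=65536):
    """Return the sorted names of every definition whose pattern occurs in the file.

    The file is read in chunks so large files need not fit in memory; the tail of
    the previous chunk is kept so that a pattern straddling two chunks is still found.
    """
    longest = max(len(p) for p in definitions.values())
    matches = set()
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name, pattern in definitions.items():
                if pattern in window:
                    matches.add(name)
            tail = window[-(longest - 1):] if longest > 1 else b""
    return sorted(matches)


def scan_directory(root, definitions=DEFINITIONS):
    """The 'complete scan': walk a directory tree and return {relative path: matches} for infected files."""
    infected = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hits = scan_file(full, definitions)
            if hits:
                infected[os.path.relpath(full, root)] = hits
    return infected


def demo_scan():
    """Scan a constructed 'downloads' folder: one harmless file, one carrying the pattern."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "holiday.jpg"), "wb") as f:
            f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 100)
        with open(os.path.join(root, "setup.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 50 + DEFINITIONS["Example.TestPattern"] + b"\x00" * 50)
        return scan_directory(root)


def chunk_boundary_check(chunk_size=10):
    """Edge case: the pattern is split across two read chunks and must still be detected."""
    pattern = DEFINITIONS["Example.TestPattern"]
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"A" * (chunk_size - 3) + pattern + b"B" * 5)
        path = f.name
    try:
        return scan_file(path, chunk_size=chunk_size)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("infected files:", demo_scan())
    print("definitions stale today:", definitions_are_stale(date.today()))
```

Real products match far more than one fixed byte string and also scan files on access rather than only on demand, but the two decisions this example makes are the ones the page asks the user to check: does the scanner actually read the content of what was downloaded, and is its definition set recent enough to recognise current threats.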
Recently, a new form of antivirus has appeared: online antivirus, which does not need to be installed on your computer. Connecting to your computer over the Internet, it scans your computer with the most recent Virus Definition. One of the most famous is from Panda Antivirus.

Antivirus risks

If you do not have any antivirus installed on your computer, you cannot check that the programs and files you launch are safe. Usually, the first thing hackers do to break into a victim's computer is to make him/her download and install a malicious program. These malicious programs can have several purposes: they can give the hacker direct control of the PC, or they can simply inform the hacker about the victim, such as the passwords used, the web pages visited or the content of e-mails sent. With this kind of information, hackers can easily find out personal details about the victim, such as his/her profession, bank account number, etc. To avoid this kind of intrusion, an antivirus is a key element.

Antivirus update

It is very important to keep your antivirus up to date, which means that it has a virus definition as recent as possible. Hackers are continuously creating new viruses and malicious code to bypass antivirus and firewall protection. Fortunately, security companies develop updates for antivirus software to counter these new threats. That is why it is crucial to regularly download the new version of the Virus Definition, to allow the antivirus to detect new malicious code and protect you from it. If your antivirus is not updated, it will be ineffective against recent viruses. A lot of people consider that just having an antivirus is enough; this is a misconception. How can an antivirus created a few years ago be effective against viruses created last week, if it has not been updated recently?

B.2.iv Passwords

Passwords are a basic element of your security. By using passwords, you deny access to your computer to unauthorised people.
If you do not use a password to access your computer, I recommend that you add one. To do that, go to the User Accounts icon in the Control Panel and click on your account. Here you can see that the user Paul does not have any password, so click on Paul and choose to create a password.

Once the new password is entered, click on Create Password.

Password risks

Passwords are a crucial element of your security. When you open your online e-mail box, you send your login and password through the Internet with an encryption system. This method seems to be secure, but as seen in the previous chapter, hackers can actually use packet sniffing programs which capture your data and obtain your password with password cracking tools. If your password is a dictionary word or a name, it would take approximately a few seconds to crack it. Here are some questions provided by the US Department of Homeland Security website (2002) to verify the quality of your password security. [12]

Every year thousands of computers are illegally accessed because of weak passwords. How many users are guilty of any of the following things?

* Writing down a password on a sticky note placed on or near your computer.
* Using a word found in a dictionary. That's right, a dictionary. Any dictionary!
* Using a word from a dictionary followed by 2 numbers.
* Using the names of people, places, pets, or other common items.
* Sharing your password with someone else.
* Using the same password for more than one account, and for an extended period of time.
* Using the default password provided by the vendor.

Chances are, if you are anything like the majority of computer users, you answered yes to one or more of the above questions. The problem is, hackers are aware of these problems as well and target those who don't take the correct precautions.

Change the password regularly

Why should we change our password regularly?
As I explained earlier, all passwords can be cracked using brute force attacks, but it takes time: it may take a hacker weeks or months to guess your password. So by changing it regularly you make it even harder to guess. In addition, if your password is already compromised you cannot really notice it, so changing it frequently gives you extra security.

Dictionary words

Commonly, people's passwords are dictionary words or family members' names, because they are easier to remember. Hackers know that, and have created hacking tools which can crack them. Basically, these tools try to guess your password by submitting a very large list of words to the computer. First they enter all existing first names and words from the dictionary: this is called a dictionary attack. If your password is a dictionary word, it takes a matter of seconds to be found. If the dictionary attack gives no result, the tool switches to the second sort of attack: the brute force attack. Here the tool tries to guess the password by submitting every possible combination of keys from the keyboard. This second method is much more time and power consuming.

B.2.v Download from unknown sources

The most common way to introduce a malicious program into your computer is to make you download it yourself. A huge number of viruses are designed to be sent by e-mail as attached files. The "I Love You" virus may be the most famous example: with an attractive name, it encouraged people to download it. If you have the bad habit of downloading every attached file you receive by e-mail without taking any precaution, you run a very high risk of being infected. You should verify that you know the sender of the e-mail before downloading any attached file, and before launching it you should scan it to check that it does not contain any virus. E-mails are not the only way hackers have found to spread malicious code; they also exploit the naivety of some Internet users.
They put viruses on their websites, pretending they are safe, ordinary software; if the user downloads the file, he/she infects his/her computer. Thus, when you download files from the Internet, you should always check whether the website is trustworthy or not. If it is a personal website, do not trust it. If it is a big e-commerce website like Amazon or download.com, files should be safe, but even there do not forget to scan the file with your antivirus before launching it.

B.2.vi Illegal software

Illegal copies of commercial software, also called "Warez", are a problem that has grown in importance recently. With the explosion of broadband connections, it is child's play to find and download a copy of commercial software from the Internet. There are two important things to know about that. Firstly, as you can imagine, it is totally illegal to own any software for which you have not bought the licence. If this kind of thing is found in your possession, you can be heavily fined. Secondly, these illegal copies found on the Internet are made by anonymous hackers, so you do not really know what is inside. They could actually have put a virus or a trojan in it.

Illegal software risks

From a security point of view, these illegal copies can be very dangerous: as a hacker could have put malicious code in it, we can never be sure that the copy you are using is totally safe. Once installed, the copied software may work properly, but some hacking programs could be installed at the same time without you noticing it, and they can transmit information from your computer to the hacker.

B.2.vii Internet configuration

Internet Explorer is the default web browser of Microsoft Windows; thus, it is the most common program used to access the Internet. Unfortunately, it has several weaknesses and needs an adapted configuration to provide a good level of security for the user.
Ordinary users just plug in their Internet connection; they do not spend any time understanding how to configure the connection and use the default parameters of the web browser. On this page, we are going to go through a number of elements to check to ensure a maximum security level for your Internet connection. We will use Microsoft Internet Explorer as the example because it is the most common one, but the points are applicable to other web browsers like Netscape or Mozilla Firefox. First, open Internet Explorer and go to its configuration page from the menu Tools / Internet Options.

The Home page address is where you define the first web page you see when you launch Internet Explorer. Temporary Internet files are copies of content from web pages you have visited. These files can be useful because if you visit these pages again, Internet Explorer will not download their content once more, but will just compare it with the temporary files and, if they match, display them. That process decreases the display time and saves your bandwidth. Do not allocate too much space for these files: 10 MB should be fine. History contains the addresses of websites you have visited; do not keep them for a long time, to avoid showing your whole Internet activity to everybody.

Let's go to the next tab, Security: Internet Explorer has different security policies depending on the type of website you are visiting. Websites are grouped into four categories called "zones". Trusted sites and Restricted sites are the websites you totally trust or mistrust; you can add site addresses to these two categories manually by clicking on Sites. The other two zones, Internet and Local intranet, are also configurable: just slide the "Security level for this zone" bar and choose between the low, medium and high security policies.

The Privacy tab: here you will be able to manage your cookies. Cookies are files created when you visit some websites, in which your actions on the site are recorded.
They allow the website to provide you, at your next visit, a presentation customised from your previous activities. Cookies make your Internet surfing more comfortable, but they also create a database of your activities on the Internet, which can be used against you by malicious people. Here you can define the cookie policy depending on the website.

The Content tab: the Content Advisor allows you to define which pages can be viewed by Internet Explorer and which cannot. This option is a very useful tool for parents who would like to control their children's activities on the Internet. Certificates are used by websites to allow users to verify the trustworthiness of their content; here you can define which certificates you trust and which you do not. In Personal information, you can allow Internet Explorer to auto-complete website addresses, logins and passwords you submit. I advise you not to use this option; otherwise anybody who uses your computer will be able to use your passwords.

In the Connections and Programs tabs, you can configure your connection parameters and define which program should be launched for a specific type of file. In the last tab, Advanced, you can find several parameters dealing with security. It would take too long to explain each of them, so I will give you the recommended parameters to set.

B.2.viii Per2Per softwares

Per2Per (peer-to-peer) software is used by Internet subscribers to share their files. It is like a giant library where everybody lets his/her books be borrowed by others. This principle has created an enormous database where practically every movie, game, book or piece of software can be found and downloaded. But it has two key problems. Firstly, you cannot be sure about the safety of the file you are downloading: there is no way to find out who is sharing it. So it is always possible to find hacked programs on it.
Secondly, a major part of the shared files are illegal copies of software, movies and music, and by downloading them you can be heavily fined.

B.2.ix Operating Systems security difference

There are three main operating systems installed on ordinary users' computers: Microsoft Windows, Mac OS for Macintosh machines, and Linux. Basically, Windows is the most popular and the easiest system to use. Because of this popularity, it is the target of most existing viruses and other hacking programs. So we can consider that, from a security point of view, using Windows is more vulnerable than using any other operating system. Mac OS is the default operating system of Macintosh computers; as they are not widely used, there are far fewer malicious programs developed for this OS. We can consider that using Mac OS is safer. Linux has been considered for a long time as the infallible system against hackers. Its main asset is to be open source, which means that the code the system is based on is free and accessible to everybody. As there are thousands of volunteer programmers in the world, every time an exploitable weakness of Linux is discovered, these programmers very quickly (a question of days) develop a program to cover the problem. Hackers want to develop programs that can hit a maximum number of victims; they will not spend their time creating something especially for Linux based systems (less than 5% of computer users) when they can affect Windows users (more than 90% of computer users). No operating system is 100% secure; even Linux does have some security problems. But the security risk is greater when you are using Windows. On the other hand, Linux based operating systems are very complex to use, and can be a real

B.2.x Web Pages security level

With the development of e-commerce and e-services like Internet banking, more and more confidential data is transmitted over the Internet. To protect it, there are encryption systems.
So when you are giving any important information like credit card number, bank account number, or personal information, it is crucial to verify the security level of the Web Page. Most of e-commerce or e-banking sites use specific protocols to ensure transmitted data security. When one site's communication is protected there is a lock symbol at the bottom of the page . 82 Recently, hackers have fund a new way to exploit easy trusted users' behavior, they call it phishing. The name phishing comes from the contraction of fishing and phreaking, it is considered as a social engineering technique which means that it does not exploit any technical weakness of your machine but the human failure of its user. Basically, hackers will sent to the victim an email using the identity of a bank or a ecommerce site. This email contains a hyperlink which drives the user to a webpage with the same looking as the reel website of the company and where he/she is invited to update the personal data of his/her profile. As the hacker selects the victims randomly, the email has usually no sense because the victim can not be customers of the company the hacker has chosen. But there still has a chance that the victim has really an account in that bank or e-commerce site. Once the hacker obtains the login and password of the user, he/she can transfer directly money if it is a bank account, purchase goods if it is a credit card number. You got to know that normally banks or other organizations consider this kind of information too important to be transmitted though Internet, they will never ask you to provide them online. B.2.xi Shares In Internet terms, shares mean files or folders of your computer which are accessible from any computer on Internet. There are a few ways to share files on Internet: FTP (File Transfer Protocol): is as given by the name a protocol dedicated to files transfer and files sharing from distant computers. 
It works in a client/server Principe; the client can access the files on the server. So if you have a FTP server running on your computer, make sure it is properly configured. Otherwise, anybody will be able to connect to your computer and manipulate its files. LAN shares: By default, it is possible to share files in LANs ( Local Area Network ), which means that users from the LAN can freely access data you have shared on your computer. Usually, members of a LAN regroup people who know each other ( company, building... ), thus there is a very low security risk. But, the danger still exist, LAN members can unconsciously have installed some malicious programs which can compromise the integrity of shared documents on the LAN. Moreover users who access your data can mismanipulate them: delete by error, change its content... So to protect your data, you should avoid any file sharing, when it is really necessary, allow only users to see you files but not to modify it. 83 B.2.xii Anti-Spy ware tools Nowadays, there are more and more malicious programs that can be unconsciously downloaded by Internet users. Spy wares are one of them, they are created to collect user personal data and to send them back to their designer. We can define two types of spy ware: Spy ware for commercial use: they collect data from the users and have a visible interaction with them. This interaction can be customised commercials sent to the user's email, pop up windows, etc... Spy ware for malicious use: using the same pprinciple, they steal personal data, and send them to the designer without the user notice it. These data can be used by hackers to break into the computer, or to steal the user's identity etc... To eliminate these problems, it is advisable to avoid any unknown software installation and run regularly a anti-spy ware tool to check out your hard disk. 
You can find on Internet some free anti-spy ware softwares like Ad-Aware, and Spybot Search & Destroy B.2.xiii Connected time The amount of time your computer is connected to Internet is an important element to evaluate the security risk. Recent studies have proved that a computer connected to Interne with no protection ( firewall, antivirus, anti-spy ware ... ) is infected after in average 20 minutes. So even if you have some security tools, the security risk increase with the time you are connected. The user should be aware of that risk. For instance if your computer is connected 24 hours a day, 7 days a week, your should be fare more vigilant about the security of your Pc than an user who connects only once a week to check his/her e-mails. B.2.xiv Data storage Your personal data is certainly the most important thing in your computer. All security softwares have the role to protect the data against unauthorised access (firewall), and to guaranty its integrity for your access (antivirus). Modern companies consider their data as a vital element of their business, and spend thousands of dollars to keep it safe. For instance, they will do a daily record of all their data files. If something happens to their data (erased by mistake, integrity compromised by hackers' attacks...) they will return to the yesterday back up. Thus the information losses will be minimum. This back up method can also be used by ordinary computer users. As we can never be 100% sure of computer security, it can be prudent to make a monthly record of your data. 84 B.2.v Personal information With the creation of new online services like e-banking, e-renting etc... you are frequently asked to enter personal information like your address, telephone number, credit card number etc... Do you always give this kind of information without think about it? If the answer is YES, your behaviour may be dangerous. 
Firstly because the information you are sending thought Internet can be caught by anybody with some hacking acknowledge. With your personal information, hackers can for instance steal your identity and purchase with your credit card what they want. Fortunately, some encryption systems allow you to transmit information with a much lower risk to be caught and exploited by hackers. To be sure that the information you are sending will be encryption, just check at the bottom of your web browser that there is a lock . So it is very important to avoid as possible to give any personal information online, but when it is really necessary, verify the website use encryption communications. 85
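As an added example, not code from the thesis, the following Python script checks an e-mail for the two warning signs described under Web page security level and Personal information: a link whose visible text names one site while it actually leads to another (the phishing trick), and a link that does not use https, so the browser would show no lock. The TRUSTED_SITES list, the hostnames and the sample message are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumption for this example: the sites the user really holds accounts with.
TRUSTED_SITES = {"mybank.example"}
# <a href="...">text</a> pairs; a regex is enough for the constructed sample below,
# a real mail filter would use an HTML parser instead.
ANCHOR_RE = re.compile(r'<a\b[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Something that looks like a web address inside the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})")

def same_site(host, site):
    # True when host is the site itself or one of its subdomains.
    return host == site or host.endswith("." + site)

def check_email(html):
    """Return [(href, [reasons])]; an empty reasons list means the link looked consistent."""
    report = []
    for href, text in ANCHOR_RE.findall(html):
        url = urlparse(href)
        host = (url.hostname or "").removeprefix("www.")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        reasons = []
        if url.scheme.lower() != "https":
            reasons.append("not encrypted: no https, so the browser will show no lock")
        if re.fullmatch(r"\d+(\.\d+){3}", host):
            reasons.append("goes to a bare IP address rather than a named site")
        if shown and not same_site(host, shown.group(1)):
            reasons.append(f"text shows {shown.group(1)} but the link goes to {host}")
        for site in TRUSTED_SITES:
            if not same_site(host, site) and site.split(".")[0] in host:
                reasons.append(f"{host} imitates the name of {site}")
        report.append((href, reasons))
    return report

# Constructed sample of the kind of message the text describes (not a real e-mail).
SAMPLE_EMAIL = """<p>Dear customer, your profile needs updating:</p>
<a href="http://mybank.example.secure-login.test/update">https://www.mybank.example/update</a>
<p>Questions? See <a href="https://mybank.example/help">our help page</a>.</p>"""

if __name__ == "__main__":
    for href, reasons in check_email(SAMPLE_EMAIL):
        print(href, "->", reasons or ["looks consistent"])
```

The first link is reported three times over (no https, text and target disagree, lookalike name) while the genuine help link passes; the same checks apply to any HTML message pasted into SAMPLE_EMAIL.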