Internet safety and security should be your top priority! Beware of spyware, scumware, viruses, worms, identity theft and so much more. Be safe online!
Mr Webb On-Line Internet Safety and Security Information
Intrusion Detection - What You Should Be Looking For to Protect Your Computer
We all have heard about the horrible stories in regards to the Internet. Viruses, worms, crashes and whatnot seem to plague anyone who dares to show themselves online.
Maybe we were lucky and haven't had an unpleasant experience with a virus or a 'hacker', and if we haven't, we will most likely put it down to the fact that we have nothing interesting on our PCs.
Why would a hacker be interested in us? We're no more than average internet users, browsing the occasional web site, maybe visiting a forum here and there, but mostly just checking our email.
The rumor that all 'hackers' are simply maladjusted juveniles that like to go around and break virtual windows is only partially true. Without delving into the difference between hackers, crackers, script kiddies and programmers we will simply point out that a great number of attacks on our computers are done for the personal gain of others.
'Hackers' will use any number of methods to break into our computers, and their motivations and reasons are just as varied. Some hackers simply enjoy the utter destruction of our operating system, testing their latest home-brew virus on us. Others are interested in gaining marketing insights from us: by checking our browser history and browsing activities they are able to turn this information into (more) annoying ads and force unwanted information on us.
Lately the internet has also seen a large increase in 'identity thieves', people who will go to great lengths to retrieve any and all personal information (name, address, phone numbers, social security numbers and credit card numbers) they can find on our computer in order to (financially) benefit themselves.
Whatever the motivation of these 'hackers' may be, it is safe to say that they have an impressive arsenal of tools at their disposal to attempt to break through or disable our security measures (if any).
This article will attempt to explain a few common types of attacks without establishing exact technical details. This 'awareness' will hopefully lead to better overall protection of our own computers.
In order to make the process of understanding these types of attacks a little easier we will divide them into two categories:
Active involvement
Passive involvement
Active involvement
Active involvement describes a set of attacks that require someone to actively be present to perform the attack. Hijacking a network session or 'spoofing' an IP are both excellent examples of active involvement attacks. Both of them require the attacker to be involved in the attack (at least to a certain extent).
Passive involvement
Typically passive involvement doesn't require the hacker to be present. Trojans, worms and viruses are all more or less autonomous, taking action where and how they see fit (or rather, exactly as they were programmed). These automated 'attackers' can do anything from causing severe damage to the information on your computer to creating a way for the hacker to get into your computer (whenever he/she feels like it).
Below you will find a fairly short listing of common 'attacks' made through active and passive activities of a 'hacker'.
Active
Password cracking
Session hijacking
IP spoofing
Server spoofing
DNS poisoning
Source routing
Passive
Virus
Worm
Trojan Horse
Logic Bomb
Denial of Service
Password cracking
Password cracking is the basic act of attempting to figure out someone's password by using software tools specifically designed to do this.
Session hijacking
A hacker present on the network is capable of listening in on a network communication between two computers and then can attempt to 'bump' one of these computers out of the conversation and take its place.
IP spoofing
IP spoofing is a means for the hacker to pretend to be someone else. Every computer on a network has a unique identification (its IP address). By faking this identification the hacker can pretend to be a computer that is allowed to make a connection to our computer (if applicable).
Server Spoofing
Another type of spoofing: in server spoofing the hacker pretends to be the most important machine on the network (the server). When we try to log into our server (to be able to make a connection to the Internet, for example) with our username and password, we give the information to the hacker instead of sending it to the server. The hacker can then use this information to log in on the real server with our user privileges.
DNS poisoning
DNS is the basic system that automatically looks up the unique numbers (IP addresses) of computers on a network by name. The information sent out by the DNS can be falsified in order to redirect us to the hacker's PC when in fact we think we are logging into our online bank account (with all the consequences to boot).
Source Routing
Often a hacker will attempt to log into our network by breaking in through an outside network that we consider to be secure (and therefore trusted). Companies will often split their network into smaller networks to improve performance and then set these networks to communicate with each other freely. If a hacker manages to break into one of these 'friendly' networks, he or she will have free access to all the other networks. This is known as source routing.
Virus
A virus is a malicious piece of software that, much like its real-life counterpart, replicates. Generally replication takes place at very high speed, causing our computer to become slower and slower until it eventually runs out of resources and crashes. Viruses can also attack the files they attach themselves to in order to cause damage to your files.
Worm
A worm is similar to a virus but has one very notable difference. A worm can replicate itself rather than relying on other files to spread.
Trojan horse
Emails or pop-ups often spread a Trojan horse. It installs itself on our PC and then creates a hole in our security making it possible for hackers to enter our computer whenever we are connected to the Internet. This gives the hacker the same control over our computer as we have.
Logic Bomb
Not as commonly used today, the logic bomb works very much like a worm. Rather than replicating itself or spreading via other files, it simply 'destroys' any and all files it is set to destroy.
The logic bomb is usually set off by a specific event (date, time, random trigger and others).
Denial of Service
The denial of service attack comes in many flavors, but all are intended to slow down or crash the network they are sent to.
A denial of service attack (DoS attack) can be anything from a ping broadcast, ping of death or teardrop to a Smurf worm.
Behind all these colorful names hides the simple act of attempting to exploit the communications system between computers in a network, causing an overload of traffic. This in turn generally causes the network to slow down considerably or crash completely.
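The "overload of traffic" described above is what a defender can actually look for: one source opening far more connections than normal in a short time. The following is an added example, not code from the original article. It assumes a constructed, simplified log format of "epoch-seconds source-ip destination-port" (real firewall or web-server logs differ), and the window size and threshold are assumptions you would tune to your own baseline traffic.

```python
"""Rate-based flood detection over constructed connection-log lines.

Added example (not from the original article). It assumes a simple
constructed log format: "<epoch-seconds> <source-ip> <destination-port>".
A source that opens more than THRESHOLD connections within any
WINDOW_SECONDS-long period is flagged as a possible denial-of-service source.
"""
from collections import defaultdict, deque

# Constructed sample log: one chatty source (198.51.100.7) and normal traffic.
SAMPLE_LOG = """\
1000 192.0.2.10 443
1000 198.51.100.7 80
1001 198.51.100.7 80
1001 192.0.2.11 443
1002 198.51.100.7 80
1002 198.51.100.7 80
1003 198.51.100.7 80
1003 198.51.100.7 80
1004 198.51.100.7 80
1004 192.0.2.10 443
1005 198.51.100.7 80
1060 198.51.100.7 80
"""

WINDOW_SECONDS = 10   # assumed sliding window size (tune to your traffic)
THRESHOLD = 5         # assumed maximum connections per source per window


def parse_log(text):
    """Parse constructed log lines into (timestamp, source_ip, port) tuples,
    skipping blank or malformed lines rather than crashing on them."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((int(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    # Stable sort by timestamp so same-second lines keep their file order.
    return sorted(events, key=lambda e: e[0])


def detect_floods(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {source_ip: (first_alert_time, count)} for every source whose
    connection count within a sliding `window` exceeds `threshold`.

    A per-source deque holds the timestamps still inside the window; old
    entries are evicted from the left as time moves forward, so memory per
    source is bounded by the window, not by the log size.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, _port in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = (ts, len(q))
    return alerts


def report(text):
    """Convenience wrapper: parse the log text and return the alert dict."""
    return detect_floods(parse_log(text))


if __name__ == "__main__":
    for src, (ts, count) in sorted(report(SAMPLE_LOG).items()):
        print(f"ALERT: {src} opened {count} connections "
              f"within {WINDOW_SECONDS}s (first seen at t={ts})")
```

Run against the constructed sample, the detector flags 198.51.100.7 at second 1003, when its sixth connection inside the 10-second window arrives, while the two normal sources never approach the threshold. A single-source counter like this catches the simple case; distributed floods spread across many sources need the same idea applied per destination port or service instead of per source.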