Lions and Noodles and NakedWives-Oh My!
Hackers hunt for holes in top software programs to compromise your systems and steal your data.
By Mary Behr
April 6, 2001

Forget seedy chat rooms and porn sites. The true danger of the Internet is the access it gives hackers to your system, network, and personal information. There have been several security breaks and hacker attacks of note since the beginning of the year.

Microsoft recently posted an alert that your system can be hacked via a hole in Internet Explorer. Red Hat's popular version of Linux suffered three worm attacks: Ramen in January, Lion in March, and Adore in April. Add that to the recent AnnaKournikova and NakedWife e-mail viruses and you get the picture: Hackers are not just the stuff of bad Saturday afternoon movies.

Hacker attacks are more common than you may imagine. The Computer Security Institute (CSI) recently released the results of its sixth annual Computer Crime and Security survey, conducted in conjunction with the San Francisco FBI's Computer Intrusion Squad. Based on responses from 538 computer security professionals in government, medical, and financial areas, as well as universities and a number of U.S. corporations, 85 percent experienced computer security breaches within the last year, and 64 percent admitted to financial losses from such breaches.

Of those acknowledging attacks, 58 percent reported ten or more incidents. Tellingly, only 36 percent reported these attacks to law enforcement, but at least that's an increase over the 25 percent that reported attacks the previous year.

Internet Explorer Exploited
Microsoft announced last week a hole in Internet Explorer 5.01 and 5.5 that could let a hacker run code on your computer, alter and delete data, or reformat your hard drive. Although Outlook and Outlook Express handle most e-mail, they rely on IE to process HTML mail. IE doesn't know how to handle certain types of HTML mail attachments, though, and rather than alert the user, the browser just launches such attachments.

Hackers exploit this by sending e-mail of this unusual type. The File Downloads option, which is enabled by default, provides the entree. You can install a simple patch that fixes the table of MIME (Multipurpose Internet Mail Extensions) types and actions, which in turn stops e-mail from automatically launching executable attachments.

Even the Linux world is now under attack. "It was rare to find worms within the Linux world because there were so many different operating systems and things like that," says Lance Spitzner, founder of the HoneyNet Project, a security group. "But the popularity of versions such as Red Hat has changed that."

Red Hat Worms
For example, Ramen takes advantage of several well-known flaws in the default installation of Red Hat 6.2 and 7.0 to replace certain Web pages with its own "Ramen Crew-Hackers looooooooooooooooove noodles" home page. Interestingly, the Ramen worm fixed the security opening through which it came, thereby protecting itself from other hackers using the same methodology. Patches are available to fix the hole exploited by Ramen.

Lion was discovered in March and is thought to be a mutation of Ramen. Lion is more sinister, though: It steals passwords to send to a third party to crack, and it makes "back doors" through which the hacker can get administration-level access to a network.

"The Ramen worm was actually a nice worm, as worms go. It didn't do any damage and it would fix the security hole that it broke in on. The Lion worm is more a vicious version, because it steals private confidential information. It's the progression of viciousness that is disturbing," said Spitzner. The Adore worm, or the Red worm, is also thought to be a variant of the Ramen worm. Like the Lion worm, it opens back doors and steals sensitive data.

(And just so you know: a virus is an infected file. It spreads when the infected file is forwarded or transferred. A worm infects a whole hard drive or system. Worms require e-mail to spread from system to system.)

Who Wants to Be Hacked? HoneyNets
The IE hole and the Linux worms highlight a more global issue, says Spitzner. "They are the vulnerability du jour. The reality is that default installations of software programs are wide open. Now, that's changing. Vendors are trying to shift things and lock them down. But we need to get aware. People are connecting to the Internet faster than we can make them aware."

Enter the HoneyNet Project, a group of 30 security professionals and reformed "blackhats" (hackers) who spend their own time learning the tools, tactics, and motives of the blackhat community. The year-old project has two aims: to raise awareness and to teach and inform. In order to learn how hackers think and work, the project designs honeynets--that is, networks designed to be hacked. Any traffic, inbound or outbound, is "controlled, captured, contained and analyzed to learn the tools, tactics and motives" of the hackers.

The HoneyNet Project has numbers on how fast and how many times a system gets hacked. "A Red Hat Linux system, default installation, has a three day life expectancy on the Internet. Our last one was hacked in three hours. A Windows 98 box with a DSL connection and a shared C drive was hacked within 24 hours--and four times in four days," says Spitzner.

So is the situation hopeless? Spitzner doesn't think so. "Our research focuses on default settings. If a user takes the right steps, a default configuration can be secure. The bad guys are looking for people who have not secured default installations." Patching the system and disabling or removing services you do not need are the two biggest things you can do, according to Spitzner, who recommends you do both. "If it is not running nor installed, the bad guys can't hack it."
