I've been around long enough that I still recall how e-mail had to be addressed in the early days of the Internet. Given the nature of connections between machines and the store-and-forward nature of e-mail, you would have to specify every single hop between source and destination machines, separated by exclamation marks. At that time we actually had a printable diagram of the major nodes on the 'net and it fit on a single page! I still remember that ihnp4 was one of the major hubs and most of my mail was routed through it on the way to the intended recipient.

Links between major nodes were typically leased-lines, although anything faster than 19.2 Kbaud was far too expensive for most. Many of the smaller nodes and the downstream (home) systems were dial-up, typically at a speed of 300 baud. Most people couldn't afford the Bell 212 datasets which could blaze along at 1200 baud. Given the available bandwidth, irresponsible use was strongly discouraged. Usenet newsgroups were downloaded only if the host had local or downstream subscribers. Flame wars were (thankfully) short-lived, often because excessive use of communications bandwidth resulted in the offender having his/her account cancelled!

Times sure have changed! Now don't get me wrong; I'm not waxing nostalgic for the "good old days." I have more computing power in my home today than could be realistically conceived just a decade ago. I enjoy an always-on connection to the 'net with download speeds of up to 1.5 Mbits/sec., 5,000 times faster than 300 baud. I run two different variants of UNIX (Linux and AIX) on three (soon to be 4) servers with large hard-drives, capacious memory and minimum CPU speeds of 375 MHz on the AMDs. I run personal editions of Oracle and DB/2 and can develop sophisticated n-tier applications from the comfort of my home office.

Unfortunately, along with these advances we are witnessing the "dark side" of commercial and human nature. Do you recall the first time you received a "junk" fax? About 50% of what one of the fax machines at the office spews out these days is "junk" or unsolicited. This is an indidious waste of money and resources. It ties up the telephone line, consumes toner and paper supplies, and requires time to separate out from the legitimate documents. It's akin to someone sending you a letter with postage due, save that the contents represent an effort to separate you from even more money. As it is, the bulk mailers get a price break from the USPS and continue to fill up my mailbox with paper which is summarily trashed. I don't even glance at the content; if it's not directly addressed to me then it goes into the garbage sight-unseen.

Marketing types are nothing if not quick to apply new technology to their efforts. Once internet usage began exploding, people began compiling lists of e-mail addresses. They culled the usenet archives and joined as many mailing lists as possible. When that didn't give them enough volume, they applied a ruse which had worked well in another venue: the grocery store. Do you recall that card you could sign-up for which offered "special" deals? Even today, everytime I go to the local Kroger's they try to foist one of these cards on me. But I know their dark secret: sign-up and your mailbox will soon be overflowing with additional junk mail. They sell your name and address information to whoever is willing to pay. That is what subsidizes the in-store "specials".

Not so long ago you could find all kinds of "contests" on the web. Win a car or a free trip to Hawaii! Just fill out this application form (and answer a few demographic questions) and you'll be entered in the draw! Now, who didn't immediately cotton-on to what they were actually after? A car might cost $20,000 but imagine the value of the information they collected. It's even more valuable because they were able to collect demographic information, essential to companies which want to "target" their pitches. Enter one of these contests and you'll see the same result as you did at the grocery store: a steady increase in the appearance of unsolicited e-mail.

The steady increase in the volume of "junk" e-mail (aka SPAM) has attendant costs similar to those of "junk" faxes. Hands up all of you who have to wade through your inbox, separating the wheat from the chaff. This is costing you time and money. Some of the approaches are outright deception. Have you ever noticed that some SPAM contains directions at the bottom, instructing you how to get your name removed from the mailing list? Follow those instructions and you're confirming that the address is live and that you actually opened the message and read it down to the point where the removal instructions appear. "Hey, we got another sucker here!"

Microsoft didn't forsee the explosive growth of the Internet. In their usual arrogant manner, they decided that the LAN was the be-all and end-all of computer networking. As a result, they "enhanced" their products to provide work-group functionality. Office automation mechanisms such as macros and Object Linking and Embedding (OLE) became the flag Microsoft rallied around. Quite frankly, in all of the organizations I've visited, large and small, I've never seen much use or application for these "features." Microsoft seems to have missed the bigger picture here, adding more bells and whistles to their flagship products while ignoring the underpinnings. I'd rather have a system with a rock-solid TCP/IP stack and a reliable kernel than more Word features I'll never use.

Given the Microsoft focus, it didn't take long for some inventive people to co-opt the capabilities included in everything from Internet Explorer to Outlook to Word. First we had the .normal macro viruses. These weren't too bad since you actually had to open an infected document in order to contract the virus. Also, since Word is such a widely used application, fixes appeared very rapidly, followed shortly thereafter by more permanent solutions. It's important to keep in mind that the virus was only possible due to the inclusion of macros in Word. Also note that there have been numerous other breaches in other applications in the Office suite but they don't get as much exposure simply because not as many people use Access or PowerPoint as use Word.

With the Word hole sealed, people started looking at other vectors for infecting systems. Visual Basic Script was added to the Office suite a number of years ago, again as an office automation feature. What hackers needed was a way to access the functionality provided by this wide-open environment. They found it in Outlook. There are two "features" in Outlook which facilitate execution of external VBS code. First is the message preview option. It's supposed to display the first few lines of a message so that you can readily determine the content since apparently the subject line isn't enough. Hackers found that they could include VBS code at the top of the message body and, if message preview was enabled, execute their own code.

Another "feature" of Outlook is the suppression of display of file extensions in an attachment. Some brilliant engineer decided that people didn't really have to see the extension; the pretty little icons would show them visually what kind of file it was (or at least what Microsoft application could open it.) Hackers started sending out messages which included attachments like xxx.jpg.vbs, knowing that they would be displayed as "xxx.jpg". People would think it was a picture (not all users are as thick as a brick) and open it. Hence the AnnaKournikova virus travelled extensively, utilizing the ability of VBS to access the address book and send mail messages without user intervention.

Your internet browser might be a wonderful tool, but it can also be used for evil. What many people don't realize is that once you visit a page on the world-wide web, various pieces of information may have been collected on the server. Things like username, browser version, IP address, etc. can be logged to files and the information mined at some later date. Another Microsoft office productivity technology incorporated into Internet Explorer is ActiveX. Unlike Java applets, which operate in a "sandbox" and generally cannot access machine resources, ActiveX controls have almost free-rein over your system. At least now you can disable ActiveX or only accept "signed" controls, but this is merely patching a fundamentally flawed architecture.

Much has been written on the increasing use of cookies. This is actually a fairly benign technology with advantages which far outweigh any potential drawbacks. I've never read definitive evidence of cookie abuse, since browser controls effectively prevent the transmission of cookies to any server other than the one which stored it in your browser. When used for the intended purpose, cookies can make navigation on frequently visited much more rewarding. It should also be noted that many "shopping cart" applications use cookies to record the state of your order, permitting you to leave a site and return some time later and resume at the point you left off.

I mentioned my cable-modem earlier on, but both this technology and xDSL can be attractive to hackers. With an "always-on" connection, you're likely to lease an IP address from DHCP for a significant period of time. It's not a static address, but I've had the same address (system just keeps renewing the lease) for weeks at a time. Hackers find the address ranges used by cable-modem and xDSL ISPs and probe the connected systems for vulnerabilities. It's a lot easier to take advantage of systems when you can be reasonably assured that the IP address will be the same for a few days at least. Trying to locate a particular machine which uses a dial-up ISP is time consuming (IP address changes every time they connect) and of limited value since such connections are usually short-lived.

Hackers want long-lived addresses so that they can take over "stables" of machines. They inject code into these systems or exploit existing vulnerabilities to gain control. Sometimes they rely on code which has been inadvertantly downloaded from sites on the world-wide web. In any case, these captive machines are most often used for DDoS (Distributed Denial of Service) attacks. This "fun" activity for hackers permits them to bring targets to their knees by flooding their servers. It's also reasonably anonymous since the attacks are not coming from their own machine, which could be readily tracked back to the operator. It's also far more difficult to track down 200 machines than 1. Stealing financial information is far less likely since the chances of being caught are significant.

Okay, so we've established that it's a nasty world out there. We have inconveniences and outright attacks coming at us from all quarters. What's a user to do? There are actually a number of ways we can reduce our exposure. Savvy users will not find anything new here, although I do have some specific tips at the bottom of this column. What you basically want to do is throw up some roadblocks. While I can't claim that using these techniques will protect you completely, they do offer you some insulation. As with property protection plans, the more difficult you make things for the villain, the more likely they are to move on to a softer target. I also like to use multiple layers of protection. Again, you're trying to make it harder for an attacker to penetrate your security so anything which slows them down is advantageous.

The Windows 95/98 platform is inherently insecure but there are a couple of tools I recommend (and use.) The first is Zone Alarm (free for personal use) which very effectively controls access to and from your machine. It's easy to configure and maintain and gives you early warning if any application on your system tries to establish an outgoing connection. If you have an ad-bot on your system, this program can freeze it in its tracks. You can disallow the connection and even check a box ("Remember this answer...") which makes the ban permanent. Similarly, if an external system attempts to make a connection to your machine, you can permanently block any access from that source. Highly recommended.

If you keep any personal information on your PC then you should seriously consider PGP (Pretty Good Privacy.) This software package can be used to secure e-mail messages and so much more. My favorite module is PGP Disk. You can create a file which can then be mounted as a separate drive. The real value is in the password protection. Choose a reasonably long phrase (a sentence, for example) which you will always remember but nobody is likely to associate with you. Perhaps a line from Shakespeare or some other author you read in high school and which you will never be able to forget. Any time you need access to the secured information you can pull up the application and request that the disk be mounted. You will then have to enter the key phrase (not echoed to the screen) in order for the mount to succeed. Unmount it when you're done and not even someone who has physical access to your machine will be able to access your private data.

Given the prevalance of viruses these days, anti-viral software should be considered an essential part of your system. Interestingly enough, Microsoft hasn't tried to dominate this market segment by including protection in the operating system. Perhaps because doing so would be tacitly admitting that their software is to blame? Both Norton AntiVirus and McAfee VirsuScan are solid products with large customer bases. Make sure that you keep your product current; downloads of new engines and virus definitions can be done over the 'net. Depending on your level of activity, perform regular scans of all your hard drives. Even though I don't download much on my Windows platform, I do a scan about every two weeks. Make this activity a priority, perhaps including it in your regular backup schedule. You do perform backups on a regular basis, don't you?

The next layer of protection takes the form of a firewall. A firewall can be implemented in either hardware or software. Zone Alarm provides some of the capabilities of a firewall but having a separate device only increases the level of protection. Products from Linksys , Cisco, Nortel Networks, 3Com and D-Link can function as firewalls as well as provide NAT (Network Address Translation) and DHCP services. When combined with a hub (or utilizing an integrated hub,) they enable the sharing of a single broadband connection across multiple machines. It also prevents a potential attacker from targetting specific ports on the systems inside the firewall, unless so configured. One step which should always be taken subsequent to installing a firewall is an external probe. Try Shields UP! and DSL Reports and verify that your system is truly secure from typical attacks.

My best recommendation is to insert a system running Linux between your intranet and the Internet. I use RedHat 6.2 and use ipchains for the firewall. This is a very powerful application which offers low-level control over incoming and outgoing connections. You can specify which hosts or domains have permission to access particular protocols on your gateway. Combine ipchains with tcpd, you can make this system practically unbreachable. Here's what I do: edit /etc/inetd.conf and comment-out those services you won't need at all, things like timed and smtpd (you don't want someone using your system as a SPAM relay.) Make sure that all of the remaining services are "wrapped" by tcpd, i.e. you should have lines like this:


telnet	stream  tcp 	nowait  root    /usr/sbin/tcpd in.telnetd

Leave things like FTP enabled since it's convenient to use on your intranet. The /etc/hosts.deny file should contain a single line:


ALL: ALL

This will deny access to all daemons managed by the tcpd wrapper. Of course, it will also prevent access from the intranet. We have to modify /etc/hosts.allow to permit access from local addresses and any other domains we trust. Assuming that you're using the recommended internal addresses of 192.168.0.0 and that you trust the sudsy.net domain then you would have two entries, looking like this:


ALL: 192.168.
ALL: .sudsy.net

Note that this configuration does not prevent FTP access from the sudsy.net domain. We have to trust that nobody in that domain is going to try to use insecure protocols when connecting to our machine. Finally, we have to set up masquerading (NAT). This maps "internal" addresses to "external" ones. This hides any internal server from external probes. Again, assuming that your internal network is 192.168, add the following lines to the /etc/rc.d/rc.local file:


/sbin/ipfwadm -F -p deny
/sbin/ipfwadm -F -a m -S 192.168.0.0/16 -D 0.0.0.0/0

Now all you have to do is point your internal machines to the Linux box by defining it as the default gateway. Based on previous experience and industry "standard practices" I usually configure the router or default gateway with the lowest possible address, i.e. the router in our example would have an address of 192.168.0.1. Just assign increasing numbers for each of the hosts on your intranet. Just to prevent confusion, I like to add entries in /etc/hosts to keep track of which addresses have been assigned.

Okay, so we've got our firewall configured and all internal machines are using a Linux box as a gateway. What now? Now we have to analyze how we access the big, bad Internet. Most people use the 'net for mail and surfing. Let's attack the mail issue first. Even though it might be the most commonly used mail client (mostly because it comes pre-installed,) I cannot recommend Microsoft Outlook or Outlook Express. As I mentioned earlier, there are some significant holes in the product. Even if you turn off message preview, there are still other nasties out to bite you. Ever receive an e-mail which displays like a web page? Most people have, and it's possible because Outlook calls the same rendering engine as the one used by Internet Explorer. This is the tight integration of the browser with the operating system which caused Microsoft some minor problems with the Department of Justice.

So why is this a problem? A web page usually consists of many elements, some from different sources. View the source of a web page some time and see how many links you find. For every IMG tag which includes a src attribute, the rendering machine will establish a session with the specified server and request the named file. I've already mentioned the amount of information which can be logged for every access to a web server. What if collection of that information is the intent? You don't really want to serve an image, you just want to record who opened the mail message. You also don't want the user to see an image since you're collecting this information surreptitiously. The image they serve up is a 1x1 pixel transparent image. This practice has earned a label: these are called "web bugs". If you're a member of any mailing lists which permit HTML then you might have been hit by web bugs and not even know it.

"But can't I get bitten by web bugs while surfing the net anyway?" Certainly! But assuming that you're visiting legitimate sites, why would they need to use them? Your access to their server has already been logged. There is no benefit in using them in this case. It's far more likely to be used by someone harvesting name and address information. They can flood list servers or newsgroups and hope that the opener is using a rendering engine, a highly likely scenario given the widespread use of Outlook. My suggestion? Don't use a mail client which automatically renders HTML. Note that the mail client in Netscape Communicator is as guilty as Outlook in this regard. I prefer to use a text-only mail client. You should be able to find a variety of freeware or shareware products using your favorite search engine. Does it even need to be restated that you should NEVER, EVER open attachments, even from people you know, unless you were expecting them?

I don't use the Windows platform for mail at all any more. I use a Linux box and the ELM client. Now that's going to sound totally retro to those familiar with UNIX, and it is. It's also a pain when I receive messages with embedded HTML since I can only view the source. Then again, people shouldn't be including HTML since mail has traditionally been a text-only medium. If I receive mail with attachements, I just pipe the message through 'metamail -w' and the attachments are properly decoded and stored into appropriate files. This, along with the ability to organize messages in folders, is all I really need my e-mail package to do. The fetchmail utility contacts my POP3 mail server every five minutes and xbiff raises a flag whenever I receive new mail. These utilities have been around for years and do precisely what is expected of them. I'm not suggesting that everyone take this path, I'm just saying that it works just fine for me and gives me additional isolation.

Web surfing requires a browser, and there's no way to get around that. What you should do is carefully investigate the configurable settings. You want to make your browser environment as secure as possible. If you're using Internet Explorer make sure that ActiveX is completely disabled. I'm sorry, but no amount of argument from Microsoft about how it makes it easy to keep my system upgraded is going to convince me to enable this huge security hole. Besides which, if there's an application running transparently, seeking out upgrades for installed software, what other information is it sending back? Java is a completely different kettle of fish since applets execute under the scrutiny of a security manager which prevents any local access without the express permission of the user. JavaScript is somewhere between these two extremes. Unfortunately, disabling it will severly limit your access to certain popular sites. Another good argument for keeping private information on a PGP disk volume.

One thing I've noticed recently is that a lot more sites are using pop-up windows. Banner ads were bad enough and the new, larger ads are even worse, but popping up ad windows is hugely annoying! While I haven't yet found a way to disable window.open in JavaScript, I have discovered that you can singificantly decrease the number of annoying ads by making some configuration changes on your Linux gateway. First you have to figure out the names or IP addresses of the sites that are most offensive. This is sometimes tricky since the windows don't always allow you to see any relevant information. I haven't been able to determine the source for an incredibly annoying Ford of Canada ad, for example. You then need to edit your /etc/rc.d/rc.local file to contain lines like the following:


/sbin/ipchains -I output 1 -d 205.180.85.0/255.255.255.0 -j REJECT
/sbin/ipchains -I output 1 -d adcontroller.unicast.com -j REJECT
/sbin/ipchains -I output 1 -d ad.doubleclick.net -j REJECT
/sbin/ipchains -I output 1 -d ad.us.doubleclick.net -j REJECT
/sbin/ipchains -I output 1 -d ad.ca.doubleclick.net -j REJECT
/sbin/ipchains -I output 1 -d 205.138.3.0/255.255.255.0 -j REJECT
/sbin/ipchains -I output 1 -d ads.x10.com -j REJECT
/sbin/ipchains -I output 1 -d www.overstock.com -j REJECT
/sbin/ipchains -I output 1 -d lowermybills.com -j REJECT

If you don't reboot your system very often (20 days uptime on one of my boxes,) you'll also want to type these commands in a root shell to have the changes take effect immediately. What this does is reject any attempts to make a connection to any of the listed hosts. No connection, no ad. No ad, no popup! This technique can also significantly reduce the number of banner ads displayed. I initially used a destination of DENY which just drops requests on the floor. Unfortunately, my browser is used to the vagaries of the Internet and retries the dropped request. By using REJECT, an ICMP unreachable message is sent back to the browser. This short-circuits the retry phase and the browser gives up immediately.

So there you have it! Yes, it's a lot of work to configure things this way but these techniques should serve you well. They've certainly reduced my exposure. It also doesn't hurt that Linux won't run Windows executables and doesn't support VBS. While I can't speak for the future, I can tell you that I've never been infected. In many ways it's too bad that I've had to entrench myself and my systems but the alternative is unthinkable. Protect yourself: there are a lot of nasty people out there. Ah, for the good old days...

September 8th, 2001

Copyright 2001 by Phil Selby