(Be sure to read the “Secure your Lan” page!)
LAN security risks come in different forms. Here is some information on the most common ones.
Viruses are generally not a “security” threat to the computers on your LAN (although they can cause plenty of problems). The main effect of viruses can be erratic operation of your computers, possible data loss, and the ability to pass on the virus to other networked users.
Viruses are most commonly spread through two methods:
- floppy disks or other removable media that are used to transfer files from one computer to another
- email attachments
Your best defense against viruses is to run a good anti-virus program and keep the virus database updated (at least monthly).
In case you’ve just come out of a coma or have returned to the planet after a long absence, I’m doing my cyber-civic duty by repeating what should be firmly embedded in your brain by now:
Rule #1: Never, never, never open email attachments that come from people that you don’t know.
J U S T P R E S S D E L E T E !
Rule #2: If the attachment is a forwarded joke, video, audio, .vbs or whatever kind of file
J U S T P R E S S D E L E T E !
Rule #3: As Melissa and LoveBug and their variants have shown, if you receive an unexpected email attachment from someone that you do know, check with them before opening it to be sure that they meant to send it and to find out what is in it.
Rule #4: If the attachment is a legitimate file from a known source, you should still scan it with up to date anti-virus software before opening it.
(Your anti-virus program should have a mode where it will do this scan automatically, but you should check and make sure that it is running!)
Get the picture? If in doubt, throw it out! If it’s a legitimate file, it can always be resent, after you check with the sender! The people who create these things are getting nastier and cleverer, and it just isn’t worth taking the risk of losing even one file due to what boils down to curiosity!
Probes or port scanners check for improperly secured servers or services that may be running on computers on your LAN (especially the one that is directly connected to the Internet). These checks are usually performed by programs that take a range of IP addresses selected by the person running the program, and look for common services like Web, mail, FTP, Telnet, pcAnywhere, or proxy servers. (Check here for a list of “well-known” TCP/IP port numbers).
If any of these (or other) services are found, the program tries to see if it can log in or otherwise gain access to that service. If it can, it flags that IP address and service to the person running the program, and what happens after that depends on what they have in mind for your system!
Your best defense against probes is to not run any servers or services that you don’t understand, or are not sure what they are used for. You also should properly secure any services that you do run. Finally, if you are a relative “newbie” and/or especially paranoid about intruders, don’t run the free Wingate 2.1d version, which is easily misconfigured and can allow intruders into your LAN.
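To see what such a probe looks like from the receiving end, here is an added example (not part of the original page) that flags any source address trying several of the services named above within a short time. The log format, the addresses, the thresholds and the port-to-service table are assumptions made for the illustration.

```python
from collections import defaultdict

# Usual TCP ports for the services the page says probes look for.
WATCHED = {21: "FTP", 23: "Telnet", 25: "mail (SMTP)", 80: "Web",
           110: "mail (POP3)", 1080: "proxy (SOCKS)", 5631: "pcAnywhere",
           8080: "proxy (HTTP)"}

# Constructed firewall log, format assumed: "HH:MM:SS ACTION source dest dest_port"
SAMPLE_LOG = """\
02:14:01 DENY 203.0.113.7 192.168.0.1 21
02:14:01 DENY 203.0.113.7 192.168.0.1 23
02:14:02 DENY 203.0.113.7 192.168.0.1 25
02:14:02 ALLOW 203.0.113.7 192.168.0.1 80
02:14:03 DENY 203.0.113.7 192.168.0.1 5631
02:14:04 DENY 203.0.113.7 192.168.0.1 8080
09:30:10 ALLOW 198.51.100.20 192.168.0.1 80
09:31:40 ALLOW 198.51.100.20 192.168.0.1 25
11:05:00 DENY 192.0.2.44 192.168.0.1 21
16:45:00 DENY 192.0.2.44 192.168.0.1 23
16:45:30 ALLOW 192.0.2.44 192.168.0.1 80
"""

def parse(line):
    """Split one log line into (seconds_since_midnight, source_ip, dest_port)."""
    stamp, _action, src, _dst, port = line.split()
    h, m, s = (int(part) for part in stamp.split(":"))
    return h * 3600 + m * 60 + s, src, int(port)

def find_probes(log_text, min_services=4, window=60):
    """Map each source that tried >= min_services watched ports within
    `window` seconds to the sorted list of ports it tried."""
    seen = defaultdict(list)                      # source -> [(time, port), ...]
    for line in filter(str.strip, log_text.splitlines()):
        when, src, port = parse(line)
        if port in WATCHED:
            seen[src].append((when, port))
    flagged = {}
    for src, events in seen.items():
        events.sort()
        for i, (start, _port) in enumerate(events):
            ports = {p for t, p in events[i:] if t - start <= window}
            if len(ports) >= min_services:        # many services, short time: a sweep
                flagged[src] = sorted(ports)
                break
    return flagged

if __name__ == "__main__":
    for src, ports in find_probes(SAMPLE_LOG).items():
        print(src, "probed", ", ".join(WATCHED[p] for p in ports))
```

An ordinary visitor who only fetches web pages or sends mail stays under the threshold; only the source that sweeps across unrelated services is reported.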
“Trojan Horses” are programs that are somehow downloaded and installed on computers in your LAN. Although physical access to the target computer is a common method of installation, these programs can be installed via network access to an unprotected shared network drive.
Back Orifice and NetBus are perhaps the most infamous in the Windows world. They can allow an unknown person to do almost anything that they want with the computer that B.O. is running on. (Check here or here for a list of port numbers commonly used by “Trojan horse” programs.)
Your best defense against B.O. and other Trojan horses is to never open any email attachments that come from people who you don’t know, or that come as part of a widely distributed or forwarded email. If in doubt about any file attachment, delete it first, and ask questions later!
Worms are self-replicating, self-propagating troublemakers that are spread through the Internet and generally don’t require any action on the part of the computer owner to be activated. All they need is an unprotected connection to the Internet.
The “netlog” worm
I recently encountered one of these in the form of the netlog worm (read about it here). I run a dialup connection that I thought I had properly secured and haven’t had any problems before now. But I had recently run a webserver log analysis that required me to keep my computer connected to the Net overnight, and had left my C drive shared with no password and had left Client for Microsoft Networks and File and Printer Sharing for MS Networks bound to my Dialup Adapter’s copy of TCP/IP. Stupid, Stupid, Stupid!
My system had been acting funny for a few days, i.e. very sluggish, slow Internet connection, the clock was losing time. I thought it was “normal” Windows stuff. On the third day, I finally decided to run the Windows System Monitor and found my Processor Usage was solidly at 100%. I closed all the programs I was running. Still at 100%. Closed all the programs on my System Tray. Still at 100%. Finally brought up the “Close Program” box and saw “Wscript” running. Killed it and the Processor Usage went to 0!
Checked my Startup folder and found a shortcut to a file called “network.vbs”. Searched my C drive and found about 5 copies of this sucker. I right-clicked on them to Edit them and found that some were the legitimate Windows Scripting Host sample program that is supplied by Microsoft as part of the Win98 Install. But the one in my startup folder started out like this:
    dim octa
    dim octb
    dim octc
    dim octd
    dim rand
    dim dot
and was not from Redmond! Needless to say, I deleted all copies of the file and immediately updated my anti-virus program DAT file (which had been recently updated to catch this worm)!
Moral of the story: Follow your own advice! <blush>
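The manual check described above (open each copy of network.vbs and compare how it starts) can be scripted. The following is an added example, not part of the original page: it walks a directory tree and separates copies whose opening statements match the six declarations quoted above from copies that start differently. The file contents in `demo()` are constructed stand-ins, and matching on the opening lines only is an assumption about what is enough to tell the copies apart.

```python
import os
import tempfile

# Opening declarations the page quotes from the copy found in the Startup folder.
NETLOG_HEAD = ["dim octa", "dim octb", "dim octc", "dim octd", "dim rand", "dim dot"]

def opening_statements(text, count):
    """Return the first `count` statements, lower-cased, skipping blanks and comments."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue
        for stmt in line.split(":"):      # VBScript allows "a : b" on one line
            stmt = " ".join(stmt.lower().split())
            if stmt:
                found.append(stmt)
    return found[:count]

def looks_like_netlog(text):
    return opening_statements(text, len(NETLOG_HEAD)) == NETLOG_HEAD

def triage(root, name="network.vbs"):
    """Walk `root` and split every file called `name` into (suspect, other) paths."""
    suspect, other = [], []
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() == name:
                path = os.path.join(folder, fname)
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(4096)  # the declarations sit at the top of the file
                (suspect if looks_like_netlog(head) else other).append(path)
    return sorted(suspect), sorted(other)

def demo():
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed file contents; no worm body is included
            "Startup": "Dim octa\nDim octb\ndim octc : dim octd\ndim rand\ndim dot\n",
            "Samples": "' constructed stand-in for a benign sample script\nDim WSHNetwork\n",
        }
        for folder, body in samples.items():
            os.makedirs(os.path.join(root, folder))
            with open(os.path.join(root, folder, "Network.vbs"), "w") as fh:
                fh.write(body)
        return tuple([os.path.basename(os.path.dirname(p)) for p in group]
                     for group in triage(root))

if __name__ == "__main__":
    print(demo())
```

A match here is only a reason to look closer; an up-to-date anti-virus scan remains the actual removal tool.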
Now that you know what you’re up against, you might want to use some of the tools on this page to help detect and remove threats to your LAN’s security.