Networks dominate today's computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection program success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.
In some sense, this article is about how to get around the so-called security measures provided by ISPs. In another sense, it is about how ISPs are starting to unnecessarily and, in my view, improperly, limit the use of the Internet by legitimate users for their commercial advantage.
None of the techniques I will be pointing out here are new in any sense, but they may be new to you, which is almost as good from your point of view. I didn't first think of them and probably didn't first implement them either. They are all well known among those who get past security.
These methods should also serve as a lesson to those who try to defend systems because...
Yes - that's right. Chances are good that some of the same techniques I am listing here will work against your network. And that means that you need to watch out for them, or at least realize that they are there.
Formatting of such articles can be a pain, so I have decided to go to the Q and A format used for so many years...
Q: How does this formatting work?
Q: My ISP restricts port 25 outbound so I cannot do outbound email - how do I get around it?
A: Two methods come to mind. The better one is to use a 'proxy' server out on the Internet that translates from some other port to port 25. This will be thematic - you use some Internet server on a permitted channel to get the channel you are denied. I implemented one of these to avoid the restrictions of my temporary ISP when the @home network was brought down by its owners for financial / political gains.
Q: How do I get around the web access restrictions that prevent me from visiting web sites with words like 'breast' (for example when I want to know how to prepare chicken for a dinner)?
A: The first problem here is that these sites should not be restricted in the first place but are because the ISP doesn't know better. You might try contacting the ISP and informing them a bit better. In some cases the part of the Internet you are trying to get to simply is not accessible from where you are, so you need to go somewhere else to get to it. Try a proxy web server - a free anonymizer service would be a good example of such a provider.
Q: My ISP disconnects me every 8 hours or so and my IP address keeps changing, so how can I run a server when they keep doing this?
A: ISPs don't want you to run servers, but you can get around this by using a domain name service that updates faster than they rotate dynamic IP addresses. The basic trick is that your computer should come back online very quickly after it is disconnected (e.g., constantly ping some far-off site and, as soon as it is unavailable for more than a few seconds, reconnect) and, as soon as it comes back, it should update the remote domain name server with the new IP address. By configuring the DNS for short cache times (i.e., a minute), you will not get more than a minute or two of outage.
Q: How do I avoid prohibitions against inbound TCP connections?
A: Some years ago, I had legitimate cause to provide a means to access information behind a firewall from outside the firewall without the knowledge or permission of the firewall maintainer. I ended up doing everything 'backwards'. The inside system contacted me and I entered commands to it. I used the 'nc' tool and a 2-line shell script on each side of the connection.
Q: How do I run an unauthorized server?
A: The easiest solution is usually to use a 'high' port number - something above 1024. Most systems allow traffic to be initiated inbound to TCP ports from 1024 to 65535 (don't ask me why - mine don't). But if this doesn't work, there are always alternatives. The basic strategy is to figure out what's allowed and make your server look like one of those things. I know of an email-based web browsing service and at one time a well known security guru created an IP proxy server that ran entirely through email. It allowed any IP service to run freely.
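The two answers above (relaying SMTP over some permitted port, parking a server on a high port) both come down to a service turning up on a port where the filter does not expect it. On the defending side the check runs the other way: compare what the first bytes of a connection look like with what the destination port is supposed to carry. The Python below is an added example, not code from this column; the port table, the banner fingerprints and the connection records are all constructed for illustration.

```python
"""Port/protocol mismatch check over connection records (added example; all
records below are constructed, not captured traffic)."""

# What the well-known ports are expected to carry. Anything not listed is
# judged on its payload alone. This table is an assumption for the example.
EXPECTED_BY_PORT = {22: "ssh", 25: "smtp", 80: "http", 110: "pop3", 443: "tls"}


def guess_protocol(first_bytes: bytes) -> str:
    """Cheap fingerprint from the first bytes seen on a connection (either
    direction): server banners and client greetings for the common services."""
    head = first_bytes[:16]
    if head.startswith(b"SSH-"):
        return "ssh"
    if head.startswith((b"220 ", b"220-", b"EHLO ", b"HELO ")):
        return "smtp"
    if head.startswith(b"+OK"):
        return "pop3"
    if head.startswith((b"GET ", b"POST ", b"HEAD ", b"HTTP/")):
        return "http"
    if len(head) >= 2 and head[0] == 0x16 and head[1] == 0x03:
        return "tls"  # TLS record type 0x16 (handshake), version major 3
    return "unknown"


def classify(flow):
    """flow = (src, dst, dport, first payload bytes). Verdicts: ok, mismatch
    (a listed port carrying another protocol) or service-on-unlisted-port
    (a recognizable service on a port that is not in the table)."""
    src, dst, dport, first = flow
    seen = guess_protocol(first)
    expected = EXPECTED_BY_PORT.get(dport)
    if seen == "unknown":
        verdict = "ok"  # cannot tell; do not alert on nothing
    elif expected is None:
        verdict = "service-on-unlisted-port"
    elif seen != expected:
        verdict = "mismatch"
    else:
        verdict = "ok"
    return {"src": src, "dst": dst, "dport": dport,
            "seen": seen, "expected": expected, "verdict": verdict}


def find_suspicious(flows):
    """Return the classified records that deserve a look."""
    return [c for c in map(classify, flows) if c["verdict"] != "ok"]


# Constructed sample: six outbound connections from three inside hosts.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", 25, b"220 mail.example.net ESMTP"),
    ("10.0.0.5", "203.0.113.9", 8080, b"220 relay.example.org ESMTP"),  # SMTP on a web-ish port
    ("10.0.0.7", "198.51.100.4", 443, b"\x16\x03\x01\x00\xa5"),
    ("10.0.0.7", "198.51.100.4", 443, b"GET / HTTP/1.1\r\n"),  # cleartext HTTP on the TLS port
    ("10.0.0.9", "192.0.2.77", 2222, b"SSH-2.0-OpenSSH_3.9"),  # SSH parked on a high port
    ("10.0.0.9", "192.0.2.77", 80, b"GET /index.html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_FLOWS):
        print(f'{hit["src"]} -> {hit["dst"]}:{hit["dport"]} looks like {hit["seen"]} '
              f'(expected {hit["expected"] or "n/a"}): {hit["verdict"]}')
```

The fingerprints are deliberately cheap and are easy to get past (anything wrapped in TLS shows up as "tls", anything unrecognized as "unknown"), so in practice this kind of check is paired with volume and duration statistics rather than used alone; its value is that it catches the plain cases the answers above describe with almost no state.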
Q: What if I don't want my ISP to be able to sniff all my traffic?
A: It turns out that if you are sending the bits to the ISP, they will be able to observe and record them if they so desire. But just because they can see them doesn't mean that they can use them for anything worthwhile. The first strategy is encryption. Wherever possible, use encryption, and it will make the task of checking for meaningful content far more complex. The next strategy is obfuscation (even the use of the word obfuscates my meaning), which comes in the form of using things in unexpected ways and using context to replace content. Another important technique is the use of covert channels. This can range from false DNS traffic (such as that used by some antivirus vendors) to protocol anomalies. Next, not last in general but last for this list, is steganography: conceal things inside other things like jpeg and gif images.
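Of the techniques just listed, the 'false DNS traffic' covert channel is the one a network operator can most readily look for, because whatever is being carried has to ride in the query names. The Python below is an added example, not from this column: it scores each DNS label by length and Shannon entropy (a host name somebody chose scores low, a hex or base32 chunk scores high) and then groups the hits by client and zone, since one odd name is noise and dozens under one zone from one client is a channel. The log line format, the thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Heuristic for DNS names that look like a data channel rather than a host
name (added example; log lines and thresholds are constructed/assumed)."""
import math
import re
from collections import Counter

# Assumed log format: "HH:MM:SS client=<ip> qtype=<type> qname=<name>"
LINE_RE = re.compile(r"client=(?P<client>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of the label's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def suspicious_labels(qname: str, min_len: int = 20, min_entropy: float = 3.0):
    """Labels long enough to carry a payload chunk and random-looking enough
    not to be a name a person chose. Thresholds are assumptions to tune."""
    return [lab for lab in qname.rstrip(".").split(".")
            if len(lab) >= min_len and shannon_entropy(lab) >= min_entropy]


def parse_dns_log(text: str):
    return [m.groupdict() for m in (LINE_RE.search(line) for line in text.splitlines()) if m]


def find_covert_candidates(text: str):
    hits = []
    for row in parse_dns_log(text):
        labs = suspicious_labels(row["qname"])
        if labs:
            hits.append({**row, "labels": labs})
    return hits


def summarize_by_client_zone(hits):
    """Count hits per (client, zone). Zone = last two labels, a crude stand-in
    for the registrable domain (assumption; a public-suffix list does it right)."""
    counts = Counter()
    for h in hits:
        parts = h["qname"].rstrip(".").split(".")
        counts[(h["client"], ".".join(parts[-2:]))] += 1
    return counts


# Constructed sample log: two ordinary clients and one host sending
# 32-character hex labels under a single zone.
SAMPLE_DNS_LOG = """\
10:00:01 client=10.0.0.5 qtype=A qname=www.example.com
10:00:02 client=10.0.0.5 qtype=A qname=mail.example.com
10:00:02 client=10.0.0.8 qtype=TXT qname=6a7f3b9c0d2e4f6a8b1c3d5e7f9a0b2c.t.example.net
10:00:03 client=10.0.0.8 qtype=TXT qname=4e2a9c1b7d8f0e3a5c6b2d9f1e4a7c8b.t.example.net
10:00:03 client=10.0.0.8 qtype=TXT qname=9b3d1f5a7c2e8d0b4f6a1c3e5d7b9f2a.t.example.net
10:00:04 client=10.0.0.5 qtype=AAAA qname=cdn.example.org
"""

if __name__ == "__main__":
    hits = find_covert_candidates(SAMPLE_DNS_LOG)
    for (client, zone), n in summarize_by_client_zone(hits).items():
        print(f"{client} sent {n} random-looking names under {zone}")
```

Entropy and length alone will also flag some legitimate traffic (content-delivery and anti-spam lookups use long hashed labels, which is exactly the antivirus case the answer mentions), so the per-client, per-zone count and a list of known zones are what turn this from a curiosity into a usable alert.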
Q: How do I keep my ISP from finding out my email passwords?
A: Since email is normally recovered using plaintext passwords via the pop3 protocol, the passwords are easily sniffable and exploitable. One solution is to not use the pop3 protocol, but that is rarely an option. I use different passwords for my email accounts than for other accounts so that those passwords have limited value, and I fetch my email almost continuously so that having one of my passwords won't normally prevent me from getting most of my email. It's not perfect, but we don't live in a perfect world. I don't send email with this mechanism, so forgeries are easily identified.
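The answer above is about what an on-path observer gets from a POP3 login. The Python below is an added example that is not part of this column: it walks a client/server transcript and reports the credential material a passive sniffer would have seen, which is the whole password for a plain USER/PASS login, only a digest for APOP (RFC 1939), and nothing at all once STLS (RFC 2595) has succeeded. The transcripts are constructed; the APOP timestamp and secret are the values used in RFC 1939's own worked example, and the `apop_digest` helper implements that RFC's definition.

```python
"""What an on-path observer learns from a POP3 login (added example; the
transcripts are constructed, the APOP sample values are RFC 1939's)."""
import hashlib


def exposed_credentials(session):
    """session: lines tagged 'C: ' (client) or 'S: ' (server), in order.
    Returns the credential material visible to a passive sniffer. Lines after
    a successful STLS are inside TLS and are skipped, since a sniffer sees
    only ciphertext from that point."""
    exposed, user, in_tls, stls_pending = [], None, False, False
    for line in session:
        who, _, text = line.partition(": ")
        if in_tls:
            continue
        if who == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd == "STLS":
                stls_pending = True
            elif cmd == "USER":
                user = arg
            elif cmd == "PASS":
                exposed.append({"kind": "cleartext-password", "user": user, "secret": arg})
            elif cmd == "APOP":
                name, _, digest = arg.partition(" ")
                # Not the password itself, but the digest can be guessed against offline.
                exposed.append({"kind": "apop-digest", "user": name, "secret": digest})
        elif who == "S" and stls_pending:
            in_tls = text.startswith("+OK")
            stls_pending = False
    return exposed


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939 section 7: MD5 of the server's timestamp banner concatenated
    with the shared secret, sent as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("ascii")).hexdigest()


# Constructed transcripts. The timestamp and secret in the APOP one are the
# values RFC 1939 uses in its own example.
SESSION_CLEAR = [
    "S: +OK POP3 server ready <1896.697170952@mail.example.net>",
    "C: USER alice",
    "S: +OK",
    "C: PASS hunter2",
    "S: +OK maildrop locked and ready",
    "C: STAT",
]
RFC_TIMESTAMP = "<1896.697170952@dbc.mtview.ca.us>"
RFC_SECRET = "tanstaaf"
SESSION_APOP = [
    f"S: +OK POP3 server ready {RFC_TIMESTAMP}",
    f"C: APOP mrose {apop_digest(RFC_TIMESTAMP, RFC_SECRET)}",
    "S: +OK maildrop has 1 message (369 octets)",
]
SESSION_STLS = [
    "S: +OK POP3 server ready <2001.1@mail.example.net>",
    "C: STLS",
    "S: +OK Begin TLS negotiation",
    "C: USER alice",  # from here on only ciphertext is on the wire
    "C: PASS hunter2",
    "S: +OK",
]

if __name__ == "__main__":
    for name, sess in (("clear", SESSION_CLEAR), ("apop", SESSION_APOP), ("stls", SESSION_STLS)):
        print(name, exposed_credentials(sess) or "nothing exposed")
```

APOP keeps the password off the wire and the timestamp prevents straight replay, but the digest can still be guessed against offline and the server has to hold the password in a form it can feed to MD5, so where the provider offers STLS or POP3 over TLS on port 995 that is the better choice; where neither is available, the per-service passwords the answer describes are what bound the damage.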
Q: How do I get around their keystroke loggers?
A: With the increasingly small number of larger and larger ISPs and their increasing requirement that you use their software to use their network, not only might Microsoft and AOL force users away from other operating systems, they might also plant surreptitious listening devices in computers and otherwise include Trojan horses in the name of remote maintenance and assistance. The path around these ever tighter controls is increasingly good emulations of their products. For example, SAMBA provides SMB access to allow some ISPs to think you are running Microsoft when you are running Linux. Another strategy is to use a virtual computer embedded in your regular computer. The virtual computer looks to the software like a real computer, but it's really embedded in another operating environment and allows the user to 'tag along' with the 'authorized' services.
Q: How do I do anything else like these things?
A: The generic answer is that you (1) avoid them, (2) use an external server as an intermediary, (3) provide deceptions so that they believe you are doing what they want you to do.
Clearly, there are moral and contractual issues associated with the commercialization of the Internet. The corporate interests will, in time, do everything they can to get control over content, access, methods, etc. in an effort to suck every penny they can out of those who want or need what they, through monopoly, can solely provide. This is not a moral issue - it is the way the system works.
Those of us who do not command the power or the will to battle it out their way will have to find our own ways. This is not an excuse to break the law, and it is not a call for defeating protection measures used by the strong to exploit the weak. It is, rather, a call for those who wish to promote freedom of expression, to keep the good thing that the Internet is and has been, and to retain civil liberties in the information arena, to stand up for what they believe in.
I, for one, think that this should be battled out in the courts, discussed widely in the media, and taught to all who are growing up to live in the information age. It is, in my view, an issue as important to the future of humanity as freedom of speech was when the United States was formed. I believe that it is more important than the so-called safety and security we gain by giving up our freedoms.
About The Author:
Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber defenders over the Internet as a practitioner in residence in the University of New Haven's Forensic Sciences Program. He can be reached by sending email to fred at all.net or visiting http://all.net/