
Practice Daemons & Dragons
A Security Primer for South African Architects with Networks

Cyberlink White Paper - 10 May 2003 v1.1

A light hearted look at prevalent Network Security problems in the South African Architectural Practice and an introduction to risk reduction systems and network monitoring devices which are economical, efficient and easy to deploy even for the small practice.

Computer Networks are fascinating things but few architects find them attractive or even important. Most who own one are seldom aware of their significance and often treat them like the rest of the wiring in the practice. After all, how big in your life are your office's DBs (distribution boards) or the telephone exchange box? 

No doubt you monitor your electricity and telephone bills, block unnecessary calls and switch off equipment when you are not using it. But how do you relate to your network? Do you even think of it?

This text presents a good case for putting your Network right on top of your list of professional priorities and concerns.

Let's briefly look at the evolution of the typical small practice network and see how it may have evolved …

The building industry slump ten years ago was so bad that you were either fired, laid off, dismissed or you had broken off that partnership that was going nowhere. So you went into private practice from the cottage at the back of the house.

You started off pushing pencil at the drawing board, producing magnificent drawings on paper and invested your entire capital in an ammonia plan printing machine that now sits in the corner stinking out the place.

Then one day you pulled off that one job that finally brought you out of the Alts & Adds limelight into the mainstream of architectural practice. You smiled for days and woke up every morning in a good mood.

Your smile quickly faded away when, at the First Consultants Meeting, you were asked which version of AutoCAD you were running, what your email address was and did you have an FTP server.

Once you got your head around the price of software, the plotter and ink cartridges, you then found out that having the "kit" was only half the problem; now you needed someone to run it, and in 1993 the only CAD-literate people were kids fresh out of Tech and Varsity. Probably 80's Goths - with an attitude, a focus on style and absolutely no sense of responsibility.

You spoke to your Bank / your parents and one day it all arrived; the PC, AutoCAD and the Goth. The plotter issue remained unresolved because that second (or third) hand plotter that you bought from your cousin's last employer didn't work and you had to find a new one later.

The whole technology episode had by then cost you an arm and a leg and probably wiped off most of your Stage 1 fees. You were behind with your deadlines (of course) and really keen to begin producing CAD drawings.

You eyed out the CAD workstation and the Goth and congratulated yourself for a job well done. You could now pump out those drawings and schedules everyone was crying out for. So you called the Goth to discuss progress and targets and discovered that he was not ready to get to work just yet. He has adjustments to do.

So you find out that the Goth needs time to "set up the system" and "connect the Internet". Producing drawings somehow doesn't appear high on the Goth's list of priorities.

Eventually the Goth settles and goes to work on your drawings and after another delay or two setting up the plotter and getting drawings to print you are finally on the way.

You succeeded in establishing an e-document producing workstation capable of handling most of your drawing requirements. You also established the Core of your Network (LAN) and the ability to join a Public Network (Internet).

Not long after you probably had to expand your work production capability and acquired two or three more CAD workstations. You probably had a few other computers doing Secretarial and Accounting functions. You had established a Practice Network and your business survival became directly dependent on the correct functioning of these systems.

I know that for many this was an uncomfortable feeling - with good reason. The introduction of a Network had pushed up capital and running costs and the practice production capability had become difficult to quantify and monitor - let alone regulate.

The moment your CAD workstation became connected to the Internet (to deliver drawings to Consultants and download virus definition files) the potential for malicious or criminal attack on the Practice became a reality. Over the years we have installed various security systems in a number of architectural practices and businesses in South Africa. In our experience there are a number of factors which impact directly on Practice Networks.

Let's look at these in more detail and see how they could be affecting your Network, your Practice and you.

The Goth Factor

Most Microsoft Windows operating systems deployed in South African Practices (i.e. Windows 98 and its relatives) allow any operator to install any software on the machine; there is no separation between an ordinary user and an administrator. Windows is Jimmy the Goth's best friend - it lets him do pretty much anything he likes.

Goths generally have a deployment priority list;

· Firstly they fluff the machine - change colour settings, themes, bells and whistles, desktop images, screensavers, sounds, arrow shapes … They can do this for a long time (under the heading of "setting up") and you will have to put a stop to it at some point. Office computers should not be fluffed by individual users - they should be left in default installation state.

· Then they customise the computer to suit their personal needs. They load their favourite programs (often games), save all their favourite web sites on Explorer and customise their email templates and often award themselves fine titles in the process - which you normally find out about in other people's offices when you see your Practice's emails signed off by Jimmy Goth, Chief IT Administrative Director.

· Jimmy has hung the machine a few times and has had to "re-install Windows", fluff and personalise the whole thing once too often. But then comes the part that he has been waiting for: connecting to the Internet. So far all that Jimmy has really done is waste a lot of time and slow down the computer with useless "utilities" and "system monitors". Once connected to the Internet the Goth will do some serious damage by downloading and installing "free" programs from the Internet - he will, in all likelihood, be completely oblivious to the damage he is doing. You will most definitely not be aware of it. 

The Download Accelerator : Software like Godzilla is effective in speeding up the download of files from the Internet. Your Goth will beam with pride when he tells you that, at great inconvenience to himself, he has now installed a download accelerator that will speed up the retrieval of drawing files from the net and thus save you lots of money on telephone charges. (He will omit to tell you that it took 4 hours of telephone time to download the software.)

The Download Accelerator is important to the Goth for one reason; he is now going to start building up his collection of MP3 music files, JPEG porn pics and a variety of disgusting videos - like on-camera suicides and dirty flicks.

But here is the catch: the free Download Accelerators you are likely to meet come bundled with SPYWARE. Your computer now has a "legal virus" installed on it: when the Goth clicked Yes to the Accelerator's Licence Agreement he consented (on your behalf) to the Trojan's installation. From that moment on your computer signals the Accelerator's owners every time it is connected to the Internet and will send private information out of your office to people you don't even know exist.

What information? How can it possibly affect you, you may well ask.

Spyware typically "mines" the system for information of a personal nature and then sends it to "Source". It does not steal your files at random and copy your My Documents folder to some remote system; it does smaller things that are more effective. It will search for email addresses and names of companies and individuals associated with them by looking in your Outlook directories or your Address book, it will find ID markers for your system and it will send these to Source. Source will add these to their email database which Bulk Junk Mailers use. 

A Trojan can also monitor the network traffic, identify IP addresses and sniff packets for trigger words; a trigger word can cause the Trojan to route copies of the packet to Source. For example, if the trigger word is "CONFIDENTIAL" and a document containing that word is sniffed out, it could be sent in its entirety to Source.

Spyware can also monitor your usage patterns, the software you use and the places you connect to. This information is sold to target marketing operations and that new breed of scum; Pirated Software Bounty Hunters.

All this happens because the Goth decided to install an Accelerator. The Accelerator will work as promised by Source - it will completely hog all network resources to itself as it turbo boosts the downloads to that specific machine alone at the cost of slowing down all other valid file transfers. Mostly it will accelerate the arrival of hundreds of spam messages selling you anything from Viagra and penis enlargers to a peek at farm animal sex. Soon, 80% of your connectivity time (and costs) will relate to the collection of unsolicited mail which is probably laced with nasty hyperlinks back to its dark origins - which can spring uglies on your system and make it hang up, misbehave or die.

P2P Networks & The Media Pirates; Now that he can hog all bandwidth to himself and speed up his downloads at your expense, Jimmy the Goth is happy. Now he can kick start his Internet exploration activities which he hides in windows under his CAD application. By Alt-tabbing between the bowels of the Internet and his drawing window, Jimmy can double up on productivity. He can download copies of illegal music CD's, entire movies, computer games and complete sets of proprietary software and (at the same time) produce your working drawings on time. To do this he needs to join a peer-to-peer network.

Jimmy does this by joining the latest "in" P2P - which involves downloading another fine piece of software from a Source that is doing something blatantly illegal; pirating and distributing illegal copies of digital media packages from people like Sony Music, Time Warner, Microsoft … The Goth takes this software and installs it on your computer.

This software opens up your computer completely to the "outside" (the entire Internet) and sections off a part of the disk space for the Goth to make his "contributions" to the network, so that your Practice becomes the proud owner of illegal pirated digital media. It also very often carries Trojan components that sift through your system and report back to Source.

The downloads available through this method are very large and may run into Gigabytes - hundreds of connectivity hours. Often they take days to complete - during that period your system is completely at the mercy of thousands of malicious Net Dwellers ready to cause chaos for no particular good reason.

Anyone who tells you different doesn't know what he's talking about.

Little Blue Friends : When the Goth gets bored with downloads they become background events to him and he then starts looking for new ways in which to deploy his technical superiority. That is usually when they go through their Little Blue Monkey phase.

Bonzo, or Bozo or whatever they call him, is a digital pet that you download from a free site and install on your computer. Mostly he just swings around the Desktop making noises and talking with an American accent, saying meaningful things like "Good Morning, Jimmy" when the Goth logs on in the morning.

When the friendly little blue monkey is not making an ass of Jimmy he is really busy behind the scenes; inspecting your system, prodding away at your network, stealing information and shipping it back to Source.

One day the Goth comes to you and informs you that he has a better job up the road for twice the salary, packs his toys and leaves. He leaves behind a completely compromised system (probably loaded with illegal software, games, Trojans, porn, etc.) that will continue to broadcast the contents of your hard drives to all and sundry for years to come. 

How does all this affect you? You decide. And a final word on the subject for all those computer literate architects who are breathing a sight of relief because they never hired anyone to do their drawings and did it all themselves; remember - there is a bit of Jimmy the Goth in all of us.


The Virus Factor

The virus factor is old news now and we are all constantly aware of its potential for damage or destruction. With most ISPs pre-screening for viruses, fewer end users are affected by the scourge. But the danger remains, and contamination through removable media (floppy disks, Zip drives and CDs) is as rife today as ever.

A more insidious method of distribution which has become commonplace is the deployment of web page driven virus delivery mechanisms. It is possible to ingest a virus into the system by simply browsing the web - and your Anti-Virus package will not necessarily pick it up.

Unrestricted access to the web often results in such incidents as "Goths" frequently visit Warez and Porn sites which are loaded with dangers.

The Trojan is possibly the most dangerous of all virus types. Trojans are generally "non-destructive" and stealthy in nature and focus on stealing data from your system without ringing alarm bells. There are thousands of Trojan variants which signature-based Anti-Virus software does not detect, and once lodged in the system they are very difficult to find and remove. It is widely rumoured (though it has never been proven) that Microsoft Windows 98 and other operating systems contain built-in "hooks" which can report to the US intelligence services when activated; there is zip you can do about it, but unless you're hiding old Bin Laden in a drawing cabinet there's not much to worry about.

The only way to detect Trojan activity effectively is to closely monitor all Network behaviour and traffic. The most effective way to render such mechanisms useless is to control network traffic with Firewalls which have been carefully and intelligently configured - in particular, ones that block outgoing connections the Practice has no business making, not just incoming ones. There is no other way.


The Cracker Factor

A Cracker is someone who aspires to Hacker status but does not have the ability or moral fibre to attain it. Crackers attack their employer's computers as a means of venting their frustrations whilst seeking to gain something from the effort. The attacks are often stupid and meaningless but sometimes do have serious consequences. The likelihood of having a true Hacker behind your CAD workstation is pretty remote. It just doesn't happen - so all you are likely to encounter is a Cracker. A Cracker is more dangerous because the potential for system damage is high and they are by definition dishonest - unlike real Hackers.

A Cracker will prod and probe all sections of the Network within his reach. He will poke about in the correspondence files, the accounts and file servers or shared directories. They often go looking for "stuff" which they can use or sell; this may be an entire contract's documentation file set - including all correspondence, all financial information, all minutes, all schedules and every single drawing on record.

A Cracker can often be spotted because he will have installed an FTP client on the machine - probably CuteFTP. He will use this to siphon off every last bit of valuable data from your practice, and he will use it again to stash this data at various free repositories around the world. That word "free" again …

It is not uncommon for a Cracker to stash tons of private and confidential drawings and documents on numerous free space servers around the world. It's his "insurance", from which he builds a personal portfolio as well as drawing libraries which he sells on CD.

Often he loses interest in them and leaves them abandoned on these free space sites - where any baby Cracker around the globe can inspect or copy them.

The Cracker's low level of computer skill and knowledge may often result in file deletions and system crashes. Such attacks seldom - if ever - enter your network from the outside; the Cracker almost always resides within the organisation.

External Crackers or Rogue Hackers, on the other hand, will enter from the outside if they need to do so. A recent attack on a client's network brought home the reality that Network security is a multi faceted issue which often defies even the most careful planning.

We now refer to the event as a Fax Attack because a Trojan virus was successfully introduced into the network via the fax modem. The attack failed because the Anti-Virus software picked it up on the next reboot and the Router Firewall blocked outgoing connections. It also failed because I (coincidentally) witnessed the event and was able to delete the Trojan in time. Had I not witnessed the event I would not have known how to block off the security crack that permitted its occurrence.

How could this happen? Technically it is quite easy and you can try it out yourself if your Practice uses a Fax Server in place of a Fax machine. If you have a PC/Laptop with a modem at hand you can test the vulnerability of your own Fax Server right now.

In Microsoft Windows you will find a program called HyperTerminal (under Accessories > Communications). Run it and dial the fax number you wish to test. One of two things will happen: the terminal will establish a data connection with the Fax Server and offer you the option of logging on to the computer, or the system will not respond and the connection will be dropped (or you may simply land in the voice mail…).

Why does this Data Communication option - which gives anybody free access to the remote computer - occur so frequently with Fax Servers in South Africa? There is an incredibly easy, simple and innocent explanation: Pacific Fax Software, which comes free with the majority of modems sold in South Africa today (56K Voice, Data, Fax modems), is the "culprit". The fax software comes with a low-security built-in BBS system for remote connectivity, and its post-installation default is to answer both Fax and Data calls. If the option to respond to Data calls is not switched off, the modem will answer Data calls and offer open entry into the system, because no password has been set by default.

The Cracker cruises into the system and simply uploads a small Trojan to the hard drive and lets Windows do the rest - before you know it the entire Network is infected and your documents have been siphoned off. Had I not seen (and heard) the Data call connect to the Fax Server I would never had worked out how the Trojan arrived on the disk drive and would have spent dozens of fruitless hours looking for answers in the network logs.

Resetting the Pacific Fax software to respond to fax calls only solved the problem quickly and easily, and we later watched as several more attempts were made to connect with Data on the same line - unsuccessfully. Why was the Network being hacked? It's a complete mystery to the architects who own the network…
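The HyperTerminal test above can be scripted so that it is repeatable (for example, after every modem or fax software change). The following is an added example, not part of the original paper and not code from any fax product: it drives a Hayes-compatible modem with AT commands, dials the number as a DATA call and reports whether the far end offers a data session. The serial port object, the canned modem replies, the BBS banner text and the telephone number are stand-ins constructed for the demo; with pyserial a real port would be `serial.Serial("COM1", 57600, timeout=3)`, which has the same `write()`/`readline()` methods (the port name and speed are assumptions about your modem). Dial only lines you own or are authorised to test.

```python
"""Scripted fax-line probe (added example). Dial a fax number as a data call:
a fax-only answerer cannot negotiate a data carrier, so the modem reports
NO CARRIER; a server still answering data calls reports CONNECT and then
talks to us, which is the exposure described in the text."""
import re
import time
from dataclasses import dataclass, field

DATA_CONNECT = re.compile(r"^CONNECT(\s+\S.*)?$")      # e.g. "CONNECT 9600"
FINAL_CODES = {"NO CARRIER", "NO DIALTONE", "NO DIAL TONE", "BUSY", "NO ANSWER", "ERROR"}
LOGIN_HINTS = ("login", "password", "user name", "name:", "enter")


@dataclass
class DialResult:
    number: str
    outcome: str                                   # "data", "declined" or "unknown"
    banner: list = field(default_factory=list)     # text the far end sent after CONNECT

    @property
    def exposed(self):
        return self.outcome == "data"

    @property
    def login_prompt_seen(self):
        text = " ".join(self.banner).lower()
        return any(hint in text for hint in LOGIN_HINTS)


def _command(port, cmd, max_lines=10):
    """Send one AT command and wait for the modem's OK/ERROR (skipping echo)."""
    port.write(cmd + b"\r")
    for _ in range(max_lines):
        line = port.readline().decode("ascii", "replace").strip()
        if line in ("OK", "ERROR"):
            return line == "OK"
    return False


def probe_fax_line(port, number, max_lines=40):
    """Dial `number` in data mode (FCLASS=0) and classify the answer."""
    result = DialResult(number, "unknown")
    if not (_command(port, b"ATZ") and _command(port, b"AT+FCLASS=0")):
        return result                              # modem not responding: say nothing either way
    port.write(b"ATDT" + number.encode("ascii") + b"\r")
    for _ in range(max_lines):
        line = port.readline().decode("ascii", "replace").strip()
        if not line or line.startswith("AT"):      # blank line or command echo
            continue
        if result.outcome == "unknown":
            if DATA_CONNECT.match(line):
                result.outcome = "data"            # a data session was offered
            elif line in FINAL_CODES:
                result.outcome = "declined"        # fax tones only, busy or no answer
                break
            continue
        result.banner.append(line)                 # connected: record what it says
        if result.login_prompt_seen:
            break                                  # enough evidence; do not log in
    if result.exposed:                             # hang up politely: guard time, escape, on-hook
        time.sleep(1.1)
        port.write(b"+++")
        time.sleep(1.1)
        port.write(b"ATH\r")
    return result


class ScriptedModem:
    """Stand-in for a serial port (constructed for this example): hands out
    canned reply lines in order, then b"" as pyserial does on read timeout."""
    def __init__(self, replies):
        self.sent, self._replies = [], list(replies)

    def write(self, data):
        self.sent.append(bytes(data))

    def readline(self):
        return self._replies.pop(0) if self._replies else b""


# Two constructed scenarios: a server still answering data calls, and one
# reset to answer fax calls only.
DATA_ANSWER = [b"OK\r\n", b"OK\r\n", b"CONNECT 9600\r\n", b"\r\n",
               b"Welcome to the remote access BBS\r\n", b"Enter password:\r\n"]
FAX_ONLY_ANSWER = [b"OK\r\n", b"OK\r\n", b"NO CARRIER\r\n"]

if __name__ == "__main__":
    for label, script in (("data calls on", DATA_ANSWER), ("fax only", FAX_ONLY_ANSWER)):
        r = probe_fax_line(ScriptedModem(script), "0115550123")   # fictional number
        print(f"{label:13}: outcome={r.outcome} exposed={r.exposed} banner={r.banner}")
```

The probe stops as soon as it sees a login-style prompt; it never attempts to log in, since the point of the test is only to learn whether the line answers data calls at all. A result of "unknown" means the local modem did not respond, not that the remote line is safe.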


The Crap Factor

Complete Rubbish And Procrastination (CRAP) is a leading cause of loss of productivity, work quality and money. Net Games, Surfing, Chatting, Gambling and Streaming Video are the most likely causes of CRAP.

Network Games Crap is the most disruptive. Flight simulators and air-battle software are the most popular, followed closely by Formula 1 racing. Today's computers have the capacity to run incredibly sophisticated multi-user games where players can compete against other players on the Local Area Network as well as the Internet.

I have been to Practices in Johannesburg where CAD workstation employees spend entire days engaged in multi-user games - arriving early to work and leaving very late. Network games have the potential to become very addictive, very quickly.

Besides having a completely undesirable impact on your Practice's productivity levels, Crap will also interfere with the function of the Network. Games generate huge amounts of real time traffic in all directions and will slow the Network down considerably.


How does all this affect you? 

You decide.

The Practice Network has become the backbone of the modern architectural Practice. Give it the time, the resources and the consideration it deserves. 

If you own a PC connected to the Internet you own a Network. It's that piece of wire going from your serial or USB port to your modem - or maybe it is even smaller than that; it's that fragment of motherboard bus that connects your CPU to your internal modem.

The moment you acquire the ability to connect a computer to the Internet that computer automatically becomes a part of the world's largest network - even if only for the duration of the call. During that period your computer and everything in it is linked to millions and millions of other computers. Anything can - and does - happen but the average user is seldom aware of it. We have seen how Jimmy the Goth made "things" happen without even trying and that is just the tip of the iceberg.

Being connected to the Internet is not simply a matter of convenience for the professional. It is a requirement. There is a need for Network awareness and control but few practices can justify the hiring of a network administrator for a handful of machines.

Someone needs to do it. If you are not fortunate enough to have a handy grown up Goth around perhaps you should consider doing it yourself or outsourcing the function to a specialist firm .


The NET Dragon Network Monitoring System

The Net Dragon Passive Monitoring System from Cyberlink South Africa is a "Practice Blackbox" which plugs into the Ethernet network and records all events and connections on a permanent or periodic basis. The Dragon Analyser (DRAGANA) chews through thousands of lines of log files and produces a short and concise report with the facts you need to understand, control and protect your Network.

One of the Dragon's strongest features is Netwatch. This is what a reviewer had to say about it on the Web.

"Paranoid people (like us) always want to know what goes on when we're not around. Monitoring network traffic is easy enough using a network sniffer, but monitoring traffic off-line is pretty difficult. Logging all traffic and then browsing through it looking for anomalies is so hard it's rarely done, and there's often no reliable way to know if strange network sessions started during the night. Since hackers/crackers usually choose to attack at night (often because they know no one is there to suspect anything), netwatch can help in detecting strange and unknown network connections.

Netwatch gives a visual look of internal and external hosts that sent or received packets since the utility was started. The hosts are coloured according to how recent their last sending or receiving of packets was. When coming to the office in the morning, a brief look at netwatch can tell you what happened when you weren't there: Which external hosts communicated with internal hosts. Maybe one of your internal hosts has a Trojan that tried to communicate with the outside without the user's knowledge?

Netwatch can also be used to monitor network traffic in real-time. Some of its interesting features include IP spoofing monitor, NetBus/Back Orifice monitor, displaying last HTTP GET command, FTP and HTTPD server types and more. 

Netwatch can also be used for special alerts: It can be configured to watch for special text in the packets or various events, and notify the operator by e-mail or via the syslog."
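To make the review concrete, here is an added example (not Cyberlink's, Net Dragon's or netwatch's own code) of the kind of off-line analysis described above, run over a constructed night's connection log. It keeps a per-host last-seen table coloured by recency, raises alerts for LAN-to-Internet sessions outside office hours and for either end sitting on a known remote-access Trojan control port, and watches outbound payload text for trigger words, the "special text" alert the review mentions and the "CONFIDENTIAL" example from the Goth Factor section. The log format, the 192.168.1.0/24 practice LAN, the 07:00 to 19:00 office hours and the trigger-word list are assumptions for the demo; 12345/tcp (NetBus) and 31337/udp (Back Orifice) are those Trojans' well-known default ports, and the public addresses come from the RFC 5737 documentation ranges.

```python
"""Off-line, netwatch-style review of a connection log (added example).
Log format, LAN range, office hours and trigger words are assumptions."""
import ipaddress
from collections import namedtuple
from datetime import datetime, timedelta

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed practice LAN
OFFICE_HOURS = (7, 19)                                   # assumed: 07:00 to 19:00
TROJAN_PORTS = {12345: "NetBus", 31337: "Back Orifice"}  # default control ports
TRIGGER_WORDS = ("CONFIDENTIAL", "TENDER")               # assumed watch list

Event = namedtuple("Event", "when src sport dst dport proto payload")

# Constructed sample log: 'date time src:port > dst:port PROTO | payload text'
LOG = """\
2003-05-09 17:55:02 192.168.1.12:1031 > 203.0.113.40:21 TCP | RETR ground-floor-plan.dwg
2003-05-09 23:41:07 192.168.1.12:1045 > 198.51.100.9:31337 UDP |
2003-05-10 02:13:40 198.51.100.77:4242 > 192.168.1.5:12345 TCP |
2003-05-10 03:02:11 192.168.1.5:1067 > 198.51.100.9:80 TCP | POST /collect CONFIDENTIAL tender figures
2003-05-10 08:05:19 192.168.1.3:1102 > 203.0.113.40:25 TCP | MAIL FROM:<office@example.co.za>
"""
NOW = datetime(2003, 5, 10, 8, 10, 0)   # "coming into the office in the morning"


def parse_line(line):
    """Turn one log line into an Event; payload is '' when nothing was captured."""
    head, _, payload = line.partition(" |")
    date, clock, src, _, dst, proto = head.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Event(datetime.strptime(date + " " + clock, "%Y-%m-%d %H:%M:%S"),
                 ipaddress.ip_address(sip), int(sport),
                 ipaddress.ip_address(dip), int(dport), proto, payload.strip())


def recency(last_seen, now):
    """netwatch-style colour for a host: how long since its last packet."""
    age = now - last_seen
    if age <= timedelta(minutes=5):
        return "green"
    if age <= timedelta(hours=1):
        return "yellow"
    return "red"


def analyse(lines, now):
    """Return ({host_ip: (last_seen, colour)}, [(when, reason), ...])."""
    last_seen, alerts = {}, []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        for ip in (ev.src, ev.dst):
            key = str(ip)
            last_seen[key] = max(last_seen.get(key, ev.when), ev.when)
        internal_src, internal_dst = ev.src in INTERNAL_NET, ev.dst in INTERNAL_NET
        crosses_boundary = internal_src != internal_dst
        in_hours = OFFICE_HOURS[0] <= ev.when.hour < OFFICE_HOURS[1]
        # 1. Any LAN<->Internet session when nobody should be in the office.
        if crosses_boundary and not in_hours:
            alerts.append((ev.when, f"after-hours session {ev.src}:{ev.sport} > {ev.dst}:{ev.dport}"))
        # 2. Either end on a known remote-access Trojan control port.
        for port in (ev.sport, ev.dport):
            if port in TROJAN_PORTS:
                alerts.append((ev.when, f"{TROJAN_PORTS[port]} control port {port} "
                                        f"in use ({ev.src} > {ev.dst})"))
        # 3. Watch-listed text leaving the LAN (netwatch's "special text" alert).
        if internal_src and not internal_dst:
            hits = [w for w in TRIGGER_WORDS if w in ev.payload.upper()]
            if hits:
                alerts.append((ev.when, f"trigger word {'/'.join(hits)} leaving the LAN "
                                        f"from {ev.src} to {ev.dst}"))
    hosts = {ip: (when, recency(when, now)) for ip, when in last_seen.items()}
    return hosts, alerts


if __name__ == "__main__":
    hosts, alerts = analyse(LOG.splitlines(), NOW)
    for ip, (when, colour) in sorted(hosts.items()):
        print(f"{colour:6} {ip:16} last seen {when}")
    for when, reason in alerts:
        print(f"ALERT {when} {reason}")
```

On the sample log the morning report shows the two hosts that spoke at 08:05 in green and everything else in red, and six alerts: the Back Orifice call-home at 23:41, the inbound NetBus connection at 02:13, the 03:02 upload that carried the word CONFIDENTIAL, and an after-hours alert for each of those three sessions. A real deployment would feed the alert list to syslog or e-mail, as the review describes for netwatch.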


 

Copyright (c) 1995-2003, Architect Africa Collective.  All rights reserved.  Johannesburg - SA
IT/Web : Cyberlink South Africa