Chapter VII.3. Computer Security

Computer security is the equivalent of playing cops and robbers with a computer. On one side are the bad guys, trying to destroy, modify, or steal data. On the other side are the good guys, trying to protect that data.

In the early days of computers, the biggest threat to data was losing it through an accident. Then malicious computer hackers emerged. Unlike the original band of computer hackers, responsible for creating operating systems and language compilers, malicious hackers use their programming skills to break into computers and hurt others.

Initially these computer break-ins were more of a nuisance than a danger. Computer hackers might tie up resources, but they rarely wrecked anything except by sheer accident. In fact, many computer administrators grudgingly allowed hackers to stay on their computers as long as they didn't disturb anything, and many hackers returned the favor by warning computer system administrators of flaws in their programs that could allow less honorable hackers to sneak in and destroy files.

As more people picked up hacking skills, inevitably a small percentage of these hackers began using their skills for destructive purposes. At first, there was only the joy of crashing a computer or wrecking data for bragging rights to other hackers, but hackers soon had a new motive for breaking into computers. As more people began shopping online and more computers began storing credit card numbers and other personal information, such as Social Security numbers, hackers were now motivated by money.

Malicious hackers are bad enough, but what makes them an even greater threat is when they have the financial support and legal protection of corporations. Corporations have borrowed hacker tricks for financial purposes ranging from spying and stealing corporate secrets to flooding computers with unwanted advertising. The bad guys are no longer stereotypical computer nerds staying up late at night. Today's threats are well-financed organizations intent on breaking into computers for financial gain.

With so much money at stake, it's no surprise that one of the hottest fields of computer science is now computer security. Computer security is more than just locking doors and guarding computer rooms. Today, computer security is stopping threats, repairing damage, and hunting the criminals by using nothing more than programming skills.

Stopping Malware

One of the earliest and most prominent threats to computers is malicious software, often called malware. Malware is any program designed specifically to damage another computer, such as by erasing all its files. What makes malware particularly dangerous is that it's so common and capable of spreading without the intervention of the original programmer. The four common types of malware are

  • Viruses

  • Worms

  • Trojan horses

  • Spyware

Viruses

Computer viruses are nothing more than programs that attach themselves onto another file, such as a program or a word processor document. The virus spreads when you copy an infected file to another computer.

When a computer virus infects a file, it sometimes damages that file. What's worse is that most viruses also carry a payload. This payload can range from the harmless (such as displaying a humorous message on the screen) to the malicious (such as erasing every file stored on a hard disk). The most effective way to stop viruses is to capture one and dissect it to see how it works.

To dissect a virus (or any program), you need to use a disassembler, which essentially converts, or reverse engineers, a program into assembly language source code. By studying the assembly language code of a virus, you can understand how it works and, more importantly, how to identify the virus, essentially capturing that virus's digital fingerprint.

Capturing the digital fingerprint of a virus is crucial because that's how most antivirus programs work. Antivirus programs scan all the files on a hard disk for known signs of specific viruses. Because new variations of viruses appear every day, the database of an antivirus program must be updated constantly.
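As an added example (this code is not from the book), here is the core of a signature-based scanner of the kind the antivirus description above refers to: a tiny database of byte patterns, a function that looks for them in a memory buffer, and a file scanner that reads in chunks while carrying the tail of one chunk into the next so a pattern split across two reads is still caught. The two patterns and the sample "document" are constructed for this example and are not real virus signatures; the names scan_buffer and scan_file are my own.

```c
#include <stdio.h>
#include <string.h>

/* One entry of an antivirus signature database: a name and the byte
 * pattern captured from a dissected sample. Real databases hold far richer
 * patterns (hashes, wildcards, heuristics); this shows the core idea.
 * Both patterns below are constructed for this example, not real malware. */
struct signature {
    const char *name;
    const unsigned char *bytes;
    size_t len;
};

static const unsigned char SIG_A[] = { 0xEB, 0x1C, 0x5E, 0x8B, 0xFE, 0x33, 0xC0 };
static const unsigned char SIG_B[] = "CONSTRUCTED-WORM-MARKER";

static const struct signature DATABASE[] = {
    { "Constructed.Virus.A", SIG_A, sizeof SIG_A },
    { "Constructed.Worm.B",  SIG_B, sizeof SIG_B - 1 },   /* drop the string's NUL */
};
#define DATABASE_SIZE (sizeof DATABASE / sizeof DATABASE[0])

/* Upper bound on pattern length; a chunked scan carries this many bytes
 * minus one across reads so a pattern split by a read boundary is still seen. */
#define MAX_SIG_LEN 64

/* Return the name of the first signature found anywhere in data, or NULL.
 * memcmp rather than strstr because file contents may contain NUL bytes. */
const char *scan_buffer(const unsigned char *data, size_t len)
{
    for (size_t s = 0; s < DATABASE_SIZE; s++) {
        const struct signature *sig = &DATABASE[s];
        if (sig->len == 0 || sig->len > len)
            continue;
        for (size_t i = 0; i + sig->len <= len; i++)
            if (memcmp(data + i, sig->bytes, sig->len) == 0)
                return sig->name;
    }
    return NULL;
}

/* Scan a file of any size: read it in chunks, keeping the tail of the previous
 * chunk in front of the next one so a pattern straddling two reads still matches. */
#define CHUNK 4096
const char *scan_file(const char *path)
{
    unsigned char buf[CHUNK + MAX_SIG_LEN];
    size_t carried = 0, n;
    const char *hit = NULL;
    FILE *f = fopen(path, "rb");
    if (!f)
        return NULL;
    while (hit == NULL && (n = fread(buf + carried, 1, CHUNK, f)) > 0) {
        size_t total = carried + n;
        hit = scan_buffer(buf, total);
        size_t keep = total < MAX_SIG_LEN - 1 ? total : MAX_SIG_LEN - 1;
        memmove(buf, buf + total - keep, keep);   /* carry the tail forward */
        carried = keep;
    }
    fclose(f);
    return hit;
}

int main(void)
{
    unsigned char sample[40] = "an ordinary document";   /* constructed */
    printf("clean:    %s\n", scan_buffer(sample, sizeof sample) ? "INFECTED" : "no match");
    memcpy(sample + 24, SIG_A, sizeof SIG_A);             /* plant the pattern */
    const char *hit = scan_buffer(sample, sizeof sample);
    printf("infected: %s\n", hit ? hit : "no match");
    return 0;
}
```

The scanner is only as good as its database, which is why the text says the database must be updated constantly: a sample whose bytes are not in DATABASE is reported clean no matter what it does.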

Worms

Similar to viruses are worms. Unlike a virus, a worm doesn't need to infect a file to propagate itself. Instead, a worm can duplicate and spread to other computers all by itself. In the early days of computers, when computers were isolated from one another, the only way files could spread from one computer to another was by physically copying a file to a floppy disk and inserting that floppy disk into another computer. That's why viruses were so popular in the early days of computers.

Nowadays, most computers are connected to the Internet, so there's no need to infect any files to spread. Instead, worms can spread on their own by looking for connections to another computer and then copying themselves over that connection, such as through a group of networked computers.

There are two ways to protect a computer against a worm. First, security professionals must capture a worm and dissect it like a virus to see how the worm works. After they capture a worm's digital fingerprint, they can store this information in an antivirus program's database so it knows how to recognize and remove that particular worm.

A second way to guard against worms is to block their access to other computers over a network. The way computers connect to one another is through virtual openings, or ports. Worms simply look for open ports on an infected computer so they can travel out and infect another computer.

The simplest way to block ports on a computer is to use a special program called a firewall. Firewalls can defeat worms in two ways. First, a firewall can block a computer's ports to keep a worm from infecting the computer in the first place. If the worm has already infected the computer, a firewall can also block its ports that could allow the worm to sneak out and infect another computer.

Although you could write your own firewall in your favorite programming language, it's much easier just to use an existing firewall program and configure it properly. Configuring a firewall means defining exactly what the firewall allows and what the firewall blocks.

On the simplest level, you can tell a firewall to allow certain programs to connect over the Internet; on a more complicated level, you can configure a firewall to allow only certain types of data to pass in and out. Allowing certain data to pass through a firewall, rather than just allowing certain programs, can defeat both Trojan horses and spyware.

Trojan horses

Trojan horses are programs that masquerade as something else to entice you to copy and run them. The moment you run them, the Trojan horse unleashes its payload, which can range from attacking your hard disk to installing another program, such as a virus, on your computer. The main reason to sneak a virus or worm on a computer through a Trojan horse is to get the virus or worm past the computer's defenses.

If a firewall allows a browser to access the Internet, that browser can be used to download a Trojan horse, which the firewall will allow. However, if you configure the firewall to allow only certain data (such as Web pages) but block any other data (such as a downloaded file that might contain a Trojan horse), the firewall can protect a computer from Trojan horses.
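To make the difference between the two levels of firewall configuration concrete (allowing programs versus allowing only certain data, as described in the firewall discussion above and in the Trojan horse paragraph just before this), here is an added example that is not from the book: a small model of a firewall as three rules evaluated in order. The struct fields, the rule names (port_policy, program_policy, data_policy, firewall) and the sample connections are assumptions made for this model, not any real firewall's format.

```c
#include <stdbool.h>
#include <string.h>

/* One connection the firewall must decide on, as a simplified record.
 * The fields are assumptions for this model, not any real firewall's format. */
struct connection {
    const char *program;       /* local process behind the connection */
    bool inbound;              /* true if a remote computer started it */
    int port;                  /* port on this computer */
    const char *content_type;  /* what the payload turns out to be once inspected */
};

enum verdict { BLOCK = 0, ALLOW = 1 };

static bool in_list(const char *needle, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(needle, list[i]) == 0)
            return true;
    return false;
}

/* Rule 1 (ports): nothing may come in uninvited except to the one service this
 * computer deliberately offers (assumed here to be port 22). This alone keeps
 * a worm from reaching any other port on this computer. */
enum verdict port_policy(const struct connection *c)
{
    static const int open_ports[] = { 22 };
    if (!c->inbound)
        return ALLOW;
    for (size_t i = 0; i < sizeof open_ports / sizeof open_ports[0]; i++)
        if (c->port == open_ports[i])
            return ALLOW;
    return BLOCK;
}

/* Rule 2 (programs): only known programs may talk to the Internet. A worm's own
 * process is blocked, but the browser is free to fetch anything at all. */
enum verdict program_policy(const struct connection *c)
{
    static const char *const allowed[] = { "browser", "mail-client" };
    return in_list(c->program, allowed, 2) ? ALLOW : BLOCK;
}

/* Rule 3 (data): only web pages and mail may pass, whoever asked for them.
 * A downloaded program is blocked even when the browser requested it, which is
 * what stops a Trojan horse that arrives as a download. */
enum verdict data_policy(const struct connection *c)
{
    static const char *const allowed[] = { "text/html", "text/plain", "message/rfc822" };
    return in_list(c->content_type, allowed, 3) ? ALLOW : BLOCK;
}

/* The configured firewall: a connection must pass every rule. */
enum verdict firewall(const struct connection *c)
{
    if (port_policy(c) == BLOCK)    return BLOCK;
    if (program_policy(c) == BLOCK) return BLOCK;
    if (data_policy(c) == BLOCK)    return BLOCK;
    return ALLOW;
}
```

Evaluating a browser download of an executable shows the point of the text: program_policy lets it through because the browser is trusted, data_policy blocks it because the payload is not a web page, and the combined firewall therefore blocks it.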

One common version of a Trojan horse is a remote access Trojan, or RAT. A RAT sneaks on to a computer and then allows a hacker to control that computer remotely over a network connection. RATs are often used to steal passwords, read e-mail, and even delete files.

The two main defenses against a Trojan horse are a firewall and an antivirus program. A firewall can block a Trojan horse from getting into a computer and also keep it from communicating with another computer. An antivirus program can search for digital fingerprints of a Trojan horse and remove it.

Spyware

Spyware is a special kind of program that installs itself on a computer and connects to an outside computer over the Internet. Instead of allowing a hacker to remotely control the infected computer, spyware simply sends advertisements to it.

Seeing advertisements pop up can be annoying, but the real problem is that most spyware programs display a constant barrage of advertisements that can keep you from actually using your computer. Even worse, several spyware programs running at once can actually crash your computer.

The process of removing spyware is similar to removing other forms of malware. First, you have to get a copy of the spyware to dissect it and figure out how it works. Then, you have to write a program to detect and remove that spyware.

Like viruses that can infect multiple files, spyware often copies and hides itself in multiple locations on a hard disk. The moment you wipe out one copy of the spyware program, the other copies immediately re-infect the computer. Because spyware is motivated by advertising dollars with the support of corporations, spyware is often written by teams of professional programmers, which can make spyware particularly difficult to remove.

Stopping Hackers

Malware is a constant threat to computers that can strike at any time. Besides worrying about malware infection, computer security professionals also have to worry about the source of malware: the hackers who create it in the first place.

Unlike malware, which can behave predictably, every hacker is different and can attack a computer network from inside or outside that network. As a result, stopping computer hackers involves both programming skills and detective work at the same time.

The basic defense against a hacker is a firewall. Hackers can sneak in only through an open port on a computer, so a firewall shuts the hacker out as effectively as locking the front door. Unfortunately, although firewalls can stop worms from sneaking in, firewalls aren't as effective against hackers. That's because a hacker can always find another way into a computer network that can circumvent any firewalls.

The simplest way to circumvent a firewall is to use a computer that's already located beyond the protective firewall. This is the way insiders can break into a computer network because as employees of a company, they're already authorized to use that computer network anyway. To detect intruders on a computer network, computer security professionals have to rely on special programs known as intrusion detection systems (IDS).

Intrusion detection systems

An intrusion detection system acts like a burglar alarm. The moment the program detects suspicious activity, such as someone on the network at 2 a.m., the IDS sounds the alarm to alert a human system administrator. At this point, the system administrator's job is to study the activity on the computer network to determine whether it's a valid or a false threat.

The problem is that seemingly false threats could actually turn out to be real. Seeing an authorized user on a computer network at 2 a.m. may look suspicious, but if that authorized user regularly accesses the computer at that time of night, a system administrator may simply ignore that alert. However, a hacker could have hijacked an authorized user's ID and password to masquerade as an authorized user.

At this point, a system administrator might study the authorized user's actions to determine whether anything looks out of place, such as deleting files or accessing files in other parts of the computer that the authorized user should have no business peeking at (such as an engineer poking around the accounting department's files).

To help identify potential hackers, many system administrators rely on a special program called a honeypot, which acts like a trap to snare hackers. A honeypot creates an entirely phony part of a computer network and loads it with tempting, but fake data, such as blueprints for a new weapon, a list of Social Security numbers, or usernames and passwords of nonexistent employees.

No authorized users would ever need to browse through the fake files of a honeypot because authorized users won't know the honeypot even exists. The moment anyone accesses the phony honeypot files, the IDS can positively identify that user as an intruder.

A honeypot isolates an intruder into a fictional part of the computer network where he (or she) can't cause any damage. However, after a hacker has accessed a computer network, system administrators have two problems. One, they have to find a way to keep the intruder out. Two, they need to make sure the intruder can never get back in.
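The rules an IDS applies to the situations described above (the 2 a.m. login that may or may not be habit, the engineer poking around accounting's files, and the honeypot that gives a positive identification) can be written down directly. The following is an added example, not from the book: each parsed log event is classified into an alert level, and a batch of constructed events for a made-up user "pat" is run through the rules. The struct layout, the share paths, the honeypot location and the function names classify and count_alerts are all assumptions for this example.

```c
#include <stdbool.h>
#include <string.h>

/* One access event as an IDS sees it after parsing a log line. The fields and
 * the sample events further down are constructed for this example. */
struct access_event {
    const char *user;
    const char *department;  /* looked up from the user directory */
    int hour;                /* 0-23, when the access happened */
    const char *path;        /* file or share that was touched */
    const char *action;      /* "read", "write" or "delete" */
};

enum alert_level { NONE = 0, LOW = 1, HIGH = 2, CERTAIN = 3 };

/* The honeypot share. Nobody legitimate is ever told it exists. */
static const char HONEYPOT_PREFIX[] = "/share/projects/new-weapon/";

static bool starts_with(const char *s, const char *prefix)
{
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Which share each department owns (assumed layout). */
static const char *department_share(const char *dept)
{
    if (strcmp(dept, "engineering") == 0) return "/share/engineering/";
    if (strcmp(dept, "accounting") == 0)  return "/share/accounting/";
    return "/share/nobody/";
}

/* Classify a single event. night_owl says whether this user regularly works at
 * odd hours, which is what lets an administrator tell habit from hijack. */
enum alert_level classify(const struct access_event *e, bool night_owl)
{
    /* Honeypot access is a positive identification; no false-alarm question here. */
    if (starts_with(e->path, HONEYPOT_PREFIX))
        return CERTAIN;

    enum alert_level level = NONE;
    bool off_hours = e->hour < 6 || e->hour >= 22;
    if (off_hours && !night_owl)
        level = LOW;                       /* worth a look, probably nothing */

    /* An engineer poking around the accounting share, or vice versa. */
    bool foreign_share = starts_with(e->path, "/share/") &&
                         !starts_with(e->path, department_share(e->department));
    if (foreign_share)
        level = HIGH;

    /* Deleting files in the middle of the night should never pass quietly,
     * habit or not: that is exactly what a hijacked account would do. */
    if (off_hours && strcmp(e->action, "delete") == 0)
        level = HIGH;
    return level;
}

/* Run the rules over a batch of events and count those at or above min_level. */
size_t count_alerts(const struct access_event *events, size_t n,
                    bool night_owl, enum alert_level min_level)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (classify(&events[i], night_owl) >= min_level)
            hits++;
    return hits;
}

/* Constructed sample: one night's activity for the user "pat" in engineering. */
static const struct access_event SAMPLE[] = {
    { "pat", "engineering", 2, "/share/engineering/design.cad",        "read"   },
    { "pat", "engineering", 2, "/share/accounting/payroll.xls",        "read"   },
    { "pat", "engineering", 2, "/share/engineering/old-notes.txt",     "delete" },
    { "pat", "engineering", 3, "/share/projects/new-weapon/plans.pdf", "read"   },
};
#define SAMPLE_COUNT (sizeof SAMPLE / sizeof SAMPLE[0])
```

The first sample event is the one the text warns about: with night_owl set it is NONE, without it only LOW, so the administrator's knowledge of the user decides whether it is ignored. The honeypot event is CERTAIN regardless of any other rule, which is why honeypots are so valuable: they turn a judgement call into a positive identification.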

Rootkit detectors

After breaking into a computer network, the hacker's first goal is to plant a rootkit. A rootkit provides tools for covering the hacker's tracks to avoid detection along with providing tools for punching holes in the computer network's defenses from the inside. By installing a rootkit on a computer network, hackers ensure that if one way into the network gets discovered, they still have half a dozen other ways to get right back into that same network all over again.

Even if a honeypot isolates a hacker from sensitive areas of a network, the mere presence of a hacker means that some part of the network's defenses has been breached. To ensure that hackers can't get back into a computer, system administrators need to rely on rootkit removal programs.

Rootkit removal programs simply automate the process a computer expert would follow to look for and remove a rootkit from a network. Unfortunately, hackers develop new rootkits all the time, and one rootkit might hide in a different way than another rootkit. Rather than create a single rootkit removal program, system administrators often have to create custom rootkit removal programs.

An IDS can find a hacker, and a rootkit removal program can detect and wipe out a rootkit from a network. For many companies, those two tasks alone are enough to keep an army of programmers busy. But if a company wants to take legal action against a hacker, they'll need to provide evidence of the hacker's activities, and that evidence falls under the category of forensics.

Forensics

If you've ever accidentally deleted a file and then recovered it again, you've practiced a simple form of forensics. Basically, forensics is about finding and restoring deleted data. When hackers break into a computer network, the network often keeps track of all activity on the computer in a special file, or a log. To cover their tracks, hackers often modify this log to erase all traces of their activities on the computer network.

Of course, anything deleted on a computer can often be recovered again, so computer forensics captures and restores this information. Such forensic computer evidence can pinpoint exactly what day and time a hacker entered a computer network, what the hacker did while on the network, and which computer the hacker used to access the network. This pile of evidence can pinpoint the hacker's physical location, which the police can use to find and arrest the hacker.
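The recovery the two paragraphs above describe works because deleting data usually only marks its space as free; the bytes stay on the disk until something overwrites them. As an added example (not from the book), here is a file-carving routine: it ignores what the file system says is in use and simply searches a raw disk image for every record that starts with a known marker, so a log line a hacker removed from the file still turns up from the freed space. The disk image, the "LOG " marker, the log lines and the function names build_sample_image and carve_records are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_REC 64

/* Build a constructed raw "disk image". The first bytes hold the log file as it
 * looks now, after the hacker removed one line; further along, in space the file
 * system no longer counts as used, the old copy of that line is still present,
 * because deleting only unlinks data and does not wipe it. */
size_t build_sample_image(unsigned char *img, size_t cap)
{
    static const char live[]  = "LOG 03:12 login alice\nLOG 03:15 login bob\n";
    static const char freed[] = "LOG 03:13 login ghost-account from outside\n";
    if (cap < 128)
        return 0;
    memset(img, 0, cap);
    memcpy(img, live, sizeof live - 1);         /* the file as it is now */
    memset(img + 64, 0xA5, 8);                  /* leftover junk in free space */
    memcpy(img + 72, freed, sizeof freed - 1);  /* the deleted record's old blocks */
    return cap;
}

static int already_have(char out[][MAX_REC], size_t n, const char *rec)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(out[i], rec) == 0)
            return 1;
    return 0;
}

/* Carve every record that starts with marker out of the raw image, whether or
 * not the file system still claims it. A record runs from the marker to the
 * next newline or non-printable byte. Duplicates (the same line found in both
 * the live file and a stale copy) are reported once. Returns the count found. */
size_t carve_records(const unsigned char *image, size_t len, const char *marker,
                     char out[][MAX_REC], size_t max_out)
{
    size_t mlen = strlen(marker), found = 0;
    if (mlen == 0)
        return 0;
    for (size_t i = 0; i + mlen <= len && found < max_out; i++) {
        if (memcmp(image + i, marker, mlen) != 0)
            continue;
        char rec[MAX_REC];
        size_t r = 0;
        while (i + r < len && r < MAX_REC - 1 &&
               image[i + r] >= 0x20 && image[i + r] < 0x7F) {
            rec[r] = (char)image[i + r];
            r++;
        }
        rec[r] = '\0';
        if (r > mlen && !already_have(out, found, rec))
            strcpy(out[found++], rec);
        i += (r > 0) ? r - 1 : 0;   /* resume after this record */
    }
    return found;
}

int main(void)
{
    unsigned char img[128];
    char out[8][MAX_REC];
    build_sample_image(img, sizeof img);
    size_t n = carve_records(img, sizeof img, "LOG ", out, 8);
    for (size_t i = 0; i < n; i++)
        printf("%s\n", out[i]);   /* three lines, including the "deleted" one */
    return 0;
}
```

Reading the log file normally shows two logins; carving the whole image shows three, and the third is the one the intruder tried to hide. Real forensic tools do the same thing at much larger scale, against file-system structures rather than a single marker, and on a copy of the disk so the evidence itself is never altered.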

Computer forensics has another use in supporting criminal cases unrelated to computer hacking. Many Internet predators store e-mail and photographs of their contact with their victims, but if they suspect the police might be watching them, they'll erase this incriminating evidence off their hard disk. To recover this evidence, the police can turn to computer forensics to retrieve these missing e-mails and photographs.

Finally, computer forensics can come in handy if a hacker or malware wipes out an entire hard disk loaded with valuable files. Forensics can simply recover these files as if they were never wiped out at all.

The art of computer forensics involves low-level access to computer hardware, which means forensic practitioners are often skilled in assembly language and C programming. If the idea of combining detective work with mysteries and computer programming sounds appealing, computer forensics and computer security might be a field for you.

Secure Computing

Most computer security revolves around preventing intrusions and fixing any problems that occur because of the intrusion. Such a reactive approach is fine, but for a proactive approach that stops malware and hackers from attacking at all, programmers are learning a new field — secure computing.

The idea behind secure computing is to design computer programs with security in mind right from the start. This might seem logical until you realize that nearly all software has been developed without thinking of security at all. If anything, security has always been considered a distant afterthought.

That's one of the reasons why Microsoft Windows XP (and earlier incarnations of Windows) has proven so vulnerable to malware and hackers. Windows was designed under the assumption that only one person would use the computer and no programs (or people) would deliberately try to wreck the computer.

Then along came the first wave of computer viruses, followed by a second wave of computer worms, Trojan horses, and spyware that has cluttered and clogged most Windows computers as effectively as throwing sand and metal shavings inside a Formula One race car engine.

Now the assumption is that malware will try to take down computers and hackers will try to break into them. That's why secure computing tries to build security into a program as part of the design process. So not only must programmers learn the basics of object-oriented programming and algorithm analysis, but they must also learn the practices of secure computing as well.

Patching as an afterthought

Because so many programs were originally designed without security in mind, it's no surprise that much computer security work involves analyzing the security flaws of an existing program and then writing a patch that fixes those problems.

Every program has flaws, so every program needs patching. Armies of programmers love probing programs — especially the major ones, like Windows XP, Linux, Mac OS X, and Vista — so they can be the first one to report a possible flaw in a program. Programmers devote their time to uncovering the flaws in other programs to enhance their own reputation (which can translate into better job opportunities), but also for the sheer challenge of looking for weaknesses in other people's programs.

After someone discovers a flaw in a program, other programmers typically verify that the flaw does exist, examine how the flaw could be exploited as a security risk, and then write a software patch that fixes that problem (and hopefully doesn't introduce any new problems).

Note

Microsoft's service packs for Windows are typically one massive patch to fix numerous flaws found in Windows. Of course, people find flaws in Linux and Mac OS X regularly too, but Windows gets the most attention because it's been the dominant operating system for so many years.

Security in coding

Rather than wait for flaws to appear and then waste time patching these flaws that shouldn't have been in the program in the first place, another form of computer security involves making programs secure from the start. The idea is that if programmers focus on security when designing a program, they won't have to waste time patching up their programs later.

The first type of security involves examining the code of a program to remove any flaws. The most common type of flaw involves code that works but can be manipulated to cause an unexpected result. A common example of this type of problem is a buffer overflow.

A buffer overflow occurs when a program expects data that fits a certain size, such as accepting up to ten characters for a password. If you feed the computer data that's larger than expected, such as a 12-character password, the program should just ignore the extra two characters. However, a computer might accidentally store these extra two characters in its memory.

Normally such excess data would be harmless, but sometimes this excess data gets stored in a part of memory that contains other data that the computer uses, such as a list of tasks the computer will follow next. By flooding the computer with excess data, a hacker can literally change the computer's behavior.

One way to exploit this flaw is to shove excessive data to flood the computer's memory and then tack on an extra set of commands for the computer to follow. This tacked-on command then gets buried in the computer's memory, which causes the computer to follow those instructions. Oftentimes, those instructions tell the computer to weaken its defenses, such as opening a hole in the firewall to let the hacker into the computer.

To prevent problems such as buffer overflows, programmers need to sift through their code and make sure that their code handles unexpected data correctly rather than just dumping it anywhere in memory. Examining code can be tedious, so programmers often use special testing tools that can spot such problems automatically.
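Here is the ten-character password example from the paragraphs above written out in C, as an added example that is not from the book. Memory is modelled as a small flat array in which the byte right after the password buffer is the "action" the program follows next, standing in for the list of tasks the text describes. The vulnerable version copies without checking and lets a 12-character input change that byte; the hardened version measures the input first and rejects anything that does not fit, so the caller gets an error instead of a corrupted program state. The layout, the action codes and the function names vulnerable_store and hardened_store are assumptions for this model.

```c
#include <string.h>
#include <stdio.h>

/* A simulated slice of program memory. A real overflow overwrites whatever sits
 * after the buffer (a saved return address, a flag, the "next task" list); here
 * that neighbour is a single action byte the program consults after the password
 * is read. The slice is a flat array so the demonstration is well-defined C. */
#define PASSWORD_LEN   10
#define ACTION_OFFSET  PASSWORD_LEN     /* the byte right after the buffer */
#define MEMORY_SIZE    16

#define ACTION_LOGIN_ONLY 'L'           /* what the program intends */
#define ACTION_GRANT_ALL  'G'           /* what an overflow could turn it into */

static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* BEFORE: the classic mistake. Every byte of the input is copied into the
 * ten-byte password slot with no length check, so a twelve-character password
 * spills into the action byte next door. Returns the action the program will
 * now follow. The loop stops at the end of the array only so that this model
 * never leaves its own memory. */
char vulnerable_store(unsigned char *mem, const char *input)
{
    mem[ACTION_OFFSET] = ACTION_LOGIN_ONLY;
    for (size_t i = 0; input[i] != '\0' && i < MEMORY_SIZE; i++)
        mem[i] = (unsigned char)input[i];
    return (char)mem[ACTION_OFFSET];
}

/* AFTER: measure first, refuse anything that does not fit, and copy at most
 * PASSWORD_LEN bytes. Over-long input is an error the caller sees, not extra
 * data dumped wherever it lands. Returns 0 on success, -1 if rejected. */
int hardened_store(unsigned char *mem, const char *input)
{
    mem[ACTION_OFFSET] = ACTION_LOGIN_ONLY;
    size_t n = bounded_len(input, PASSWORD_LEN + 1);
    if (n > PASSWORD_LEN)
        return -1;
    memset(mem, 0, PASSWORD_LEN);
    memcpy(mem, input, n);
    return 0;
}

int main(void)
{
    unsigned char mem[MEMORY_SIZE];
    const char *too_long = "0123456789GX";   /* 12 characters; position 10 is 'G' */
    printf("vulnerable: action after over-long input = %c\n",
           vulnerable_store(mem, too_long));
    int rc = hardened_store(mem, too_long);
    printf("hardened:   result = %d, action = %c\n", rc, mem[ACTION_OFFSET]);
    return 0;
}
```

The fix is not clever; it is the check the text asks for, applied before the copy rather than after. The testing tools the paragraph mentions look for exactly the pattern in vulnerable_store: a copy whose length comes from the input rather than from the size of the destination.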

Note

Buffer overflow problems are especially common in programs written in C and C++. That's why more programmers are flocking to newer languages, like C# and Java, because these languages prevent buffer overflows, which can result in more secure and reliable software.

Security by design

Most security patches close common flaws in programs, but just removing these flaws is like locking a screen door to keep out intruders. A more proactive solution is to design security into a program from the beginning, which is like getting rid of a screen door and replacing it with a solid metal door instead.

The idea behind designing security into a program from the start is to anticipate possible flaws and then design the program so those types of flaws can never even appear. This is like designing banks with only one entrance to limit the number of escape routes, and designing the lobby so anyone in the bank can be seen at all times.

Because operating systems are the most common target for an attack, many operating systems include a variety of defensive mechanisms. The most common defense is to divide access to a computer into separate accounts. This is like limiting bank tellers to just handling a certain amount of money while only the bank president and a few other trusted people have actual access to the bank's vaults.

Such access control limits what people can do from within their specific account on the computer. This reduces the chance of a catastrophic accident wiping out data used by other people while also reducing the threat from hackers at the same time. If a hacker breaks into an ordinary user account, the hacker can't cause too much damage, which is like a burglar breaking into a garage but not being able to access the rest of the house.
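The account-based defense in the two paragraphs above can be shown with a small permission check in the style of Unix owner/group/other mode bits. This is an added example and not from the book: can_access decides whether an account may read or write a file, and writable_count measures how much a taken-over account could damage, which is the "burglar in the garage" limit the text describes. The accounts, the files, their modes and the two function names are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Who is asking, and what is being asked for. Modelled on Unix-style owner/
 * group/other permission bits; the accounts and files are constructed. */
struct account { int uid; int gid; };
struct file {
    const char *name;
    int owner_uid;
    int group_gid;
    unsigned mode;   /* octal, e.g. 0640 = owner rw, group r, others nothing */
};

#define PERM_READ  4u
#define PERM_WRITE 2u
#define PERM_EXEC  1u

/* The access check itself: pick the bit group that applies to this account and
 * require every requested permission to be present. uid 0 is the administrator
 * (the "bank president") and bypasses the check. */
bool can_access(const struct account *who, const struct file *f, unsigned want)
{
    if (who->uid == 0)
        return true;
    unsigned bits;
    if (who->uid == f->owner_uid)
        bits = (f->mode >> 6) & 7u;
    else if (who->gid == f->group_gid)
        bits = (f->mode >> 3) & 7u;
    else
        bits = f->mode & 7u;
    return (bits & want) == want;
}

/* How many files could this account damage (write to) if it were taken over?
 * This is the "burglar in the garage" measurement: the smaller, the better. */
size_t writable_count(const struct account *who, const struct file *files, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (can_access(who, &files[i], PERM_WRITE))
            count++;
    return count;
}

/* Constructed accounts: alice and bob are ordinary users in group 100;
 * the administrator is uid 0. */
static const struct account ALICE = { 1001, 100 };
static const struct account BOB   = { 1002, 100 };
static const struct account ADMIN = { 0, 0 };

/* Constructed file system: each user's private notes, a team report alice
 * owns and the group may read, and the system's own configuration. */
static const struct file FILES[] = {
    { "alice-notes.txt", 1001, 100, 0600 },
    { "bob-notes.txt",   1002, 100, 0600 },
    { "team-report.txt", 1001, 100, 0640 },
    { "system.conf",     0,    0,   0644 },
};
#define FILE_COUNT (sizeof FILES / sizeof FILES[0])
```

With these files, a hacker who takes over alice's account can change two files and read one more; taking over bob's account reaches even less. Only the administrator account can touch everything, which is why that account is the one to guard most carefully and use least often.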

Another common defense mechanism is data execution protection (DEP), which protects against buffer overflow attacks. Trying to wipe out all possible buffer overflow exploits may be impossible, so DEP simply tells the computer never to run any commands found in its memory buffer. Now hackers can flood the computer with all the malicious commands they want, but the computer simply refuses to run any of those commands.

One way that hackers exploit programs is that they know programs behave predictably by storing data in the same areas. So another defense mechanism is address space layout randomization (ASLR). The idea behind ASLR is to keep changing the memory addresses at which a program's code and data are placed each time it runs. If hackers or malware can't reliably predict where a program is storing specific data, they can't insert their own commands or programs into the computer to trick the computer into running those commands instead.

Computer security is actually less about protecting the physical parts of a computer and more about protecting the data stored on those computers. As individual hackers have given way to organized criminals, untrustworthy government agencies, and self-serving corporations, the field of computer security is constantly growing and changing. If there's one certainty in society, it's that crime will never go away, which means guaranteed opportunities for anyone interested in protecting computers from the prying eyes of others.
