
Pretty dubious article?
In some sense, this article is about how to get around the so-called security measures provided by ISPs. In another sense, it is about how ISPs are starting to unnecessarily and, in my view, improperly, limit the use of the Internet by legitimate users for their commercial advantage.

None of the techniques I will be pointing out here are new in any sense, but they may be new to you, which is almost as good from your point of view. I didn’t first think of them and probably didn’t first implement them either. They are all well known among those who get past security. These methods should also serve as a lesson to those who try to defend systems because...

They work against your network too
Yes — that’s right. Chances are good that some of the same techniques I am listing here will work against your network. And that means that you need to watch out for them, or at least realize that they are there. Formatting of such articles can be a pain, so I have decided to go to the question and answer format used for so many years...

Q: How does this formatting work?
A: Like this.
Q: My ISP restricts port 25 outbound so I cannot do outbound email — how do I get around it?
A: Two methods come to mind. The better one is to use a ‘proxy’ server out on the Internet that translates from some other port to port 25. This will be thematic — you use some Internet server on a permitted channel to get the channel you are denied. I implemented one of these to avoid the restrictions of my temporary ISP when the @home network was brought down by its owners for financial/political gains.
Q: How do I get around the Web access restrictions that prevent me from visiting websites with words like ‘breast’ (for example when I want to know how to prepare chicken for a dinner)?
A: The first problem here is that these sites should not be restricted in the first place but are because the ISP doesn’t know better. You might try contacting the ISP and informing them a bit better. In some cases the part of the Internet you are trying to get to is simply not accessible from where you are, so you need to go somewhere else to get to it. Try a proxy Web server — a free anonymizer service would be a good example of such a provider.
Q: My ISP disconnects me every eight hours or so and my IP address keeps changing, so how can I run a server when they keep doing this?
A: ISPs don’t want you to run servers, but you can get around this by using a more dynamic domain name service than they use dynamic IP addresses. The basic trick is that your computer should come back online real quickly after it is disconnected (e.g., do a constant ping of some far-off site and as soon as it is unavailable for more than a few seconds, reconnect) and as soon as it comes back, it should update the remote domain name server with the new IP address. By configuring the DNS for short cache times (i.e. a minute), you will not get more than a minute or two of outage.
Q: How do I avoid prohibitions against inbound TCP connections?
A: Some years ago, I had legitimate cause to provide a means to access information behind a firewall from outside the firewall without the knowledge or permission of the firewall maintainer. I ended up doing everything ‘backwards’. The inside system contacted me and I entered commands to it. I used the ‘nc’ tool and a 2-line shell script on each side of the connection.
Q: How do I run an unauthorized server?
A: The easiest solution is usually to use a ‘high’ port number — something above 1024. Most systems allow traffic to be initiated inbound to TCP ports from 1024 to 65535 (don’t ask me why – mine don’t). But if this doesn’t work, there are always alternatives. The basic strategy is to figure out what’s allowed and make your server look like one of those accepted systems. I know of an email-based Web browsing service and at one time a well known security guru created an IP proxy server that ran entirely through email. It allowed any IP service to run freely.
Q: What if I don’t want my ISP to be able to sniff all my traffic?
A: It turns out that if you are sending the bits to the ISP, they will be able to observe and record them if they desire. But just because they can see them doesn’t mean that they can use them for anything worthwhile. The first strategy is encryption. Wherever possible, use encryption, and it will make the task of checking for meaningful content far more complex. The next strategy is obfuscation (even the use of the word obfuscates my meaning) which comes in the form of using tools in unexpected ways and using context to replace content. Another important technique is the use of covert channels. This can range from false DNS traffic (such as that used by some anti-virus vendors) to protocol anomalies. Next, but not last, but last for this list, steganography involves concealing information inside other information pieces like jpeg and gif images.
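The column warns that these tricks work against the reader’s own network too. As an added example (not part of the original column), here is a small analyser over constructed flow records that looks for two of the patterns above from the network owner’s side: internal hosts speaking SMTP outbound that are not the approved relay, and long-lived internal-to-external sessions on high ports, which is the shape a ‘backwards’ connection (inside host calls out, commands arrive over that link) leaves in a flow log. The record layout, the 10.0.0.0/8 address plan, the approved-relay list and the one-hour threshold are all assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed flow records (not from any real network):
# start time, source, destination, destination port, duration in seconds.
SAMPLE_FLOWS = """\
1000 10.0.0.5  198.51.100.20 25   2
1010 10.0.0.9  203.0.113.7   443  1
1020 10.0.0.23 192.0.2.77    25   3
1030 10.0.0.42 192.0.2.9     4444 7200
1040 10.0.0.9  203.0.113.7   80   1
1050 10.0.0.42 198.51.100.20 25   2
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed address plan
APPROVED_MAIL_RELAYS = {"10.0.0.5"}                 # assumed: the only host meant to send SMTP out
LONG_SESSION_SECS = 3600                            # assumed threshold for 'long-lived'

Flow = namedtuple("Flow", "start src dst dport duration")

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if fields:
            start, src, dst, dport, duration = fields
            flows.append(Flow(int(start), src, dst, int(dport), int(duration)))
    return flows

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET

def rogue_smtp_sources(flows):
    """Internal hosts sending SMTP (port 25) outbound that are not approved relays."""
    return sorted({f.src for f in flows
                   if f.dport == 25 and is_internal(f.src)
                   and f.src not in APPROVED_MAIL_RELAYS})

def long_high_port_sessions(flows):
    """Long-lived internal-to-external sessions on ports >= 1024: the shape an
    inside host leaves when it calls out and then takes commands over that link."""
    return sorted((f.src, f.dst, f.dport) for f in flows
                  if is_internal(f.src) and not is_internal(f.dst)
                  and f.dport >= 1024 and f.duration >= LONG_SESSION_SECS)

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("rogue SMTP sources:", rogue_smtp_sources(flows))            # ['10.0.0.23', '10.0.0.42']
    print("long high-port sessions:", long_high_port_sessions(flows))  # [('10.0.0.42', '192.0.2.9', 4444)]
```

The second check is deliberately coarse; on a real network it would be narrowed with an allow-list of known long-lived services (VPN, database replication) before it is useful as an alert.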


MANAGING NETWORK SECURITY

‘How to Get Around Your ISP’
Fred Cohen

Networks dominate today’s computing landscape and commercial technical protection is lagging behind attack technology. As a result, protection programme success depends more on prudent management decisions than on the selection of technical safeguards. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology.


Q: How do I keep my ISP from finding out my email passwords?
A: Since email is normally recovered using plain-text passwords via the pop3 protocol, the passwords can be easily deciphered and exploited. One solution is to refrain from using the pop3 protocol, but that is rarely an option. I use different passwords for my email accounts than for other accounts so that those passwords have limited value, and I read my email almost continuously so that having one of my passwords won’t normally prevent me from getting most of my email. It’s not perfect, but we don’t live in a perfect world. I don’t send email with this mechanism, so forgeries are easily identified.
Q: How do I get around their keystroke loggers?
A: With the increasingly small number of larger and larger ISPs and their increasing requirement that you use their software to use their network, not only might Microsoft and AOL force users away from other operating systems, they might also plant surreptitious listening devices in computers and otherwise include Trojan horses in the name of remote maintenance and assistance. The path around these even tighter controls is to use increasingly good emulations of their products. For example, SAMBA provides SMB access to allow some ISPs to think you are running Microsoft when you are running Linux. Another strategy is to use a virtual computer embedded in your regular computer. The virtual computer appears like a real computer to the software but it’s really embedded in another operating environment and allows the user to ‘tag along’ with the ‘authorized’ services.
Q: How do I do anything else like these measures?
A: The generic answer is that you (1) avoid them, (2) use an external server as an intermediary, (3) provide deceptions so that they believe you are doing what they want you to do.

Conclusions
Clearly, there are moral and contractual issues associated with the commercialization of the Internet. The corporate interests will, in time, do everything they can to get control over content, access, methods, etc. in an effort to suck every penny they can out of those who want or need what they, through monopoly, can solely provide. This is not a moral issue - it is the way the system works.

Those of us who do not command the power or the will to battle it out their way will have to find our own ways. This is not an excuse to break the law, and it is not a call for defeating protection measures used by the strong to exploit the weak. It is, rather, a call for those who wish to promote freedom of expression, to keep the good thing that the Internet is and has been, and to retain civil liberties in the information arena, to stand up for what they believe in.

I, for one, think that this should be battled out in the courts, discussed widely in the media, and taught to all who are growing up to live in the information age. It is, in my view, an issue as important to the future of humanity as freedom of speech was when the US was formed. I believe that it is more important than the so-called safety and security we gain by giving up our freedoms.

About the author:
Fred Cohen is researching information protection as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs as the Managing Director of Fred Cohen and Associates, and educating cyber-defenders over-the-Internet. He can be reached by sending email to [email protected].

However, many observers, this one included, may be excused if our first reaction is skepticism. One fervently hopes that the conversion is a sincere recognition of the huge change wrought since 11 September. The operators of critical infrastructures now face the potential for cyber-attacks against major electronic businesses and global operations. Not only has the external threat now increased, nearly all critical infrastructures at this time are heavily dependent on the security functionality inherent in the WINDOWS software environment. The prevalence of these platforms in some functions has become so dominant that some have characterized the current conditions as a “mono-culture”. As biology



E-COMMERCE: THE DARK SIDE

A Cool Day in Hades?
I am sure readers were as surprised, possibly as pleased and probably as cautious about a certain event, which may have seemed only possible, when the souls in Hades would enjoy a refreshing glass of ice water. I am referring to Microsoft’s Chairman Bill Gates’ sudden conversion to the supreme importance of information security. Yes, a terse email communiqué from the bunker chairman Bill has exhorted Microsoft’s finest, the legions of coders and developers, to assure security features are given the preference they have been so long denied. Without acknowledging the embarrassment inflicted on global E-commerce organizations by the likes of Code Red and NIMDA worms, he committed Microsoft to achieve ‘Trustworthy Computing’. Leave aside the cognitive dissonance created when the leader of a company convicted of monopolistic business practices sets an objective of being ‘trusted’, since that may be an unachievable goal. However, creating products that are worthy partners in creating and sustaining global E-commerce is a much more achievable, indeed a critical goal.


