
What is an intrusion?

An intrusion, also known as a system compromise, is any security incident that involves taking control of a computer system from the owner and/or authorized administrator of the computer. This can be done by an "insider" (someone with permission to use the computer with normal user privileges) who uses a hole in some operating system to escalate their privilege level, or it can be by an "outsider" (someone on another network or perhaps even in another country) who exploits a vulnerability in an unprotected network service on the computer to gain unauthorized entry and control.

Intrusions can take many forms, including (but not limited to):

Once someone has gained elevated privileges on a computer, they often install other "Trojan horse" programs, commonly known as "root kits", that hide the intruder's presence on the system. A Trojan horse is a program that acts like a real program a user may wish to run, but also performs unauthorized actions (see CERT's "glossary of security terms").

These Trojan horse programs will make it look like nothing at all is wrong with your system, even though it may have gigabytes of pirated software installed on it, may be flooding the network and disrupting service for everyone on your local area network, or may be used silently as a "stepping stone" to break into another network at a university, government agency, or corporation.

Another common post-intrusion action is to install a sniffer or password logger, perhaps by replacing the operating system's own SSH or ftp server. This exploits trust relationships that often exist with other local or university computers (e.g., the Homer or Dante clusters), with other institutions and government agencies that you may have a research relationship with, or even with people's home computers on cable modem or DSL lines. You may not think of logging in from one computer to another as a trust relationship, but these are indeed relationships between computers that involve a level of trust (namely secret passwords, which are the first line of defense). Intruders prey on these trust relationships to extend their reach into computer networks.

Determining whether or not an intrusion has taken place is sometimes a very difficult task. Root kits and Trojan horses make the job even more difficult, and they work so well because they exploit the gap between the intruder's knowledge and that of the system administrator and users. Often the only way to know for sure whether an intrusion has occurred is to examine the network traffic external to the suspect computer system, or to examine the computer and its operating system using trusted tools (perhaps by rebooting it from a special forensic CD-ROM, or by taking the disk drive to another computer that you know is secure). UW Technology Security Operations can assist in diagnosing whether an intrusion has taken place. For assistance, schedule a security assessment, or use the Report a security incident form.
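The two preceding paragraphs describe a replaced SSH or ftp server and the need to examine a suspect system with trusted tools. The following added example (not from the original page or from UW) shows the simplest form of such a trusted-tool check: a file-integrity baseline of SHA-256 digests, sizes and permission bits, recorded while the system is known-good and then compared against the current state. The directory layout, file contents and the "sbin/sshd" name are all constructed for the demonstration; the trojaned replacement is deliberately the same size as the original so that a size-only check would miss it.

```python
"""Baseline-and-verify file integrity check (added example, constructed data)."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, size and permission bits of every regular file under root.

    Run this while the system is trusted and keep the output off the host
    (an intruder with root can otherwise edit the baseline as easily as the
    binaries)."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.lstat()
            baseline[str(path.relative_to(root))] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a stored baseline.

    Returns the paths whose content or permissions changed, paths that
    disappeared, and paths that were not present when the baseline was taken."""
    current = build_baseline(root)
    modified = [
        p for p in baseline
        if p in current
        and (current[p]["sha256"] != baseline[p]["sha256"]
             or current[p]["mode"] != baseline[p]["mode"])
    ]
    missing = [p for p in baseline if p not in current]
    unexpected = [p for p in current if p not in baseline]
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake filesystem, then swap in a
    same-size replacement for sbin/sshd and drop an extra file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "bin").mkdir()
        # Stand-ins for real binaries; contents are placeholders, not ELF files.
        (root / "sbin" / "sshd").write_bytes(b"\x7fELF original server (constructed)")
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls (constructed)")

        baseline = build_baseline(root)
        # Round-trip through JSON to mimic storing the baseline off-host.
        stored = json.loads(json.dumps(baseline))

        # Simulated post-intrusion changes: same-length replacement binary
        # (size and mode unchanged, only the digest differs) plus a new file.
        (root / "sbin" / "sshd").write_bytes(b"\x7fELF trojaned server (constructed)")
        (root / "sbin" / ".hidden").write_bytes(b"captured passwords (constructed)")

        return verify(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is only as trustworthy as the tools it runs on: on a live host, `open()` and `hashlib` read through the running kernel, and a kernel-level root kit can return the original bytes for a replaced file. That is why the text recommends booting from a forensic CD-ROM or mounting the drive on a known-clean machine before running a check like this, and why the baseline itself must be stored somewhere the intruder cannot reach.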

Other resources: