| Exploit | Description | Notes |
|---|---|---|
| Null or Default Passwords | Leaving administrative passwords blank or using a default password provided by the application package. This is most common in hardware such as routers and BIOSes, though some services that run on Linux can contain default administrator passwords (Red Hat Linux does not ship with any). | (1) Commonly associated with networking hardware such as routers, firewalls, VPNs and network attached storage (NAS) appliances; (2) common in many legacy operating systems, especially OSes that bundle services, such as UNIX and Windows; (3) administrators sometimes create privileged users in a rush and leave the password null, a perfect entry point for malicious users who discover the user. |
| Default Shared Keys | Secure services sometimes package default security keys for development or evaluation testing purposes. If these keys are left unchanged and placed in a production environment on the Internet, any user with the same default keys has access to that shared-key resource, and to any sensitive information contained in it. | (1) Most common in wireless APs and preconfigured secure server appliances; (2) CIPE (refer to Chapter 6) contains a sample static key that must be changed before moving to a production environment. |
| IP Spoofing | A remote machine acts as a node on your local network, finds vulnerabilities with your servers, and installs a backdoor program or trojan to gain control over your network resources. | (1) Spoofing is quite difficult, as it involves the attacker predicting TCP/IP SYN-ACK sequence numbers to coordinate a connection to target systems, but several tools are available to assist crackers in performing such an attack; (2) depends on the target system running services (such as rsh, telnet, FTP and others) that use source-based authentication techniques, which are not usually recommended compared to PKI or other forms of cryptographic authentication as used in ssh or SSL/TLS. |
| Eavesdropping | Collecting data that passes between two active nodes on a network by eavesdropping on the connection between the two nodes. | (1) This type of attack works mostly with plain text transmission protocols such as telnet, FTP, and HTTP transfers; (2) a remote attacker must have access to a compromised system on the LAN in order to perform such an attack; usually the cracker has used an active attack (such as IP spoofing or man-in-the-middle) to compromise a system on the LAN; (3) preventative measures include services with cryptographic key exchange, one-time passwords, or encrypted authentication to prevent password snooping; strong encryption during transmission is also advised. |
| Service Vulnerabilities | An attacker finds a flaw or loophole in a service run over the Internet; through this vulnerability, the attacker compromises the entire system and any data that it may hold, and could possibly compromise other systems on the network. | (1) HTTP-based services such as CGI are vulnerable to remote command execution and even shell access. Even if the HTTP service runs as a non-privileged user such as "nobody", information such as configuration files and network maps can be read, or the attacker can start a denial of service attack which drains system resources or renders the system unavailable to other users; (2) services sometimes have vulnerabilities that go unnoticed during development and testing; these vulnerabilities (such as buffer overflows, where an attacker supplies more input than the service's addressable memory is prepared to accept) can crash the service and give the attacker an interactive command prompt from which they may execute arbitrary commands; (3) administrators should make sure that services do not run as the root user, and stay vigilant for patches and errata updates for their applications from vendors or security organizations such as CERT and CVE. |
| Application Vulnerabilities | Attackers find faults in desktop and workstation applications such as e-mail clients and execute arbitrary code, implant trojans for future compromise, or crash systems. Further exploitation can occur if the compromised workstation has administrative privileges on the rest of the network. | (1) Workstations and desktops are more prone to exploitation because workers do not have the expertise or experience to prevent or detect a compromise that an administrator running a server has; it is imperative to inform individuals of the risks they are taking when they install unauthorized software or open unsolicited mail; (2) safeguards can be implemented such that email client software does not automatically open or execute attachments. Additionally, the automatic updating of workstation software via Red Hat Network or another system management service can alleviate the burdens of multi-seat security deployments. |
| Denial of Service (DoS) Attacks | An attacker or group of attackers coordinates an attack on network or server resources by sending unauthorized packets to the target machine (either server, router, or workstation). This forces the resource to become unavailable to legitimate users. | (1) The most reported DoS case occurred in 2000, when several highly-trafficked sites were rendered unavailable by a coordinated ping flood attack using several compromised systems with high bandwidth connections acting as redirected broadcasters; (2) source packets are usually forged (as well as rebroadcast), making it difficult to trace the true source of the attack; (3) advances in ingress filtering (IETF RFC 2267) and network IDS technology assist administrators in tracking down and preventing distributed DoS attacks. |
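The third note under "Null or Default Passwords" (privileged users created in a rush with a null password) is something an administrator can audit directly. The following Python audit is an added example, not code from the Red Hat guide: it parses constructed `/etc/passwd` and `/etc/shadow` content and reports every account whose shadow password field is empty, rating UID 0 accounts as critical. Locked markers (`*`, `!`, `!!`) and real hashes are not null passwords and are left alone. The sample data and the severity labels are assumptions made for the example.

```python
"""Audit passwd/shadow content for accounts with null (empty) passwords."""

# Constructed sample files; the hash on the root line is a placeholder, not a real hash.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:0:0:emergency admin:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www:x:48:48:Apache:/var/www:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backup::19000:0:99999:7:::
alice::19000:0:99999:7:::
www:!!:19000:0:99999:7:::
"""


def parse_passwd(text):
    """Map user name -> (uid, shell) from passwd-format text; skip malformed lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = (int(uid), shell)
    return users


def parse_shadow(text):
    """Map user name -> password field (second column) from shadow-format text."""
    hashes = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def find_null_passwords(passwd_text, shadow_text):
    """Return sorted (name, uid, severity) tuples for accounts whose shadow
    password field is empty.  Accounts without a shadow entry are skipped;
    '*', '!' and '!!' mean locked and are not reported."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings = []
    for name, (uid, _shell) in users.items():
        pw = hashes.get(name)
        if pw is None:
            continue
        if pw == "":
            # A null password on a UID 0 account is the "rushed privileged user" case.
            severity = "critical" if uid == 0 else "high"
            findings.append((name, uid, severity))
    return sorted(findings)


if __name__ == "__main__":
    for name, uid, severity in find_null_passwords(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{severity}: account '{name}' (uid {uid}) has an empty password field")
```

On a real host the two strings would be read from the files themselves (the shadow file requires root to read); the parsing and the decision logic stay the same.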
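The "IP Spoofing" row and the ingress-filtering note under "Denial of Service (DoS) Attacks" describe the same defence from two sides: packets arriving from the Internet must not carry one of your own source addresses, and packets leaving your LAN must carry only your addresses, so your site can neither be impersonated nor used as a spoofing source. The Python below is an added example in the spirit of RFC 2267, not code from the Red Hat guide: it decides ACCEPT or DROP for constructed packet headers and emits the equivalent `iptables` rules. The interface names, the internal prefix (TEST-NET-1) and the sample packets are assumptions.

```python
"""RFC 2267 style ingress/egress filtering applied to constructed packet headers."""
import ipaddress

# Constructed site layout: eth0 faces the Internet, eth1 faces the LAN.
EXTERNAL_IFACE = "eth0"
INTERNAL_IFACE = "eth1"
INTERNAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")  # documentation prefix, assumed

# Constructed (interface, source address) pairs as the router would see them.
SAMPLE_PACKETS = [
    ("eth0", "203.0.113.7"),   # outside host, legitimate
    ("eth0", "192.0.2.55"),    # claims an internal address but arrives from outside
    ("eth1", "192.0.2.10"),    # internal host, legitimate
    ("eth1", "198.51.100.9"),  # foreign source leaving the LAN: we would be the spoof origin
    ("eth0", "127.0.0.1"),     # loopback address from outside: bogus
]


def ingress_verdict(iface, src):
    """Return ("ACCEPT" | "DROP", reason) for a packet with source src arriving on iface."""
    addr = ipaddress.ip_address(src)
    internal = addr in INTERNAL_PREFIX
    if iface == EXTERNAL_IFACE:
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
            return "DROP", "bogus source address from outside"
        if internal:
            return "DROP", "internal source address arriving from outside (spoofed)"
        return "ACCEPT", "external source on external interface"
    if iface == INTERNAL_IFACE:
        if not internal:
            return "DROP", "non-local source leaving the LAN (egress filtering)"
        return "ACCEPT", "local source on internal interface"
    return "DROP", "unknown interface"


def filter_packets(packets):
    """Apply ingress_verdict to every packet; returns (iface, src, verdict, reason)."""
    return [(iface, src) + ingress_verdict(iface, src) for iface, src in packets]


def iptables_rules():
    """iptables rules equivalent to ingress_verdict for a single internal prefix."""
    return [
        f"iptables -A INPUT -i {EXTERNAL_IFACE} -s {INTERNAL_PREFIX} -j DROP",
        f"iptables -A FORWARD -i {EXTERNAL_IFACE} -s {INTERNAL_PREFIX} -j DROP",
        f"iptables -A INPUT -i {EXTERNAL_IFACE} -s 127.0.0.0/8 -j DROP",
        f"iptables -A FORWARD -i {EXTERNAL_IFACE} -s 127.0.0.0/8 -j DROP",
        # Egress half: nothing leaves the LAN with a source outside our prefix.
        f"iptables -A FORWARD -i {INTERNAL_IFACE} ! -s {INTERNAL_PREFIX} -j DROP",
    ]


if __name__ == "__main__":
    for iface, src, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{iface} {src:<14} {verdict:<6} {reason}")
    print("\n".join(iptables_rules()))
```

The egress rule uses `! -s` with a single prefix; a site with several internal prefixes would instead accept each prefix explicitly and drop the remainder, since a negated match per prefix would drop everything.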
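The "Eavesdropping" row says the attack works because telnet, FTP and HTTP carry credentials in plain text. The detector below is an added example, not code from the Red Hat guide, of the kind of check a network IDS sensor on the LAN runs: it scans constructed application-layer payloads and reports which protocol and account sent a credential in the clear, while never returning the secret itself. The sample payloads (including the opaque TLS fragment) and the port-to-protocol mapping are assumptions; real telnet sessions arrive one character per segment, so the telnet pattern assumes a reassembled stream.

```python
"""Detect cleartext credentials in captured payloads; report protocol and user only."""
import base64
import re

# Constructed (destination port, payload) samples; none are from a real capture.
SAMPLE_PAYLOADS = [
    (21, b"USER alice\r\nPASS hunter2\r\n"),
    (80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic "
         + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
    (23, b"login: carol\r\nPassword: pw\r\n"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS ClientHello fragment: opaque
    (80, b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),  # no credentials
]

FTP_USER = re.compile(rb"^USER (\S+)", re.M)
FTP_PASS = re.compile(rb"^PASS \S+", re.M)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M | re.I)
TELNET_LOGIN = re.compile(rb"login: (\S+).*?Password: \S+", re.S | re.I)


def _text(raw):
    return raw.decode("ascii", errors="replace")


def find_cleartext_credentials(payloads):
    """Return (protocol, port, user) for each payload carrying a plain-text password."""
    findings = []
    for port, data in payloads:
        if port == 21 and FTP_PASS.search(data):
            m = FTP_USER.search(data)
            findings.append(("ftp", port, _text(m.group(1)) if m else "?"))
        elif port == 80:
            m = HTTP_BASIC.search(data)
            if m:
                try:
                    creds = base64.b64decode(m.group(1), validate=True)
                    user = _text(creds.split(b":", 1)[0])
                except ValueError:  # malformed base64 still counts as a Basic attempt
                    user = "?"
                findings.append(("http-basic", port, user))
        elif port == 23:
            m = TELNET_LOGIN.search(data)
            if m:
                findings.append(("telnet", port, _text(m.group(1))))
        # Other ports (e.g. 443) carry nothing this detector can read, by design.
    return findings


if __name__ == "__main__":
    for proto, port, user in find_cleartext_credentials(SAMPLE_PAYLOADS):
        print(f"cleartext {proto} credential on port {port} for user '{user}'")
```

Each finding points at a service that should be replaced by its encrypted counterpart (ssh, SFTP/FTPS, HTTPS), which is the mitigation the row's third note recommends.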