Internet Security Guide: Firewall and VPN Support

The Internet is a two way street

The Internet has been designed in such a way that all Internet users have equal access to one another. In other words, it is a network of peers: there is no distinction between an Internet client and an Internet server. When you are accessing the Internet as a client (e.g. accessing web sites or checking your email) you may unknowingly be acting as a server yourself.

Each and every Windows workstation has a built-in file server, which many people use on their Local Area Network (LAN) to share files with other users. Without the protection of a firewall, this server may be accessible by other Internet users. All Windows workstations are now supplied with a "Personal Web Server". Many users activate this feature in order to build and test their own web sites. Often, what they don't realise is that this too is accessible to other Internet users.

Additionally there are numerous bugs and security flaws in these servers that may allow remote attackers to take control of your computer with relative ease.

How will the attacker know that I'm there?

We are all used to finding web sites, either by name or through the use of a search engine. Underlying this naming system is the IP Address system. This is the numbering system that allows clients and servers to target each other. Each Internet connected computer has its own unique IP address. Those of us browsing on the Internet don't need to know our IP address, as we are the party initiating connections to web servers, but we do have one. This IP Address will accept connections as well as make them.

A Port Scanner is a tool used by hackers and crackers to find vulnerable computers. They can have it scan thousands of IP Addresses at random in a matter of minutes. Usually, they're not looking for a specific target. Anyone will do.

The Internet currently consists of over 4 billion IP addresses. Hackers and crackers will concentrate on portions of that address space that are rich in unsecured machines. At any given time there are thousands of individual crackers running port scans of thousands of IP Addresses. If you were being port scanned while you're reading this page, you probably wouldn't know it.
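The text notes that a port scan usually goes unnoticed. The following added example (not part of the original guide) shows the defender's side: it reads constructed firewall log lines in an assumed "epoch src dst port action" format and flags any source that touches many distinct ports on one host within a short window, which is exactly the pattern a scanner leaves behind.

```python
"""Flag probable port scans in firewall log lines (added example, not the guide's code).

Assumed log format: "<epoch-seconds> <src_ip> <dst_ip> <dst_port> <action>".
"""
from collections import defaultdict

# Constructed sample: one host probing several ports, plus ordinary web traffic.
SAMPLE_LOG = """\
1000 203.0.113.5 198.51.100.10 21 DROP
1001 203.0.113.5 198.51.100.10 22 DROP
1001 203.0.113.5 198.51.100.10 23 DROP
1002 203.0.113.5 198.51.100.10 80 ACCEPT
1002 203.0.113.5 198.51.100.10 139 DROP
1003 203.0.113.5 198.51.100.10 445 DROP
1500 192.0.2.7 198.51.100.10 80 ACCEPT
1501 192.0.2.7 198.51.100.10 443 ACCEPT
"""


def parse_log(text):
    """Parse log lines into (ts, src, dst, port, action) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            events.append((int(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]))
        except ValueError:
            continue
    return events


def detect_scans(events, window=60, min_ports=5):
    """Return {(src, dst): sorted ports} for sources that hit at least `min_ports`
    distinct ports on one destination within any `window`-second sliding window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _action in events:
        by_pair[(src, dst)].append((ts, port))
    scans = {}
    for pair, hits in by_pair.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1                      # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                # accumulate every port seen in a triggering window
                scans[pair] = sorted(set(scans.get(pair, [])) | ports)
    return scans
```

Dropped and accepted packets are both counted, because a scanner that finds one open port among many closed ones still reveals itself by the breadth of its probing.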

How will the attacker break in?

That depends on your system. This is a brief and far from complete run-down:

Windows 95/98/ME:

The attacker might attack your built-in file server. Quite often Windows users will share access to their hard drive on the LAN either without a password, or with a very weak password. One great feature of Windows 9x/ME from a cracker's perspective is a complete lack of logging. An attacker can try every word in the Oxford English Dictionary as a password, and you have no logs or alerts telling you that it's happening.

The Personal Web Server of Windows 9x/ME has several bugs that may allow the attacker to read files from your hard drive or execute commands. If you are vulnerable to this, the attacker can download your encrypted password files and crack them at his leisure. This probably won't even be necessary, as he can now have your computer download backdoor software such as Back Orifice.

Windows NT/2000/XP:

As with Windows 9x, attacks against the built-in file server are possible. This should be more difficult, as both a login and a password will be required, but every Windows NT/2000/XP installation comes with an Administrator account. This is likely to be the target account for the attacker. The attacker must be more careful than he would be against a Windows 9x machine, as every failed login attempt will be logged.

Again the web server will be targeted. IIS is the NT/2000/XP web server. IIS has a long list of vulnerabilities that may allow the cracker access to or control of the system.

Linux/Unix/BSD:

The most common attacks against Unix (including Linux and the BSDs) involve the exploitation of buffer overflows in certain services. A buffer overflow occurs when a service containing a certain type of bug is sent more input than the memory buffer set aside for it can hold. Usually the aim of provoking this buffer overflow is to have the service execute commands for the attacker.

In recent years there have been bugs in the BIND DNS server, several FTP servers and the LPR print server. These packages are often installed by default on Unix systems. An unpatched Red Hat 5.x/6.x/7.x with a default installation will most likely be vulnerable to at least one of these flaws.

Surely bug-fixes and good passwords will protect me!

In an ideal world software bugs would not exist, but they do and for the time being they're here to stay.

New vulnerabilities in software are discovered on a daily basis. You would have to check the security alert lists every day to be guaranteed to be up to date.

You can only patch your software against known vulnerabilities. Quite often the hacking/cracking community knows of vulnerabilities months before the software vendor learns of them. It's not in the cracker's interest to let the rest of us know what he knows.

Minimise or Eliminate your exposure

Steps to minimise exposure:

  1. Don't run unnecessary services. If you don't need to run file-sharing, web servers and mail servers then remove them from your system. Unfortunately most operating systems come with a host of services pre-installed. You should identify which ones are of use to you and eliminate the rest.
  2. Firewall your network. A Stateful-inspection firewall can prevent unwanted connections from being accepted by your network, while allowing you full access to the Internet.
  3. Segment your network. Exposed services should not be hosted on the same network segment as non-servers (i.e. workstations). Your servers are the weakest point in your network. If they are compromised, the rest of that network segment is sure to follow. Unlike servers, non-servers can be completely protected from direct exposure. By placing them in a separate network segment, they can also be protected from your potentially compromised servers.
  4. Patch your servers. If you must expose services, patch them religiously. Subscribe to the vendor's security mailing list and other mailing lists such as SecurityFocus's BugTraq.
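To make steps 1 and 2 concrete, here is an added example (not the guide's own code) of a minimal model of a stateful-inspection firewall. It assumes a LAN address prefix and a set of deliberately exposed ports, both constructed; connections opened from the LAN are remembered so their replies get back in, while unsolicited inbound connections (such as a probe of the Windows file-sharing port) are dropped unless they target a service you chose to expose.

```python
"""Minimal stateful-inspection firewall model (added example, not the guide's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True for a connection-opening packet


class StatefulFirewall:
    def __init__(self, lan_prefix, exposed_ports=()):
        self.lan_prefix = lan_prefix              # assumed LAN prefix, e.g. "192.168.1."
        self.exposed_ports = set(exposed_ports)   # services you deliberately expose (step 1)
        self.table = set()                        # remembered flows as 4-tuples

    def is_internal(self, ip):
        return ip.startswith(self.lan_prefix)

    def filter(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet, updating the state table."""
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.is_internal(pkt.src) and not self.is_internal(pkt.dst):
            if pkt.syn:
                self.table.add(flow)             # LAN host opened a connection: remember it
            return "ACCEPT"                      # full outbound access to the Internet
        if flow in self.table or reverse in self.table:
            return "ACCEPT"                      # belongs to a connection we already know
        if pkt.syn and pkt.dport in self.exposed_ports:
            self.table.add(flow)                 # new connection to an exposed service
            return "ACCEPT"
        return "DROP"                            # unsolicited inbound traffic


def demo():
    """Constructed traffic: a browsing session, its reply, a file-sharing probe, a web hit."""
    fw = StatefulFirewall("192.168.1.", exposed_ports={80})
    out = fw.filter(Packet("192.168.1.10", 40000, "198.51.100.1", 443, syn=True))
    back = fw.filter(Packet("198.51.100.1", 443, "192.168.1.10", 40000))
    smb = fw.filter(Packet("203.0.113.5", 5555, "192.168.1.10", 139, syn=True))
    web = fw.filter(Packet("203.0.113.5", 5556, "192.168.1.20", 80, syn=True))
    return out, back, smb, web
```

A packet pretending to be a reply to a connection the LAN never opened is dropped too, which is the property that distinguishes stateful filtering from a simple port-based allow list.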