What are the bad guys trying to do?
Some are just bored, some curious, some destructive, and some are really bad guys. These last may try to compromise your security so that they can use your computer (and your IP address or your mail ID) as the apparent source of spam or of attacks on other computers. How would you like the FBI to visit you because your IP address showed up in an attack on the SEC’s website, a corporation’s, or on a military computer?
One nice thing — if you’ve set your system up to be able to identify attacks, you’ve probably prevented most of these attacks from happening. Unless you’ve really annoyed someone in a chat room or a newsgroup, or are otherwise a target for some reason, the bad guy will usually move on when he can’t get in easily. There really is no such thing as totally secure; you just want to make the other guy decide the effort isn’t worth it.
How does he get in?
Of course, the method depends on whether the target system normally provides services (like a web server) or normally uses them. The heart of the problem: you have to be running something that allows him to get in. Unfortunately, you don’t need to have decided to do this.
For example, Frontpage98 installs the Personal Web Server by default. You can only password-protect the PWS if you’re on WinNT/2000/XP. Plus, PWS has known security holes, many of which can allow the intruder to get full access.
Or, you may be running IE and allowing Active-X applications to install automatically, or scripts to run automatically. Some of the trojans have been rewritten to install from Active-X programs which you download just by visiting their webpage. Others install via scripts on webpages. Scripts imbedded in emails and attachments to emails are more problems. Or, you may have downloaded something that had a trojan program hidden in it. All in all, you have to block out attempts and make sure you’re not listening for attempts. The firewall programs can do this.
Running web servers and ftp servers is particularly dangerous from a security point of view (and forbidden by most cable ISP’s Acceptable Use Policies for their non-commercial services).
Most of these have been proven to be subject to flaw after flaw which allow a person to jump to a command prompt on your computer. Not only are these weaknesses known, there are script tools available on the internet which will do all the work for the attacker (nicknamed a "script kiddie").
There are also a number of known security weaknesses in Internet Explorer and Netscape Navigator which can be exploited by the html code on a web page. As mentioned above, Internet Explorer uses Active-X applications that may be automatically downloaded and executed without you knowing it.
Besides their legitimate uses, these can be written to cause your integrated emailer to send an email automatically, to install a trojan program on your system, to install a virus on your system, or to crash your system. Unlike Java, which operates in a "virtual sandbox," Active-X applications have many system capabilities including writing to your drives. Javascript is not the same thing as Java, and is more similar to Active-X than to Java in its security issues. Trojan programs can also get in via email attachments.
and