Hacking as Warfare - PowerPoint PPT Presentation
Tony Villasenor, Director of Technical Services, GeoTrust Inc.
Slides: 35
Provided by: ton9
Learn more at: https://sites.pitt.edu

Transcript and Presenter's Notes

1
Hacking as Warfare
Tony Villasenor, Director of Technical Services, GeoTrust Inc.
Previous Posts:
  • Director, NASA Science Internet
  • Chair, Federal Network Council (CERT, etc.)
  • Architect, Russian Science Internet
  • Consultant, USAID, DOS, WHO
2
Hacking as Warfare
  • TECHNOLOGY
    • Network-based attack tools
    • Network defense tools
  • PSYCHOLOGY
    • Why do it?
  • CYBER TERRORISM
    • Terrorists
    • Terrorist sympathizers
    • Targeted countries
  • IMPACT ON CITIZENS

3
Network Security Issues
  • Part 1 of 2
  • (A Playground for Hackers)

4
Network-Based Attacks
  • Better accessibility because of the network:
    • Web sites
    • Email servers
    • File servers
    • DNS servers
    • Routers
    • Etc.

5
Web Attacks
  • Buffer Overflow: occurs when a program does not check to make sure
    the data it is putting into a space will actually fit into that
    space.
  • A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000
    that allows a remote intruder to run arbitrary code on the victim
    machine, allowing them to gain complete administrative control of the
    machine (IIS c11c bug, http://www.wiretrip.net/rfp/p/doc.asp?id=57).
  • Apache HTTP Server version 1.3.19 could allow a remote attacker to
    send an HTTP request that causes the server to crash with unexpected
    behavior.
6
Web Attacks
  • Semantic attacks
    • changing the web content subtly, thus providing false information
  • Active-X, Java cookies containing executable code (like BO2K)
  • Web Admin utilities
  • NATd servers are less visible
  • Static IP is bad! http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
  • FAQs: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

7
Examples of Web Attacks
  • Cracking Session ID numbers
    • https://www.tonybank.com/account.asp?sid=12345678
    • URL session tracking
    • Hidden form elements
    • Cookies
  • Cracking a SQL database
    • Enter an incorrect string to get an error message which shows how
      the database forms a query.
    • http://www.wiretrip.net/rfp/p/doc.asp?id=42
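The session-ID weakness on this slide (an account.asp?sid=12345678 style counter) can be caught before the application ships. What follows is an added example in Python, not code from the presentation: it flags sequential or low-entropy session identifiers in a batch of issued IDs and shows the CSPRNG-based replacement. The sample IDs, the step and entropy thresholds, and the function names are all constructed for this example.

```python
import math
import secrets
from collections import Counter

# Constructed sample: the kind of IDs a site using account.asp?sid=12345678 hands out.
SEQUENTIAL_SIDS = [str(12345670 + i) for i in range(8)]


def looks_sequential(sids, max_step=10):
    """True when the IDs are integers that advance by one small constant step."""
    try:
        values = [int(s) for s in sids]
    except ValueError:
        return False            # non-numeric tokens cannot be a plain counter
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < steps.pop() <= max_step


def entropy_bits_per_char(sids):
    """Shannon entropy of the characters in the sample; a counter scores low."""
    text = "".join(sids)
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def assess(sids):
    """Verdict on a batch of issued session IDs (thresholds are constructed)."""
    if looks_sequential(sids):
        return "weak: sequential, so neighbouring sessions are guessable"
    if entropy_bits_per_char(sids) < 3.0:
        return "weak: low character entropy"
    return "ok"


def new_session_id():
    """128 bits from the OS CSPRNG, the replacement for a counter-based sid."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    print(assess(SEQUENTIAL_SIDS))
    print(assess([new_session_id() for _ in range(8)]))
```

The entropy check is a coarse screen only; it will not catch a token that is random-looking but derived from a predictable seed, so the real fix is the `secrets`-based generator rather than a better detector.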

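The error-message probe on the previous slide works because the application builds its SQL by string concatenation and passes the database's complaint back to the user. The following is an added example (Python with sqlite3, not code from the presentation) that shows that pattern beside its hardened form; the table, rows and function names are constructed for the example.

```python
import sqlite3

SERVER_LOG = []          # stand-in for the server-side log


def log_server_side(exc):
    SERVER_LOG.append(repr(exc))


def setup_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, user TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts (user, balance) VALUES (?, ?)",
                     [("alice", 100), ("bob", 250)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, user):
    """Builds the statement by concatenation and echoes the failed SQL in the
    error: exactly the behaviour the slide's incorrect-string probe relies on."""
    sql = "SELECT balance FROM accounts WHERE user = '" + user + "'"
    try:
        row = conn.execute(sql).fetchone()
        return {"ok": True, "balance": row[0] if row else None}
    except sqlite3.Error as exc:
        return {"ok": False, "error": f"{exc} in: {sql}"}


def lookup_hardened(conn, user):
    """Parameterised query: the input is bound as data, never parsed as SQL,
    and the client only ever sees a generic failure message."""
    try:
        row = conn.execute("SELECT balance FROM accounts WHERE user = ?", (user,)).fetchone()
        return {"ok": True, "balance": row[0] if row else None}
    except sqlite3.Error as exc:
        log_server_side(exc)          # detail stays in the server log
        return {"ok": False, "error": "lookup failed"}


if __name__ == "__main__":
    db = setup_db()
    print(lookup_vulnerable(db, "bob'"))   # error text reveals the query shape
    print(lookup_hardened(db, "bob'"))     # no row, no disclosure
```

A stray quote in the input is enough to make the concatenated version fail and print its own statement; the parameterised version treats the same input as an ordinary (non-matching) user name.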
8
Examples of Web Attacks (cont.)
  • Loki
    • Uses ICMP (ping) as a tunnel for communications and control
    • See Phrack Issue 49
  • Reverse WWW Shell
    • Allows command-line access to a machine via the HTTP port
    • Requires an inside job to install/run the Reverse WWW Shell server
    • Looks like ordinary HTTP traffic, allowed by firewalls!
  • Steganography / Digital Watermarking
    • Distribute MALware by embedding code in .bmp, .jpeg or .gif images
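The covert channels listed above rely on looking like ordinary traffic, so the defender's question is what distinguishes a ping tunnel from a ping. Below is an added example in Python (not from the presentation) that flags sources whose ICMP echo traffic has the rate, payload size or size variability of a data channel. The echo records, thresholds and function name are constructed for this example.

```python
from collections import defaultdict

# Constructed ICMP echo-request records: (seconds, src, dst, payload_bytes).
# 10.0.0.5 is an ordinary ping: fixed 56-byte payload, one request per second.
# 10.0.0.9 sends a quick burst of varying payload sizes, the shape of a data tunnel.
ECHO_RECORDS = [(float(t), "10.0.0.5", "192.0.2.1", 56) for t in range(10)]
ECHO_RECORDS += [(0.2 * i, "10.0.0.9", "192.0.2.2", size) for i, size in
                 enumerate([1400, 1400, 812, 1400, 96, 1400, 1400, 1177, 1400, 1400, 1400, 233])]


def flag_icmp_tunnels(records, max_rate=4.0, max_payload=128, max_distinct_sizes=2):
    """Return {src: [reasons]} for sources whose echo traffic does not look like ping.

    Three independent signals; any one of them flags the source:
      rate              more than `max_rate` requests per second over the source's burst
      large payload     any payload above `max_payload` bytes (ping sends 56 or 64)
      variable payload  more than `max_distinct_sizes` distinct payload lengths
    """
    by_src = defaultdict(list)
    for t, src, _dst, size in records:
        by_src[src].append((t, size))
    flagged = {}
    for src, pkts in by_src.items():
        pkts.sort()
        reasons = []
        duration = max(pkts[-1][0] - pkts[0][0], 1.0)   # avoid dividing by zero
        if len(pkts) / duration > max_rate:
            reasons.append("rate")
        sizes = {size for _, size in pkts}
        if max(sizes) > max_payload:
            reasons.append("large payload")
        if len(sizes) > max_distinct_sizes:
            reasons.append("variable payload")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_icmp_tunnels(ECHO_RECORDS))
```

A tunnel that pads every packet to a ping-sized payload and paces itself will pass these three checks, which is why the slide's firewall point holds: where ICMP echo is not needed across a boundary, blocking it removes the channel outright, and where it is needed, payload content should be inspected as well as counted.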
9
Security Mavens Invaded by Trojan (1 of 2)
http://www.wired.com/news/technology/0,1282,41563,00.html
  • by Michelle Delio, 10:35 a.m. Feb. 1, 2001 PST
  • A popular Web discussion board in which the
    subject is computer security became the unwitting
    host of an attack program directed at security
    consultant firm Network Associates Wednesday
    night.
  • A cracker posted to the Bugtraq board what he
    said was a script -- computer code that would
    allow people to take advantage of a recently
    discovered hole in BIND, the software that pushes
    information across the Internet.

10
Security Mavens Invaded by Trojan (2 of 2)
  • But if someone downloaded and ran the posted
    script, it instead launched a denial of service
    attack against Network Associates (NAI) by
    sending packets of garbage information in the
    hopes of overwhelming the firm's servers.
  • Since Network Associates had already patched the
    hole, its website's performance wasn't adversely
    affected. "We have determined that a distributed
    denial of attack was directed at NAI last night,"
    an NAI spokeswoman said, "but no penetration to
    the corporate network took place. We are
    continuing to investigate the origin of this
    attack." NAI was the first to raise the alarm
    over the BIND exploit, and Bugtraq spokesperson
    Elias Levy said he assumes that the attack was
    intended to see if NAI had practiced what they
    preached and patched the hole.

11
Information Security Magazine (Oct. 2001)
http://www.infosecuritymag.com/articles/october01/images/survey.pdf
  • Survey Finds Web Server Attacks Doubled in 2001
  • By Amy Newman
  • October 10, 2001
  • IT and computer security magazine Information
    Security this week released the findings of its
    2001 Information Security Industry Survey. The
    survey was co-sponsored by TruSecure Corp.
    (Information Security's parent company) and
    Predictive Systems.
  • Despite enterprises' claims of increased
    corporate spending on computer security, survey
    results revealed that cyber attacks and viruses
    have continued to impact organizations with
    alarming frequency.

12
Information Security Magazine (Oct. 2001)
  • Almost half of the more than 2,500 organizations
    surveyed were hit by a Web server attack in 2001,
    nearly double the number hit in 2000. Viruses,
    worms, Trojan horses, and other "malware"
    infected 90 percent of these organizations, even
    with antivirus protection in place in 88 percent
    of those surveyed.
  • "The survey proves just how pervasive and serious
    attacks like Code Red and Nimda are," said Andy
    Briney, editor in chief of Information Security
    and lead analyst of the survey.
  • "Even 'security-aware' organizations are being
    attacked on all sides, both internally and
    externally," Briney added.
  • One cure for those hit by both Code Red and Nimda
    may be migration to a Web server other than IIS.
    An advisory issued by Gartner last month
    recommended that enterprises hit by both Code Red
    and Nimda begin investigating alternatives to the
    popular Microsoft product, such as moving Web
    applications to less-vulnerable Web server
    products.

13
E-Mail Attacks
  • Email bombing
    • repeatedly sending an identical email message to a particular
      address.
    • http://www.cert.org/tech_tips/email_bombing_spamming.html
  • MALware Attachments
    • worms, viruses, trojan horses, etc.
  • SPAM
    • Unsolicited junk mail
    • At sites with mailers that permit relaying
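Email bombing as defined above (many identical copies to one address) is easy to spot in the mail log once messages are grouped by sender, recipient and body hash. The following is an added example in Python, not code from the presentation; the log format, the sample lines and the window and threshold values are all constructed for the example.

```python
import bisect
import re
from collections import defaultdict

# Constructed MTA log lines; the format is invented for this example:
#   <epoch-seconds> from=<sender> to=<recipient> size=<bytes> body=<hash-prefix>
MAIL_LOG = """\
1000 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1003 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1004 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1005 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1006 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1007 from=joe@example.net to=helpdesk@example.com size=2048 body=4f2a
1100 from=ann@example.org to=helpdesk@example.com size=913 body=9c10
1200 from=joe@example.net to=sales@example.com size=700 body=77e1
"""
LINE_RE = re.compile(r"^(\d+) from=(\S+) to=(\S+) size=(\d+) body=(\w+)$")


def parse_log(text):
    """Return [(time, sender, recipient, size, body_hash)]; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, frm, to, size, body = m.groups()
            entries.append((int(t), frm, to, int(size), body))
    return entries


def find_bombing(entries, window=300, threshold=5):
    """Flag (sender, recipient, body) groups with at least `threshold` identical
    copies arriving inside any `window`-second span."""
    groups = defaultdict(list)
    for t, frm, to, _size, body in entries:
        groups[(frm, to, body)].append(t)
    hits = []
    for (frm, to, body), times in groups.items():
        times.sort()
        # for each copy, count the copies that arrive within `window` seconds of it
        best = max(bisect.bisect_right(times, t + window) - i for i, t in enumerate(times))
        if best >= threshold:
            hits.append({"from": frm, "to": to, "body": body, "copies": best})
    return hits


if __name__ == "__main__":
    for hit in find_bombing(parse_log(MAIL_LOG)):
        print(hit)
```

Grouping on a body hash rather than the subject line matters because the copies in a bombing run are byte-identical while the envelope sender is easy to vary; a production rule would also key on the connecting client address from the same log line.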

14
E-Mail Attacks
  • RTF files are ASCII text files and include
    embedded formatting commands. RTF files do not
    contain macros and cannot be infected with a
    macro virus.
  • An MP3 file consists of highly compressed audio
    tracks. MP3 files are not programs, and viruses
    cannot infect them.

15
SPAM Control
  • Three rules for controlling SPAM; this code is inserted in the
    sendmail.cf file (the left-hand and right-hand side of each R line
    must be separated by a tab):

    Scheck_rcpt
    # anything terminating locally is ok
    R$+ < @ $=w . >         $@ OK
    # anything originating locally is ok
    R$*                     $: $(dequote "" $&{client_name} $)
    R$=w                    $@ OK
    R$@                     $@ OK
    # anything else is bogus
    R$*                     $#error $: "550 Relaying Denied"
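The decision the ruleset above encodes (accept mail for our own hosts, accept mail from our own hosts, refuse everything else) is worth seeing as plain logic. Below is an added example in Python, not code from the presentation or from sendmail, that applies the same three rules in the same order to a batch of constructed RCPT attempts. The local host list, the attempts and the function names are assumptions for the example.

```python
# Hosts this MTA considers its own (the role of sendmail's class w, $=w); constructed names.
LOCAL_HOSTS = {"mail.example.com", "example.com", "localhost"}


def split_rcpt(rcpt):
    """'<user@host>' -> (user, host); a bare local name has host ''."""
    addr = rcpt.strip().strip("<>")
    if "@" not in addr:
        return addr, ""
    user, _, host = addr.rpartition("@")
    return user, host.lower().rstrip(".")


def check_rcpt(rcpt, client_name, local_hosts=LOCAL_HOSTS):
    """Relay decision in the order of the slide's ruleset."""
    _, host = split_rcpt(rcpt)
    # anything terminating locally is ok   (R$+ < @ $=w . >   $@ OK)
    if host == "" or host in local_hosts:
        return "OK"
    # anything originating locally is ok   (R$=w  $@ OK; R$@  $@ OK when no client name)
    client = client_name.strip().lower().rstrip(".")
    if client == "" or client in local_hosts:
        return "OK"
    # anything else is bogus
    return "550 Relaying Denied"


# Constructed RCPT attempts: (recipient, resolved name of the connecting client)
ATTEMPTS = [
    ("<alice@example.com>", "smtp.other.example.net"),             # inbound mail: accept
    ("<bob@victim.example.org>", "mail.example.com"),               # our own host sending out: accept
    ("<bob@victim.example.org>", "open-relay-probe.example.net"),   # third party through us: refuse
    ("<bob@victim.example.org>", ""),                               # local submission, no client: accept
]


def audit(attempts):
    """Return [(rcpt, client, verdict)] for review."""
    return [(r, c, check_rcpt(r, c)) for r, c in attempts]


if __name__ == "__main__":
    for row in audit(ATTEMPTS):
        print(row)
```

The "originating locally" test keys on the client's host name, which comes from reverse DNS that the connecting side's network controls; that is why later sendmail releases pair this ruleset with the access database and SMTP AUTH instead of trusting the name alone.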

16
Network Attacks
  • DOS, DDoS: coordinated attack by one or multiple sources
    • SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
    • Aided by the proliferation of DSL home users
  • DNS, BIND
    • Redirection: the site you're on is not really the site you think
      you're on!
    • Vulnerability in BIND allows a remote user to gain privileged
      access
  • Routers
    • Change routing information to disable a network
    • Cisco's IOS proliferates across the worldwide backbone of the
      Internet
  • Sniffers
    • examine network traffic going to and from other machines
    • gather usernames and passwords
    • capture electronic mail

17
Network Attacks (cont.)
  • Firewalls
  • IDS, HoneyPots, SATAN, vulnerability scanners
  • http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
  • Tripwire to detect configuration changes

18
Example DOS
http://www.cert.org/tech_tips/denial_of_service.html
  • Denial-of-Service attacks are most frequently
    executed against network connectivity. The goal
    is to prevent hosts or networks from
    communicating over the network. A description of
    how this can occur is at
    http://www.cert.org/advisories/CA-1996-21.html
  • In this case, the hacker begins the process of
    connecting to the victim machine, but in such a
    way as to PREVENT the completion of the
    connection. Since the victim machine has a
    limited number of data structures for
    connections, the result is that legitimate
    connections are denied while the victim machine
    is waiting to complete bogus half-open
    connections.

19
Example DOS (cont.)
  • This type of attack does not depend on the
    attacker being able to consume your network
    bandwidth. Here, the intruder is consuming
    kernel data structures involved in establishing a
    network connection. The implication is that an
    intruder can execute this attack from just a
    dial-up connection against a machine on a very
    fast network.
  • An intruder may also be able to consume all the
    available bandwidth on your network by generating
    a large number of packets directed to your
    network. Typically, these packets are ICMP ECHO
    packets, but in principle could be anything
    (smurfing). Further, the intruder need not be
    operating from a single machine; he may be able
    to coordinate or co-opt several machines on
    different networks to achieve the same effect;
    hence, DDoS.
  • In addition to network bandwidth, intruders could
    consume other resources; for example, anything
    that allows data to be written to disk can be
    used to execute a DOS attack if there are no
    bounds on the amount of data that could be
    written.
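The point of the two slides above is that a SYN flood exhausts a bounded kernel table, not bandwidth, so a handful of unfinished handshakes are enough. Here is an added example in Python (not code from the presentation or from CERT) that models a listening socket's half-open table with a deliberately tiny backlog, replays a constructed packet trace through it, and shows the detection-side count of unfinished handshakes per source. The backlog size, addresses, trace and names are constructed for the example.

```python
from collections import Counter

BACKLOG = 4   # constructed: a tiny pending-connection queue so the effect is visible


class ListenSocket:
    """Minimal model of a listening TCP socket's half-open connection table."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> "SYN_RCVD"
        self.established = []
        self.dropped = 0

    def on_syn(self, src):
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # no data structure left; the SYN is lost
            return "SYN dropped: queue full"
        self.half_open[src] = "SYN_RCVD"
        return "SYN-ACK sent"

    def on_ack(self, src):
        if src in self.half_open:
            del self.half_open[src]
            self.established.append(src)
            return "ESTABLISHED"
        return "ignored"


def replay(sock, packets):
    """packets: [((src_ip, src_port), 'SYN' | 'ACK')]; returns the per-packet outcome."""
    return [sock.on_syn(src) if flag == "SYN" else sock.on_ack(src) for src, flag in packets]


# Constructed trace: four handshakes from one address are never completed,
# then a legitimate client tries to connect.
TRACE = [(("203.0.113.9", 40000 + i), "SYN") for i in range(4)]
TRACE += [(("198.51.100.7", 51000), "SYN"), (("198.51.100.7", 51000), "ACK")]


def unfinished_handshakes(packets, max_unfinished=3):
    """Detection side: SYNs per source IP that were never followed by an ACK."""
    pending = Counter()
    for (ip, _port), flag in packets:
        if flag == "SYN":
            pending[ip] += 1
        elif flag == "ACK" and pending[ip] > 0:
            pending[ip] -= 1
    return {ip: n for ip, n in pending.items() if n > max_unfinished}


if __name__ == "__main__":
    sock = ListenSocket()
    for pkt, outcome in zip(TRACE, replay(sock, TRACE)):
        print(pkt, "->", outcome)
    print("unfinished handshakes:", unfinished_handshakes(TRACE))
```

Four packets from a dial-up link are enough to shut the legitimate client out, which is the slide's claim. The per-source counter is only a first cut: a flood with spoofed source addresses spreads the count across many IPs, which is why hosts add half-open timeouts and SYN cookies rather than relying on source-based detection.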

20
Denial of Service Attacks
http://www.cert.org/present/cert-overview-trends/sld001.htm
  • Make networks or hosts unusable
  • Disrupt services
  • Difficult or impossible to locate the source
  • Becoming very popular with attackers, especially against:
    • IRC sites
    • Controversial sites or services
  • Bottom Line: COSTLY!

21
Back Orifice 2000
http://www.commandcom.com/virus/backorifice2000.html
  • Ping and query the server
  • Reboot or lock up the system
  • List cached and screen saver passwords
  • Display system information
  • Log keystrokes, view the keystroke log and delete
    the keystroke log
  • Display a message box
  • Map a port to another IP address, application,
    HTTP file server, or filename
  • List ports mapped by BackOrifice 2000
  • Send a file through another port
  • Share a drive, unshare a drive, list shared
    drives, list shared devices on a LAN, map a
    shared device, unmap a shared device and list all
    connections

22
Back Orifice 2000 (cont.)
  • List current processes, kill a process and start
    a process
  • View and edit the registry - create a key, set a
    value, get a value, delete a key, delete a value,
    rename a key, rename a value, enumerate keys and
    enumerate values
  • Video and audio capture and playback
  • Capture a screen shot
  • File and directory commands - list directory,
    find file, delete file, view file, move file,
    rename file, copy file, make directory, remove
    directory and set file attributes
  • Receive and send files
  • Compress and uncompress files
  • Resolve host name and address
  • Server control - shutdown server, restart server,
    load plug-in, remove plug-in and list plug-ins

23
Intruder Detection Checklist
http://www.cert.org/tech_tips/intruder_detection_checklist.html
  • Look for Signs That Your System May Have Been Compromised
    1. Examine log files
    2. Look for setuid and setgid files
    3. Check system binaries
    4. Check for packet sniffers
    5. Examine files run by 'cron' and 'at'
    6. Check for unauthorized services
    7. Examine /etc/passwd file
    8. Check system and network configuration
    9. Look everywhere for unusual or hidden files
    10. Examine all machines on the local network
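Three of the checklist items above (2, 5 and 7) reduce to scanning text or metadata for entries that should not be there. The block below is an added example in Python, not code from the presentation or from CERT: it runs those three checks over constructed inputs (a passwd file, a directory listing with modes, a crontab). The sample data, the setuid baseline, the scratch-directory list and the function names are constructed for the example.

```python
import stat

# Check 7: constructed /etc/passwd content with a second UID-0 account hidden in it.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0:backup admin:/:/bin/sh
"""


def extra_uid0_accounts(passwd_text):
    """Accounts other than root whose UID is 0 (full privilege)."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


# Check 2: constructed (path, st_mode) pairs as os.lstat() would report them.
FILE_SAMPLE = [
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/tmp/.x/sh", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/ls", stat.S_IFREG | 0o755),
]
KNOWN_SETUID = {"/usr/bin/passwd"}   # baseline recorded from a clean install


def unexpected_setuid(entries, baseline=KNOWN_SETUID):
    """Regular files with the setuid or setgid bit that are not in the baseline."""
    return [path for path, mode in entries
            if stat.S_ISREG(mode)
            and mode & (stat.S_ISUID | stat.S_ISGID)
            and path not in baseline]


# Check 5: constructed crontab text.
CRON_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/sh -q
"""
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def suspicious_cron(cron_text, scratch_dirs=SCRATCH_DIRS):
    """Cron commands that run something out of a world-writable scratch directory."""
    hits = []
    for line in cron_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(None, 5)        # five time fields, then the command
        if len(fields) == 6 and any(d in fields[5] for d in scratch_dirs):
            hits.append(fields[5])
    return hits


def report():
    """Run the three checks over the constructed inputs."""
    return {
        "uid0": extra_uid0_accounts(PASSWD_SAMPLE),
        "setuid": unexpected_setuid(FILE_SAMPLE),
        "cron": suspicious_cron(CRON_SAMPLE),
    }


if __name__ == "__main__":
    print(report())
```

On a live host the inputs come from `open("/etc/passwd").read()`, `os.walk` plus `os.lstat`, and the system and per-user crontabs. The setuid baseline must be taken from a trusted copy, not from the host under examination, for the same reason checklist item 3 exists: a compromised system's own binaries and listings may lie.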

24
Other Attack Methods
  • Piggyback
    • gain unauthorized access to a system via an authorized user's
      legitimate connection.
  • Redirects
    • The action used by some viruses to point a command to a different
      location. Often this different location is the address of the
      virus and not the original file or application.

25
Other Attack Methods (cont.)
  • Social Engineering
    • Authority Attack: using a fake badge or uniform to gain info or
      access, identifying a key individual as an alleged friend, or
      claiming authority and demanding information
    • Knee Jerk Attack: making an outlandish statement in order to get
      an informational response
    • Persistent Attack: continuous harassment using guilt, intimidation
      and other negative ways to obtain information
    • Social Attack: social parties are a great time and place to gain
      access and information from/about employees and activities
    • Fake Survey Attack: win a free trip to Hawaii, just answer these
      questions about your network
    • Help Desk Attack: impersonating a current or new end-user needing
      help with access to a net/server

26
Gee, Thanks a Lot !
  • http://www.eeye.com/html/press/PR19990608.html
  • NEWS HEADLINE - eEye Digital Security unveils
    one of the largest security holes on the Internet
    to date
  • Corona Del Mar, CA - eEye Digital Security Team,
    an eCompany LLC venture, dedicated to network
    security and custom network software development,
    has unveiled one of the most vulnerable security
    holes on the Internet to date. The vulnerability
    exists in the latest release of Microsoft
    Internet Information Server, the most commonly
    used Windows NT web server on the Internet.
  • The vulnerability allows arbitrary code to be
    run on any web server running the latest release
    of Microsoft Internet Information Server.
    Utilizing a buffer overflow bug in the web server
    software, an attacker can remotely execute code
    to enable system level access to all data
    residing on the server.

Less than a month later, the Code Red worm
appeared; then, a few weeks later, came Code Red
II, with a back door to allow others to gain
control of the infected machine.
27
Network Defenses
  • Firewalls, DMZ, air gap
  • VPN, SSL encryption
  • Intrusion Detection Systems, honeypots and
    burglar alarms, vulnerability scanners
  • e-mail filters, S/MIME encryption

Bastion Host - A strongly protected computer that
is in a network protected by a firewall (or is
part of a firewall) and is the only host (or one
of only a few hosts) in the network that can be
directly accessed from networks on the other side
of the firewall. Filtering routers in a firewall
typically restrict traffic from the outside
network to reaching just one host, the bastion
host, which usually is part of the firewall.
Since only this one host can be directly
attacked, only this one host needs to be very
strongly protected, so security can be maintained
more easily and less expensively. However, to
allow legitimate internal and external users to
access application resources through the
firewall, higher layer protocols and services
need to be relayed and forwarded by the bastion
host. Some services (e.g., DNS and SMTP) have
forwarding built in; other services (e.g., TELNET
and FTP) require a proxy server on the bastion
host. http://www.linuxsecurity.com/dictionary/dict-42.html
28
What Does a Firewall Do?
  • Define network components
    • Workstations, routers, networks, printers, etc.
    • Insiders, Outsiders, Bad Guys
  • Typical Policy Rules
    • Stop Bad Guys (from Any Source, to Any Destination)
    • Stop non-Insiders from getting Inside/Outside
    • Allow Insiders to get Inside (other nets, resources, etc.)
    • Allow Insiders to get Outside (i.e., on specific ports)
    • Deny Everything Else
  • Reports, Alarms
    • Event logs, various levels of detail
    • Notify if certain events occur
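The policy rules on this slide are an ordered, first-match list, and the reports/alarms section is just a hook on the same evaluation. The following is an added example in Python (not code from the presentation or from any firewall product) that evaluates that rule list over a constructed batch of packets, logs every decision and raises an alarm for the bad-guy rule. The address ranges, port set, packet sample and names are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan: one inside network, one blocklisted "bad guy" range.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
BAD_GUYS = [ipaddress.ip_network("203.0.113.0/24")]
OUTBOUND_PORTS = {25, 80, 443}          # the "specific ports" insiders may use outward


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def evaluate(pkt):
    """First matching rule wins; returns (verdict, rule name)."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if any(src in net for net in BAD_GUYS):
        return "DENY", "stop bad guys (any source, any destination)"
    if src not in INSIDE:
        return "DENY", "stop non-insiders getting inside/outside"
    if dst in INSIDE:
        return "ALLOW", "insiders to inside"
    if pkt.dport in OUTBOUND_PORTS:
        return "ALLOW", "insiders to outside on specific ports"
    return "DENY", "deny everything else"


def run(packets, alarm_rules=("stop bad guys",)):
    """Evaluate a batch; every decision is logged, alarm-worthy rules are collected."""
    log, alarms = [], []
    for p in packets:
        verdict, rule = evaluate(p)
        log.append((p.src, p.dst, p.dport, verdict, rule))
        if any(rule.startswith(a) for a in alarm_rules):
            alarms.append((p.src, rule))
    return log, alarms


# Constructed traffic sample exercising each rule once.
SAMPLE = [
    Packet("203.0.113.5", "10.1.1.1", 80),      # blocklisted source
    Packet("198.51.100.1", "10.1.1.1", 22),     # outsider reaching inside
    Packet("10.2.2.2", "10.1.1.1", 445),        # insider to insider
    Packet("10.2.2.2", "192.0.2.10", 443),      # insider outbound on an allowed port
    Packet("10.2.2.2", "192.0.2.10", 23),       # insider outbound on a disallowed port
]


if __name__ == "__main__":
    log, alarms = run(SAMPLE)
    for entry in log:
        print(entry)
    print("alarms:", alarms)
```

As written the rules are stateless, so the reply half of an allowed outbound session would be dropped by the non-insider rule; a real firewall tracks connection state so that replies to permitted sessions pass without a standing hole for outside-initiated traffic.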

29
Network Design Considerations
  • Support communications requirements
  • Design Goals
    • Easy to use
    • Inexpensive
    • Reliable
    • Fast
    • Secure
  • Counter-Issues
    • Access Controls (passwords, permissions, etc.)
    • Security Management (policy, maintenance, updates)
    • Security Overhead (bandwidth, cycles, manpower)

30
Basic Network Architecture
Security Policy?
Management Support?
31
HACKER PSYCHOLOGY
  • Achievement
    • The Harder the Better
    • The Bigger the Better
  • Fame
    • Recognition (Distrust)
    • Respect (Fear)
  • Surprise
  • Creativity
  • Money
    • Corporations
    • Governments

How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html
Phrack: http://www.phrack.com/
DarkCyde (for Phreakers): http://www.f41th.com/
cDc: http://www.cultdeadcow.com/
Note: Hackers don't make the Money; their Thrill is in the Game!
32
L0pht: We Can Cripple Internet in 30 minutes
WASHINGTON (AP) A Senate committee heard seven of
the nation's top computer hackers claim Tuesday
they could cripple the Internet in a half-hour.
Given more time and money, they boasted, they
could interrupt satellite transmissions or
electricity grids and snoop on the president's
movements. The seven, dressed in business suits,
identified themselves only by their hacker
nicknames (Mudge, Space Rogue, Brian Oblivion) "due
to the sensitivity of their work," said Sen. Fred
Thompson, R-Tenn. "I'm informed that you think
that within 30 minutes the seven of you could
make the Internet unusable for the entire nation.
Is that correct?" asked Thompson. "That's
correct," replied Mudge, a frizzy-haired computer
security expert. "Actually, one of us, with just
a few packets," he added, referring to bundles of
data that flow across the global computer
network. He went on to describe generally a
process to separate "the different major
long-haul providers," such as AT&T, so its
network couldn't exchange information with other
major networks, such as MCI. "It would definitely
take a few days for people to figure out what is
going on," Mudge said.
33
L0pht: We Can Cripple Internet in 30 minutes
  • MANHASSET, N.Y., April 16 /PRNewswire/ - A group
    of Boston-based, sophisticated computer hackers,
    called the L0pht (pronounced 'loft'), is
    continuing the assault on Microsoft's (Nasdaq:
    MSFT) Windows NT operating system. The L0pht has
    made available for download, via their Web site,
    a program, L0phtcrack, they claim can be used to
    steal the entire registry of passwords off a
    Windows NT network, according to CMP Media's EE
    Times Online.

34
Popular View of Hackers (also by Hackers)