Slide 1: Hacking as Warfare
Tony Villasenor
Director of Technical Services, GeoTrust Inc.
Previous Posts:
- Director, NASA Science Internet
- Chair, Federal Network Council (CERT, etc.)
- Architect, Russian Science Internet
- Consultant, USAID, DOS, WHO
Slide 2: Hacking as Warfare
- TECHNOLOGY
- Network-based attack tools
- Network defense tools
- PSYCHOLOGY
- Why do it?
- CYBER TERRORISM
- Terrorist
- Terrorist sympathizers
- Targeted countries
- IMPACT ON CITIZENS
Slide 3: Network Security Issues
- Part 1 of 2
- (A Playground for Hackers)
Slide 4: Network-Based Attacks
- Better Accessibility because of the network
- Web sites
- Email Servers
- File Servers
- DNS Servers
- Routers
- Etc.
Slide 5: Web Attacks
- Buffer Overflow
- Occurs when a program does not check that the data it is writing into a buffer will actually fit; the excess overwrites adjacent memory (often a saved return address), which is how an attacker turns a crash into code execution.
- A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, giving them complete administrative control of the machine.
- IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57). This one is not an overflow: it is a Unicode directory-traversal flaw that lets a remote client run commands through a malformed URL, but the effect (remote command execution on the web server) is the same.
- Apache HTTP Server version 1.3.19: could allow a remote attacker to send an HTTP request that causes the server to crash or behave unexpectedly.
Slide 6: Web Attacks
- Semantic attacks
- changing the web content subtly, thus providing false information
- Active-X, Java, cookies containing executable code (like BO2K)
- Web Admin utilities
- NATd servers are less visible
- Static IP is bad!
- http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
- FAQs: http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
Slide 7: Examples of Web Attacks
- Cracking Session ID numbers
- https://www.tonybank.com/account.asp?sid=12345678
- URL session tracking
- Hidden form elements
- Cookies
- If the session ID is short, sequential or otherwise guessable, an attacker can simply substitute another value and take over someone else's session; wherever it is carried (URL, hidden field or cookie), it must be long and unpredictable.
- Cracking a SQL database
- Enter an incorrect string (a stray single quote, for example) so that the error message reveals how the application builds its query; once the shape of the query is known, input can be crafted that alters it (SQL injection).
- http://www.wiretrip.net/rfp/p/doc.asp?id=42
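The error-message probe just described is the first step of a SQL injection. The following is an added example, not code from the slides or from the wiretrip.net article, written in Python against an in-memory SQLite table built inline (the table, account names, passwords and session IDs are constructed for the demo): the vulnerable lookup builds its query by string concatenation, a stray quote makes the database error reveal the query shape, the same input shape then bypasses the password check, and the parameterized version treats the identical input as data.

```python
import sqlite3

# Constructed sample data: a tiny accounts table standing in for "tonybank".
SAMPLE_ACCOUNTS = [
    ("tony", "s3cret", 12345678),
    ("alice", "hunter2", 12345679),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (user TEXT, pw TEXT, sid INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def login_vulnerable(conn, user: str, pw: str) -> dict:
    """Builds the query by concatenation, so user input is parsed as SQL.

    Returns the matched sid, or the database error text on failure. Showing
    that error to the client is the 'incorrect string gives a revealing
    error message' step from the slide.
    """
    query = ("SELECT sid FROM accounts WHERE user = '" + user
             + "' AND pw = '" + pw + "'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        return {"error": str(exc), "query": query}
    return {"sid": row[0] if row else None, "query": query}


def login_fixed(conn, user: str, pw: str):
    """Parameterized query: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT sid FROM accounts WHERE user = ? AND pw = ?", (user, pw)
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run the probe, the bypass and the fixed lookup; returns the three results."""
    conn = make_db()
    # Step 1: a lone quote breaks the statement; the error text shows its shape.
    probe = login_vulnerable(conn, "tony'", "x")
    # Step 2: knowing the shape, close the string and comment out the password
    # check ('--' starts a comment in SQLite, as it does in MS SQL Server).
    bypass = login_vulnerable(conn, "tony' --", "wrong")
    # Step 3: the same payload against the parameterized query matches no row.
    fixed = login_fixed(conn, "tony' --", "wrong")
    return probe, bypass, fixed


if __name__ == "__main__":
    p, b, f = demo()
    print("probe error :", p.get("error"))
    print("bypass sid  :", b.get("sid"))
    print("fixed sid   :", f)
```

Run it as a script to see the three results. The lesson is not "escape quotes by hand" but "bind parameters": SQLite, MS SQL Server (through ODBC/ADO parameters) and every other database API support it, and with parameters the quote and the comment marker are just characters inside a string.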
Slide 8: Examples of Web Attacks (cont.)
- Loki
- Uses ICMP (ping) as a tunnel for communications and control; the packets look like ordinary echo requests and replies, so a filter that permits ping lets the channel through
- See Phrack Issue 49
- Reverse WWW Shell
- Allows command-line access to the machine via the HTTP port
- Requires an inside job to install/run the Reverse WWW Shell server; the server polls out to the attacker, so the traffic is outbound HTTP rather than an inbound connection
- Looks like ordinary HTTP traffic, allowed by firewalls!
- Steganography / Digital Watermarking
- Distribute MALware by embedding code in .bmp, .jpeg or .gif images (an image by itself does nothing; something on the host still has to extract and run the hidden payload)
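Because a Loki-style tunnel rides inside echo packets, the only thing that distinguishes it from ping is the payload. The following is an added example, not code from the slides or from the Loki article, in Python: it parses raw ICMP echo packets (a handful constructed inline, including a normal Linux and Windows ping, a packet carrying a shell command, an oversized reply and a corrupted packet), verifies the checksum, and flags anything whose filler is not what a stock ping client sends. The filler patterns and the 64-byte size threshold are assumptions about ordinary pings, not a Loki signature; a covert channel that copies the stock filler byte for byte would slip past this check, so it is a triage heuristic rather than proof.

```python
import struct
from dataclasses import dataclass

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
MAX_PING_PAYLOAD = 64          # assumption: ordinary pings carry 32 or 56 bytes

# Stock filler sent by a common ping client (assumption about normal traffic).
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass
class Finding:
    index: int      # position of the packet in the capture
    reason: str


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo packet with a correct checksum (used only to construct the samples)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def looks_like_ping_filler(payload: bytes) -> bool:
    """True if the payload is what a stock Windows or Linux/BSD ping would send."""
    if payload == WINDOWS_FILLER:
        return True
    # Linux/BSD: 8-byte timestamp, then bytes 0x10, 0x11, 0x12, ... in order.
    body = payload[8:]
    if len(payload) < 8 or len(body) > 0xF0:
        return False
    return body == bytes(range(0x10, 0x10 + len(body)))


def inspect_icmp(packets, max_payload=MAX_PING_PAYLOAD):
    """Flag echo packets that do not look like a plain ping.

    Heuristics: bad checksum, payload larger than any normal ping, or filler
    that no stock ping client sends. Not a Loki signature.
    """
    findings = []
    for i, pkt in enumerate(packets):
        if len(pkt) < 8:
            findings.append(Finding(i, "truncated ICMP header"))
            continue
        if pkt[0] not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            continue                       # only echo traffic is of interest here
        payload = pkt[8:]
        if icmp_checksum(pkt) != 0:        # a valid packet sums to zero with its checksum included
            findings.append(Finding(i, "bad checksum"))
        if len(payload) > max_payload:
            findings.append(Finding(i, "oversized payload (%d bytes)" % len(payload)))
        elif not looks_like_ping_filler(payload):
            findings.append(Finding(i, "payload is not stock ping filler"))
    return findings


def sample_packets():
    """Constructed capture: three normal pings, a command in a ping body, a bulk reply, a corrupted packet."""
    linux_filler = struct.pack("!Q", 0x5F0E1A2B00012345) + bytes(range(0x10, 0x40))  # 56 bytes
    tunnel = b"id; uname -a\n".ljust(56, b"\x00")      # shell command riding in the echo body
    corrupted = bytearray(build_echo(ICMP_ECHO_REQUEST, 0x1234, 3, linux_filler))
    corrupted[30] ^= 0xFF                              # flip a payload byte after the checksum was computed
    return [
        build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, linux_filler),
        build_echo(ICMP_ECHO_REPLY, 0x1234, 1, linux_filler),
        build_echo(ICMP_ECHO_REQUEST, 0x4242, 1, WINDOWS_FILLER),
        build_echo(ICMP_ECHO_REQUEST, 0x4242, 2, tunnel),
        build_echo(ICMP_ECHO_REPLY, 0x4242, 2, b"\x00" * 1200),
        bytes(corrupted),
    ]


if __name__ == "__main__":
    for f in inspect_icmp(sample_packets()):
        print("packet %d: %s" % (f.index, f.reason))
```

On a real capture the same logic runs over the ICMP layer of each frame; the useful additions are a count of echo packets per host pair (a tunnel produces far more than a monitoring ping) and replies that arrive without a matching request.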
Slide 9: Security Mavens Invaded by Trojan (1 of 2)
http://www.wired.com/news/technology/0,1282,41563,00.html
- by Michelle Delio, 10:35 a.m. Feb. 1, 2001 PST
- A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night.
- A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.
Slide 10: Security Mavens Invaded by Trojan (2 of 2)
- But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers.
- Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack."
- NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.
Slide 11: Information Security Magazine (Oct. 2001)
http://www.infosecuritymag.com/articles/october01/images/survey.pdf
- Survey Finds Web Server Attacks Doubled in 2001
- By Amy Newman
- October 10, 2001
- IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems.
- Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.
Slide 12: Information Security Magazine (Oct. 2001)
- Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed.
- "The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey.
- "Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added.
- One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.
Slide 13: E-Mail Attacks
- Email bombing
- repeatedly sending an identical email message to a particular address
- http://www.cert.org/tech_tips/email_bombing_spamming.html
- MALware attachments
- worms, viruses, trojan horses, etc.
- SPAM
- Unsolicited junk mail, typically relayed through sites whose mailers permit open relaying
Slide 14: E-Mail Attacks
- RTF files are ASCII text files that include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus. Caveat: an RTF can still carry embedded OLE objects, and Word opens a file by its content rather than its extension, so a Word document renamed to .rtf opens as a Word document, macros and all.
- An MP3 file consists of highly compressed audio tracks. MP3 files are not programs, and viruses cannot infect them. Caveat: a deliberately malformed media file can still exploit a bug in the player that parses it; the file is not "infected", but it is not inert either.
Slide 15: SPAM Control
- Three rules for controlling SPAM, inserted in the sendmail.cf file as the check_rcpt ruleset (sendmail's own anti-relay rules; the $ metacharacters are part of the ruleset syntax, and the left and right sides are tab-separated in the real file):

  Scheck_rcpt
  # anything terminating locally is ok
  R$+ @ $=w           $@ OK
  # anything originating locally is ok
  R$*                 $: $(dequote "" $&{client_name} $)
  R$=w                $@ OK
  R$@                 $@ OK
  # anything else is bogus
  R$*                 $#error $: "550 Relaying Denied"

- The first rule accepts mail for local recipients, the next three accept anything whose connecting client is a local host (an empty client name means a local submission), and the final rule rejects everything else, which is exactly the third-party relaying a spammer needs.
Slide 16: Network Attacks
- DoS, DDoS: coordinated attack by one or multiple sources
- SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
- Aided by the proliferation of always-on DSL home users
- DNS, BIND
- Redirection: the site you're on is not really the site you think you're on!
- Vulnerability in BIND allowing a remote user to gain privileged access
- Routers
- Change routing information to disable a network
- Cisco's IOS runs most of the worldwide backbone of the Internet, so a single IOS flaw has enormous reach
- Sniffers
- examine network traffic going to and from other machines
- gather usernames and passwords
- capture electronic mail
Slide 17: Network Attacks (cont.)
- Firewalls
- IDS, HoneyPots, SATAN, vulnerability scanners
- http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
- Tripwire to detect changes to system binaries and configuration files
Slide 18: Example DoS
http://www.cert.org/tech_tips/denial_of_service.html
- Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at http://www.cert.org/advisories/CA-1996-21.html
- In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus half-open connections.
Slide 19: Example DoS (cont.)
- This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.
- An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically these are ICMP ECHO packets (as in smurfing, where echo requests sent to a broadcast address with the victim's spoofed source address are answered by every host on that subnet), but in principle they could be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect, hence DDoS.
- In addition to network bandwidth, intruders could consume other resources; for example, anything that allows data to be written to disk can be used to execute a DoS attack if there are no bounds on the amount of data that could be written.
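The half-open connection exhaustion described on slides 18 and 19, and the usual fix, as an added example in Python (not code from the slides or from the CERT advisory, which describes the attack but gives no code). The first listener keeps a per-connection entry for every SYN until the ACK arrives, so a flood of spoofed SYNs that never complete fills the table and a legitimate client's SYN is dropped; the second implements a simplified SYN cookie: the server stores nothing and instead puts an HMAC of the client's address into the initial sequence number, which only a client that actually received the SYN/ACK can echo back. The addresses, the 128-entry backlog, the secret key and the cookie layout (8-bit time slot plus 24-bit MAC, omitting the MSS encoding that real SYN cookies carry) are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time


class StatefulListener:
    """Classic listener: every SYN reserves a half-open slot until the client's ACK arrives."""

    def __init__(self, backlog: int):
        self.backlog = backlog            # size of the half-open (SYN_RCVD) queue
        self.half_open = {}               # (src_ip, src_port) -> ISN we sent in the SYN/ACK
        self.established = set()

    def on_syn(self, src, src_port):
        if len(self.half_open) >= self.backlog:
            return None                   # queue full: the SYN is silently dropped
        isn = secrets.randbits(32)
        self.half_open[(src, src_port)] = isn
        return isn                        # goes out in the SYN/ACK

    def on_ack(self, src, src_port, ack_num):
        key = (src, src_port)
        if key in self.half_open and self.half_open[key] == (ack_num - 1) & 0xFFFFFFFF:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


class SynCookieListener:
    """Stateless listener: the ISN is a cookie the client must echo back, so nothing is stored per SYN.

    Simplified layout (assumption for the demo): 8-bit time slot in the top byte,
    24-bit truncated HMAC(secret, src, port, slot) below it. Real SYN cookies also
    encode the MSS and use a cheaper MAC.
    """

    def __init__(self, secret: bytes, clock=None):
        self.secret = secret
        self.clock = clock or (lambda: int(time.time()) // 64)   # slot advances every 64 s
        self.established = set()

    def _mac(self, src, src_port, slot) -> bytes:
        msg = ("%s:%d:%d" % (src, src_port, slot)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]

    def on_syn(self, src, src_port):
        slot = self.clock() & 0xFF
        return (slot << 24) | int.from_bytes(self._mac(src, src_port, slot), "big")

    def on_ack(self, src, src_port, ack_num):
        cookie = (ack_num - 1) & 0xFFFFFFFF
        slot, mac = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
        if (self.clock() - slot) & 0xFF > 1:                     # cookie too old: reject
            return False
        if not hmac.compare_digest(mac, self._mac(src, src_port, slot)):
            return False                                         # forged, or never saw our SYN/ACK
        self.established.add((src, src_port))
        return True


def simulate(listener, flood_size=1000):
    """Spoofed SYNs that never complete, then one legitimate handshake; returns whether it succeeded."""
    for i in range(flood_size):
        listener.on_syn("10.0.%d.%d" % (i // 256, i % 256), 40000 + i)   # no ACK ever follows
    isn = listener.on_syn("192.0.2.10", 51515)                           # legitimate client
    if isn is None:
        return False                                                     # its SYN was dropped
    return listener.on_ack("192.0.2.10", 51515, (isn + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("stateful, backlog 128 :", simulate(StatefulListener(backlog=128)))
    print("SYN cookies           :", simulate(SynCookieListener(secrets.token_bytes(16))))
```

The stateful listener drops the legitimate SYN once 128 spoofed ones are pending; the cookie listener completes it, and a forged ACK carrying a made-up sequence number is rejected because it carries no valid MAC. Real stacks (Linux tcp_syncookies, for instance) switch to cookies only when the queue fills, because a cookie cannot carry TCP options; the trade-off is the one this sketch shows.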
Slide 20: Denial of Service Attacks
http://www.cert.org/present/cert-overview-trends/sld001.htm
- Make networks or hosts unusable
- Disrupt services
- Difficult or impossible to locate the source
- Becoming very popular with attackers, especially against
- IRC sites
- Controversial sites or services
- Bottom Line: COSTLY!
Slide 21: Back Orifice 2000
http://www.commandcom.com/virus/backorifice2000.html
- Ping and query the server
- Reboot or lock up the system
- List cached and screen saver passwords
- Display system information
- Log keystrokes, view the keystroke log and delete the keystroke log
- Display a message box
- Map a port to another IP address, application, HTTP file server, or filename
- List ports mapped by Back Orifice 2000
- Send a file through another port
- Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections
Slide 22: Back Orifice 2000 (cont.)
- List current processes, kill a process and start a process
- View and edit the registry: create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
- Video and audio capture and playback
- Capture a screen shot
- File and directory commands: list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
- Receive and send files
- Compress and uncompress files
- Resolve host name and address
- Server control: shutdown server, restart server, load plug-in, remove plug-in and list plug-ins
Slide 23: Intruder Detection Checklist
http://www.cert.org/tech_tips/intruder_detection_checklist.html
- Look for signs that your system may have been compromised:
- 1. Examine log files
- 2. Look for setuid and setgid files
- 3. Check system binaries
- 4. Check for packet sniffers
- 5. Examine files run by 'cron' and 'at'
- 6. Check for unauthorized services
- 7. Examine /etc/passwd file
- 8. Check system and network configuration
- 9. Look everywhere for unusual or hidden files
- 10. Examine all machines on the local network
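Items 2, 3 and 9 of the checklist (setuid files, modified system binaries, hidden files) lend themselves to a small script, and this added example in Python shows one (not code from the slides, from CERT or from Tripwire, though the baseline-and-compare part is the idea that Tripwire, mentioned on slide 17, implements properly). It builds a throwaway directory tree standing in for a host, records a SHA-256 baseline, then plays the intruder: it trojans 'bin/ls' and drops a setuid shell in a directory named '.. ' (dot, dot, space), a classic hiding place; the three checks then report exactly those changes. The directory layout and file contents are constructed for the demo; on a real host the checks run against / and the baseline lives on read-only media, since a baseline the intruder can rewrite proves nothing.

```python
import hashlib
import os
import stat
import tempfile


def _regular_files(root):
    """Yield (relative path, absolute path, lstat) for every regular file under root; symlinks are not followed."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield os.path.relpath(path, root), path, st


def find_setuid_files(root):
    """Checklist item 2: regular files with the setuid or setgid bit set."""
    return sorted(rel for rel, _path, st in _regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_hidden_files(root):
    """Checklist item 9: dot-names and names padded with whitespace (e.g. '.. ' or '. ')."""
    hits = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            if name.startswith(".") or name != name.strip():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def baseline(root):
    """Checklist item 3, Tripwire-style: SHA-256 of every regular file, keyed by relative path."""
    digests = {}
    for rel, path, _st in _regular_files(root):
        with open(path, "rb") as fh:
            digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def verify(root, known):
    """Compare the tree against a stored baseline: changed, new and missing files."""
    now = baseline(root)
    return {
        "changed": sorted(p for p in known if p in now and now[p] != known[p]),
        "new": sorted(p for p in now if p not in known),
        "missing": sorted(p for p in known if p not in now),
    }


def demo():
    """Constructed scenario in a temp dir: take a clean baseline, then apply an intruder's changes."""
    root = tempfile.mkdtemp(prefix="idc_")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b'#!/bin/sh\nexec /bin/ls "$@"\n')
    with open(os.path.join(root, "etc", "passwd"), "wb") as fh:
        fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
    known = baseline(root)           # on a real host, store this on read-only media

    # The intruder trojans ls and drops a setuid shell in a directory named ".. " (dot dot space).
    with open(os.path.join(root, "bin", "ls"), "wb") as fh:
        fh.write(b'#!/bin/sh\n# trojaned: would hide the attacker\'s files\nexec /bin/ls "$@"\n')
    hidden = os.path.join(root, "tmp", ".. ")
    os.makedirs(hidden)
    backdoor = os.path.join(hidden, "sh")
    with open(backdoor, "wb") as fh:
        fh.write(b"#!/bin/sh\nexec /bin/sh\n")
    os.chmod(backdoor, 0o4755)       # setuid bit; root-owned on a real compromise

    return {
        "setuid": find_setuid_files(root),
        "hidden": find_hidden_files(root),
        "diff": verify(root, known),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The hash comparison is what catches a trojaned binary whose size, timestamp and permissions have been restored; a plain listing would not. Run the checks from known-good binaries (a rescue disk or a statically linked toolset), because a compromised ls, find or sha256sum will happily lie about the files it was installed to hide.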
Slide 24: Other Attack Methods
- Piggyback
- gain unauthorized access to a system via an authorized user's legitimate connection
- Redirects
- The action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.
Slide 25: Other Attack Methods (cont.)
- Social Engineering
- Authority Attack: using a fake badge or uniform to gain information or access, identifying a key individual as an alleged friend, or claiming authority and demanding information
- Knee Jerk Attack: making an outlandish statement in order to get an informational response
- Persistent Attack: continuous harassment using guilt, intimidation and other negative ways to obtain information
- Social Attack: social parties are a great time and place to gain access and information from/about employees and activities
- Fake Survey Attack: win a free trip to Hawaii, just answer these questions about your network
- Help Desk Attack: impersonating a current or new end-user needing help with access to a net/server
Slide 26: Gee, Thanks a Lot!
- http://www.eeye.com/html/press/PR19990608.html
- NEWS HEADLINE: eEye Digital Security unveils one of the largest security holes on the Internet to date
- Corona Del Mar, CA: eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server, the most commonly used Windows NT web server on the Internet.
- The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server.
- The 1999 press release above concerned an earlier IIS overflow. The Code Red worm of July 2001 exploited a later IIS buffer overflow (in the .ida indexing ISAPI extension) that eEye had disclosed less than a month before the worm appeared; a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine.
Slide 27: Network Defenses
- Firewalls, DMZ, air gap
- VPN, SSL encryption
- Intrusion Detection Systems, honeypots and burglar alarms, vulnerability scanners
- e-mail filters, S/MIME encryption
- Bastion Host: A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host. http://www.linuxsecurity.com/dictionary/dict-42.html
Slide 28: What Does a Firewall Do?
- Define network components
- Workstations, routers, networks, printers, etc.
- Insiders, Outsiders, Bad Guys
- Typical Policy Rules (evaluated in order, first match wins)
- Stop Bad Guys (from Any Source, to Any Destination)
- Stop non-Insiders from getting Inside/Outside
- Allow Insiders to get Inside (other nets, resources, etc.)
- Allow Insiders to get Outside (e.g., on specific ports)
- Deny Everything Else
- Reports, Alarms
- Event logs, various levels of detail
- Notify if certain events occur
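The policy on this slide, as an added example in Python (not code from the slides or from any firewall product): a rule table evaluated top to bottom with first match winning and an implicit deny-everything-else that is also logged, exercised on a few sample flows. The address ranges (inside 10.1.0.0/16, a DMZ 192.0.2.0/24, a blocked "bad guy" range 198.51.100.0/24) and the port lists are constructed for the demo. Ordering matters: the bad-guy deny sits above the DMZ allow, so a blocked source gets no web access even though the DMZ rule would otherwise match it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # CIDR, or "any"
    dst: str                    # CIDR, or "any"
    dports: object = "any"      # "any" or a set of destination ports
    comment: str = ""


def _net_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def _port_match(spec, port):
    return spec == "any" or port in spec


# Constructed ranges for the demo (assumptions, not a real deployment).
INSIDE = "10.1.0.0/16"
DMZ = "192.0.2.0/24"
BAD_GUYS = "198.51.100.0/24"

POLICY = [
    Rule("deny", BAD_GUYS, "any", "any", "stop bad guys, from any source to any destination"),
    Rule("deny", "any", BAD_GUYS, "any", "...and let nobody inside talk to them"),
    Rule("allow", "any", DMZ, {25, 80, 443}, "outsiders reach only the published DMZ services"),
    Rule("allow", INSIDE, INSIDE, "any", "allow insiders to get inside"),
    Rule("allow", INSIDE, "any", {22, 80, 443}, "allow insiders to get outside on specific ports"),
    # no rule lets outsiders reach the inside, so the default below denies it
]


def evaluate(policy, src, dst, dport, log=None):
    """First matching rule decides; a flow that matches no rule is denied (and logged) by default."""
    for n, rule in enumerate(policy):
        if _net_match(rule.src, src) and _net_match(rule.dst, dst) and _port_match(rule.dports, dport):
            if log is not None and rule.action == "deny":
                log.append("DENY rule %d %s->%s:%d (%s)" % (n, src, dst, dport, rule.comment))
            return rule.action
    if log is not None:
        log.append("DENY default %s->%s:%d" % (src, dst, dport))
    return "deny"


def run_samples(policy=POLICY):
    """Constructed flows exercising each policy line; returns {(src, dst, port): action} and the deny log."""
    flows = [
        ("203.0.113.5", "10.1.2.3", 445),     # outsider straight at an inside host
        ("203.0.113.5", "192.0.2.10", 80),    # outsider to the DMZ web server
        ("203.0.113.5", "192.0.2.10", 3306),  # outsider to an unpublished DMZ port
        ("10.1.2.3", "10.1.9.9", 3389),       # insider to insider
        ("10.1.2.3", "203.0.113.5", 443),     # insider browsing out
        ("10.1.2.3", "203.0.113.5", 23),      # insider telnet out: not on the list
        ("198.51.100.7", "192.0.2.10", 80),   # bad guy to the DMZ: denied before the allow
        ("10.1.2.3", "198.51.100.7", 443),    # insider to a bad guy
    ]
    log = []
    results = {f: evaluate(policy, *f, log=log) for f in flows}
    return results, log


if __name__ == "__main__":
    results, log = run_samples()
    for flow, action in results.items():
        print("%-5s %s -> %s:%d" % (action, *flow))
    print("\n".join(log))
```

The deny log is the "Reports, Alarms" part of the slide: every default deny is a flow nobody wrote a rule for, which is either a policy gap to fix or a probe worth alerting on, and a real filter would also track connection state so that reply packets do not need their own allow rules.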
Slide 29: Network Design Considerations
- Support communications requirements
- Design Goals
- Easy to use
- Inexpensive
- Reliable
- Fast
- Secure
- Counter-Issues
- Access Controls (passwords, permissions, etc.)
- Security Management (policy, maintenance,
updates) - Security Overhead (bandwidth, cycles, manpower)
Slide 30: Basic Network Architecture
Security Policy?
Management Support?
Slide 31: HACKER PSYCHOLOGY
- Achievement
- The Harder the Better
- The Bigger the Better
- Fame
- Recognition (Distrust)
- Respect (Fear)
- Surprise
- Creativity
- Money
- Corporations
- Governments
How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html
Phrack: http://www.phrack.com/
DarkCyde (for Phreakers): http://www.f41th.com/
cDc: http://www.cultdeadcow.com/
Note: Hackers don't make the money; their thrill is in the game!
Slide 32: L0pht: We Can Cripple Internet in 30 minutes
WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames (Mudge, Space Rogue, Brian Oblivion) "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn. "I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.
Slide 33: L0pht: We Can Cripple Internet in 30 minutes (cont.)
- MANHASSET, N.Y., April 16 /PRNewswire/ A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault on Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program, L0phtCrack, they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.
Slide 34: Popular View of Hackers (also by Hackers)