Hackers, Crackers, and Network Intruders: Heroes, villains, or delinquents? - PowerPoint PPT Presentation

Slides: 24
Provided by: TimMc48

Transcript and Presenter's Notes


1
Hackers, Crackers, and Network Intruders: Heroes,
villains, or delinquents?
  • Tim McLaren
  • Thursday, September 28, 2000
  • McMaster University

2
Agenda
  • Hackers and their vocabulary
  • Threats and risks
  • Types of hackers
  • Gaining access
  • Intrusion detection and prevention
  • Legal and ethical issues

3
Hackerz Lingo
  • Hacking - showing computer expertise
  • Cracking - breaching security on software or
    systems
  • Phreaking - cracking telecom networks
  • Spoofing - faking the originating IP address in a
    datagram
  • Denial of Service (DoS) - flooding a host with
    datagrams (e.g. by smurfing)
  • Port Scanning - searching for vulnerabilities

4
Hacking through the ages
  • 1969 - Unix hacked together
  • 1971 - Cap'n Crunch phone exploit discovered
  • 1988 - Morris Internet worm crashes 6,000 servers
  • 1994 - $10 million transferred from CitiBank
    accounts
  • 1995 - Kevin Mitnick sentenced to 5 years in jail
  • 2000 - Major websites succumb to DDoS

5
Recent news
  • 15,700 credit and debit card numbers stolen from
    Western Union (Sep. 8, 2000)
  • (hacked while web database was undergoing
    maintenance)

6

7
The threats
  • Denial of Service (Yahoo, eBay, CNN)
  • Graffiti, Slander, Reputation
  • Loss of data
  • Divulging private information (AirMiles,
    corporate espionage)
  • Loss of financial assets (CitiBank)

8
CIA.gov defacement example

9
Web site defacement example

10
Types of hackers
  • Professional hackers
  • Black Hats
  • White Hats
  • Script kiddies

11
Top intrusion justifications
  • 1. I'm doing you a favour pointing out
    vulnerabilities
  • 2. I'm making a political statement
  • 3. Because I can
  • 4. Because I'm paid to do it

12
Gaining access
  • Back doors
  • Trojans
  • Software vulnerability exploitation
  • Password guessing
  • Password/key stealing

13
Back doors & Trojans
  • e.g. Whack-a-mole / NetBus
  • Cable modems / DSL very vulnerable
  • Protect with Virus Scanners, Port Scanners,
    Personal Firewalls

14
Port scanner example

15
Software vulnerability exploitation
  • Buffer overruns
  • HTML / CGI scripts
  • Other holes / bugs in software and services
  • Tools and scripts used to scan ports for
    vulnerabilities

16
Password guessing
  • Default or null passwords
  • Password same as user name (use finger)
  • Password files, trusted servers
  • Brute force -- make sure login attempts audited!
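
An added example (not part of the original slides) of the login auditing this slide calls for: it flags any source with a burst of failed logins and notes whether a successful login followed. It assumes OpenSSH-style syslog lines; the sample log, addresses, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd syslog style (not from the presentation).
SAMPLE_LOG = """\
Sep 28 10:00:01 gw sshd[101]: Failed password for root from 192.0.2.10 port 40001 ssh2
Sep 28 10:00:03 gw sshd[102]: Failed password for invalid user admin from 192.0.2.10 port 40002 ssh2
Sep 28 10:00:04 gw sshd[103]: Failed password for invalid user guest from 192.0.2.10 port 40003 ssh2
Sep 28 10:00:05 gw sshd[104]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Sep 28 10:00:06 gw sshd[105]: Failed password for root from 192.0.2.10 port 40004 ssh2
Sep 28 10:00:08 gw sshd[106]: Failed password for root from 192.0.2.10 port 40005 ssh2
Sep 28 10:00:20 gw sshd[107]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Sep 28 10:00:30 gw sshd[108]: Accepted password for root from 192.0.2.10 port 40006 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def audit_logins(log_text, threshold=5, window=timedelta(seconds=60), year=2000):
    """Return {source: {"users": set, "success_after": bool}} for every source
    with at least `threshold` failed logins inside one sliding window."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    tried = defaultdict(set)      # source -> account names it failed on
    flagged = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # not a password login event
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent[src]
            q.append(ts)
            tried[src].add(user)
            while ts - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged[src] = {"users": tried[src], "success_after": False}
        elif src in flagged:
            # success from an already-flagged source: a guess may have worked
            flagged[src]["success_after"] = True
    return flagged

if __name__ == "__main__":
    for src, info in audit_logins(SAMPLE_LOG).items():
        print(src, sorted(info["users"]), info["success_after"])
```

A single mistyped password followed by a success (198.51.100.7 in the sample) is not flagged; only the burst from 192.0.2.10 is.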

17
Password/key stealing
  • Dumpster diving
  • Social engineering
  • Inside jobs (about 50% of intrusions resulting in
    significant loss)

18
Once inside, the hacker can...
  • Modify logs
  • Steal files
  • Modify files
  • Install back doors
  • Attack other systems

19
Intrusion detection systems (IDS)
  • Vulnerability scanners
      • pro-actively identifies risks
  • Network-based IDS
      • examine packets for suspicious activity
      • can integrate with firewall
      • require 1 dedicated IDS server per segment

20
Intrusion detection systems (IDS)
  • Host-based IDS
      • monitors logs, events, files, and packets sent to
        the host
      • installed on each host on network
  • Honeypot
      • decoy server
      • collects evidence and alerts admin

21
Intrusion prevention
  • Patches and upgrades
  • Disabling unnecessary software
  • Firewalls and intrusion detection
  • Honeypots
  • Reacting to port scanning

22
Risk management
  • Axes: Probability, Impact
  • Prevent (e.g. firewalls, IDS, patches)
  • Contain & Control (e.g. port scan)
  • Ignore (e.g. delude yourself)
  • Backup Plan (e.g. redundancies)

23
Legal and ethical questions
  • Ethical hacking?
  • How to react to mischief or nuisances?
  • Is scanning for vulnerabilities legal?
  • Can private property laws be applied on the
    Internet?