03/27/22 Hacking as Warfare 1
Hacking as Warfare
Tony Villasenor, Director of Technical Services, GeoTrust Inc.
Previous Posts: Director, NASA Science Internet; Chair, Federal Network Council (CERT, etc.); Architect: Russian Science Internet; Consultant: USAID, DOS, WHO
• CYBER TERRORISM
– Terrorist
– Terrorist sympathizers
– Targeted countries
• IMPACT ON CITIZENS
Network Security Issues
Part 1 of 2
(A Playground for Hackers)
Network-Based Attacks
Better accessibility because of the network:
– Web sites
– Email servers
– File servers
– DNS servers
– Routers
– Etc.
Web Attacks
Buffer Overflow:
- Occurs when a program does not check to make sure the data it is putting into a space will actually fit into that space
- A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine
- IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57)
- Apache HTTP Server version 1.3.19 could allow a remote attacker to send an HTTP request that causes the server to crash or behave unexpectedly.
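The slide's one-line definition of a buffer overflow is easiest to see in code. The block below is an added example, not code from the deck or from any of the products it names: a request handler that copies a path into a fixed-size stack buffer without checking the length, beside a hardened version that measures first and refuses anything that does not fit. The buffer size, the function names and the sample inputs are assumptions made for the illustration.

```c
/* Added example (not from the slide deck): an unchecked copy into a
 * fixed-size buffer beside a bounded version that rejects oversize input.
 * PATH_BUF, the function names and the inputs are illustrative assumptions. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64  /* fixed-size space the handler reserves for a path */

/* Vulnerable pattern: strcpy trusts the source length, so any request path
 * longer than PATH_BUF - 1 bytes writes past the end of 'buf' and over
 * whatever the compiler placed after it (saved registers, return address). */
void handle_request_unchecked(const char *req_path) {
    char buf[PATH_BUF];
    strcpy(buf, req_path);             /* no check that req_path fits */
    printf("serving %s\n", buf);
}

/* Hardened pattern: measure first, refuse anything that does not fit, and
 * always leave 'dst' NUL-terminated. Returns 0 on success, -1 if the input
 * would not fit (the caller should reject the request, not truncate it). */
int copy_path_bounded(char *dst, size_t dst_size, const char *src) {
    size_t need = strlen(src) + 1;     /* include the terminator */
    if (dst_size == 0) return -1;
    if (need > dst_size) {
        dst[0] = '\0';                 /* leave a well-defined, empty result */
        return -1;
    }
    memcpy(dst, src, need);
    return 0;
}

/* Returns 1 when the request was accepted, 0 when it was rejected. */
int handle_request_bounded(const char *req_path) {
    char buf[PATH_BUF];
    if (copy_path_bounded(buf, sizeof buf, req_path) != 0) {
        fprintf(stderr, "rejected: path of %zu bytes exceeds %d-byte buffer\n",
                strlen(req_path), PATH_BUF);
        return 0;
    }
    printf("serving %s\n", buf);
    return 1;
}

int main(void) {
    char oversize[200];                 /* constructed over-long request path */
    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';
    handle_request_bounded("/index.html");   /* accepted */
    handle_request_bounded(oversize);        /* rejected, nothing overflowed */
    return 0;
}
```

The hardened version rejects rather than silently truncates: a truncated path would still be served and could point at a different resource than the one requested, so the length check belongs at the trust boundary, before the copy.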
Web Attacks
Semantic attacks
• Changing the web content subtly, thus providing false information
• Active-X, Java, cookies containing executable code (like BO2K)
Web Admin utilities
• NAT’d servers are less visible
• Static IP is bad! http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
Loki
- Uses ICMP (“ping”) as a tunnel for communications and control
- See Phrack Issue 49
Reverse WWW Shell
- Allows command-line access to machine via HTTP port
- Requires “inside job” to install/run the Reverse WWW Shell server
- Looks like ordinary HTTP traffic, allowed by firewalls!
Steganography & Digital Watermarking
- Distribute MALware by embedding code in .bmp, .jpeg or .gif images
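The Loki item above describes command traffic riding inside ICMP echo packets. From the defender's side the tell is that such payloads do not look like what a ping utility sends. The block below is an added example, not code from the deck, from Loki, or from any ping implementation: it classifies echo payloads from a small constructed capture as ordinary or worth review. The two "ordinary" payload patterns (a 16-byte timestamp area followed by incrementing bytes, and a 32-byte alphabet fill), the 64-byte size ceiling, the sample records and all function names are assumptions modelled loosely on common ping implementations, and would be tuned to a real network's baseline.

```c
/* Added example (not from the slide deck): a defender-side heuristic that
 * separates routine ping payloads from ICMP echo payloads carrying something
 * else, the trace a Loki-style ICMP tunnel leaves in traffic. The payload
 * patterns, size ceiling, sample records and function names are assumptions. */
#include <stdio.h>
#include <string.h>

#define PING_MAX_LEN 64   /* assumed ceiling for a routine echo payload */

enum echo_verdict { ECHO_ORDINARY = 0, ECHO_OVERSIZE = 1, ECHO_UNUSUAL_PATTERN = 2 };

/* Assumption modelled on the Linux ping filler: after a 16-byte timestamp
 * area the payload is a run of incrementing byte values. */
static int linux_style_payload(const unsigned char *p, size_t len) {
    if (len < 24) return 0;
    for (size_t i = 16; i < len; i++)
        if (p[i] != (unsigned char)i) return 0;
    return 1;
}

/* Assumption modelled on the Windows ping filler: a 32-byte alphabet fill. */
static int windows_style_payload(const unsigned char *p, size_t len) {
    static const char win[] = "abcdefghijklmnopqrstuvwabcdefghi";
    return len == 32 && memcmp(p, win, 32) == 0;
}

/* Classify one echo payload: oversize first, then known filler patterns. */
enum echo_verdict classify_echo(const unsigned char *payload, size_t len) {
    if (len > PING_MAX_LEN) return ECHO_OVERSIZE;
    if (linux_style_payload(payload, len) || windows_style_payload(payload, len))
        return ECHO_ORDINARY;
    return ECHO_UNUSUAL_PATTERN;
}

/* Fill buf with a constructed ordinary Linux-style payload of 'len' bytes. */
void make_linux_payload(unsigned char *buf, size_t len) {
    size_t head = len < 16 ? len : 16;
    memset(buf, 0, head);                      /* stand-in for the timestamp area */
    for (size_t i = 16; i < len; i++) buf[i] = (unsigned char)i;
}

/* Walk a small constructed capture and return how many echo payloads were
 * flagged; prints one line per record so the block runs stand-alone. */
int flagged_in_sample(void) {
    unsigned char linux_buf[56], big_buf[200];
    const unsigned char win_buf[] = "abcdefghijklmnopqrstuvwabcdefghi";
    const unsigned char tunnel_buf[] = "session-0042:ack";   /* constructed non-ping content */
    make_linux_payload(linux_buf, sizeof linux_buf);
    memset(big_buf, 0x41, sizeof big_buf);

    struct { const char *src; const unsigned char *p; size_t len; } rec[] = {
        {"10.0.0.5",     linux_buf,  sizeof linux_buf},
        {"10.0.0.6",     win_buf,    32},
        {"198.51.100.7", tunnel_buf, sizeof tunnel_buf - 1},
        {"198.51.100.7", big_buf,    sizeof big_buf},
    };
    int flagged = 0;
    for (size_t i = 0; i < sizeof rec / sizeof rec[0]; i++) {
        enum echo_verdict v = classify_echo(rec[i].p, rec[i].len);
        printf("%-14s len=%3zu verdict=%d\n", rec[i].src, rec[i].len, (int)v);
        if (v != ECHO_ORDINARY) flagged++;
    }
    return flagged;
}

int main(void) {
    printf("%d echo payloads flagged for review\n", flagged_in_sample());
    return 0;
}
```

Ping utilities can be told to send custom patterns and sizes, so the pattern checks will produce false positives on any network where that happens; the oversize check is the robust piece, and the pattern checks are best treated as a prompt to look at the volume and timing of echo traffic between the two hosts rather than as a verdict on their own.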
Security Mavens Invaded by Trojan (1 of 2)
by Michelle Delio 10:35 a.m. Feb. 1, 2001 PST
A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night.
A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.
But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers.
Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack." NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.
Information Security Magazine (Oct. 2001)
Survey Finds Web Server Attacks Doubled in 2001
By Amy Newman
October 10, 2001
IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems.
Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.
Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed.
"The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey.
"Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added.
One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.
E-Mail Attacks
• Email bombing – repeatedly sending an identical email message to a particular address.
• Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at: http://www.cert.org/advisories/CA-1996-21.html
• In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus “half-open” connections.
Example: DOS (cont.)
• This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.
• An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle could be anything (“smurfing”). Further, the intruder need not be operating from a single machine – he may be able to coordinate or co-opt several machines on different networks to achieve the same effect: hence, DDoS.
• In addition to network bandwidth, intruders could consume other resources: for example, anything that allows data to be written to disk can be used to execute a DOS attack if there are no bounds on the amount of data that could be written.
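The half-open connection attack described in the bullets above exhausts the kernel's connection-tracking structures rather than bandwidth, so the place it shows up is the host's own connection table. The block below is an added example, not code from the deck or from CERT: it tallies half-open entries from a constructed snapshot of a connection table, both per source address and as a share of the listen backlog. The snapshot, the backlog size, the per-source threshold and the function names are assumptions.

```c
/* Added example (not from the slide deck): count half-open (SYN_RECV) entries
 * in a constructed connection-table snapshot, the symptom of the backlog
 * exhaustion attack described above. Snapshot contents, the backlog size,
 * the threshold and the function names are assumptions. */
#include <stdio.h>
#include <string.h>

struct conn { const char *src; const char *state; };

/* Constructed snapshot: one established session, a cluster of half-open
 * entries from one source, a few scattered ones, and a closing session. */
static const struct conn snapshot[] = {
    {"10.0.0.5",      "ESTABLISHED"},
    {"198.51.100.7",  "SYN_RECV"},
    {"198.51.100.7",  "SYN_RECV"},
    {"198.51.100.7",  "SYN_RECV"},
    {"198.51.100.7",  "SYN_RECV"},
    {"203.0.113.9",   "SYN_RECV"},
    {"203.0.113.10",  "SYN_RECV"},
    {"203.0.113.11",  "SYN_RECV"},
    {"10.0.0.6",      "TIME_WAIT"},
};
#define SNAPSHOT_LEN (sizeof snapshot / sizeof snapshot[0])

#define MAX_SRC 32
struct src_count { char src[40]; int half_open; };

/* Tally SYN_RECV entries per source address. Returns the number of distinct
 * sources written to 'out' (at most max_out); the overall half-open count
 * goes to *total and includes entries that did not fit in 'out'. */
int tally_half_open(const struct conn *table, size_t n,
                    struct src_count *out, size_t max_out, int *total)
{
    int used = 0;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(table[i].state, "SYN_RECV") != 0) continue;
        (*total)++;
        int j;
        for (j = 0; j < used; j++)
            if (strcmp(out[j].src, table[i].src) == 0) break;
        if (j == used) {
            if ((size_t)used == max_out) continue;   /* out of slots: counted in total only */
            snprintf(out[used].src, sizeof out[used].src, "%s", table[i].src);
            out[used].half_open = 0;
            used++;
        }
        out[j].half_open++;
    }
    return used;
}

/* Aggregate view: half-open entries as a percentage of the listen backlog.
 * Flood sources are usually spoofed and spread thin, so this catches floods
 * that a per-source count would miss. */
int backlog_percent(int half_open_total, int backlog) {
    if (backlog <= 0) return 0;
    return (half_open_total * 100) / backlog;
}

/* Per-source view: how many sources hold at least 'threshold' half-open slots. */
int count_heavy_sources(const struct src_count *counts, int n, int threshold) {
    int heavy = 0;
    for (int i = 0; i < n; i++)
        if (counts[i].half_open >= threshold) heavy++;
    return heavy;
}

int main(void) {
    struct src_count counts[MAX_SRC];
    int total;
    int n = tally_half_open(snapshot, SNAPSHOT_LEN, counts, MAX_SRC, &total);
    printf("%d half-open entries from %d sources; backlog %d%% full (assumed backlog 16)\n",
           total, n, backlog_percent(total, 16));
    for (int i = 0; i < n; i++)
        if (counts[i].half_open >= 3)
            printf("source %s holds %d half-open slots\n", counts[i].src, counts[i].half_open);
    return 0;
}
```

The two views answer different questions: a single source holding many half-open slots points at one misbehaving or unreachable peer, while a backlog that is mostly full of half-open entries spread across many sources is the profile of the attack the slide describes, and the response (SYN cookies, shorter half-open timeouts, upstream filtering) is the same regardless of which addresses appear.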
Denial of Service Attacks…
• Make networks or hosts unusable
• Disrupt services
• Difficult or Impossible to locate source
• Becoming very popular with attackers, especially:
– IRC sites
• Display system information
• Log keystrokes, view the keystroke log and delete the keystroke log
• Display a message box
• Map a port to another IP address, application, HTTP file server, or filename
• List ports mapped by BackOrifice 2000
• Send a file through another port
• Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections
• List current processes, kill a process and start a process
• View and edit the registry - create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values
• Video and audio capture and playback
• Capture a screen shot
• File and directory commands - list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes
• Receive and send files
• Compress and uncompress files
• Resolve host name and address
• Server control - shutdown server, restart server, load plug-in, remove plug-in and list plug-ins
Intruder Detection Checklist
Look for Signs That Your System May Have Been Compromised
• Piggyback – gain unauthorized access to a system via an authorized user's legitimate connection.
• Redirects – the action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.
Other Attack Methods (cont.)
Social Engineering
Authority Attack: using a fake badge or uniform to gain info or access, identify a key individual as an alleged friend, or claim authority and demand information
Knee Jerk Attack: making an outlandish statement in order to get an informational response
Persistent Attack: continuous harassment using guilt, intimidation and other negative ways to obtain information
Social Attack: social parties are a great time and place to gain access and information from/about employees and activities
Fake Survey Attack: win a free trip to Hawaii, just answer these questions about your network
Help Desk Attack: impersonating a current or new end-user needing help with access to a net/server
Gee, Thanks a Lot!
http://www.eeye.com/html/press/PR19990608.html
NEWS HEADLINE - “eEye Digital Security unveils one of the largest security holes on the Internet to date”
“Corona Del Mar, CA - eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server. The most commonly used Windows NT web server on the Internet.”
“The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server.”
Less than a month later, the Code Red worm appeared; then a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine.
Bastion Host - A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.
WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames Mudge, Space Rogue, Brian Oblivion "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn.
"I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.
L0pht: “We Can Cripple Internet in 30 minutes”
MANHASSET, N.Y., April 16 /PRNewswire/ - A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault of Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program “L0phtcrack” they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.