03/27/22 Hacking as Warfare 1 Hacking as Warfare Tony Villasenor Director of Technical Services GeoTrust Inc. Previous Posts: Director, NASA Science Internet Chair, Federal Network Council (CERT, etc.) Architect: Russian Science Internet Consultant: USAID, DOS, WHO


Dec 19, 2015

Transcript
Page 1

Hacking as Warfare

Tony Villasenor, Director of Technical Services
GeoTrust Inc.

Previous Posts:
Director, NASA Science Internet
Chair, Federal Network Council (CERT, etc.)
Architect: Russian Science Internet
Consultant: USAID, DOS, WHO

Page 2

Hacking as Warfare

• TECHNOLOGY
– Network-based attack tools
– Network defense tools

• PSYCHOLOGY
– Why do it?

• CYBER TERRORISM
– Terrorist
– Terrorist sympathizers
– Targeted countries

• IMPACT ON CITIZENS

Page 3

Network Security Issues

Part 1 of 2

(A Playground for Hackers)

Page 4

Network-Based Attacks

Better Accessibility because of the network
– Web sites
– Email Servers
– File Servers
– DNS Servers
– Routers
– Etc.

Page 5

Web Attacks

Buffer Overflow:
- Occurs when a program does not check to make sure the data it is putting into a space will actually fit into that space
- A vulnerability exists in Microsoft IIS 5.0 running on Windows 2000 that allows a remote intruder to run arbitrary code on the victim machine, allowing them to gain complete administrative control of the machine
- IIS %c1%1c bug (http://www.wiretrip.net/rfp/p/doc.asp?id=57)

Apache HTTP Server version 1.3.19:
- A remote attacker could send an HTTP request that causes the server to crash or behave unexpectedly.

Page 6

Web Attacks

Semantic attacks
• changing the web content subtly, thus providing false information

Active-X, Java
• cookies containing executable code (like BO2K)

Web Admin utilities
• NAT'd servers are less visible
• Static IP is bad! http://www.sans.org/newlook/resources/IDFAQ/DIC.htm
• FAQs http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html

Page 7

Examples of Web Attacks

• Cracking Session ID numbers
– https://www.tonybank.com/account.asp?sid=12345678
– URL session tracking
– Hidden form elements
– Cookies

• Cracking a SQL database
– Enter an "incorrect" string to get an error message which shows how the database forms a query.
– http://www.wiretrip.net/rfp/p/doc.asp?id=42
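Two defender-side checks for the issues on this slide, added here as an example (not code from the slides): a quick test for counter-style session IDs like sid=12345678, and a lookup that concatenates input into SQL and echoes the database error beside a version with a bound parameter and a generic reply. The in-memory SQLite accounts table and the sample IDs are constructed.

```python
import secrets
import sqlite3


def session_ids_look_predictable(ids):
    """True when consecutive IDs advance by one constant step (a counter)."""
    values = [int(i) for i in ids]
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(values) >= 2 and len(steps) == 1


def new_session_id():
    """Unpredictable replacement: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)


def _db():
    """Constructed accounts table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (name TEXT, balance INTEGER)")
    conn.execute("INSERT INTO accounts VALUES ('alice', 100)")
    return conn


def lookup_vulnerable(conn, name):
    """Concatenates user input into SQL and returns the raw error to the caller."""
    query = f"SELECT balance FROM accounts WHERE name = '{name}'"
    try:
        row = conn.execute(query).fetchone()
        return "ok", row[0] if row else None
    except sqlite3.Error as exc:
        # This is the leak the slide describes: engine message plus query text
        # go back to whoever typed the "incorrect" string.
        return "error", f"{exc} in query: {query}"


def lookup_hardened(conn, name):
    """Binds the input as a parameter and never echoes internals."""
    try:
        row = conn.execute(
            "SELECT balance FROM accounts WHERE name = ?", (name,)
        ).fetchone()
        return "ok", row[0] if row else None
    except sqlite3.Error:
        return "error", "request failed"  # details belong in the server log


if __name__ == "__main__":
    print(session_ids_look_predictable(["12345678", "12345679", "12345680"]))
    print(new_session_id())
    conn = _db()
    print(lookup_vulnerable(conn, "alice'"))  # error text reveals the query shape
    print(lookup_hardened(conn, "alice'"))    # generic error, nothing learned
```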

Page 8

Examples of Web Attacks (cont.)

Loki
- Uses ICMP ("ping") as a tunnel for communications and control
- See Phrack Issue 49

Reverse WWW Shell
- Allows command-line access to a machine via the HTTP port
- Requires an "inside job" to install/run the Reverse WWW Shell server
- Looks like ordinary HTTP traffic, allowed by firewalls!

Steganography & Digital Watermarking
- Distribute MALware by embedding code in .bmp, .jpeg or .gif images

Page 9

Security Mavens Invaded by Trojan (1 of 2)

by Michelle Delio 10:35 a.m. Feb. 1, 2001 PST

A popular Web discussion board in which the subject is computer security became the unwitting host of an attack program directed at security consultant firm Network Associates Wednesday night.

A cracker posted to the Bugtraq board what he said was a script -- computer code that would allow people to take advantage of a recently discovered hole in BIND, the software that pushes information across the Internet.

http://www.wired.com/news/technology/0,1282,41563,00.html

Page 10

Security Mavens Invaded by Trojan (2 of 2)

But if someone downloaded and ran the posted script, it instead launched a denial of service attack against Network Associates (NAI) by sending packets of garbage information in the hopes of overwhelming the firm's servers.

Since Network Associates had already patched the hole, its website's performance wasn't adversely affected. "We have determined that a distributed denial of attack was directed at NAI last night," an NAI spokeswoman said, "but no penetration to the corporate network took place. We are continuing to investigate the origin of this attack." NAI was the first to raise the alarm over the BIND exploit, and Bugtraq spokesperson Elias Levy said he assumes that the attack was intended to see if NAI had practiced what they preached and patched the hole.

Page 11

Information Security Magazine (Oct. 2001)

Survey Finds Web Server Attacks Doubled in 2001

By Amy Newman

October 10, 2001. IT and computer security magazine Information Security this week released the findings of its 2001 Information Security Industry Survey. The survey was co-sponsored by TruSecure Corp. (Information Security's parent company) and Predictive Systems.

Despite enterprises' claims of increased corporate spending on computer security, survey results revealed that cyber attacks and viruses have continued to impact organizations with alarming frequency.

http://www.infosecuritymag.com/articles/october01/images/survey.pdf

Page 12

Information Security Magazine (Oct. 2001)

Almost half of the more than 2,500 organizations surveyed were hit by a Web server attack in 2001, nearly double the number hit in 2000. Viruses, worms, Trojan Horses, and other "malware" infected 90 percent of these organizations, even with antivirus protection in place in 88 percent of those surveyed.

"The survey proves just how pervasive and serious attacks like Code Red and Nimda are," said Andy Briney, editor in chief of Information Security and lead analyst of the survey.

"Even 'security-aware' organizations are being attacked on all sides, both internally and externally," Briney added.

One cure for those hit by both Code Red and Nimda may be migration to a Web server other than IIS. An advisory issued by Gartner last month recommended that enterprises hit by both Code Red and Nimda begin investigating alternatives to the popular Microsoft product, such as moving Web applications to less-vulnerable Web server products.

Page 13

E-Mail Attacks

• Email bombing
– repeatedly sending an identical email message to a particular address.
– http://www.cert.org/tech_tips/email_bombing_spamming.html

• MALware Attachments:
– worms, viruses, trojan horses, etc.

• SPAM
– Unsolicited "junk" mail
– At sites with mailers that permit relaying

Page 14

E-Mail Attacks

• RTF files are ASCII text files and include embedded formatting commands. RTF files do not contain macros and cannot be infected with a macro virus.

• An MP3 file consists of highly compressed audio tracks. MP3 files are not programs, and viruses cannot infect them.

Page 15

SPAM Control

    Scheck_rcpt
    # anything terminating locally is ok
    R< $+ @ $=w >	$@ OK
    # anything originating locally is ok
    R$*	$: $(dequote "" $&{client_name} $)
    R$=w	$@ OK
    R$@	$@ OK
    # anything else is bogus
    R$*	$#error $: "550 Relaying Denied"

Three rules for controlling SPAM; the code is inserted in the 'sendmail.cf' file. (In sendmail.cf the left-hand side and right-hand side of each R line must be separated by a tab character, not spaces.)
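The decision those three rule groups make, written out as ordinary code so the rewrite syntax can be read against it; this is an added example, not anything from the slides or from sendmail. LOCAL_HOSTS stands in for sendmail's class $=w (the names this host accepts mail for) and the recipient/client pairs are constructed.

```python
# Rule-by-rule reading of the check_rcpt ruleset on the slide:
#   R< $+ @ $=w >  $@ OK                    recipient domain is in class w: accept
#   R$*  $: $(dequote "" $&{client_name} $) replace workspace with the client name
#   R$=w $@ OK                              client name is in class w: accept
#   R$@  $@ OK                              empty client name (local submission): accept
#   R$*  $#error $: "550 Relaying Denied"   everything else: refuse the RCPT

LOCAL_HOSTS = {"mail.example.org", "example.org", "localhost"}  # constructed $=w


def check_rcpt(recipient, client_name, local_hosts=LOCAL_HOSTS):
    """Return 'OK' or the 550 reply, following the slide's rule order exactly."""
    # Rule group 1: anything terminating locally is ok.
    if "@" in recipient:
        domain = recipient.rsplit("@", 1)[1].strip("<> ").lower()
        if domain in local_hosts:
            return "OK"
    # Rule group 2: anything originating locally is ok. The dequote line
    # swaps the workspace for ${client_name}; $=w or an empty name accepts.
    client = (client_name or "").strip().lower()
    if client == "" or client in local_hosts:
        return "OK"
    # Rule group 3: anything else is bogus (an open-relay attempt).
    return "550 Relaying Denied"


def relay_decisions(attempts):
    """Apply the rules to constructed (recipient, client_name) pairs."""
    return [(rcpt, client, check_rcpt(rcpt, client)) for rcpt, client in attempts]


if __name__ == "__main__":
    for row in relay_decisions([
        ("<bob@example.org>", "dialup-42.isp.example.net"),   # inbound: ok
        ("<friend@elsewhere.example>", "mail.example.org"),   # outbound from us: ok
        ("<friend@elsewhere.example>", ""),                   # local submission: ok
        ("<victim@elsewhere.example>", "host.isp.example.net"),  # relay: denied
    ]):
        print(row)
```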

Page 16

Network Attacks

• DOS, DDoS: coordinated attack by one or multiple sources
– SYN flooding: http://www.cert.org/advisories/CA-1996-21.html
– Aided by proliferation of DSL home users

• DNS, BIND
– Redirection: the site you're on is not really the site you think you're on!
– Vulnerabilities in BIND that allow a remote user to gain privileged access

• Routers
– Change routing information to disable a network
– Cisco's IOS runs much of the worldwide backbone of the Internet

• Sniffers
– examine network traffic going to and from other machines
– gather usernames and passwords
– capture electronic mail

Page 17

Network Attacks (cont.)

• Firewalls

• IDS, HoneyPots, SATAN, vulnerability scanners
– http://www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

• Tripwire to detect configuration changes

Page 18

Example: DOS

• Denial-of-Service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating over the network. A description of how this can occur is at: http://www.cert.org/advisories/CA-1996-21.html

• In this case, the hacker begins the process of connecting to the victim machine, but in such a way as to PREVENT the completion of the connection. Since the victim machine has a limited number of data structures for connections, the result is that legitimate connections are denied while the victim machine is waiting to complete bogus “half-open” connections.

http://www.cert.org/tech_tips/denial_of_service.html

Page 19

Example: DOS (cont.)

• This type of attack does not depend on the attacker being able to consume your network bandwidth. Here, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from just a dial-up connection against a machine on a very fast network.

• An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle could be anything (“smurfing”). Further, the intruder need not be operating from a single machine – he may be able to coordinate or co-opt several machines on different networks to achieve the same effect: hence, DDoS.

• In addition to network bandwidth, intruders could consume other resources: for example, anything that allows data to be written to disk can be used to execute a DOS attack if there are no bounds on the amount of data that could be written.
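The half-open connection exhaustion described on the two DOS slides is visible on the victim host itself: a pile of connections stuck in SYN_RECV on one listening port, each from a different (often spoofed) source. This added example, not code from the slides, reads a netstat-style listing and reports that signature per port; SAMPLE_NETSTAT and the threshold are constructed and the layout follows the "proto recv-q send-q local foreign state" columns of `netstat -an`.

```python
from collections import Counter

# Constructed listing: port 80 has five half-open connections from five
# different sources, port 25 has one (normal for a busy mailer).
SAMPLE_NETSTAT = """\
tcp 0 0 10.0.0.5:80 198.51.100.20:51002 ESTABLISHED
tcp 0 0 10.0.0.5:80 203.0.113.7:4411 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.8:4412 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.9:4413 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.10:4414 SYN_RECV
tcp 0 0 10.0.0.5:80 203.0.113.11:4415 SYN_RECV
tcp 0 0 10.0.0.5:25 198.51.100.21:33001 ESTABLISHED
tcp 0 0 10.0.0.5:25 198.51.100.22:33002 SYN_RECV
"""


def parse_connections(text):
    """Return (local_port, foreign_host, state) for each TCP line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        out.append((local.rsplit(":", 1)[1], foreign.rsplit(":", 1)[0], state))
    return out


def half_open_report(text, threshold=5):
    """Per local port: SYN_RECV count, distinct sources, and two flags.

    'suspect' means the backlog of half-open connections reached the
    threshold (a real kernel backlog is larger; 5 is for the sample).
    'spoofed_pattern' adds that every half-open entry came from a different
    source, which is what a flood with forged source addresses looks like.
    """
    half_open = Counter()
    sources = {}
    for port, host, state in parse_connections(text):
        if state == "SYN_RECV":
            half_open[port] += 1
            sources.setdefault(port, set()).add(host)
    report = {}
    for port, n in half_open.items():
        distinct = len(sources[port])
        report[port] = {
            "half_open": n,
            "distinct_sources": distinct,
            "suspect": n >= threshold,
            "spoofed_pattern": n >= threshold and distinct == n,
        }
    return report


if __name__ == "__main__":
    for port, info in sorted(half_open_report(SAMPLE_NETSTAT).items()):
        print(port, info)
```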

Page 20

Denial of Service Attacks…

• Make networks or hosts unusable

• Disrupt services

• Difficult or Impossible to locate source

• Becoming very popular with attackers, especially
– IRC sites

– Controversial sites or services

• Bottom Line: COSTLY!

http://www.cert.org/present/cert-overview-trends/sld001.htm

Page 21

Back Orifice 2000

• Ping and query the server

• Reboot or lock up the system

• List cached and screen saver passwords

• Display system information

• Log keystrokes, view the keystroke log and delete the keystroke log

• Display a message box

• Map a port to another IP address, application, HTTP file server, or filename

• List ports mapped by BackOrifice 2000

• Send a file through another port

• Share a drive, unshare a drive, list shared drives, list shared devices on a LAN, map a shared device, unmap a shared device and list all connections

http://www.commandcom.com/virus/backorifice2000.html

Page 22

Back Orifice 2000 (cont.)

• List current processes, kill a process and start a process

• View and edit the registry - create a key, set a value, get a value, delete a key, delete a value, rename a key, rename a value, enumerate keys and enumerate values

• Video and audio capture and playback

• Capture a screen shot

• File and directory commands - list directory, find file, delete file, view file, move file, rename file, copy file, make directory, remove directory and set file attributes

• Receive and send files

• Compress and uncompress files

• Resolve host name and address

• Server control - shutdown server, restart server, load plug-in, remove plug-in and list plug-ins

Page 23

Intruder Detection Checklist

Look for Signs That Your System May Have Been Compromised

1. Examine log files

2. Look for setuid and setgid files

3. Check system binaries

4. Check for packet sniffers

5. Examine files run by 'cron' and 'at'.

6. Check for unauthorized services

7. Examine /etc/passwd file

8. Check system and network configuration

9. Look everywhere for unusual or hidden files

10. Examine all machines on the local network

http://www.cert.org/tech_tips/intruder_detection_checklist.html
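Two of the checklist items above as runnable checks, added here as an example (not code from the slides or from CERT): item 2 walks a directory tree for files with the setuid or setgid bit, and item 7 flags /etc/passwd entries that are UID 0 but not root, or that have an empty password field. SAMPLE_PASSWD is constructed, and the setuid search runs on a throwaway temporary directory so it can be tried without touching the real system.

```python
import os
import stat
import tempfile

# Constructed passwd file: 'toor' is a second UID-0 account, 'guest' has no
# password field at all.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0::/:/bin/sh
guest::1001:1001::/home/guest:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def find_setuid_files(root):
    """Checklist item 2: regular files under root with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def suspicious_passwd_entries(text):
    """Checklist item 7: (username, reason) for extra UID-0 accounts and
    accounts whose password field is empty."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line; a real audit would report it too
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "uid 0"))
        if pw == "":
            findings.append((user, "empty password field"))
    return findings


def demo_setuid_search():
    """Build a throwaway tree with one setuid file and find only that one."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = os.path.join(tmp, "plain")
        suid = os.path.join(tmp, "suid")
        for p in (plain, suid):
            open(p, "w").close()
        os.chmod(suid, 0o4755)
        return [os.path.basename(p) for p in find_setuid_files(tmp)]


if __name__ == "__main__":
    print(demo_setuid_search())
    print(suspicious_passwd_entries(SAMPLE_PASSWD))
```

On a live system the same two functions would be pointed at "/" and at the contents of /etc/passwd, and the setuid list compared against a known-good baseline.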

Page 24

Other Attack Methods

• Piggyback
– gain unauthorized access to a system via an authorized user's legitimate connection.

• Redirects
– The action used by some viruses to point a command to a different location. Often this different location is the address of the virus and not the original file or application.

Page 25

Other Attack Methods (cont.)

Social Engineering

Authority Attack: using a fake badge or uniform to gain info or access, or identify a key individual as an alleged friend, or claim authority and demand information

Knee Jerk Attack: making an outlandish statement in order to get an informational response

Persistent Attack: continuous harassment using guilt, intimidation and other negative ways to obtain information

Social Attack: social parties are a great time and place to gain access and information from/about employees and activities

Fake Survey Attack: win a free trip to Hawaii, just answer these questions about your network

Help Desk Attack: impersonating a current or new end-user needing help with access to a net/server

Page 26

Gee, Thanks a Lot!
http://www.eeye.com/html/press/PR19990608.html

NEWS HEADLINE - "eEye Digital Security unveils one of the largest security holes on the Internet to date"

"Corona Del Mar, CA - eEye Digital Security Team, an eCompany LLC venture, dedicated to network security and custom network software development, has unveiled one of the most vulnerable security holes on the Internet to date. The vulnerability exists in the latest release of Microsoft Internet Information Server. The most commonly used Windows NT web server on the Internet."

"The vulnerability allows arbitrary code to be run on any web server running the latest release of Microsoft Internet Information Server. Utilizing a buffer overflow bug in the web server software, an attacker can remotely execute code to enable system level access to all data residing on the server."

Less than a month later, the Code Red worm appeared; then a few weeks later came Code Red II, with a back door to allow others to gain control of the infected machine.

Page 27

Network Defenses

• Firewalls, DMZ, air gap
• VPN, SSL encryption
• Intrusion Detection Systems, honeypots and burglar alarms, vulnerability scanners
• e-mail filters, SMIME encryption

Bastion Host - A strongly protected computer that is in a network protected by a firewall (or is part of a firewall) and is the only host (or one of only a few hosts) in the network that can be directly accessed from networks on the other side of the firewall. Filtering routers in a firewall typically restrict traffic from the outside network to reaching just one host, the bastion host, which usually is part of the firewall. Since only this one host can be directly attacked, only this one host needs to be very strongly protected, so security can be maintained more easily and less expensively. However, to allow legitimate internal and external users to access application resources through the firewall, higher layer protocols and services need to be relayed and forwarded by the bastion host. Some services (e.g., DNS and SMTP) have forwarding built in; other services (e.g., TELNET and FTP) require a proxy server on the bastion host.

http://www.linuxsecurity.com/dictionary/dict-42.html

Page 28

What Does a Firewall Do?

• Define network components
– Workstations, routers, networks, printers, etc.
– Insiders, Outsiders, "Bad Guys"

• Typical Policy Rules
– Stop Bad Guys (from Any Source, to Any Destination)
– Stop non-Insiders from getting Inside/Outside
– Allow Insiders to get Inside (other nets, resources, etc.)
– Allow Insiders to get Outside (i.e., on specific ports)
– Deny Everything Else

• Reports, Alarms
– Event logs, various levels of detail
– Notify if certain events occur
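The policy rules on this slide as a first-match rule table, added here as an example (not code from the slides or from any firewall product): the classification of addresses into Insiders, Outsiders and Bad Guys, the rules in the order the slide lists them, and the final deny-everything-else rule that catches anything the earlier rules did not. The address ranges and the "specific ports" are constructed, and the verdict comes back with the rule name so it can go into the event log the slide asks for.

```python
import ipaddress

# Constructed network definitions (the slide's "network components").
INSIDE = [ipaddress.ip_network("10.0.0.0/8")]
BAD_GUYS = [ipaddress.ip_network("203.0.113.0/24")]  # known-hostile ranges
OUTBOUND_PORTS = {80, 443, 25}                       # "specific ports" for insiders


def zone(addr):
    """Classify an address as 'badguy', 'insider' or 'outsider' (in that priority)."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in BAD_GUYS):
        return "badguy"
    if any(ip in net for net in INSIDE):
        return "insider"
    return "outsider"


def _bad_guys(s, d, p):
    return s == "badguy" or d == "badguy"


def _non_insiders(s, d, p):
    return s != "insider"


def _insiders_inside(s, d, p):
    return s == "insider" and d == "insider"


def _insiders_outside(s, d, p):
    return s == "insider" and d == "outsider" and p in OUTBOUND_PORTS


def _everything(s, d, p):
    return True


# (rule name, predicate over (src_zone, dst_zone, dst_port), verdict),
# in the order the slide lists them. First match wins.
POLICY = [
    ("stop bad guys", _bad_guys, "deny"),
    ("stop non-insiders", _non_insiders, "deny"),
    ("allow insiders inside", _insiders_inside, "allow"),
    ("allow insiders outside on specific ports", _insiders_outside, "allow"),
    ("deny everything else", _everything, "deny"),
]


def decide(src, dst, dst_port):
    """Return (verdict, rule name) for one connection attempt."""
    s, d = zone(src), zone(dst)
    for name, match, verdict in POLICY:
        if match(s, d, dst_port):
            return verdict, name
    raise AssertionError("unreachable: the last rule matches everything")


if __name__ == "__main__":
    print(decide("10.1.2.3", "198.51.100.5", 443))  # insider out on 443: allow
    print(decide("10.1.2.3", "198.51.100.5", 23))   # insider out on telnet: deny
    print(decide("203.0.113.9", "10.1.2.3", 80))    # bad guy inbound: deny
```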

Page 29

Network Design Considerations

• Support communications requirements

• Design Goals
– Easy to use
– Inexpensive
– Reliable
– Fast
– Secure

• Counter-Issues
– Access Controls (passwords, permissions, etc.)
– Security Management (policy, maintenance, updates)
– Security Overhead (bandwidth, cycles, manpower)

Page 30

Basic Network Architecture

[Diagram: INTERNET connected through a router and a firewall to a DTE and a segment holding the www, dns and mail servers with usage filters; a second firewall and routers lead on to Intranet 1 and Intranet 2. Annotations on the diagram: "Security Policy?" and "Management Support?"]

Page 31

HACKER PSYCHOLOGY

• Achievement
– The Harder the Better
– The Bigger the Better

• Fame
– Recognition (Distrust)
– Respect (Fear)

• Surprise
– Creativity

• Money*
– Corporations
– Governments

How to be a Hacker: http://www.tuxedo.org/~esr/faqs/hacker-howto.html

Phrack: http://www.phrack.com/

DarkCyde (for Phreakers): http://www.f41th.com/

cDc: http://www.cultdeadcow.com/

*Note: Hackers don't make the Money – their Thrill is in the Game!

Page 32

Lopht: “We Can Cripple Internet in 30 minutes”

WASHINGTON (AP) A Senate committee heard seven of the nation's top computer hackers claim Tuesday they could cripple the Internet in a half-hour. Given more time and money, they boasted, they could interrupt satellite transmissions or electricity grids and snoop on the president's movements. The seven, dressed in business suits, identified themselves only by their hacker nicknames Mudge, Space Rogue, Brian Oblivion "due to the sensitivity of their work," said Sen. Fred Thompson, R-Tenn.

"I'm informed that you think that within 30 minutes the seven of you could make the Internet unusable for the entire nation. Is that correct?" asked Thompson. "That's correct," replied Mudge, a frizzy-haired computer security expert. "Actually, one of us, with just a few packets," he added, referring to bundles of data that flow across the global computer network. He went on to describe generally a process to separate "the different major long-haul providers," such as AT&T, so its network couldn't exchange information with other major networks, such as MCI. "It would definitely take a few days for people to figure out what is going on," Mudge said.

Page 33

Lopht: “We Can Cripple Internet in 30 minutes”

MANHASSET, N.Y., April 16 /PRNewswire/ - A group of Boston-based, sophisticated computer hackers, called the L0pht (pronounced 'loft'), is continuing the assault of Microsoft's (Nasdaq: MSFT) Windows NT operating system. The L0pht has made available for download, via their Web site, a program “L0phtcrack” they claim can be used to steal the entire registry of passwords off a Windows NT network, according to CMP Media's EE Times Online.

Page 34

Popular View of Hackers (also by Hackers)