HACKERS - The Modern Roadwarrior-

Dec 15, 2015


Jaelyn Sauter

HACKERS- The Modern Roadwarrior-

THE CHANGING WORLD

General Powell describes an historic meeting with Gorbachev, who was becoming frustrated in trying to explain how the old model of the world was unworkable. He finally leaned across the table to Secretary Shultz and said, "You need to understand, Secretary Shultz; today I am ending the cold war." He then turned to Powell and said, "General, you will have to find another enemy."

THE CHANGING WORLD

• The bipolar world of the last half century has become a multipolar economy dominated by the United States, Europe and the Pacific Rim.
  – Economic competition has replaced military competition.
  – Information and economic value have become synonymous.
  – Personal and economic interests have merged with national interests.
• The new economy is based upon information technology that is fast leading to an age of networked intelligence (the network is the computer) that is leading to a new society with new politics.
• The world is on the doorstep of a digital economy fueled by information and knowledge. (Information is Power)

Hackers- An Academic View -

Hacker History

• The original generation of Hackers has been said to be such personalities as John von Neumann, Alan Turing and Grace Hopper.
• The first use of the term "Hacker" is attributed to members of the "Tech Model Railroad Club" from MIT in the late 1950s.
• This was originally a term of praise for the very best programmers and designers.
• Media coverage in the 1980s redefined the term to be synonymous with "Computer Criminal".
• The visibility and rise of Hackers is the result of four major developments:
  1. The proliferation of computers.
  2. The dramatic rise and geographical expansion of networks.
  3. The dramatic rise in computer literacy.
  4. The dependence of organizations upon information.

My personal belief…

• Computers are tools for the masses. Computers should not be private devices for the rich.
• Information belongs to everyone. Most hackers start at the university which generates and distributes knowledge.
• Coding is community property. The status of all software should be shareware, freeware or public domain.
• Coding is an art. A good program has a certain elegance and beauty. In beauty there is creativity which is demonstrated by a program that can penetrate others.
• The computer lives. Most hackers have a social and personal relationship with their computer.

The Hacker’s Ethics

• Access to computers should be unlimited and total.
• Always yield to the Hands-On Imperative.
• All information should be free.
• Mistrust authority--promote decentralization.
• Hackers should be judged by their hacking.
• You can create art and beauty on a computer.
• Computers can change your life for the better.

Qualities

Young. Most are under 30 and concentrated around colleges and universities.

Bright. A good hack results from meeting a challenge which will require in many cases exceptionally high intelligence.

Understanding, Prediction and Control. These three conditions seem to bring a sense of competence, mastery, and self-esteem.

Computer fascination. For many of us the computer is simply a tool. For the hacker it is an unendingly fascinating toy - a mystery wrapped in an enigma to be explored and understood.

No malice. The good hacker does no damage.

Social view is

• Misguided youths. Hackers are misguided youths and are essentially harmless. Their intelligence and creativity should be encouraged but directed toward more constructive channels.
• Security specialists. Hackers know the corporate security weaknesses. They should be hired as security specialists and their expertise utilized to protect the corporate vital information resources.
• Scumbags. Hackers are the scum of the earth and should be treated as varmints and hunted down with dogs and put away for life.
• Ordinary criminals. Hackers should be treated no different than any other criminals. Human nature inevitably breeds predators and it is the responsibility of everyone to put in place the necessary controls to protect their valuables.

From the Hacker's mouth

"Hacking to me [is] to transcend custom and engage in creativity for its own sake..."

"For the most part, it's simply a mission of exploration. In the words of the captain of the starship Enterprise, Jean-Luc Picard, 'Let's see what's out there!'"

"It's like picking a lock on a cabinet to get a screwdriver to fix a radio. As long as you put it back what's the harm?"

"Although computers are part "property" and part "premises" ..... they are supreme instruments of speech..... We must continue to have absolute freedom of electronic speech."

"Thousands of people legally see and use this ever-growing mountain of data much of it erroneous. Whose rights are we violating when we peruse the file. ...The invasion took place long before the hacker ever arrived."

"Crime gets redefined all the time. Offend enough people or institutions and lo and behold, someone will pass a law."

"At the risk of sounding like some digital posse comitatus, I say: Fear The Government That Fears Your Computer."

What do you mean by Hacker?

• A Hacker is someone who has achieved some level of expertise with computers.
• A Cracker is someone who breaks into systems without permission.
• A Script Kiddie is someone who uses scripts or programs from someone else to do his/her cracking.
• Other terms are leech, warez puppy, warez dood, lamer and rodent.
• A Phreaker is a hacker who specializes in telephone systems.
• A White Hat is someone who professes to be strictly a good guy.
• A Black Hat is someone who is viewed as a bad guy.
• A Grey Hat is someone who falls in between White and Black.

What motivates the hacker?

Psychological Need/Recognition. Desire to Learn/Curiosity. Revenge/Maliciousness. Experimentation. Gang Mentality. Misguided trust in other individuals. Altruistic reasons. Self-gratification. Desire to Embarrass. Joyriding. Scorekeeping. Espionage. Cyber-Warrior

Typical attacks are

Insider Attack. Social Engineering. Virus Infiltration. Denial of Service. Software Bug. Password Infiltration. Lack of Security Infiltration. IP Spoofing. Trojan Horse. Stealth Infiltration. Brute Force. TCP/IP Protocol Flaw. Worms and viruses

Typical Attacks come from

• 49% are inside employees or contractors on the internal network.

• 17% come from dial-up from inside employees.

• 34% are from the Internet.

• The major financial loss is due to internal hacking.

What characteristics make a GOOD target?

Lax Security (Hard on the outside, soft on the inside!). High visibility makes a good "Scorekeeper" site. High visibility makes a good "Embarrassment" site. Resources that are useful to the hacker. Destruction of ability to provide service to customer.

Examples

• The Cuckoo's Egg discussed four hackers, Dirk Brzesinski, Peter Carl, Markus Hess and Karl Koch, from Hannover, Germany, who penetrated or attempted penetration of at least 50 computers connected to MILNET.
• These systems included the Pentagon, Lawrence Livermore Labs, the Los Alamos Nuclear Weapons Systems and the National Computer Security Center.
• They exploited these systems by means of weaknesses in TCP/IP and the UNIX operating systems.
• One of their favorite techniques was to plant Trojan Horses to steal authorized passwords.
• The German Chaos Computer Club brought "chaos" to the National Aeronautics and Space Administration computer systems in the late 1980s.
• They primarily planted Virus programs at the Goddard Space Flight Center in Greenbelt, Md.
• They gained access through a Unix flaw that the system administrator had failed to patch.

Examples

• Eberhard Blum, part of the Bundesnachrichtendienst (BND), is reputed to have instituted a program called Project Rehab, composed of computer scientists, designed to penetrate the communications systems of the Eastern bloc.
• This organization, since the fall of the Eastern bloc, is reputed to have targeted the West.
• The Direction Générale de la Sécurité Extérieure (the French CIA) is reputed to target foreign businesses.
• Their favorite US targets seem to have been IBM and TI.
• They are reputed to search visitor rooms looking for information on laptops and to bug Air France flights.
• The French are reputed to auction these industrial secrets to the highest corporate bidder.
• The Ministry for International Trade (MITI) is reputed to coordinate the industrial espionage activities of Japanese corporations.
• These secrets are funneled through MITI, which uses the information as part of their national industrial policy.
• China, the former Soviet Union, France, Japan, Israel, Sweden, Switzerland and UK are reputed to be the most active in national industrial espionage.

Examples

• Robert Morris Jr, Cornell University, brought the Internet to its knees in 1988 through the "Internet Worm".
• The Worm consumed computer resources making them unavailable to others thereby either halting the computer or slowing it to a crawl.
• The worm primarily consisted of two attack programs.
• A program designed to exploit the backdoor DEBUG command in Sendmail, a Finger daemon program to inundate the Finger daemon's input buffer and a password guessing program.
• The Legion of Doom (LoD) and the Masters of Destruction (MoD) were two of the major computer gangs in the late 80s and early 90s.
• They were from Brooklyn, the Bronx and Queens.
• They wiretapped, intercepted data transmissions, reprogrammed phone computer switches, stole and sold passwords, etc.
• The LoD were convicted in 1992, apparently turned in as a result of a falling out with other hackers.

Rome Lab Attack

• On 28 March 1994 the Rome Labs Sysadmins detected a password Sniffer.
• The Sniffer had collected so much information that it had filled a disk and crashed the system.
• Defense Information Systems Agency (DISA) was notified who, in turn, notified AFOSI.
• Air Force Information Warfare Center (AFIWC) was notified and SA Jim Christi was assigned the case.
• The investigators, after reviewing the logs and interviewing the Sysadmins, found that:
  – The penetration was made on March 23 by two hackers.
  – They penetrated seven computers and planted sniffers.
  – 100 accounts on 30 systems were compromised.
  – Rome Lab had been used as a jumping off point for hack attacks on other military, government and research facilities around the world.
• The Commanding officer was briefed and made the decision to leave several systems open in the hopes of tracking the hackers.
• Pursue and Prosecute

Rome Lab Attack

• The investigative team established a snooper program that began key stroke monitoring on the systems left open and discovered the hacker handles Datastream Cowboy and Kuji.
• The majority of the attacks were traced back to: cyberspace.com, Seattle Washington and mindvox.com, New York City.
• On 5 April, an Internet informant provided AFOSI an EMail address and home Telephone number (Datastream) in the UK of a hacker who had been bragging about the exploit.
• Scotland Yard initiated a pen register on the hacker's telephone while AFOSI continued to monitor Datastream's online activity. During this time, based upon sniffed passwords, he:
  – Attacked systems at the Jet Propulsion Lab in California and
  – Attacked systems at the Goddard Space Flight Center, Greenbelt, Md
  – Compromised an Aerospace contractor systems in California and Texas
  – Initiated a scan against Brookhaven Labs, DOE, in NY.

Rome Lab Attack

• On April 14/15, 1994 the investigative team observed Kuji initiate attacks from Latvia against:
  – Goddard Space Flight Center
  – Wright-Patterson AFB
  – NATO Headquarters
• In the meantime Datastream was busily attacking the Korean Atomic Research Inst. Alarm bells started going off until it was discovered to be South Korea.
• In May, 1994 Scotland Yard executed a search warrant and arrested 16 year old Richard Pryce. His tool was a 25 Mhz, 486SX, 170 Mb machine.
• During the interview Datastream indicated:
  – He communicated with Kuji only through the Internet or Telephone.
  – He provided the information he stole to Kuji.
  – Kuji had been his mentor.
• Pryce pleaded guilty and was fined 1,200 pounds.
• In June 1996 21 year old Matthew Bevan, A.K.A. Kuji, was finally apprehended. In 1997 charges against him were dropped due to lack of evidence.
• Kuji is now a security consultant. His web site is www.bogus.net/kuji.

A Typical Hacker Attack

THE BOEING ATTACK - 1995

[Figure: network diagram. Labels: Internet, Hacker, Boeing Computer, Commercial Computer, Government Computer, Education Computer, Trusted Connection (three links), Modem Attack.]

November 1995

1. A computer consultant noticed the system was sluggish.
   (a). He executed the top command to determine what was slowing down the system.
   (b). A program called vs was consuming a large amount of system resources and was running as superuser.
2. He next ran ps.
   (a). vs did not appear so he suspected a break-in.
3. He executed the Emacs dired command and found the vs program in a directory called /var/.e/vs.
4. He next did a chdir() to the /var directory and did a ls -a command.
   (a). The directory /var/.e was not displayed.
5. The programmer used the tar command to make a copy of the /var/.e, /bin and /etc directories.
   (a). He copied this to another computer.
6. The programmer then shut down the system.
7. He next examined the /bin/login file and found it had been modified to allow logging in with a special password.
8. This seemed to be an exceptionally sophisticated attack.

THE BOEING ATTACK - 1995

[Figure: the network diagram repeated from the previous slide.]

9. He found the /var/.e/vs was a password sniffer which passed copied passwords to a remote computer.
10. He found the /bin/ls and /bin/ps commands had been modified to not display the directory /var/.e.
11. He also found the /bin/ls, /bin/ps and /bin/login file creation dates and modification times had been reset to the original dates and times.
12. He found, in addition, that the checksums for the modified commands matched those of the original unmodified versions.

A comparison of the modified programs with the backup version revealed the differences.
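The Boeing findings show why timestamps and a weak checksum cannot vouch for system binaries, and why comparing against a trusted backup worked. The following is an added example, not part of the original slides: it audits a live directory against a backup with SHA-256 and cross-checks a suspect tool's listing against an independent directory read. The file contents, the fixed timestamp and the 16-bit additive checksum are constructed assumptions (the slides do not say which checksum was used).

```python
import hashlib
import os
import tempfile
from pathlib import Path

FIXED_TIME = 815184000  # constructed timestamp (about November 1995)


def additive_sum(data: bytes) -> int:
    """16-bit additive checksum (SysV `sum` style); blind to compensating edits."""
    total = sum(data)
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16)


def audit(live_dir: Path, backup_dir: Path) -> dict:
    """Compare every file in the trusted backup with its live counterpart."""
    report = {}
    for ref in sorted(backup_dir.iterdir()):
        if not ref.is_file():
            continue
        live = live_dir / ref.name
        if not live.is_file():
            report[ref.name] = {"verdict": "MISSING"}
            continue
        ref_stat, live_stat = ref.stat(), live.stat()
        ref_data, live_data = ref.read_bytes(), live.read_bytes()
        strong_match = (hashlib.sha256(ref_data).digest()
                        == hashlib.sha256(live_data).digest())
        report[ref.name] = {
            # Size and mtime are attacker-controlled, as finding 11 shows.
            "metadata_match": (ref_stat.st_size == live_stat.st_size
                               and int(ref_stat.st_mtime) == int(live_stat.st_mtime)),
            # A weak checksum can be made to match, as finding 12 shows.
            "weak_checksum_match": additive_sum(ref_data) == additive_sum(live_data),
            "sha256_match": strong_match,
            "verdict": "OK" if strong_match else "MODIFIED",
        }
    return report


def hidden_entries(tool_listing, directory: Path) -> set:
    """Names an independent directory read returns but the suspect tool omitted."""
    raw = {entry.name for entry in os.scandir(directory)}
    return raw - set(tool_listing)


def run_demo():
    """Build a constructed backup/live pair and run both checks on it."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        backup.mkdir()
        live.mkdir()
        original = b"#!/bin/sh\n# constructed stand-in for /bin/ls\necho listing\n"
        tampered = bytearray(original)
        tampered[-2] += 1  # one byte up ...
        tampered[-3] -= 1  # ... one byte down: same size, same additive sum
        login = b"#!/bin/sh\n# constructed stand-in for /bin/login\n"
        files = {backup / "ls": original, live / "ls": bytes(tampered),
                 backup / "login": login, live / "login": login}
        for path, data in files.items():
            path.write_bytes(data)
            os.utime(path, (FIXED_TIME, FIXED_TIME))  # timestamps look original
        (live / ".e").mkdir()  # stands in for the directory ls -a did not show
        suspect_ls_output = ["login", "ls"]  # constructed output of the modified ls
        return audit(live, backup), hidden_entries(suspect_ls_output, live)


if __name__ == "__main__":
    file_report, hidden = run_demo()
    for name, result in file_report.items():
        print(name, result)
    print("hidden from tool listing:", sorted(hidden))
```

The reference hashes and the auditing program itself have to come from media the intruder could not write to, which is the role the backup played in this case.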

Attack Methodology

What to Attack (selecting a network/target)?

1. Internet
   a. Access the Network Information Center. The InterNic provides Registration (rs.internic.net), Database (ds.internic.net) and Information (is.internic.net) Services.
   b. whois server to obtain public information on hosts, networks, domains and system administrators.
   c. WWW using the Uniform Resource Locator (URL notation).
   d. DNS to acquire the dotted decimal address.
   e. traceroute to determine intermediate networks.
   f. SNMP to dump a router table.
   g. Archie to establish the locations of files. Archie is a server with an index of filenames.
   h. Gopher as an ftp interface. Gopher allows access to resources through menus.

Attack Methodology

2. Telecommunication/Modem
   a. Social Engineering.
   b. Dumpster Diving
   c. Demon Dialing (Scanning/Autodialing/WarDialing)
   c. Wiretapping
   d. Optical-spying
   e. Cheese box (unauthorized call forwarding)
   f. Piggybacking
   g. Call Forwarding
   h. Password Breaker
   i. Parking Lots
   j. Shoulder Surfing
   k. Socializing
   l. Stealing Laptops
   m. Wireless Communication

Attack Methodology

Who to Attack (selecting a host)?

1. Ping the address with an ICMP Echo Request. This can also be used to find the route of the packet to the address.
2. DNS with a reverse name look-up to translate the numeric address into a domain name address.
3. DNS HINFO records provide the hardware and operating systems release which will be helpful in formulating an attack.
4. Pinglist (a modification of traceroute with udp) to map the network.
5. Netmappers are publicly available.
6. Portmappers are publicly available.
7. The Login Screen can be used to derive information about the target.

Note: Breadth is more important than innovation. Select a known vulnerability rather than expose a new one.

Attack Methodology

Testing the host (finding a weakness).

Note: Weaknesses are generally specific to an operating system, host hardware or due to old bugs that have not been patched.

Utilize Internet Security Scanner(ISS) or Security Analysis Tool for Auditing Networks(SATAN) to scan for various holes.

a. Check for unprotected logins or mail alias (sync, guest, lp, etc.). Does not require a password.

b. Connects to the mail port with Telnet and logs mailer type and version.

c. Attempts an anonymous FTP connection and tries to grab the /etc/passwd file by using the root account. May want a list of supported commands.

d. rpcinfo to test for services running. This program prints out the current portmapper which details what Remote Procedure programs, ports, and protocols are active. Looking for NFS/mountd, yp/ms, rexd.

e. ypx to attempt to grab the passwords through the Network Information System(NIS), originally called Yellow Pages, in order to invoke some type of dictionary attack.

f. Transitive Trust Analyser to learn the source of logins and to recursively probe those hosts.

g. fping to determine Internet connection or Firewall.

Attack Methodology

Hacker goals after penetration

• Leave no evidence of the successful attack. The good hack retains a cloak of invisibility.
• Fetch and crack the /etc/passwd file.
• Obtain machine root (superuser) access.
• Install password sniffing tools to collect data for later retrieval.
• Install two or more security backdoors (security holes).
• Check the /etc/hosts or .rhosts files for trusted hosts.
• Check the mail alias database and log files.
• Run security auditing programs such as:
  – COPS
  – Internet Security Scanner (ISS)
  – Security Analysis Tool for Auditing Networks (SATAN)

- A Hackers View -

Hacker is

Note: A hacker spends 60-70 hours/week Hacking!

Why?
• A challenge/A game of wits/skill and ingenuity.
• A sense of enjoyment/Accomplishment.
• Intensely interested in computers.

Hacker Profile:
• Teens or early twenties.
• A fast learner.
• Academically advanced.
• Bored in school.
• Hackers grow up to become computer professionals.
• As many as 80% of all system operators claim to have hacked.

Hacker is

The Student:
• Very bright but bored.
• Excited by learning more about computers.
• They will spend days examining files on a system.
• Hacking is a solitary pastime - not antisocial behavior.
• Generally adheres to good computer ethics.
• He wants to remain undiscovered so he can use the system.
• He wants to stay out of trouble.
• He respects the system/programmers and doesn't want to create additional work.
• He may seek employment with the company (at just the right time with just the right credentials).

Hacker is

The Crasher:
• A troublemaker.
• No obvious purpose or logic to their hacking.
• Makes themselves visible by creating as much trouble as possible.
• They are very patient and plan their attack to accomplish the most damage.
• Erases programs, files, etc.
• Crashers don't have a good reputation with other hackers.
• They crash hacker bulletin boards, close down hacker accounts, etc.
• The Crasher must be stopped during the reconnaissance phase.

Attack Methodology

Step One - The Target Reconnaissance.

• Target Reconnaissance, sometimes called footprinting, is when the Hacker gathers information about the target system and the network.
• Search the Internet - Web sites, IRC, newsgroups, etc.
• Use the Domain Information Groper (DIG) to attempt a Zone Transfer.
• Gather information on network users through the Web, newsgroups, telephone books, Social Engineering, Dumpster Diving, examine cars, etc.
• This will reveal password combination and the policy for determining user names.

Attack Methodology

For example:

• whois xyz.abc will find hosts on the xyz.com network.
• nslookup on xyz.abc will return information contained in the xyz.com DNS.
• Utilize a zone transfer program (DIG or named.xfer) to retrieve the DNS files from the primary DNS.
• Utilize the ping command to determine which systems are connected to the Internet.
• telnet navy.mil will determine the machine type and OS version.
• Utilize telnet to port 25 to determine the sendmail version and machine type.
• Utilize rpcinfo to scan for active ports and return a list of rpc programs running on the machine w/version numbers and port numbers.
• Utilize finger to get a list of users on the system, etc.

Typical Hacker Attacks

VIRUS. A self-replicating, malicious program segment that attaches itself to legitimate application programs, operating system commands or other executable system components and spreads from one system to another. Each reproduced virus code then grows independently of the other. The virus grows geometrically.

• Boot Sector. A virus that replaces the boot sector of a floppy or hard drive.
• System File. A virus that infects system files.
• Stealth. A virus that hides itself and actions from the operating system.
• Polymorphic. A virus that changes itself each time it infects a file or disk. This virus hides itself and its actions from the operating system.
• Multi-Partite. This virus infects both files and boot sectors.
• Macro Virus. This virus is written in a macro language and is commonly found in software containing a scripting language such as Word, Excel, and Powerpoint.

Typical Hacker Attacks

WORM. An independent program that replicates from machine to machine across network connections and that clogs networks and computer systems as it spreads.

It is designed to search for idle computer memory and then to copy itself repeatedly until the memory is exhausted and the computer crashes.

A worm is not a virus although they are sometimes confused.

A virus must infect other programs with a copy of itself.

The most famous is the Internet Worm by Robert Morris.

Typical Hacker Attacks

IMPERSONATION. An attempt to gain access to a system by posing as an authorized user. Synonymous with masquerading and mimicking.

Example: using another person's access code to log on.

BOMBS. A computer program residing in a computer that is executed at appropriate or periodic times to determine conditions or states of a computer system and that facilitates the perpetration of an unauthorized act.

Example: a program that causes the system to erase all financial files when it discovers that a particular person has been removed from the personnel files. Writing Logic Bombs is very easy but difficult to detect. A Time Bomb has a time trigger. A Logic Bomb has a computer state trigger.

Typical Hacker Attacks

TRAP DOOR. A breach created intentionally in an ADP system for the purpose of collecting, altering or destroying data.

Generally done through putting extra code in a software program which acts as a testing aid for programmers during construction, testing or program maintenance.

TROJAN HORSE. A computer program that is apparently or actually useful but that performs another function.

The Trojan can modify databases, write checks, send electronic mail, destroy File Allocation Tables, directories or files.

The Trojan Horse can be embedded by a programmer or down loaded from a BBS.

Most Trojan Horses in the microcomputer detonate their payload the moment they run not only carrying out their intended function but also destroying themselves.

Typical Hacker Attacks

SOFTWARE PIRACY. The illegal copying of software (and repackaging it for sale).

• Software piracy is being fought by the Software Publishing Association.
• Indications are that this amounts to between $4-7 billion loss in sales.
• This results from individual copying, Pirate BBS, country piracy (China, Taiwan, Singapore, etc.) and try before buying rental/loans.

SNIFFING. The installation of a protocol analyzer software program (Sniffer) to surreptitiously gather user passwords and log them into an unused space under an innocuous name, such as "..".

• The hacker at some time in the future will return and download the passwords and if necessary employ a Password Cracker.

Typical Hacker Attacks

BROWSING. Searching through storage to locate or acquire information, without necessarily knowing of the existence or the format of the information being sought.

DATA DIDDLING. The unauthorized changing of data before or during their input to a computer system resulting in increased paychecks, extra leave, overtime pay, etc.

EMBEZZLING. Using a computer to prepare false financial reports.

FORGERY. The illegal creation of documents or records which are intended to be construed as real, officially produced documents or records. For example, using desktop publishing to create a false driver's license, social security card or passport.

Typical Hacker Attacks

FRAUD. The exploitation of information systems in an attempt to deceive an organization and/or to take its resources.

DENIAL OF SERVICE. This is performed by trashing a system, tying up ports, placing garbage on screens, changing file names, and erasing program files. This type of attack is becoming more common (spamming, SYN attack, etc.).

SPOOFING. The deliberate inducement of a user or a resource to take incorrect action. Example: a user writes a program that gives "system-like" responses to someone trying to log on to the system; thus, the person trying to log on will unwittingly give his password to the person/program doing the spoofing.

Typical Hacker Attacks

SUPERZAPPING. The unauthorized use of a utility computer program that violates computer access controls to modify, destroy, copy, disclose, insert, use, deny use or expose data in a computer. The name derives from an IBM utility program called "Superzap" which permitted an operator to start, stop or modify a procedure that has been misbehaving. The equivalent in a microcomputer would be something like PC Tools or Norton Utility.

SALAMI TECHNIQUES. The unauthorized, covert process of taking small amounts (slices) of money from many sources in and with the aid of a computer. An example is the round-down fraud, whereby remainders from the computations of interest are moved to the attacker's account instead of being systematically distributed among accounts that were rounded up.

The story is told of a Russian worker who left the factory each night with a wheelbarrow full of sawdust and every night the guard poked the sawdust and upon finding nothing let him pass. Several years later, after both were retired, they accidentally met in a bar and the guard asked him what he was stealing in the wheelbarrow to which the worker replied: "Oh, I was stealing the wheelbarrows."
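The round-down fraud described under SALAMI TECHNIQUES leaves a recognizable pattern in the ledger, which an auditor can test for by recomputing the interest run. The following is an added example, not part of the original slides: the round-half-even policy, the rate, the account names and both sample ledgers are constructed assumptions.

```python
from decimal import Decimal as D, ROUND_DOWN, ROUND_HALF_EVEN

CENT = D("0.01")
RATE = D("0.00375")  # constructed periodic interest rate

def audit_interest_run(postings, rate):
    """Recompute an interest run and report the round-down signature.

    postings: iterable of (account_id, balance, posted_interest) as Decimals.
    Assumes the bank's stated policy is round-half-even to the cent.
    """
    unexplained = {}           # postings a cent or more away from exact interest
    rounded_down_wrongly = []  # policy says round up, ledger shows truncation
    withheld = D("0")          # sub-cent remainders cut off by truncation
    for acct, balance, posted in postings:
        exact = balance * rate
        fair = exact.quantize(CENT, rounding=ROUND_HALF_EVEN)
        floor = exact.quantize(CENT, rounding=ROUND_DOWN)
        if abs(posted - exact) >= CENT:
            unexplained[acct] = posted - exact
        elif posted == floor:
            withheld += exact - floor
            if fair > floor:
                rounded_down_wrongly.append(acct)
    # The slices must land somewhere: an over-credit matching the withheld
    # total (within two cents of rounding slack) marks the receiving account.
    sinks = [a for a, extra in unexplained.items()
             if extra > 0 and abs(extra - withheld) < 2 * CENT]
    return {"withheld": withheld, "rounded_down_wrongly": rounded_down_wrongly,
            "unexplained": unexplained, "sinks": sinks}

# Constructed ledgers: the same balances posted fraudulently and correctly.
BALANCES = [("A1", "1234.56"), ("A2", "980.00"), ("A3", "15250.10"),
            ("A4", "402.33"), ("A5", "7600.00"), ("A6", "310.45"), ("Z9", "50.00")]
FRAUD_POSTED = ["4.62", "3.67", "57.18", "1.50", "28.50", "1.16", "0.21"]
CLEAN_POSTED = ["4.63", "3.68", "57.19", "1.51", "28.50", "1.16", "0.19"]
FRAUD_RUN = [(a, D(b), D(p)) for (a, b), p in zip(BALANCES, FRAUD_POSTED)]
CLEAN_RUN = [(a, D(b), D(p)) for (a, b), p in zip(BALANCES, CLEAN_POSTED)]

if __name__ == "__main__":
    for label, run in (("fraud", FRAUD_RUN), ("clean", CLEAN_RUN)):
        print(label, audit_interest_run(run, RATE))
```

In the constructed fraud ledger every customer posting is individually within a cent of the exact figure, so only the aggregate view (all errors in one direction, plus one matching over-credit) exposes the scheme.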

Typical Hacker Attacks

PIGGY BACKING. Unauthorized access that is gained to an ADP system via another user's legitimate connection. A method of gaining unauthorized physical access to guarded areas when the attacker does not possess the required authorization to pass. Electronic piggybacking occurs when a computer or terminal covertly shares the same communication line as an authorized user. The host computer, to which they both transmit, is unable to distinguish the signals of the authorized user from those of the unauthorized user.

EAVESDROPPING. The unauthorized interception of information-bearing emanations through the use of methods other than wiretapping (TEMPEST).

SCAVENGING. Searching through residue for the purpose of unauthorized data acquisition. A covert, unauthorized method of obtaining information that may be left in or around a computer system after the execution of a job. Included here is a physical search (trash barrels, carbon copies, ribbons, diskettes, etc.) and a search for residual data within the computer storage areas, temporary storage tapes, and the like. This, for example, encompasses dumpster diving, unerasing diskette files, examining scratch tapes and looking at old ribbons.

Typical Hacker Attacks

BUMBLING. Sometimes called "accidents", "errors of omission", or "errors of commission". Indications are that this amounts to 50-60% of annual dollar loss. This is the result of clumsy fingers, big thumbs, and improper training.

DATA LEAKAGE. The covert copying of computer information and its removal from the organization. For example, this could be as simple as the copying of a software program for home use. This can be accomplished through diskettes, tape or hard copy. Very rarely do guards perform body checks or open briefcases.

WIRETAPPING. Normally accomplished at the wiring closet.

Passive Wiretapping with electrical induction can easily be accomplished with a tape recorder, microphone, AM/FM portable radio, a modem and a printer. The cassette recorder, through induction, picks up the signal and amplifies it through the radio, perhaps acoustically coupling it through a modem which converts the analog signal to digital for printing.

Active Wiretapping is the monitoring and recording of data while the data is being transmitted over a communications link.