Upload
gynx
View
217
Download
0
Embed Size (px)
Citation preview
8/9/2019 19 03 Hacking
1/8
12 I into IT
You can manage what you know about; it's what you don't
know about that creeps up and stabs you. For the IT
manager, computer hacking is one such sword of
Damocles for which sensible preventive
and detective measures have become
essential. And in common with other
disasters in waiting, infiltration should
feature in contingency planning.
For the benefit of those readers
unfamiliar with computer
hacking, N. Nagarajan of the
Office of the Comptroller
and Auditor General of
India gives an overview
and explains some of
the terms associated
with it.
The basics of pr ot ect ing against comput er hack ing
The hacker
Technically, a "hacker"is someone who isenthusiastic about computerprogramming and all things computerrelated, and is motivated by curiosity toreverse engineer software and to explore.
8/9/2019 19 03 Hacking
2/8
into IT I 13
The term "cracker", on the other hand,
describes those who apply hacking skillsto gain unauthorisedaccess to acomputer facility, often with sinistermotives. But "cracking"never reallycaught on, perhaps due to the greyarea that exists between the twoactivities and to the media's widespreaduse of "hacking"as a term synonymouswith computer crime. I will nottherefore try to buck the trend in thisarticle.
Computer hacking
Hacking is in some ways the onlineequivalent to burglary; in other wordsbreaking intopremises against thewishes of the lawful owner - in somejurisdictions a crime in itself - fromwhich other criminal acts such as theftand/or damage generally result.
Computer hacking refers to gainingunauthorisedaccess to, and hence somemeasure of control over, a computerfacility, and most countries now have
specific legislation in place to deterthose who might wish to practice thisart and science. In some jurisdictions,unauthorised access alone constitutes acriminal offence, even if the hackerattempts nothing further. However, inpractice, hackers generally have aparticular target in mind, so their unau-thorised access leads to further acts,which national law might also define ascriminal activities. These can besummarised under the headings ofunauthorised:
G obtaining of confidentialinformation: perhaps the majorgrowth area in computer crime is"identity theft", in other words theobtaining of personal informationthat can then be used to commitother serious offences, usually in
the area of fraud. However, other
motives include espionage (bothgovernmental and commercialsecrets) and the obtaining ofpersonally sensitive information thatmight be used for tracing people,deception and blackmail;
G alteration or delet ion of dataand code: most organisations nowdepend to some extent on comput-erised information systems, and anyact resulting in significant corruptionor deletion of corporate data could
have serious implications on theirability to transact business;
G degradation or cessation ofservice: acts that result in systemsbeing unable to carry theirworkload or that fail altogether,could also have serious businessimplications;
G use of computer resources:this impact is really inherent in theprevious three, but it's worthmentioning separately because an
emerging problem is the use byhackers of other people's systems(extending to home PCs) to storeillegally obtained data or to mountattacks on other systems. There aredocumented cases of systemshacked in this way - sometimesreferred to as "zombies" becausethey are no longer in the full controlof their unsuspecting owners -being used to store childpornography and material that
breaches copyright law (e.g.copyrighted music files), to mountdistributed denial of service attackson other systems, and to distributespam e-mail.
Finally, it's worth emphasising that theterm "hacker" applies both to outsidersand to otherwise authorised personnelwho misuse their system privileges, orwho impersonate higher privilegedusers. This sad fact needs to berecognised when formulating corporate
security policy.
The Ten Immutable Laws o f Security
1 If a bad guy can persuade you to run his program on your computer, it's
not your computer anymore.2 If a bad guy can alter the operating system on your computer, it's not your
computer anymore.
3 If a bad guy has unrestricted physical access to your computer, it's not
your computer anymore.
4 If you allow a bad guy to upload programs to your web site, it's not your
web site any more.
5 Weak passwords trump strong security.
6 A machine is only as secure as the administrator is trustworthy.
7 Encrypted data is only as secure as the decryption key.
8 An out of date virus scanner is only marginally better than no virus
scanner at all.
9 Absolute anonymity isn't practical, in real life or on the web.
10 Technology is not a panacea.
Source - www.microsoft.com/technet
8/9/2019 19 03 Hacking
3/8
Approaches to hacking
There are several basic strategies forhacking a computer facility: physicalintrusion; password attacks; networkaccess; web server attacks; and e-mailattacks, but there are a multitude oftactics that can be used to implementthem. For example, security flaws (or
design
weaknesses) in infrastructure softwareand communications protocols offer
seemingly endless tactical possibilities,as is evidenced in the never-endingstream of security updates (seeexample).
Physical int rusion: an attacker's workis made easier by gaining physicalaccess to a machine's keyboard or tonetwork junction boxes. Physical access
opens up such possibilities asinstalling a keystroke
logger1; installingunauthorised
hardware devices(e.g. linking a
modem thatbypasses the
corporate firewalls tothe network); tapping
junction boxes throughwhich network traffic
might be analysed; gainingaccess to system docu-mentation, printouts andto written notes of theirpasswords left by recklessusers. Even access to confi-
dential waste can prove fruitful.Perhaps the quickest and easiest way togain physical access to an organisation'scomputer facilities is to join thecontract cleaning force, which oftenworks unsupervised and outside normal
office hours.Passwor d att acks: obtain a validpassword to the system and youbecome just another legitimate user.This is particularly dangerous wherethe hacked account has specialprivileges assigned to it that permitwide-ranging system access and use.A successful password attack is bothdifficult to detect and difficult toprevent because password securitydepends largely on the user. Keystroke
loggers and social engineering (seeterminology below) are methods ofcapturing passwords, while peopleoften share their personal passwordswith others, write them on notes thatthey attach to their terminals, and failto change them periodically. Passwordcracking programs perform anelaborate process of guessing 'weak'passwords by trial and error, usingcombinations of words from differentlanguages, names (places, people,characters in books), jargon, slang, andacronyms. These are tried backwards,in two-word combinations, in combina-tions with numbers substituted forletters, etc. Vendors often ship infra-structure software with the administra-tor account passwords set to defaultvalues; because these are widelyknown in the hacking community, theyprovide an easy route into a computerfacility if left unchanged.
Network Access and Web ServerAttacks: computers forming part of alocal area network that is in turn
14 I into IT
Just another security update for Microsoft Internet Explorer
Are You on a Network?
If your computer is part of a m anaged network, contact your organization's system
administrator before making changes to your computer.
Why We Are Issuing This Update
A number of security issues have been identified in M icrosoft Internet Explorer that
could allow an attacker to compromise a Microsoft Windows-b ased system and then
take a variety of actions. For example, an attacker could run programs on a computer
used to view the attacker's Web site. This vulnerability af fects computers that have
Internet E xplorer installed. (You do not have to be using Internet E xplorer as your Web
browser to be affected by this issue.) You can help protect your computer by installing
this update from M icrosoft.
Source - Microsoft Security Bulletin M S03-032
1Hardware or software than captures the user's keystrokes, including their passwords.
8/9/2019 19 03 Hacking
4/8
into IT I 15
connected to the Internet are exposedto a range of potential logical accessrisks. A network's primary purpose isto permit users to access resourcesand exchange information, but hackerscan also use the network for the same
purpose. There are different ways toachieve unauthorised access under thisheading, many being technically sophis-ticated. One set of approaches exploitsfeatures of networking software thatmake it accessible from outside thenetwork. Another set exploitsbrowsers; for example, browsersmaintain or have access to informationabout the user and computer that ahacker can exploit. A hacker could alsocause a browser to launch an "applet"(a program that runs in conjunction
with the browser) to hack thecomputer or network, or to send backinformation that is not normallyaccessible from outside. Once access isgained, "island hopping" through thenetwork is sometimes possible byexploiting trusted relationshipsbetween interconnected computers -the fact is that a network of computersthat trust each other is only as secure asits weakest link.
The basic solutions to this family ofsecurity risks are to keep abreast ofvendor security updates - such as theMicrosoft example illustrated - and tomaintain an effective "firewall"2.
Email At tacks: e-mail is a major routeinto networked computers. Typically, aTrojan horse program is buried withinan innocuous-looking attachment to ane-mail message (see the Autorooterexample). The Trojan is launched whenthe attachment is opened (orsometimes viewed) and covertly passescontrol of the computer to the hacker.
Managing commonvulnerabilities
A compromised system can be a self-inflicted injury due simply to the basicprecautions having being ignored:
G ensure that your computer hasgood physical security, consistentwith both its value in terms ofreplacement cost and the conse-quences that could stem from itsdata being disclosed or destroyed.Secure sensitive areas; manageaccess keys; consider installingintruder alarms. Ensure communica-tions junction boxes are securedand inspect them periodically for
signs of tampering - network admin-istration packages can detect unau-thorised physical devices connectedto the network. Provide a securewaste disposal service for computerprintouts and removable media;
G formulate a sensible passwordpolicy for authenticating users andenforce it. Consider the need tostrengthen password authenticationwith tokens or biometrics. Disableunnecessary services and accounts
promptly;
G systems administrators occupypositions of extreme trust; itfollows that they should themselvesbe trustworthy. Be very carefulwho you permit to have systemadministrator-level access to your
network particularly when hiringnew staff or appointing people tocover for absences. Considerimplementing a policy of "leastprivilege"3 and review periodicallythe privileges that have beenallocated, to whom and for whatpurpose;
G infrastructure software - inparticular the operating system andfirewalls - generates logs thatrecord who is using (or attempting
to use) the system, for whatpurpose and when. Thisinformation can prove vital indetecting unauthorised activity - forexample, attempted access to par-ticularly sensitive accounts or files -and system use at unusual times.Logs should be reviewed frequently- it may be necessary to develop orpurchase a log monitoring andanalysis package to enable keysystem messages to be detectedquickly. An unplanned increase in
2A combination of hardware and software that limitsexternal access to networked computers and resource.
3The least level of privilege consistent with performing aparticular role.
Autorooter
...a Trojan horse, potentially spread by e-mail, which exploits a Windows vulnerability to
allow a hacker to gain control of infected computers.
This D COM -RPC exploit only affects Windows XP/2000 Pro/NT computers, which can
use Remote Procedure Call. As the Trojan is incapable of spreading by itself, the file
reaches computers through in fected e-mail messages, inside files downloaded from the
Internet or even on floppy disks.
When run, Autorooter creates files, including RP C.EXE , which exploit the operating
system vulnerability by opening communication port 57005 and logging on w ith the
same privileges as the computer's user. It also downloads a file called L OLX.EXE ,
which opens a backdoor in the computer. After that, the infected computer is at the
mercy of the hacker who can gain remote control through the port created.
Because it doesn't show any messages or warnings that may indicate that it has
reached the computer, Autorooter is difficult to recognise.
8/9/2019 19 03 Hacking
5/8
disc storage, slower than expectednetwork performance andsuspicious-looking outboundconnections can be other indicatorsthat you have a cuckoo in the nest;
G make sure that your system files(including the Registry) are wellprotected from unauthorisedchange. Apply the principle of leastprivilege to limit what users are ableto do. Implement a change controlprocedure to ensure at least twopeople are involved in important
system changes and that all changesare recorded. Periodically audityour system software for unautho-rised executables;
G never run or download softwarefrom an untrusted source (thesource from which it was obtainedmight not be the same as thedeveloper). If you run a web site,you should control closely whatvisitors can do; in particular, youshould only permit programs on the
site that you obtained from atrusted developer;
G typically, a new virus or Trojan doesthe greatest amount of damageearly in its life when few people areable to detect it. Thus, an out ofdate virus scanner is only marginallybetter than no virus scanner. Newviruses and Trojans are createdvirtually every day, so it's vital tokeep your scanner's signature file upto date - virtually every vendor
provides a means to obtain freeupdated signature files from theirweb site.
When you're satisfied that the basicsare both in place and operating, whynot consider hiring a reputable firm ofsecurity specialists to undertake a"penetration testing" programme toassess the extent to which yourscheme of control rests on solidfoundations rather than on sand?
Planning for hackingincidents
So, you discover that your system hasbeen hacked. What next?Well, first it'snecessary to backtrack and considerplanning for this possibility. Sit downwith colleagues and write down astrategy to guide your response,exactly as you would for any otheraspect of contingency planning. Whowill form your incident response team?What are your goals going to be and inwhat order of priority?In most casesthey are likely to be first, to preventfurther intrusion, then to identify the
vulnerabilities that led to the attack,assess the damage and consider whatremedial action needs to be taken (e.g.what would you do were you tosuspect identity theft?). Will you assignresources to identifying the intruder?Will you involve the police?
One of the first points to consider iswhether to disconnect from yourexternal networks to limit damage andprevent further infiltration to othertrusted networks. Assuming the attack
is external, remaining connected mayleave the hacker able to observe andnegate the response team's actions.Organisations that have reliable (i.e.
successfully tested) disaster recoveryarrangements in place may find it com-paratively easy to transfer their keyoperations to a disaster recovery sitewhile they thoroughly investigate andsanitise their home site.
You should consider the extent towhich you back up your firewall andother significant logs. Assuming the vul-nerability that gave rise to the attack isnot apparent, you may need to lookback, perhaps weeks, to identify whenand how the intrusion occurred
(another plus in favour of frequent logreviews). Furthermore, should eventsfinish up in the hands of the police, thepolice are likely to need the evidencecontained in your logs to support aprosecution.
You will also need to consider who toinform when you discover theproblem. This will involve striking abalance between those who need to beinvolved in the investigation, topmanagement - but only when you have
concrete proposals to make to them -and everyone else, at least until theevidence has been preserved.
Investigation needs to be thorough;focusing on a single vulnerability beforerestoring service might overlook theexistence of backdoors that the hackerhas inserted to enable easy re-entrylater. A thorough investigation willinvolve advanced networkingtechniques, adeptness with softwaretools, system administration,
data/system recovery, technical skillsthat might not be at your immediatedisposal. Thus, it might be prudent in
16 I into IT
It's vital to appreciate that:
G security consists of both
technology and policy; that is,
it's the combination of the
technology and how you use it
that ultim ately determines how
secure your systems are;
G security is journey, not a
destination. It's not a p roblem
that can be "solved" once and for
all, but a continual series of
moves and countermoves
between the good guys and thebad guys;
G the key is to ensure that you
have good security awareness,
appropriate security policies
( that you enforce), and that you
exercise sound judgment.
The hackers' hit parade
Security firm Qualys produces a
real-time index of the vulnerabilities
that are the current f avourites of the
Internet's computer hacking
community. You can obtain details of
each vulnerability by clicking on each
entry in the 'ID' column of the vulner-
ability table.
http://www.qualys.com/services/threa
ts/current.html.
8/9/2019 19 03 Hacking
6/8
into IT I 17
your planning to identify reputablesecurity specialists well versed inpenetration testing that might be calledupon to assist with sanitising andrebuilding your systems.
In addition to identifying the systemvulnerabilities exploited by the hacker,a critical review and reconciliation ofactivated accounts (particularly those ofguests, supposedly disabled accountsand those whose presence can't beexplained) and their associated systemprivileges, while tedious, could revealother unused entry points the hackerhas set up against a rainy day; likewise,you should confirm the status of allinterconnected 'trusted' systems.
Scan the system for Trojans. These aretypically identified by antiviruspackages, but their scan engines havevarying degrees of success, particularlyif not up-to-date, so scan using (up-to-date versions of) several packages.
Note: there is more information onincident response at...
http://www.cert.org/security-improvement/modules/m06.html
Conclusion
In the context of computer hacking,knowing what you do not know ismanageable, hence the importance ofgood preventive and detectivemeasures, such as log review andintrusion detection systems. The lessfortunate are those who remain in self-inflicted ignorance - maybe for weeksor months - that their system has beeninfiltrated and their business is beingdamaged.
Regardless of the strength of yourpreventive and detective measures, beprepared for hacking incidents, particu-larly if your organisation relies heavilyon networks (the Internet, WANs andLANs) for its operations and customerservices. Should you fall victim, athorough investigation of acompromised system - whiledisruptive, time-consuming, expensive,and tedious - is essential. Thetemptation is to give in to pressure to
resume operations quickly by closingthe obvious vulnerabilities and trustingto luck that the system is clean. Thatcould easily be a false economy.
Some terminology
Buffer overflows - are due partly to acharacteristic of some programminglanguages, such as C, which poorprogramming practices thenexacerbate. An overflow occurs when a
program attempts to store more datain temporary storage area, or "buffer",than it can hold. Since buffers are offinite size, the extra informationoverflows into adjacent buffers therebycorrupting or overwriting the valid dataheld in them. This would normallycause a program failure or even asystem crash, but a skilfully craftedoverflow can also be exploited as aform of security attack. The attackercan gain control by creating anoverflow containing code designed tosend new instructions to the attackedcomputer, hence the relevance ofbuffer overflows to hacking.
Firewall - the online equivalent of the
'man on the door' who, when a visitorarrives in the foyer, asks for proof ofidentity, checks the appointments book,contacts the host, issues a temporarypass and perhaps inspects the visitor'sbaggage before permitting - or denying- entry.
A network firewall sits at the junctionpoint or gateway between twonetworks - usually a private networkand a public network such as theInternet - its purpose being to reduce
the risk to networked computers ofintrusion. It may be a hardware deviceor software running on a secure hostcomputer. In either case, a firewall hasat least two network interfaces, one forthe network it is protecting and one forthe untrusted network to which it isexposed. Because firewalls cannotdecide for themselves whether traffic ishostile or benign, they must beprogrammed with rules (a "securitypolicy") that govern the types of trafficto allow or deny.
In addition to guarding externalconnections, firewalls are alsosometimes used internally to provideadditional security by segregating sub-network that give access to highlysensitive applications.
Honey Pots - decoy servers orsystems designed to gather informationabout attackers. A honey pot, which isset up to be easier prey for attackersthan genuine production systems,
incorporates modifications that enableintruders' activities to be logged andtraced. The theory is that when anintruder breaks into a system, they willreturn. During subsequent visits,additional information can be gatheredand additional attempts at file, security,and system access on the Honey Potcan be monitored and saved. Mostfirewalls can be configured to alertsystem administrators when theydetect traffic entering or leaving ahoney pot.
Identit y theft - involves taking over anindividual's identity by stealing criticalprivate information, such as the SocialSecurity number, driver's license
Responding to intrusions
G understand the extent and
source of an intrusion;
G protect sensitive data contained
on systems;
G protect the systems, the
networks and their ability to
continue operating as intended;
G recover systems;
G collect information to better
understand what happened.
Without such information, you
may inadvertently take actions
that can further damage your
systems;
G support legal investigations.
Source: www.cert.org
8/9/2019 19 03 Hacking
7/8
number, address, credit card number,or bank account number. The identitythief can then use the stoleninformation to obtain loans or credit
lines to buy goods and services underthe stolen name. Identity thievestypically change the consumer's mailingaddress to hide their activities.
Int rusion detect ion - the art andscience of detecting when a computeror network is being used inappropri-ately or without authority. An IDsystem monitors system and network
resources and activities and, using
information gathered from thesesources, alerts system administratorson identifying possible intrusion.
Firewalls (see above) work only at anetwork's point of entry with packetsas they enter and leave the network.An attacker that has breached thefirewall can roam at will through anetwork - this is where an ID systembecomes important.
Intrusion Prevention - systemsmonitor for suspicious activity with the
aim of proactively blocking potentialattacks. Typically, an IP systemcomprises a software agent that residesnear to the host's operating systemkernel, which monitors system callsbefore they reach the kernel using arules engine to identify potentiallysuspicious activity. This can then behalted, or the systems administratoralerted. A drawback is that IP systemscan respond to legitimate activities andgenerate false alarms. Defining
exceptions can reduce such false alarms,but there are pros and cons to this.
Keystroke logger (or keylogger) - isa program that runs in the backgroundrecording all keystrokes. Once logged,the keystrokes are returned to thehacker who peruses them carefully toidentify passwords and other usefulinformation that could be used to
compromise the system, or be used in
a social engineering attack. Forexample, a keylogger will reveal thecontents of all e-mail composed by theuser. Keylogger programs arecommonly included in rootkits andremote administration Trojans. Akeystroke logger can also take the formof a hardware device, independent ofthe operating system, which plugs inbetween the keyboard and the mainsystem (for PCs). They simply recordwhat is typed at the keyboard; thehacker can later retrieve the device
and examine its contents.
Phishing - occurs when a consumerreceives a deceptively legitimatelooking e-mail from what appears to bea reputable company (see Spoofing).The e-mail might ask a recipient to, forexample, update their credit cardinformation, and/or provide otherpersonal details to avoid their accountbeing terminated. Another approach isfor the sender of the message to offera service, for example to protect their
credit cards from possible fraud. Thosestung by phishing are victims of"identity theft" (see above).
18 I into IT
Example of a buffer overflow
vulnerability
The Phone Book Service that runs on
Internet I nformation Services (IIS) 5.0
has an unchecked buffer (a
temporary data storage area that has
a limited capacity but no specification
for the amount of information that can
be written into it) i n the code that
processes requests for phone book
updates. A specifically malformed
HTTP request from a malicious user
can cause a buffer overflow in thePhone Book Service, which might
allow the malicious user to run unau-
thorized code on the server, or cause
the service to fail.
Source: extract from a M icrosoft
security update.
Attempted identi ty theft
National Australia Bank customers
became targets for an e-mail fraud in
which they were sent (grammatically
incorrect) requests, purportedly from
the bank, requesting them to connect
to the NAB w eb site."Dear valued customer,"it read, "Our
new security system will help you to
avoid frequently fraud transactions
and to keep your investments in
safety."The e-mail encouraged
recipients to click a link in the body of
the message, which then connected
them to a site that mimicked the NAB
Web site but that had been set up to
capture their login and password
details.
The scam used a message previouslyused to targeted other banks'
customers.
8/9/2019 19 03 Hacking
8/8
Rootkit - a collection of tools andutilities that a hacker can use to hidetheir presence and gather data to helpthem further infiltrate a network.Typically, a rootkit includes tools to logkeystrokes (see keylogger above),create secret backdoor entrances tothe system, monitor packets on thenetwork to gain information, and altersystem log files and administrative toolsto prevent detection.
Social engineering - in his book, TheArt of Deception: Controlling the H uman
Element of Security4
, arch hacker KevinMitnick poses the question: why botherattacking technology when the weakestlink lies not in the computer hardwareor software, but in humans who can betricked into giving up their passwordsand other secrets?Mitnick goes on tostate that social engineering "usesinfluence and persuasion to deceivepeople by convincing them that the socialengineer is someone he is not, or bymanipulation. The social engineer is ableto take advantage of people to obtain
information with or without the use oftechnology."
Spoofing - in essence a technique thatdepends on forging the identity ofsomeone or something else ("mas-querading"), the aim being to alter thetrust relationship between the partiesto a transaction.
In the online world, there are differentflavours of spoofing. A hacker mightemploy sophisticated e-mail spoofing tomake it appear that an e-mail requiringthe victim to confirm their accountdetails, including such information astheir logon ID and password, has been
sent by a reputable person or organisa-tion (see "phishing" and "socialengineering" above).
IP spoofing is another common form ofonline camouflage, in which a hackerattempts to gain unauthorised access toa computer or network by making itappear that a packet has come from atrusted machine by spoofing its uniqueInternet IP address. A countermeasureis to use of a Virtual Private Network(VPN) protocol, a method that involves
encrypting the data in each packet aswell as the source address usingencryption keys that a potential attackerdoesn't have. The VPN software orfirmware decrypts the packet andsource address, and performs achecksum. The packet is discarded ifeither the data or the source address
has been tampered with.
Trojan horse - a name derived fromthe classic Trojan horse in Homer'sIliad. After spending many monthsunsuccessfully besieging the fortifiedcity of Troy, the Greeks evolved astrategy. They departed leaving behindthem as a gift a large wooden horse,which the citizens of Troy brought intotown. Unknown to them the horsecontained Greek warriors, who at nightjumped out and opened the city gatesletting in the Greek army who hadbeen in hiding.
In the IT environment - and settingaside the legitimate use of networkadministration tools - Trojans aregenerally considered a class of"malware" that, like their predecessor,contain covert functionality. They act asa means of entering a target computerundetected and then allowing a remotehacker unrestricted access and control.They generallyincorporate a rootkit(see above).
into IT I 19
N. Nagarajan CISA joined the Officeof the Comptroller and AuditorGeneral of India in 1989, and ispresently employed as Senior DeputyAccountant General in Mumbai. Inaddition to his wide experience inauditing IT (particularly in the field of
Electronic Data Interchange) and intraining staff in IT audit skills,Nararajan has also worked as adeveloper of pensions systems.
Nagarajan's international workincludes audit assignments at theUnited Nations in New York, and atwo year secondment to the Office ofthe Auditor General of Mauritiuswhere he was involved in trainingstaff and in the audit of EDI systemsoperated by the Customsdepartment. Nagarajan has beenpublished in a number of internationaljournals.
About t he aut hor4
Wiley, ISBN 0-471-23712-4